NSTIC – An Overview · White House made securing online transactions a National priority through...


Page 1: NSTIC – An Overview · White House made securing online transactions a National priority through the President’s Cyberspace Policy Review - Includes securing transactions for

NSTIC – An Overview Tackling the virtual identity problem space

Copyright © 2010 Smart Card Alliance, Inc. All rights reserved.

Page 2

Agenda

• Today’s problem of virtual-world identity authentication
• NSTIC’s initiative and ownership
• Strategy development
• Public comment periods
  – Strategy comment initiative on the Web
  – Department of Commerce NOI
• Presidential strategy
• Implementation plan

Page 3

Today’s problem of online authentication

• Limited to one factor: name and password
  – Keyboard logger and man-in-the-middle attacks
  – Insecure entry of credit card information
• Weak trust for online transactions and many breaches
• Relies on the individual to present their information
  – Identity and account theft vulnerabilities
• Not enabling growth of e-commerce or e-government
• Efforts to lobby the administration regarding a national identity strategy (“Identity Crisis”)
  – Cyberspace Policy Review undertaken by the President

Page 4

NSTIC initiative and ownership

• Owned within the White House at policy level
  – National Security Staff – Cybersecurity
• DHS taking the leading role in strategy formulation
  – Interagency involvement
  – Privacy Office involvement
• Department of Commerce a major stakeholder
• Reached out to several companies and organizations to participate in March 2010

Page 5

Problem Statement (White House)

• Nationwide losses from identity theft measured in the billions of dollars; multiple unauthorized intrusions into our critical infrastructure
  – Losses and intrusions tied to a lack of security around online transactions
• White House made securing online transactions a national priority through the President’s Cyberspace Policy Review
  – Includes securing transactions for both public and private sector entities
• DHS is leading an inter-agency effort to formulate a National Strategy for Secure Online Transactions (N.B. renamed NSTIC later)
  – Stakeholders from a variety of industries are being involved to ensure that the strategy accounts for the larger online community

Page 6

Project Purpose (White House)

• The National Strategy for Secure Online Transactions is intended to do the following:
  – Foster the creation and adoption of federated identity frameworks that use a variety of authentication methods
  – Encourage the use of authentication methods with well-understood security, privacy, usability, and cost characteristics
  – Encourage the use of authentication methods resistant to known and projected threats
  – Provide a general trust model for making trust-based authentication decisions between two or more parties
• Strategy applies to government-to-citizen, consumer-to-business, business-to-business, and other transactions

To improve the trustworthiness and security of online transactions by facilitating the implementation of improved authentication technology and processes for government and private sector entities.

Page 7

Key Concepts (White House)

• The National Strategy will address critical components such as:
  – Encouraging the emergence of a ubiquitous federation of identity systems
  – Joint ownership and operational responsibility by both public and private sector entities
  – Identity services tailored to the requirements of the application domain (e.g., healthcare, tax, online banking, energy utilities, etc.)
  – Authentication of individuals that occurs at several authentication assurance levels, commensurate with the level of risk associated with the transaction
  – Governance processes structured in accordance with applicable laws and regulations
  – Use of open standards, wherever possible
  – Consistency with the Fair Information Practice Principles (FIPP) to protect individual privacy

Page 8

Overall Approach (White House)

[Process diagram; recovered text only]

Phases: Initial Development; Finalization and Delivery.
Stages: Development of Initial Draft; Initial Comment Period; Revise Draft; Finalize Strategy.

Activities:
• Inter-agency review
• Public engagement strategy and comment
• Federal Register notice
• Dep. Sec community outreach
• Additional stakeholder outreach
• Refine and finalize
• President signature and White House release
• Cyber Policy Review: Mid-Term Action Plan #13
• Socialize initial draft
• Stakeholder collaboration
• Collect comments
• Finalize media
• Stakeholder outreach
• Gather stakeholder requirements
• Collect input
• Analysis and draft development
• Parse stakeholder comments
• Issue “white glove” version
• Final review

Milestones: Stakeholders and outline finalized; Initial draft; 15-day inter-agency review; 30-day public review; Final draft; Comment matrix; Paper complete, POTUS ready.

Continuous stakeholder outreach and communications throughout.

Page 9

Strategy Development

• March 2010: draft issued from the White House to stakeholders
  – 2 weeks to respond with comments
  – 2 weeks to digest and re-issue a new draft
  – Several cycles
• June 25th 2010: NSTIC public draft published
  – Public comment period using a web tool allowing comments and voting on comments
• Public comments digested into the Strategy

Page 10

Public comment periods

• NSTIC public comment period on the Web
  – June 26th (www.nstic.ideascale.com)
  – 557 comments posted; many votes
  – SCA membership call to action: SCA and Identity Council members provided comments and voting along with many other people
  – SCA comment ranked #4 with 49 in agreement: need for strong two-factor authentication
• Department of Commerce NOI
  – Released July 28th, 2010; comments had to be submitted by September 20th, 2010
  – Asked many questions on several topics
  – SCA submitted comments on the Authentication/Identity Management and Product Assurance sections

Page 11

Presidential Strategy

• NSTIC Strategy will be signed by the President once finalized.
• Once signed it will be published
  – Perhaps in October (National Cybersecurity Awareness Month)
• It is only a strategy… but it’s a *very significant* start on the road to securing and trusting identity and transactions in cyberspace.

Page 12

NSTIC Implementation plan

• Implementation plan needed
• Standards, certifications, and definitions needed for interoperability
  – How many assurance levels? (OMB 04-04 has 4…)
  – Federated trust framework to be built
  – Identity brokers to be created and certified
  – Legal issues to be addressed (liability)
  – Enrolment and credentialing challenges of users
• Mechanisms for encouraging adoption needed
  – Grants, funding, legislation, etc.
• Public/private partnership needed to define the federated model and its components and make it work.

Page 13

Summary

• NSTIC is a major initiative to tackle the cyberspace identity problem and to define assurance practices for enabling authentication and trust.
• It allows for anonymity and variation up to fully identified and authenticated.
• It will require strong standards and certifications to be interoperable and gain usage and acceptance.
• It requires government adoption and provides private sector opportunities.
• It sets a framework for online authentication and grows online commerce.

Page 14

So how many cyberspace personae may you need?

• One (or more) for your given name and coordinates in society
• One (or more) for your professional career
• One (or more) for your social networking presence
• One (or more) for your blogging activities
• One (or more) for your on-line shopping needs
• One (or more) for your personal interests ;-)
• The list goes on…

• NSTIC strategy caters for all of the above.
• Identity brokers may offer a bundle of personae per individual.
• How many identity brokers would you use?
• Two-factor authentication for higher levels of assurance!

Page 15

Thank you

Neville Pattinson CISSP CIPP CSCIP
Smart Card Alliance Chairman; Identity Council Chairman
SVP Government Business, Gemalto Inc.
[email protected]
Phone +1 512 257 3982

Page 16

NSTIC: Enabling Secure Online Transactions

Copyright © 2010 Smart Card Alliance, Inc. All rights reserved.

Page 17

A National Identity Crisis

• Citizens today have the following documents to assert their identity in person:
  – Driving license or state-issued ID
  – US passport
  – Military ID (CAC)
  – Government ID (PIV)
  – Birth certificate
  – Social Security number
  – Credit cards (maybe)
  – etc.
• None of these work effectively online in the cyberspace / online commercial environment

Page 18

Real World versus Cyberspace

• In the real world we can be present and provide a physical document for asserting our identity: “Government-issued photo ID”
• In the virtual world, or cyberspace, we are very limited
  – Always filling in forms to sign up to online services
    • Names, addresses, phone numbers, mother’s maiden names, etc.
  – Possibly requiring SSNs
  – Possibly requiring credit card information
  – Onus put on the provider to verify and authenticate the applicant
  – Data breaches compromising personal identity information

Page 19

Mag Stripe rules

• We are dominated by financial transactions which use mag stripe. Fall-back to zip-zap embossed numbers or reading numbers.
  – Recent contactless payment (mag stripe emulation)
• Online: we enter card number, name, expiry date
  – Associated with a loose user ‘account’ after enrolment
  – CCV introduced for card-not-present
  – PayPal niche for payment disclosure and identity protection
• No Chip and PIN (EMV) in the US today
  – UNFCU issuing to US travelers

Page 20

What is used for an online financial transaction today?

• Understanding of who is transacting (identity/address) and with what
• Assurance that the merchant will get paid
• Assurance that the transaction is not fraudulent
• Merchant bears the cost if it is fraudulent
• Today every financial transaction is verified online back to the financial systems
• SSL (maybe) – transport layer only
• Fraud still evident and growing rapidly
  – Cards easily cloned
  – Card-not-present a major vulnerability

Page 21

What is needed for a secure online financial transaction?

• Identity assurance for account enrolment
  – Risk policy of the merchant to know identity or persona
• Two-factor authentication into the account
  – Lowest risk to the merchant
• End-to-end encryption (card to merchant)
  – EMV (Chip and PIN)
  – OTP (one-time password)
• A payment card with online security and identity capabilities?

Page 22

Persona integrity versus Risk

• A weakly authenticated persona may increase the risk to transaction integrity; therefore limit it to low-value transactional data exchanges (non-financial).
• A strongly authenticated persona reduces the risk to transaction integrity; therefore it enables high-value transactional exchanges (financial, legal, confidential data, etc.).
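As an added illustration of the principle on pages 7, 21 and 22 (authentication assurance commensurate with transaction risk, with a second factor required for higher-value transactions), here is a small Python policy evaluator. It is not part of this deck and is not NSTIC or Smart Card Alliance code. It derives a persona's assurance level from the factors presented at login and from whether the identity was proofed at enrolment, then allows, steps up to a one-time password, or denies a requested transaction class. Only the four-level count follows OMB 04-04 as cited on page 12; the factor-to-level mapping, the transaction-to-level mapping and the sample requests are constructed assumptions.

```python
"""Risk-based authorization: assurance level of a persona versus the
minimum level a transaction class requires.

Constructed example for illustration; the level mappings below are
assumptions, not the NSTIC or OMB 04-04 definitions."""

from dataclasses import dataclass
from enum import IntEnum


class AssuranceLevel(IntEnum):
    LEVEL_1 = 1  # anonymous persona: no identity proofing at enrolment
    LEVEL_2 = 2  # proofed identity, single factor (e.g. password)
    LEVEL_3 = 3  # proofed identity, two factors (password + OTP)
    LEVEL_4 = 4  # proofed identity, hardware token (smart card with PIN)


@dataclass(frozen=True)
class AuthEvidence:
    """What the persona presented in this session (constructed model)."""
    factors: frozenset            # subset of {"password", "otp", "smart_card"}
    identity_proofed: bool = False  # real-world identity verified at enrolment


def assurance_level(ev: AuthEvidence) -> AssuranceLevel:
    """Constructed mapping: proofing gates everything above LEVEL_1, then
    the strongest factor combination decides the level."""
    if not ev.identity_proofed or not ev.factors:
        return AssuranceLevel.LEVEL_1
    if "smart_card" in ev.factors:           # smart card + PIN = possession + knowledge
        return AssuranceLevel.LEVEL_4
    if {"password", "otp"} <= ev.factors:    # two distinct factors
        return AssuranceLevel.LEVEL_3
    return AssuranceLevel.LEVEL_2            # one factor, proofed


# Minimum level per transaction class (assumption): low-value, non-financial
# exchanges tolerate weak personas; financial and legal ones do not.
MIN_LEVEL = {
    "read_public_content": AssuranceLevel.LEVEL_1,
    "non_financial_exchange": AssuranceLevel.LEVEL_2,
    "financial_payment": AssuranceLevel.LEVEL_3,
    "legal_signature": AssuranceLevel.LEVEL_4,
}


def decide(ev: AuthEvidence, transaction: str) -> str:
    """Return 'allow', 'step_up_otp' or 'deny' for the requested transaction."""
    required = MIN_LEVEL[transaction]
    if assurance_level(ev) >= required:
        return "allow"
    # A proofed, password-only persona can reach LEVEL_3 by adding an OTP.
    # An unproofed persona cannot: proofing happens at enrolment, not at login.
    can_step_up = (ev.identity_proofed and "password" in ev.factors
                   and "otp" not in ev.factors
                   and required <= AssuranceLevel.LEVEL_3)
    return "step_up_otp" if can_step_up else "deny"


# Constructed sample requests: (persona description, evidence, transaction).
SAMPLE_REQUESTS = [
    ("anonymous blogger", AuthEvidence(frozenset({"password"})), "read_public_content"),
    ("anonymous blogger", AuthEvidence(frozenset({"password"})), "non_financial_exchange"),
    ("proofed shopper", AuthEvidence(frozenset({"password"}), True), "non_financial_exchange"),
    ("proofed shopper", AuthEvidence(frozenset({"password"}), True), "financial_payment"),
    ("proofed shopper + OTP", AuthEvidence(frozenset({"password", "otp"}), True), "financial_payment"),
    ("proofed shopper + OTP", AuthEvidence(frozenset({"password", "otp"}), True), "legal_signature"),
    ("PIV card holder", AuthEvidence(frozenset({"smart_card"}), True), "legal_signature"),
]


def run_samples() -> list:
    """Evaluate every sample request; returns the list of decisions in order."""
    return [decide(ev, txn) for _, ev, txn in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (who, ev, txn), outcome in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{who:22} L{assurance_level(ev)} {txn:24} -> {outcome}")
```

The step-up branch is the practical point: a merchant does not have to refuse a password-only customer outright for a payment, but can demand the second factor at the moment the risk rises, while an unproofed persona is refused because no extra login factor can substitute for enrolment-time identity assurance.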

Page 23

Summary

• NSTIC has great value in making a strong foundation for securing online transactions
• Two-factor authentication is essential for higher levels of transaction assurance
• Identity brokers need to:
  – Accept existing smart ID cards
  – Be able to issue new smart ID cards containing multiple personae
• Federated community must become pervasive

Page 24

When will N-STIC stick?

• How long to become pervasive?
• How will you get your NSTIC personae?
• Who will ‘police’ the federation?
• Compelling applications will drive adoption
• NSTIC likely to be measured in years

Page 25

Thank you

Neville Pattinson CISSP CIPP CSCIP
Smart Card Alliance Chairman; Identity Council Chairman
SVP Government Business, Gemalto Inc.
[email protected]
Phone +1 512 257 3982