CIS13: FCCX and IDESG: An Industry Perspectives
•
0 j'aime•802 vues
Jeremy Grant, Senior Executive Advisor, Identity Management, NIST (US Government)
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à CIS13: FCCX and IDESG: An Industry Perspectives
Similaire à CIS13: FCCX and IDESG: An Industry Perspectives (20)
Plus de CloudIDSummit
Plus de CloudIDSummit (20)
Dernier
Dernier (20)
CIS13: FCCX and IDESG: An Industry Perspectives
- 1. 1 Na%onal Strategy for Trusted Iden%%es in Cyberspace NSTIC in Mo+on Pilots, Policy and Progress Jeremy Grant Senior Execu+ve Advisor, Iden+ty Management Na+onal Ins+tute of Standards and Technology (NIST)
- 2. 2 Na%onal Strategy for Trusted Iden%%es in Cyberspace NSTIC Workshop Agenda Sessions 1pm Part 1 • “The State of the NSTIC” – Jeremy Grant • Pilot Report #1: MFA in the Commercial Sector – Cathy Tilton, Daon 2pm Part 2 • Pilot Report #2: AKribute Exchange Network – Dave Coxe, Criterion Systems • Pilot Report #3: Scalable Privacy and MFA – Ken Klingenstein, Internet2 3pm Part 3 • Iden%ty Ecosystem Steering Group (IDESG) – Bob Blakely, Ci%group • Federal Cloud Creden%al Exchange (FCCX) – Jeremy Grant (NIST) and Doug Glair (USPS) • NSTIC and the Na%onal Cybersecurity Center of Excellence (NCCoE) – Nate Lesser (NIST) • Discussion and Perspec%ves
- 3. 3 Na%onal Strategy for Trusted Iden%%es in Cyberspace State of the NSTIC
- 4. 4 Na%onal Strategy for Trusted Iden%%es in Cyberspace Imagine if… Four years from now, 80% of your customers arrived at your website already holding a secure creden+al for iden+fica+on and authen+ca+on – and you could trust this creden+al in lieu of your exis+ng username/password system. Interoperable with your login system (you don’t have to issue creden%als) Mul%-‐factor authen%ca%on (no more password management) Tied to a robust iden%ty proofing mechanism (you know if they are who they claim to be) With baked-‐in rules to limit liability and protect privacy
- 5. 5 Na%onal Strategy for Trusted Iden%%es in Cyberspace What would this mean… For Security and Loss Preven+on? • 5 of the top 6 vectors of aKack in 2011 data breaches %ed to passwords; 76% of all 2012 records breached %ed to passwords. • The number of Americans impacted by data breaches rose 67% from 2010 to 2011 • Weak iden%ty systems fuel online fraud, make it impossible to know who is a “dog on the Internet” For Reducing Fric+on in Online Commerce? • Today, 75% of customers will avoid crea%ng new accounts. 54% leave the site or do not return • Today, 45% of consumers will abandon a site rather than aKempt to reset their passwords or answer security ques%ons
- 6. 6 Na%onal Strategy for Trusted Iden%%es in Cyberspace Two years, two months and 24 days ago… An Iden+ty Ecosystem…with 4 Guiding Principles • Privacy-‐Enhancing and Voluntary • Secure and Resilient • Interoperable • Cost-‐Effec%ve and Easy To Use
- 7. 7 Na%onal Strategy for Trusted Iden%%es in Cyberspace There is a marketplace today – but there are barriers the market has not yet addressed on its own Why NSTIC?
- 8. 8 Na%onal Strategy for Trusted Iden%%es in Cyberspace Barriers: Security is a big issue Source: 2012 Data Breach Inves%ga%ons Report, Verizon and USSS 2011: 5 of the top 6 aKack vectors are %ed to passwords 2010: 4 of the top 10
- 9. 9 Na%onal Strategy for Trusted Iden%%es in Cyberspace Business Models But – it’s not all about security Usability Liability Interoperability Privacy Source: xkcd
- 10. 10 Na%onal Strategy for Trusted Iden%%es in Cyberspace There is a marketplace today – but there are barriers the market has not yet addressed on its own. Government can serve as a convener and facilitator, and a catalyst. Why NSTIC?
- 11. 11 Na%onal Strategy for Trusted Iden%%es in Cyberspace Our Implementa+on Strategy
- 12. 12 Na%onal Strategy for Trusted Iden%%es in Cyberspace We don’t want to boil the ocean.
- 13. 13 Na%onal Strategy for Trusted Iden%%es in Cyberspace Let’s go surfing where the waves are… NSTIC
- 14. 14 Na%onal Strategy for Trusted Iden%%es in Cyberspace Private sector will lead the effort Federal government will provide support • Not a government-‐run iden%ty program • Private sector is in the best posi%on to drive technologies and solu%ons… • …and ensure the Iden%ty Ecosystem offers improved online trust and beKer customer experiences • Support development of a private-‐sector led governance model • Facilitate and lead development of interoperable standards • Provide clarity on na%onal policy and legal issues (i.e., liability and privacy) • Fund pilots to s%mulate the marketplace • Act as an early adopter to s%mulate demand What does NSTIC call for?
- 15. 15 Na%onal Strategy for Trusted Iden%%es in Cyberspace Where do we stand?
- 16. 16 Na%onal Strategy for Trusted Iden%%es in Cyberspace The marketplace has started to respond
- 17. 17 Na%onal Strategy for Trusted Iden%%es in Cyberspace But instead of this…
- 18. 18 Na%onal Strategy for Trusted Iden%%es in Cyberspace …I now am managing one-‐off 2FA solu+ons for
- 19. 19 Na%onal Strategy for Trusted Iden%%es in Cyberspace NSTIC has funded 5 pilots…with more coming AAMVA • Focus: Develop public-‐private partnership to strengthen private-‐sector creden%als with aKributes from a state DMV • Virginia DMV, Microsom, CA, AT&T are key partners • Coming soon: an important health care RP Daon • Focus: deploy smartphone based, mul%-‐ factor authen%ca%on to consumers • AARP, PayPal, Purdue are key relying par%es • A major bank (not yet publicly named) will also be an RP Criterion • Focus: develop a viable business model for Iden%ty Ecosystem and aKribute exchange • Broadridge Financial, eBay, Wal-‐Mart, AOL, Verizon, GE, Experian, Lexis Nexis, Ping, CA, PacificEast are key partners Internet2 • Focus: deploy smartphone based, mul%-‐ factor authen%ca%on across 3 major universi%es, integrate it with a privacy-‐ protec%ng infrastructure. • MIT, University of Texas, University of Utah are deployment sites Resilient • Focus: test “privacy enhancing” infrastructure in health care and K-‐12 environments. • AMA, American College of Cardiology, LexisNexis, Neustar, Knowledgefactor are key partners
- 20. 20 Na%onal Strategy for Trusted Iden%%es in Cyberspace Pilots lessons learned Each pilot has run into the same challenges – underscoring the need for a robust Iden%ty Ecosystem Framework. Common considera%ons: o No standard way to bring on new RP’s (technical/policy/legal) o Exis%ng trust frameworks only go so far o RP’s struggle to sort out how to apply risk assessment to determine creden%al strength/LOA (800-‐63 aside, no great alterna%ves) o Trust frameworks do not extend to aKribute providers/verifiers o How to ensure “data minimiza%on” in aKribute exchange, when some APs offer “data promiscuity” o How to flow down consent requirements to end-‐users in a logical fashion
- 21. 21 Na%onal Strategy for Trusted Iden%%es in Cyberspace The Iden+ty Ecosystem Steering Group Source: Phil Wolff, hKp://www.flickr.com/photos/philwolff/7789263898/in/photostream First plenary, August 2012
- 22. 22 Na%onal Strategy for Trusted Iden%%es in Cyberspace The Iden+ty Ecosystem Steering Group: Bringing together many types of stakeholders
- 23. 23 Na%onal Strategy for Trusted Iden%%es in Cyberspace • 200+ firms/organiza%ons; 60+ individuals • Elected Plenary Chair (Bob Blakley/Ci%) and Management Council Chair (Peter Brown); Elected 16 delegates to Management Council • Member firms include: Verizon, Visa, PayPal, Fidelity, Ci%group, Mass Mutual, IBM, Bank of America, Microsom, Oracle, 3M, CA, Symantec, Lexis Nexis, Experian, Equifax, Neiman Marcus, Aetna, Merck, United Health, Intel. • Also: AARP, ACLU, EPIC, EFF, and more than 65 universi%es. Par%cipants from 12+ countries. • CommiKees include: The Iden+ty Ecosystem Steering Group o Standards o Policy o Privacy o User Experience o Security o Trust Frameworks & Trustmarks o Health Care o Financial Sector o Interna%onal Coordina%on
- 24. 24 Na%onal Strategy for Trusted Iden%%es in Cyberspace Linking Strategy to Execu+on • Voluntary, mul%-‐stakeholder collabora%ve efforts are hard. • What is the art of the possible? • What incen%ves might be needed to fully realize the NSTIC vision?
- 25. 25 Na%onal Strategy for Trusted Iden%%es in Cyberspace NSTIC envisions the poten+al need for new policies “The Federal Government may need to establish or amend both policies and laws to address" concerns such as "the uncertainty and fear of unbounded liability that have limited the market's growth.” -‐NSTIC, page 31 • The IDESG Policy CommiKee is reviewing this topic • A unique window of opportunity
- 26. 26 Na%onal Strategy for Trusted Iden%%es in Cyberspace Ensuring the U.S. Government can be an early Adopter
- 27. 27 Na%onal Strategy for Trusted Iden%%es in Cyberspace Making progress in government is tough…
- 28. 28 Na%onal Strategy for Trusted Iden%%es in Cyberspace …but not impossible
- 29. 29 Na%onal Strategy for Trusted Iden%%es in Cyberspace Where we started FICAM (TFPAP) TFP MoUs Cer+fica+on Agreements IdP IdP IdP TFP Integra%on ??? $$$!!! RP RP RP RP Agencies
- 30. Current Agency Environment Ci%zens Government
- 31. A befer way Ci%zens Government FCCX
- 32. 32 Na%onal Strategy for Trusted Iden%%es in Cyberspace New study shows real USG cost savings from NSTIC • Funded by NIST Economic Analysis Office , conducted in partnership with the IRS • Focus: cost-‐benefit analysis comparing federa%on (NSTIC) approach vs. one-‐off proprietary authen%ca%on system • Looked at 3 scenarios: 20%, 50%, 70% adop%on
- 33. 33 Na%onal Strategy for Trusted Iden%%es in Cyberspace New study shows real USG cost savings from NSTIC Key Findings • Over a 10-‐year period, IRS would save $63 million to $298 million by aligning its ci%zen-‐facing iden%ty and authen%ca%on efforts with NSTIC (vs. building a stovepiped, IRS-‐only system) • Up-‐front adop%on savings would be $40 million to $111 million • Savings driven both by avoidance of duplica%ve iden%ty proofing and authen%ca%on costs, as well as increased customer uptake of online offerings • Opportunity: IRS spent over $1 billion communica%ng with taxpayers on paper and by telephone in 2012
- 34. 34 Na%onal Strategy for Trusted Iden%%es in Cyberspace A final thought
- 35. 35 Na%onal Strategy for Trusted Iden%%es in Cyberspace $2 Trillion The total projected online retail sales across the G20 na%ons in 2016 $2.5 trillion What this number can grow to if consumers believe the Internet is more worthy of their trust $1.5 Trillion What this number will fall to if Trust is eroded Trust mafers to online business Source: Rethinking Personal Data: Strengthening Trust. World Economic Forum, May 2012.
- 36. 36 Na%onal Strategy for Trusted Iden%%es in Cyberspace Ques+ons? Jeremy Grant jgrant@nist.gov 202.482.3050 Iden+ty Ecosystem Steering Group www.idecosytem.org idecosystem@trustedfederal.com
- 37. 37 Na%onal Strategy for Trusted Iden%%es in Cyberspace NSTIC Workshop Agenda Sessions 1pm Part 1 • “The State of the NSTIC” – Jeremy Grant • Pilot Report #1: MFA in the Commercial Sector – Cathy Tilton, Daon 2pm Part 2 • Pilot Report #2: AKribute Exchange Network – Dave Coxe, Criterion Systems • Pilot Report #3: Scalable Privacy and MFA – Ken Klingenstein, Internet2 3pm Part 3 • Iden%ty Ecosystem Steering Group (IDESG) – Bob Blakely, Ci%group • Federal Cloud Creden%al Exchange (FCCX) – Jeremy Grant (NIST) and Doug Glair (USPS) • NSTIC and the Na%onal Cybersecurity Center of Excellence (NCCoE) – Nate Lesser (NIST) • Discussion and Perspec%ves
- 38. 38 Na%onal Strategy for Trusted Iden%%es in Cyberspace
- 39. 39 Na%onal Strategy for Trusted Iden%%es in Cyberspace Created to administer the development of policies, standards, and accreditaHon processes for the Iden&ty Ecosystem Framework. www.idecosystem.org The Iden+ty Ecosystem Steering Group