identity in cyberspace: improving trust via public-private partnerships
DESCRIPTION
Identity in Cyberspace: Improving Trust via Public-Private Partnerships Jeremy Grant and Naomi Lefkovitz National Institute of Standards and Technology (NIST). Why We’re Here Today. Learn about the National Strategy for Trusted Identities in Cyberspace (NSTIC) - PowerPoint PPT PresentationTRANSCRIPT
1National Strategy for Trusted Identities in Cyberspace
Identity in Cyberspace:Improving Trust via Public-Private Partnerships
Jeremy Grant and Naomi LefkovitzNational Institute of Standards and Technology (NIST)
2National Strategy for Trusted Identities in Cyberspace
1. Learn about the National Strategy for Trusted Identities in Cyberspace (NSTIC)
2. Discuss how a government initiative can help improve online trust, reduce fraud and create new efficiencies in health care
3. Discuss the role your organizations can play in advancing the use of Trusted Identities in Cyberspace
Why We’re Here Today
3National Strategy for Trusted Identities in Cyberspace
Called for in President’s Cyberspace Policy Review (May 2009): a “cybersecurity focused identity management vision and strategy…that addresses privacy and civil-liberties interests, leveraging privacy-enhancing technologies for the nation.””
Guiding Principles• Privacy-Enhancing and Voluntary• Secure and Resilient• Interoperable• Cost-Effective and Easy To Use
NSTIC calls for an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”
What is NSTIC?
4National Strategy for Trusted Identities in Cyberspace
Usernames and passwords are broken
•Most people have 25 different passwords, or use the same one over and over •Even strong passwords are vulnerable…criminals have many paths to easily capture “keys to the kingdom”
•Rising costs of identity theft and data breaches– 11.6M U.S. victims (+13% YoY) in 2011 at a cost of $37 billion – 67% increase in # of Americans impacted by data breaches in 2011
(Source: Javelin Strategy & Research)– Health sector is #1 target: 43% of all 2011 US data breaches
(Source: Symantec Internet Security Report )
•A common vector of attack– Sony Playstation, Zappos, Lulzsec, Infragard among dozens
of 2011-12 breaches tied to passwords.
The Problem Today
5National Strategy for Trusted Identities in Cyberspace
The Problem Today
Source: 2012 Data Breach Investigations Report, Verizon and USSS
2011: 5 of the top 6 attack vectors are tied to passwords2010: 4 of the top 10
6National Strategy for Trusted Identities in Cyberspace
Identities are difficult to verify over the internet
•Numerous government services still must be conducted in person or by mail,leading to continual rising costs for state, local and federal governments
•Electronic health records could save billions, but can’t move forward without solving authentication challenge for providers and individuals
•Many transactions, such as signing an auto loan or a mortgage, are still considered too risky to conduct online due to liability risks
The Problem Today
New Yorker, July 5, 1993New Yorker, September 12, 2005Rob Cottingham, June 23, 2007
7National Strategy for Trusted Identities in Cyberspace
Identity Proofing is not always easy
The Problem Today
8National Strategy for Trusted Identities in Cyberspace
Privacy remains a challenge
• Individuals often must provide more personally identifiable information (PII) than necessary for a particular transaction
– This data is often stored, creating “honey pots” of information for cybercriminals to pursue
• Individuals have few practical means to control use of their information
The Problem Today
9National Strategy for Trusted Identities in Cyberspace
Personal Data is Abundant…and Growing
Source: World Economic Forum, “Rethinking Personal Data: Strengthening Trust,” May 2012
10National Strategy for Trusted Identities in Cyberspace
Trusted Identities provide a foundation
• Fight cybercrime and identity theft • Increased consumer confidence
• Offer citizens more control over when and how data is revealed• Share minimal amount of information
• Enable new types of transactions online• Reduce costs for sensitive transactions• Improve customer experiences
11National Strategy for Trusted Identities in Cyberspace
Apply for mortgage online with e-signature
Trustworthy critical service delivery
Security ‘built-into’ system to reduce user error
Privately post location to her friends
Secure Sign-On to state website
Online shopping with minimal sharing of PII
January 1, 2016The Identity Ecosystem: Individuals can choose among multiple identity providers and digital credentials for convenient, secure, and privacy-enhancing transactions anywhere, anytime.
12National Strategy for Trusted Identities in Cyberspace
We've proven that Trusted Identities matter
13National Strategy for Trusted Identities in Cyberspace
What does NSTIC call for?
14National Strategy for Trusted Identities in Cyberspace
Privacy and Civil Liberties are Fundamental
Increase privacy• Minimize sharing of unnecessary information• Minimum standards for organizations - such as
adherence to Fair Information Practice Principles (FIPPs)
Voluntary and private-sector led• Individuals can choose not to participate• Individuals who participate can choose from
public or private-sector identity providers• No central database is created
Preserves anonymity• Digital anonymity and pseudonymity supports
free speech and freedom of association
15National Strategy for Trusted Identities in Cyberspace
NSTIC National Program Office
• Charged with leading day-to-day coordination across government and the private sector in implementing NSTIC
• Funded with $16.5M for FY12
16National Strategy for Trusted Identities in Cyberspace
Federal Government As an Early Adopter
• Federal IdM activities are aligned through the Identity, Credential and Access Management (ICAM) Subcommittee
• Trust Framework Solutions: how the USG aligns with NSTIC • Secure, interoperable and privacy-enhancing process by which federal
agencies can leverage commercially issued digital identities and credentials
• Craft “USG profile” of widely used commercial identity protocols like OpenID and SAML to maximize security and privacy.
• Privacy criteria based on the FIPPs: Opt in; Minimalism; Activity Tracking; Adequate Notice; Non Compulsory; and Termination
• ICAMSC approves non-federal organizations to be the Trust Framework Providers (TFPs)
• The TFPs accredit commercial identity providers who agree to use the USG profiles and abide by the privacy criteria
17National Strategy for Trusted Identities in Cyberspace
Removing Barriers for Federal Adoption
•FCCX does the heavy lifting•Guaranteed interoperability of credentials across agencies•Offers citizens an easy path to more convenience•Each agency connects just once saving costs
OpenID/LOA1
SAML/LOA3
SAML/LOA3
OpenID/LOA1
18National Strategy for Trusted Identities in Cyberspace
Next Steps
19National Strategy for Trusted Identities in Cyberspace
What You Can Do
20National Strategy for Trusted Identities in Cyberspace
Questions?
Jeremy [email protected]
Naomi [email protected]