Presentation on theme: "The National Institute Of Standards And Technology(NIST) Identity Management Program Jim Dray, IDMS Program Manager Identity Solutions Workshop & Symposium."— Presentation transcript:
The National Institute Of Standards And Technology(NIST) Identity Management Program Jim Dray, IDMS Program Manager Identity Solutions Workshop & Symposium Arkansas State University, February 2007
NISTs Role From automated teller machines and atomic clocks to mammograms and semiconductors, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology. Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST carries out its mission in four cooperative programs: 1. The NIST Laboratories, conducting research that advances the nation's technology infrastructure and is needed by U.S. industry to continually improve products and services; 2. The Baldrige National Quality Program, which promotes performance excellence among U.S. manufacturers, service companies, educational institutions, and health care providers; conducts outreach programs and manages the annual Malcolm Baldrige National Quality Award which recognizes performance excellence and quality achievement; 3. The Manufacturing Extension Partnership, a nationwide network of local centers offering technical and business assistance to smaller manufacturers; and 4. The Advanced Technology Program, which accelerates the development of innovative technologies for broad national benefit by co-funding R&D partnerships with the private sector. (This program is phasing out; no new awards are being made.) NIST has an operating budget of about $930 million and operates in two locations: Gaithersburg, Md., (headquarters234- hectare/578-acre campus) and Boulder, Colo., (84-hectare/208-acre campus). NIST employs about 2,900 scientists, engineers, technicians, and support and administrative personnel. About 1,800 NIST associates complement the staff. In addition, NIST partners with 1,400 manufacturing specialists and staff at nearly 350 affiliated centers around the country.
Background NIST/ITL/Computer Security Divisions Smart Card Research Program initiated 1988 –Reprogrammable cards –Data Encryption Standard –Digital Signature Standard (PKI) Government Smart Card Program –May 2000 –General Services Administrations Smart Access Common ID Card contract –NISTIR 6887: Government Smart Card Interoperability Specifications Homeland Security Presidential Directive 12 –August 2004 –Standardize and improve the security of Federal employee and contractor identification –Personal Identity Verification Program –Commerce Dept. (NIST) responsible for technical architecture and standards –Federal Information Processing Standard 201 and associated Special Publications
What Is An IDMS? An Identity Management System is any system that creates, issues, uses, and terminates electronic identities. In other words, an Identity Management System provides lifecycle management for the digital credential sets that represent electronic identities.
What Is The Problem? A recent Better Business Bureau survey 1 estimates that the cost of identity fraud will reach $56.6 billion in the U.S. 2006. This is just the tip of the iceberg, because the survey does not address other factors such as the loss of consumer confidence, and risks associated with failure to identify terrorists crossing U.S. borders. Despite this, modern identity management systems are evolving as islands with minimal interoperability. This leads to an unmanageable proliferation of electronic identities. 1 http://www.javelinstrategy.com/research
Limitations Of Current Practice Many entities in the private and public sectors across the world are working on IDM. The fact that any research on identity management leads to an over- dose of technical and business, legal, sociological, and policy information and approaches suggests that there is already much duplication of efforts and possibly not enough cooperation and synthesis, at least at the international level. BACKGROUND PAPER ON DIGITAL IDENTITY MANAGEMENT (OECD Working Party on Information Security and Privacy, October 2006)
Observations From The Porvoo 10 Meeting 2005 Manchester Ministerial Directive: The EU will have interoperable eID systems by 2010 CEN standards for European Citizen Card, ISO 24727 Member states at different stages of deployment, heterogeneous approaches Huge identity federation problem! Lack of understanding of IDMS and federation models –Microsoft WS-* Web Services –Shibboleth –Liberty Alliance –TLS/X.509 (Italy) http://www.porvoo10.net
Identity Management Systems Program Part of the NIST Information Technology Laboratory reorganization Three new ITL program areas –Complex Systems –Information Sharing, Discovery and Use –Identity Management Systems Official program start date October 2006
IDMS Program Vision Apply core ITL competencies in measurement science and standards development to improve identity management technology and promote widespread use of secure, scalable, and manageable electronic identification systems.
IDMS Program Projects FY07-08 Personal Identity Verification(PIV) ISO 24727 Biometrics Global eID Non-human identification
What Is Unique About Our Approach? Data collection and analysis –Many worked examples –Clarify use cases Common IDMS models Metrics and tests Standards –Front end technologies Biometrics Smart cards and tokens –Architectures –Federation ITL can help unify and integrate the IDMS world
IDMS Program Benefits Current identity-related work is scattered across ITL divisions IDMS program integrates these efforts, provides a unified vision Stronger focus on leveraging ITL core competencies to address the IDMS problem set Single contact point for external interactions
Themes And Long Term Plan Front end identification technologies –Merge PIV and 24727 into a hardware token project –Continue biometrics work IDMS architectures –Interoperability –Research Collaborations with industry and academia Standards, metrics and conformance testing User control of personal information NIST does not establish government policy
Thoughts On The Future Privacy –User control –Back end system controls, legal and procedural Confusion between demographic info and pure identity –Randomly generated bit string –Is my street address an identifier or a demographic attribute? Credential classes –Universal credential set issued by a trusted party (drivers license) –Compartmentalized credential sets issued by independent parties –Core credential set, augmented as needed on demand Smart tokens –Can support many of the above requirements/scenarios –$: Physical tokens only represent a small percentage of the per-seat deployment and operational cost of an IDMS –Fine grained user control of electronic credentials stored on a token ultimately requires one unique shared authenticator per credential
Thank You! Jim Dray Identity Management Systems Program Manager NIST Information Technology Laboratory firstname.lastname@example.org, 301-975-3356