Transport and Security Standards Work Group
New Directions In Identity
Paul Grassi, Senior Standards and Technology Advisor
Existing Challenges (slide 2)
- Well-rounded pilots hitting diverse user set
- FCCX Goes Live
- Market Discovery
- Attribute Providers
- Internet of Things
- Consumer-Centric
- Deployment Costs
- Standards Gaps
- Embedded Privacy
- Identification of policy and technical overlays
- NSTIC Launch
- IDE Sustaining
- Timeline axis: 2012 2013 2014 2015
- Envision It!?
- True Interoperability
- RP Integration + Cost
- Public and Private Sectors
- Liability
- Attributes
Envision It (soon we hope)! (slide 3)
But we have partially realized so many - http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf
NIST Coverage of Identity Services (slide 5)
Chart legend: No coverage; Partial coverage, to include other D/A documentation; Full coverage; Needs refreshing
Where We Will Focus in FY14/15 (slide 6)
- Codify privacy enhancing profiles
- Enhance/Establish ‘standard’ to establish confidence, trustworthiness, and privacy preservation (zero knowledge, derived, minimal disclosure)
- Address portability of preferred credentials and relying party accounts
- BYOI
- Revisit and retool existing standards to address current market state and flex to innovation
- Develop new standards that increase IE participation
- Increase participation in commercial open standards
- Mobility, Cloud, Shared Services
- Simplify, accelerate, and reduce the cost of ICAM implementations
- Focus beyond the PIV
- Establish RP toolkits
- Identify and foster innovation from untapped sources
- IOT Identity
- Non-intrusive security model
- Continuous monitoring and assessment
Assurance – What Would You Think If? (slide 7)
- Componentized Trust and Assurance Elements and Supported Assembly of ‘Vectors of Trust’
- NIST just measured authentication performance/strength/usability?
- Got rid of LOA?
- What else could we do to turn these docs on their head to enhance the IE?
- Developed a private sector companion to 800-63?
Vectors of Trust – Discussion Example (slide 8)
Components: Identity Proofing [IP], Assertion Presentation [AP], Credential Strength [CS], Binding [B]
Provider Supported Components and Levels:
- Provider 1: IP[ ] CS[ ] AP[ ] B[ ]
- Provider 2: CS[ ] AP[ ] B[ ]
- Provider 3: IP[ ]
Relying Party: Risk Tolerance; Individual Choice
New Standard? Market/Trust Framework Driven Levels
DISCUSSION ONLY – CONCEPTUAL FOR ILLUSTRATION AND PROVOCATION PURPOSES
Other Components? (slide 9)
- Reputation of subject
- Reputation of IdP
- Additional external claims (presumably signed by third party)
- Heuristic Compensating Controls
- Endpoint Security
- Trusted Identities
- Organization Maturity
- Business Process
- Legal
- Other
- Liability
- Contractual strength
- Account recovery
- Credential revocation
- Incident response
- OpSec
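To make the "Vectors of Trust" idea from slide 8 concrete, here is an added example (not code from the presentation or from NIST) of how a relying party could encode its risk tolerance as minimum component levels and check each provider's advertised components against it. The dotted text encoding "IP2.CS3.AP1.B2", the numeric scale, and the provider levels are assumptions for this example; the slide leaves the levels blank. The component set can be extended with entries from the "Other Components?" slide by adding them to the known set.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Component labels come from the slide: Identity Proofing, Credential
// Strength, Assertion Presentation, Binding. Extra components from the
// "Other Components?" slide could be added here if an RP wanted them.
var knownComponents = map[string]bool{"IP": true, "CS": true, "AP": true, "B": true}

// Vector maps a component label to the level a provider supports (or the
// minimum an RP demands). Higher means stronger; the scale is an assumption.
type Vector map[string]int

// ParseVector reads the dotted "IP2.CS3.AP1.B2" encoding (an assumption for
// this example). It rejects unknown components, non-numeric levels and a
// component stated twice, so a malformed vector never silently passes.
func ParseVector(s string) (Vector, error) {
	v := Vector{}
	for _, tok := range strings.Split(strings.TrimSpace(s), ".") {
		i := 0
		for i < len(tok) && (tok[i] < '0' || tok[i] > '9') {
			i++
		}
		name, lvl := tok[:i], tok[i:]
		if !knownComponents[name] {
			return nil, fmt.Errorf("unknown component %q in %q", name, tok)
		}
		n, err := strconv.Atoi(lvl)
		if err != nil {
			return nil, fmt.Errorf("bad level %q for component %s", lvl, name)
		}
		if _, dup := v[name]; dup {
			return nil, fmt.Errorf("component %s given twice", name)
		}
		v[name] = n
	}
	return v, nil
}

// Missing lists the components of the RP's minimum that an offer does not
// meet, either absent or below the required level. Empty means acceptable;
// a non-empty list is what an RP toolkit would show to explain a rejection.
func Missing(rpMin, offer Vector) []string {
	var out []string
	for c, need := range rpMin {
		if got, ok := offer[c]; !ok || got < need {
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out
}

// Eligible returns the providers whose advertised vector satisfies the RP's
// risk tolerance. The user picks among them (the slide's "Individual Choice").
func Eligible(rpMin Vector, providers map[string]Vector) []string {
	var out []string
	for name, v := range providers {
		if len(Missing(rpMin, v)) == 0 {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: the three providers from the slide with made-up levels.
	rpMin, _ := ParseVector("IP2.CS2.AP1.B2")
	providers := map[string]Vector{}
	for name, s := range map[string]string{
		"Provider 1": "IP3.CS3.AP2.B2",
		"Provider 2": "CS3.AP2.B3",
		"Provider 3": "IP3",
	} {
		v, err := ParseVector(s)
		if err != nil {
			panic(err)
		}
		providers[name] = v
	}
	fmt.Println("eligible:", Eligible(rpMin, providers))
	for name, v := range providers {
		fmt.Printf("%s missing %v\n", name, Missing(rpMin, v))
	}
}
```

With the constructed levels only Provider 1 covers every component the RP requires; Provider 2 lacks proofing and Provider 3 offers proofing alone, which is the situation the slide's sparse provider rows hint at.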
Attributes – What Should Happen? (slide 10)
Options: Do Nothing; Address Root Causes; Let RP’s Decide
Meta-Attributes: Confidence/Truthiness; Liability; Security and Privacy; Governance; Exchange
- Informs Dependent Standards
- Performance Metrics
- Risk Tolerance
- Market Attribute Registries
- Include attributes in next ‘800-63’
Privacy By Design (slide 11)
[Diagram: User Record 12345 with attributes ABCDDDEE held at the CSP; attribute sets AADDFEE and ABCDE / AADDFEE flowing to Agency 1 and Agency 2]
Designed specifically to ensure that privacy requirements of anonymity, unlinkability and unobservability are built in from the start. In simple terms, this means that private organizations that issue citizens credentials – and the agencies that accept them – will have no way to track where citizens use them.
But…
- Attributes flow freely through FCCX
- If they didn’t, RP’s would get them on their own (inconsistently)
- “Let the RP Figure It Out” is the wrong answer!
So...We Need A Privacy Profile (slide 12)
[Diagram: Double Blind Architecture. The Authentication Request passes through the Broker; after User Consent, the Response + Encrypted Attributes return through the Broker to the RP]
1. CSP/AP can’t know the RP
2. Broker can’t see the attributes
3. Standard and Protocol Agnostic
4. RP can’t know CSP
5. Minimal Changes to Infrastructure (but we may soften this requirement)
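The double-blind requirements on this slide can be checked against a small working model. The following is an added example, not code from the presentation, from FCCX or from NIST, showing one way the response leg could satisfy requirements 1, 2 and 4: the CSP/AP seals the attributes to the RP's public key (AES-256-GCM content key wrapped with RSA-OAEP), so the broker forwards them without being able to read them, and the broker replaces the CSP-issued subject identifier with an HMAC-derived pairwise pseudonym, so the RP never sees the CSP's identifier and two RPs cannot correlate the same user. The key sizes, the OAEP label, the pseudonym derivation and the sample attributes are assumptions for this example; the request leg, consent capture and key distribution to the CSP are out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const oaepLabel = "brokered-attributes" // constructed; binds the key wrap to this use

// AttributeEnvelope is what the CSP/AP hands to the broker: attributes sealed
// under a fresh AES-256-GCM key, that key wrapped to the RP's RSA public key.
// The broker can route it but not open it (requirement 2 on the slide).
type AttributeEnvelope struct {
	WrappedKey []byte // RSA-OAEP(rpPub, contentKey)
	Nonce      []byte // AES-GCM nonce, fresh per envelope
	Ciphertext []byte // AES-GCM(contentKey, attributes)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// cspSeal runs at the CSP/AP. The broker passes it only the RP's public key,
// never the RP's identity (requirement 1).
func cspSeal(rpPub *rsa.PublicKey, attrs []byte) (AttributeEnvelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return AttributeEnvelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return AttributeEnvelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return AttributeEnvelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rpPub, key, []byte(oaepLabel))
	if err != nil {
		return AttributeEnvelope{}, err
	}
	return AttributeEnvelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, attrs, nil)}, nil
}

// rpOpen runs at the RP, the only party holding the private key. A modified
// envelope fails GCM authentication and yields an error, not garbage.
func rpOpen(rpPriv *rsa.PrivateKey, env AttributeEnvelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, rpPriv, env.WrappedKey, []byte(oaepLabel))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Broker is the double-blind hub. Its secret turns the CSP-issued subject
// identifier into a different pseudonym for every RP, so the RP never sees
// the CSP's identifier (requirement 4) and two RPs cannot correlate a user.
type Broker struct{ secret []byte }

// BrokeredResponse is what the RP receives after user consent.
type BrokeredResponse struct {
	Subject  string            // pairwise pseudonym, meaningful only to this RP
	Envelope AttributeEnvelope // forwarded unchanged and unread
}

func (b Broker) pairwiseID(cspSubject, rpID string) string {
	mac := hmac.New(sha256.New, b.secret)
	mac.Write([]byte(rpID + "\x00" + cspSubject))
	return hex.EncodeToString(mac.Sum(nil))[:32]
}

// Relay is the broker's only action on the response: swap the identifier and
// forward the sealed attributes.
func (b Broker) Relay(cspSubject, rpID string, env AttributeEnvelope) BrokeredResponse {
	return BrokeredResponse{Subject: b.pairwiseID(cspSubject, rpID), Envelope: env}
}

func main() {
	rpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	attrs := []byte(`{"given_name":"Ada","birthdate":"1990-01-01"}`) // constructed sample
	env, err := cspSeal(&rpKey.PublicKey, attrs)
	if err != nil {
		panic(err)
	}
	broker := Broker{secret: []byte("constructed-broker-secret")}
	resp := broker.Relay("csp-subject-42", "rp-agency-1", env)
	plain, err := rpOpen(rpKey, resp.Envelope)
	if err != nil {
		panic(err)
	}
	fmt.Printf("RP sees subject %s and attributes %s\n", resp.Subject, plain)
}
```

Requirement 3 (standard and protocol agnostic) is why the envelope is plain bytes rather than a SAML or OpenID Connect construct: it can ride inside whichever assertion format the broker already relays. The broker's secret is the sensitive asset in this design; anyone holding it can recompute the pairwise identifiers and re-link users across RPs, so it deserves the same protection as a signing key.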
In Summary (slide 13)
- Rebooting and Reinvigorating Our Commitment to Identity and Access Management
- We Are Not Special
- We Need to Adopt Private Sector Identity Innovation
- We All Need to Stop Talking Amongst Ourselves
- RP’s and Users Rule
- Be On The Lookout For Upcoming Public/Private Engagement Opportunities
Contact Information (slide 14)
United States Department of Commerce, National Institute of Standards and Technology
Paul Grassi, CISSP
Senior Standards and Technology Advisor, NSTIC
Information Technology Laboratory
1401 Constitution Ave. NW, Rm. 2069, Washington, DC 20230
W: 202.482.8349
M: 703.786.8275
Email: email@example.com