TFTM 01-02 TFTM Committee working call to discuss how to describe the “IDESG-Acknowledged Identity Ecosystem” in its interim or long term state. 2013 November.

Presentation transcript:

TFTM TFTM Committee working call to discuss how to describe the “IDESG-Acknowledged Identity Ecosystem” in its interim or long term state
November
IDESG TFTM Committee 1
NOTE: The notes section of each slide captures the discussion about that slide from the October 30 meeting.

Contents of this deck
- The Value of establishing an IDESG-Acknowledged ID Ecosystem (interim or long-term)
- Discussion of the nature of “Interim” versus “Longer term”
- Some possible descriptions of the IDESG-Acknowledged ID Ecosystem
* These slides should be modified as needed to circle in on the description of “What” we are working to establish
IDESG TFTM Committee 2 October 30 Call

Some assumptions
- There will be an IDESG-Acknowledged ID Ecosystem
- Participation will grow over time
- Structures will evolve and requirements will become better-defined over time
- Adherence to the NSTIC Guiding Principles is mandatory
- The NSTIC Derived Requirements might be used as a mechanism to demonstrate adherence to the principles

The NSTIC ID Ecosystem* will consist of different online communities that use interoperable technology, processes, and policies
*Source: The NSTIC Strategy Document
* The term “online communities”, while not perfect, should be used until IDESG determines the best replacement term and creates an IDESG Vision statement

ID Ecosystem?
[Figure labels: ID Ecosystem Framework Rules; Online Communities; Arrows = Inter-community interactions]

Rationale and Value

The rationale for establishing an IDESG-Acknowledged ID Ecosystem (interim or long-term) is:
- The same as establishing any Standards-based program
- To acknowledge the conforming participants from the Internet ID Ecosystem
- To influence service providers to use sound practices
- To signal to service consumers that there are minimum acceptable standards of operation

The value in participating
- To enable identity solution and ‘online community’ participants to be recognized as being or strive to become recognized as participating in the IDESG-acknowledged ID Ecosystem
- For the cross-endorsement of participants to instill trusted brand power and the beginnings of a network effect for identity solution trust brands
  - i.e. The companies would not identify with it if it brings their brand into disrepute
- To assure consumers/citizens/individuals that certain standards have been met and policies & practices are in place
- To act as a finding aid for identity services consumers to locate ‘trustworthy’ service providers
- To enable participants to promote participation as a service differentiator

What is “Interim”

The sense of “Interim”
- An initial group (as identified by IDESG) of ‘online communities’ which demonstrate that they meet the basic requirements of the Interim stage
  - E.g. have been certified and accredited by an IDESG-vetted accreditation body
  - E.g. self-assert that they satisfy the NSTIC Derived Requirements
- A period of time prior to a declared start date of an IDESG-acknowledged ID Ecosystem in which potential participants can prepare for and receive accreditation
- A period during which any identity solutions can self-assert participation and satisfy requirements
- A Transition period would be required to formally verify the validity of these claims

IDESG-Acknowledged Interim Ecosystem: Described

What is the Interim thing?
Consists of a few or several ‘Online Communities’ that are well-defined, well-governed, in operation, appear to be stable, satisfy the NSTIC Derived Requirements and have a positive track record of privacy and security management

These ‘Online Communities’:
- Have community-defined, documented and enforced: Interoperability Standards; Shared risk model; Privacy policy, requirements and accountability mechanisms; Liability policy and requirements
- Have community-defined, documented and enforced: Policy, standards and processes that govern the activities of community members
- Can demonstrate that they satisfy all of the NSTIC Derived Requirements
- Can describe the types of community-member interactions or transactions that rely on identity- or attribute-related services
- Can demonstrate a track record of consistent application of the Community Rules; and the ability to detect, respond to and repair security and privacy breaches
- Have policies and processes for adding new members and revoking membership in the Community
- Have documented processes for handling interactions with entities that are not community members
- Have a business model that appears to support the activities of the Community

TFTM TFTM Committee working call to discuss how to describe the “IDESG-Acknowledged Identity Ecosystem” in its interim or long term state
November 06 Call
IDESG TFTM Committee 14
NOTE: The notes section of each slide captures the discussion about that slide from the October 30 meeting.
November 6 Call Starts Here

A Few Quick Points
- Rationale for Interim state:
  - To influence Online Communities & Participants towards conformance with IDESG Requirements
  - To start a virtuous cycle of association of IDESG brand with highly visible companies, brands and associations
  - To demonstrate elements of the Value Proposition for participating in the IDESG-Acknowledged ID Ecosystem
  - To learn and fine tune tactics for the longer term
- Consider using “Initial” instead of “Interim” to keep evolution/maturity concepts

IDESG-Acknowledged ID Ecosystem – Interim/Initial State Description
- Consists of a few or several ‘Online Communities’ that are well-defined, well-governed, in operation, appear to be stable, satisfy the NSTIC Derived Requirements and have a positive track record of privacy and security management.
- ‘Online Communities’ have documented & self-defined ‘Trust Frameworks’ and use one or more ‘ID Solutions’: Federated Authentication/Credentials; Web Single Sign On; Centralized/Directory Authentication

Requirements Gathering
1. Start with the NPO NSTIC Derived Requirements (as a proxy for the Guiding Principles)
2. Determine Legal Requirements: What contracts needed? Is IDESG liable or providing implicit warranty? What Trust Mark licensing is needed for Interim state?
3. Determine Operational Requirements
4. ???

Selecting The Initial Participants
- Use ‘Online Communities’ as the granularity of participant selection
- Pick which interaction/transaction types should be showcased in the first group of ‘Online Communities’: C2G; G2C; B2B; B2C (hopefully mostly on the ‘B’ and ‘C’ end)
- Select ‘Online Communities’ that have strong brand power and high visibility to non-Identity-Focused companies, individuals and organizations
- Select ‘Online Communities’ that use 3rd party Certification & Accreditation of their participants
- Select based on large total number of Individuals, Businesses and Organizations in the ‘Online Community’?
- All viable NSTIC Pilot Grant Awardees plus ‘big name’ Federations?

Feature Preferences?
If you had to pick one or two of…
- Non-password credentials only
- Credential/Authentication portability/interoperability between initial group of ‘Online Communities’
  - i.e. The Individual observes that they can use a single credential to access a range of services that previously had their own unique credentials/user accounts
- Multiple or Single Industry Sector focus?
- Public sector-verified attributes available for private sector transactions?
- Improvements to security, privacy, usability and interoperability that result in real but ‘Invisible’ benefits?
- ???

Business Scenario Preferences?
- Do we describe (and choose initial participants based on) a single scenario that is difficult to do using non-IDESG-Acknowledged ID Solutions, but would be less frustrating from end to end?
- Do we choose initial ‘Online Communities’ that are mature and sound at the expense of interoperability between those ‘Online Communities’?
- Do we choose based on a preferred outcome? E.g. fraud reduction; seamless user experience; retail experience efficiency; proof that stronger credentials are possible and easy to use; proof that externalization of authentication is good for business
- Do we choose to emphasize added value for one or several primary Participants (e.g. the Individual, the IDP/CSP, the eService Provider/RP) or do we value balanced benefit more?

Next Steps?
- Andrew to start writing up the document
- And…?