cis13: fccx and idesg: an industry perspectives

1 Na%onal Strategy for Trusted Iden%%es in Cyberspace

NSTIC in Mo+on Pilots, Policy and Progress Jeremy Grant Senior Execu+ve Advisor, Iden+ty Management Na+onal Ins+tute of Standards and Technology (NIST)


NSTIC Workshop Agenda

Sessions

1pm Part 1 •  “The State of the NSTIC” – Jeremy Grant

•  Pilot Report #1: MFA in the Commercial Sector – Cathy Tilton, Daon

2pm Part 2 •  Pilot Report #2: AKribute Exchange Network – Dave Coxe, Criterion Systems

•  Pilot Report #3: Scalable Privacy and MFA – Ken Klingenstein, Internet2

3pm Part 3 •  Iden%ty Ecosystem Steering Group (IDESG) – Bob Blakely, Ci%group

•  Federal Cloud Creden%al Exchange (FCCX) – Jeremy Grant (NIST) and Doug Glair (USPS)

•  NSTIC and the Na%onal Cybersecurity Center of Excellence (NCCoE) – Nate Lesser (NIST)

•  Discussion and Perspec%ves


State of the NSTIC


Imagine if…

Four years from now, 80% of your customers arrived at your website already holding a secure creden+al for iden+fica+on and authen+ca+on – and you could

trust this creden+al in lieu of your exis+ng username/password system.

Interoperable with your

login system (you don’t

have to issue creden%als)

Mul%-‐factor authen%ca%on

(no more password

management)

Tied to a robust iden%ty proofing mechanism (you know if they are who they claim

to be)

With baked-‐in rules to limit liability and protect privacy


What would this mean… For Security and Loss Preven+on? • 5 of the top 6 vectors of aKack in 2011 data breaches %ed to passwords; 76% of all 2012 records breached %ed to passwords.

• The number of Americans impacted by data breaches rose 67% from 2010 to 2011

• Weak iden%ty systems fuel online fraud, make it impossible to know who is a “dog on the Internet”

For Reducing Fric+on in Online Commerce? • Today, 75% of customers will avoid crea%ng new accounts. 54% leave the site or do not return

• Today, 45% of consumers will abandon a site rather than aKempt to reset their passwords or answer security ques%ons


Two years, two months and 24 days ago…

An Iden+ty Ecosystem…with 4 Guiding Principles •  Privacy-‐Enhancing and Voluntary •  Secure and Resilient •  Interoperable •  Cost-‐Effec%ve and Easy To Use


There is a marketplace today – but there are barriers the market has not yet addressed on its own

Why NSTIC?


Barriers: Security is a big issue

Source: 2012 Data Breach Inves%ga%ons Report, Verizon and USSS

2011: 5 of the top 6 aKack vectors are %ed to passwords 2010: 4 of the top 10


Business Models

But – it’s not all about security

Usability

Liability

Interoperability Privacy

Source: xkcd


There is a marketplace today – but there are barriers the market has not yet addressed on its own.

Government can serve as a convener and facilitator, and a catalyst.

Why NSTIC?


Our Implementa+on Strategy


We don’t want to boil the ocean.


Let’s go surfing where the waves are…

NSTIC


Private sector will lead the

effort

Federal government will provide support

• Not a government-‐run iden%ty program • Private sector is in the best posi%on to drive technologies and solu%ons…

• …and ensure the Iden%ty Ecosystem offers improved online trust and beKer customer experiences

• Support development of a private-‐sector led governance model

• Facilitate and lead development of interoperable standards

• Provide clarity on na%onal policy and legal issues (i.e., liability and privacy)

• Fund pilots to s%mulate the marketplace • Act as an early adopter to s%mulate demand

What does NSTIC call for?


Where do we stand?


The marketplace has started to respond


But instead of this…


…I now am managing one-‐off 2FA solu+ons for


NSTIC has funded 5 pilots…with more coming

AAMVA

• Focus: Develop public-‐private partnership to strengthen private-‐sector creden%als with aKributes from a state DMV

• Virginia DMV, Microsom, CA, AT&T are key partners

• Coming soon: an important health care RP

Daon

• Focus: deploy smartphone based, mul%-‐factor authen%ca%on to consumers

• AARP, PayPal, Purdue are key relying par%es

• A major bank (not yet publicly named) will also be an RP

Criterion

• Focus: develop a viable business model for Iden%ty Ecosystem and aKribute exchange

• Broadridge Financial, eBay, Wal-‐Mart, AOL, Verizon, GE, Experian, Lexis Nexis, Ping, CA, PacificEast are key partners

Internet2

• Focus: deploy smartphone based, mul%-‐factor authen%ca%on across 3 major universi%es, integrate it with a privacy-‐protec%ng infrastructure.

• MIT, University of Texas, University of Utah are deployment sites

Resilient

• Focus: test “privacy enhancing” infrastructure in health care and K-‐12 environments.

• AMA, American College of Cardiology, LexisNexis, Neustar, Knowledgefactor are key partners


Pilots lessons learned

Each pilot has run into the same challenges – underscoring the need for a robust Iden%ty Ecosystem Framework.

Common considera%ons:

o  No standard way to bring on new RP’s (technical/policy/legal) o  Exis%ng trust frameworks only go so far

o  RP’s struggle to sort out how to apply risk assessment to determine creden%al strength/LOA (800-‐63 aside, no great alterna%ves)

o  Trust frameworks do not extend to aKribute providers/verifiers

o  How to ensure “data minimiza%on” in aKribute exchange, when some APs offer “data promiscuity”

o  How to flow down consent requirements to end-‐users in a logical fashion


The Iden+ty Ecosystem Steering Group

Source: Phil Wolff, hKp://www.flickr.com/photos/philwolff/7789263898/in/photostream

First plenary, August 2012


The Iden+ty Ecosystem Steering Group: Bringing together many types of stakeholders


•  200+ firms/organiza%ons; 60+ individuals

•  Elected Plenary Chair (Bob Blakley/Ci%) and Management Council Chair (Peter Brown); Elected 16 delegates to Management Council

•  Member firms include: Verizon, Visa, PayPal, Fidelity, Ci%group, Mass Mutual, IBM, Bank of America, Microsom, Oracle, 3M, CA, Symantec, Lexis Nexis, Experian, Equifax, Neiman Marcus, Aetna, Merck, United Health, Intel.

•  Also: AARP, ACLU, EPIC, EFF, and more than 65 universi%es. Par%cipants from 12+ countries.

•  CommiKees include:


o Standards o Policy o Privacy o User Experience o Security

o Trust Frameworks & Trustmarks o Health Care o Financial Sector o Interna%onal Coordina%on


Linking Strategy to Execu+on

•  Voluntary, mul%-‐stakeholder collabora%ve efforts are hard.

•  What is the art of the possible?

•  What incen%ves might be needed to fully realize the NSTIC vision?


NSTIC envisions the poten+al need for new policies

“The Federal Government may need to establish or amend both policies and laws to address" concerns such as "the uncertainty and fear of unbounded liability that

have limited the market's growth.” -‐NSTIC, page 31

•  The IDESG Policy CommiKee is reviewing this topic

•  A unique window of opportunity


Ensuring the U.S. Government can be an early Adopter


Making progress in government is tough…


…but not impossible


Where we started FICAM (TFPAP)

TFP

MoUs

Cer+fica+on Agreements

IdP IdP

IdP

TFP

Integra%on

???

$$$!!!

RP RP

RP RP

Agencies

Current Agency Environment Ci%zens Government

A befer way Ci%zens Government

FCCX


New study shows real USG cost savings from NSTIC •  Funded by NIST Economic Analysis Office , conducted in partnership with the IRS

•  Focus: cost-‐benefit analysis comparing federa%on (NSTIC) approach vs. one-‐off proprietary authen%ca%on system

•  Looked at 3 scenarios: 20%, 50%, 70% adop%on


New study shows real USG cost savings from NSTIC Key Findings

•  Over a 10-‐year period, IRS would save $63 million to $298 million by aligning its ci%zen-‐facing iden%ty and authen%ca%on efforts with NSTIC (vs. building a stovepiped, IRS-‐only system)

•  Up-‐front adop%on savings would be $40 million to $111 million

•  Savings driven both by avoidance of duplica%ve iden%ty proofing and authen%ca%on costs, as well as increased customer uptake of online offerings

•  Opportunity: IRS spent over $1 billion communica%ng with taxpayers on paper and by telephone in 2012


A final thought


$2 Trillion

The total projected online retail sales across the G20 na%ons in 2016

$2.5 trillion What this number can grow to if consumers believe the Internet is

more worthy of their trust

$1.5 Trillion

What this number will fall to if Trust is eroded

Trust mafers to online business

Source: Rethinking Personal Data: Strengthening Trust. World Economic Forum, May 2012.


Ques+ons?

Jeremy Grant [email protected] 202.482.3050 Iden+ty Ecosystem Steering Group www.idecosytem.org [email protected]


NSTIC Workshop Agenda

Sessions

1pm Part 1 •  “The State of the NSTIC” – Jeremy Grant

•  Pilot Report #1: MFA in the Commercial Sector – Cathy Tilton, Daon

2pm Part 2 •  Pilot Report #2: AKribute Exchange Network – Dave Coxe, Criterion Systems

•  Pilot Report #3: Scalable Privacy and MFA – Ken Klingenstein, Internet2

3pm Part 3 •  Iden%ty Ecosystem Steering Group (IDESG) – Bob Blakely, Ci%group

•  Federal Cloud Creden%al Exchange (FCCX) – Jeremy Grant (NIST) and Doug Glair (USPS)

•  NSTIC and the Na%onal Cybersecurity Center of Excellence (NCCoE) – Nate Lesser (NIST)

•  Discussion and Perspec%ves


Created to administer the development of policies, standards, and accreditaHon processes for the Iden&ty Ecosystem

Framework.

www.idecosystem.org
