1 / 20

Identity in Cyberspace: Improving Trust via Public-Private Partnerships

Identity in Cyberspace: Improving Trust via Public-Private Partnerships Jeremy Grant and Naomi Lefkovitz National Institute of Standards and Technology (NIST). Why We’re Here Today. Learn about the National Strategy for Trusted Identities in Cyberspace (NSTIC)

mercer
Download Presentation

Identity in Cyberspace: Improving Trust via Public-Private Partnerships

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Identity in Cyberspace: Improving Trust via Public-Private Partnerships Jeremy Grant and Naomi Lefkovitz National Institute of Standards and Technology (NIST)

  2. Why We’re Here Today • Learn about the National Strategy for Trusted Identities in Cyberspace (NSTIC) • Discuss how a government initiative can help improve online trust, reduce fraud and create new efficiencies in health care • Discuss the role your organizations can play in advancing the use of Trusted Identities in Cyberspace

  3. What is NSTIC? Called for in President’s Cyberspace Policy Review (May 2009): a “cybersecurity focused identity management vision and strategy…that addresses privacy and civil-liberties interests, leveraging privacy-enhancing technologies for the nation.”” Guiding Principles • Privacy-Enhancing and Voluntary • Secure and Resilient • Interoperable • Cost-Effective and Easy To Use NSTIC calls for an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”

  4. The Problem Today Usernames and passwords are broken • Most people have 25 different passwords, or use the same one over and over • Even strong passwords are vulnerable…criminals have many paths to easily capture “keys to the kingdom” • Rising costs of identity theft and data breaches • 11.6M U.S. victims (+13% YoY) in 2011 at a cost of $37 billion • 67% increase in # of Americans impacted by data breaches in 2011 (Source: Javelin Strategy & Research) • Health sector is #1 target: 43% of all 2011 US data breaches (Source: Symantec Internet Security Report ) • A common vector of attack • Sony Playstation, Zappos, Lulzsec, Infragard among dozens of 2011-12 breaches tied to passwords.

  5. The Problem Today 2011: 5 of the top 6 attack vectors are tied to passwords 2010: 4of the top 10 Source: 2012 Data Breach Investigations Report, Verizon and USSS

  6. The Problem Today Identities are difficult to verify over the internet • Numerous government services still must be conducted in person or by mail,leading to continual rising costs for state, local and federal governments • Electronic health records could save billions, but can’t move forward without solving authentication challenge for providers and individuals • Many transactions, such as signing an auto loan or a mortgage, are still considered too risky to conduct online due to liability risks Rob Cottingham, June 23, 2007 New Yorker, September 12, 2005 New Yorker, July 5, 1993

  7. The Problem Today • Identity Proofing is not always easy

  8. The Problem Today • Privacy remains a challenge • Individuals often must provide more personally identifiable information (PII) than necessary for a particular transaction • This data is often stored, creating “honey pots” of information for cybercriminals to pursue • Individuals have few practical means to control use of their information

  9. Personal Data is Abundant…and Growing Source: World Economic Forum, “Rethinking Personal Data: Strengthening Trust,” May 2012

  10. Trusted Identities provide a foundation • Enable new types of transactions online • Reduce costs for sensitive transactions • Improve customer experiences • Offer citizens more control over when and how data is revealed • Share minimal amount of information • Fight cybercrime and identity theft • Increased consumer confidence

  11. January 1, 2016 The Identity Ecosystem: Individuals can choose among multiple identity providers and digital credentials for convenient, secure, and privacy-enhancing transactions anywhere, anytime. Online shopping with minimal sharing of PII Apply for mortgage online with e-signature Cost-effectiveand easy to use Privacy-enhancing Secure Interoperable Trustworthy critical service delivery Secure Sign-On to state website Security ‘built-into’ system to reduce user error Privately post location to her friends

  12. We've proven that Trusted Identities matter

  13. What does NSTIC call for?

  14. Privacy and Civil Liberties are Fundamental • Increase privacy • Minimize sharing of unnecessary information • Minimum standards for organizations - such as adherence to Fair Information Practice Principles (FIPPs) • Voluntary and private-sector led • Individuals can choose not to participate • Individuals who participate can choose from public or private-sector identity providers • No central database is created • Preserves anonymity • Digital anonymity and pseudonymity supports free speech and freedom of association

  15. NSTIC National Program Office • Charged with leading day-to-day coordination across government and the private sector in implementing NSTIC • Funded with $16.5M for FY12

  16. Federal Government As an Early Adopter • Federal IdM activities are aligned through the Identity, Credential and Access Management (ICAM) Subcommittee • Trust Framework Solutions: how the USG aligns with NSTIC • Secure, interoperable and privacy-enhancing process by which federal agencies can leverage commercially issued digital identities and credentials • Craft “USG profile” of widely used commercial identity protocols like OpenID and SAML to maximize security and privacy. • Privacy criteria based on the FIPPs: Opt in; Minimalism; Activity Tracking; Adequate Notice; Non Compulsory; and Termination • ICAMSC approves non-federal organizations to be the Trust Framework Providers (TFPs) • The TFPs accredit commercial identity providers who agree to use the USG profiles and abide by the privacy criteria

  17. Removing Barriers for Federal Adoption OpenID/LOA1 OpenID/LOA1 SAML/LOA3 • FCCX does the heavy lifting • Guaranteed interoperability of credentials across agencies • Offers citizens an easy path to more convenience • Each agency connects just once saving costs SAML/LOA3

  18. Next Steps

  19. What You Can Do

  20. Questions? Jeremy Grant jgrant@nist.gov 202.482.3050 Naomi Lefkovitz naomi.lefkovitz@nist.gov 301.975.2924

More Related