CIS13: More NSTIC Pilots: Scalable Privacy and Multi-factor Authentication and Attribute Exchange Network

Dave Coxe, CEO, Criterion Systems
Ken Klingenstein, Director, Middleware and Security, Internet2
NSTIC pilots presentations continue; we begin with a presentation of the Attribute Exchange Network being deployed across a number of commercial participants by ID/Dataweb, and then we provide an overview of the framework Internet2 is building for “scalable privacy” and multi-factor authentication.


Transcript

  • 1. Criterion NSTIC Pilot Presentation Ping Cloud Identity Summit – July 9, 2013 David Coxe Work described in this presentation was supported by the National Strategy for Trusted Identities in Cyberspace (NSTIC) National Program Office and the National Institute of Standards and Technology (NIST). The views in this presentation do not necessarily reflect the official policies of the NIST or NSTIC, nor does mention by trade names, commercial practices, or organizations imply endorsement by the U.S. Government.
  • 2. Agenda – Attribute Exchange Network
    •  Overview
      –  NSTIC AXN Pilots
      –  AXN Business Model
      –  Potential NSTIC Pilot Relying Parties (RPs)
      –  Benefits to RPs
    •  AXN Services Framework
    •  Demonstration
    •  Pilot Schedule
    •  Lessons Learned
    •  Summary
    © 2013 Criterion Systems, Inc. Proprietary and Confidential. Criterion Systems, Inc. retains ownership of its proprietary information in this presentation.
  • 3. NSTIC AXN Pilots
    Pilot Program Outcome: Implement a user-centric online Identity Ecosystem and demonstrate an Attribute Exchange Trust Framework using the ID Dataweb (IDW) Attribute Exchange Network (AXN).
    Project Approach:
    •  Demonstrate online attribute exchange operations and basic features of an attribute exchange trust framework
      –  User, AP, IdP, and RP interfaces and process/data flows
      –  Legal, policy, and technical interoperability, security, and scalability
      –  Business and market monetization models
      –  Assessor roles and processes
    Project Objectives:
    •  Simplify AP, RP, and IdP participation, deploy new online services and demonstrate asset monetization via the IDW AXN platform using:
      –  Real-time AP online verification services
      –  Out-of-band verification services: SMS to device, device IDs, postal mail AP service (PIN code mail piece)
    •  Live user data from commercial and government RPs
    •  RP billing (monthly) and AP/IdP transaction/payment statements
    •  Commercial contracts and Terms of Service that transition pilots to commercial operations
    NSTIC Pilot Use Case Scenarios:
    •  Basic Use Case scenarios will initially be limited to key identity attributes: Name, E-mail, Address, Telephone number (NEAT), plus sending one-time passwords via SMS to a mobile device
    •  Increasingly complex and advanced Use Cases will include additional attributes, interoperability between an OpenID or SAML credential, CAC/PIV card credentials, and identity linkage to end-user devices
    •  For each RP Use Case: free market trial of verified attribute services for 180 days or 50,000 users, whichever occurs first
  • 4. The AXN Business Model and Technical Infrastructure
    •  Aligns business objectives of the Identity Ecosystem participants
      –  Overcome historical implementation barriers – everyone benefits
      –  Expand RP participation to efficiently service and monetize existing markets
      –  Create new business channels currently underserved by the Identity Ecosystem
    •  Enables a neutral Internet-scale credential and attribute monetization platform
      –  Efficient, open, competitive transaction and contractual hub
      –  Unencumbered by legacy business models, regulations, and technologies
      –  Free to users, lowers RP costs, and new market potential for IdPs and APs
    •  Promotes user trust, online security, and privacy protective services
      –  Designed to implement and positively transform the online identity ecosystem
    AXN Business Model – Requirements and Solutions:
    •  Affordable: AXN serves as a reseller – an open, competitive attribute exchange marketplace
    •  Neutral for User: free to users – the RP pays for credential authentication and attribute verification services to support its risk mitigation (LOA) requirements
    •  Online Attribute Verification and Claims Management Services: 75% of the market cannot be efficiently serviced by the large APs; the AXN creates a new AP sales channel and enhances online security
    •  Efficient online identity ecosystems: a contractual and transaction hub to enable the “Internet” effect; IdPs, RPs, APs, and the TFP increase revenue, reduce costs, and increase trust
  • 5. The First Year NSTIC Use Cases (Pending Final Approval)
    •  Broadridge – Use Case: B to C, Investor Communications – RP Service: Fluent, Online Application Platform for Investor Communications
    •  General Electric (GE) – Use Case: B to C, B to B, Multiple Market Verticals – RP Service: Various Service Sector Applications; Corporate, Partner and Consumer Account Access
    •  DHS/FEMA (MIT Lincoln Labs) – Use Case: G to G, G to C, First Responders – RP Service: First USA Services; Account creation and login for the First USA disaster response collaboration portal
    •  eBay – Use Case: B to C, C to C, Retail – RP Service: Retail Seller and Buyer Account Creation and Login
  • 6. AXN Services Framework
    IdP Services:
    •  Credential: OpenID 2.0, SAML 2.0, IMI 1.0
    •  Protocol: OAuth 2.0, SAML 2.0, Other
    •  LOA: LOA 1-4
    •  Cert/TF: FICAM, OIX, Kantara, Other
    AP Services:
    •  Attributes: NEAT, SS, DOB, Gender, Corp
    •  Verification Quality: Refresh Rate, Coverage, Sources, Data Types
    •  Physical: Device ID, BIO, Card, Other
    •  Pricing: Per Transaction, Per User Per Year, Annual License
    •  Cert/TF: FICAM, OIX, Kantara, Other
    RP Services:
    •  Enroll: Business Purpose, Attribute Selection, Claims Refresh Rate, IdP & RP Selections, User Preferences, Contract
    •  LOA: LOA 1-4
    •  Admin: Logs, Reporting, Billing, Contract Management
    •  Cert/TF: FICAM, OIX, Kantara, Other
    User Services:
    •  Attributes: Not Stored In AXN, Self Asserted, Data Minimization
    •  PDS: PII, Preferences, ABAC, Encrypted, External Store
    •  MAX: User Only, Personal Control and Security, Acct Linking, Federated Access Via RP
    [Diagram: the Attribute Exchange Network (AXN) Proxy sits between the user, Identity Providers (IdP), Relying Parties (RP), Attribute Providers (AP), the Trust Framework Provider (TFP), Assessors & Auditors, and Dispute Resolvers. AXN Services: Billing, Pricing and Analytics, Acct Management, Service Provisioning, Contracting, Policy Management, Marketing, Transaction Management, Registration, Operations and Security, Logs, Reporting, Administration, Audit, User Interface.]
  • 7. AXN Identity Federation Services – My Attribute Exchange (MAX)
    1.  Credential Federation
      •  Verified attributes are used to create new or bind to existing user accounts
    2.  Personal Data Services (PDS)
      •  User attribute data is not stored in the AXN
      •  PDS data is presented via MAX to create and manage RP accounts
      •  User-centric, privacy protective, secure, and federated
      •  No cost to user
    3.  User Managed Admin (UMA) Console
      •  Authenticated users have federated access at each RP
      •  Created when a user first opts in to share their verified attribute claims via the AXN with an RP
      •  Users can securely manage PDS attributes shared with an RP service accessed by an IdP credential
      •  Enables the user to link and unlink multiple IdP credentials
  • 8. AXN Business Services
    •  Credential transaction management services
      –  The IdP authenticates user credentials as a service to RPs registered on the AXN
      –  RP credential requirements for a given LOA (e.g., 1 – 4), type (e.g., SAML, OpenID, IDI), and trust framework certifications
    •  Personal (PII) attribute verification and claims management services
      –  RPs designate which PII attributes they require from users
      –  User-asserted, verified attributes and claims are shared with RPs with user permission
      –  Device ID and biometric attributes are verified as required for RP authorization transactions
    •  Preference attribute management services
      –  RPs can designate preferences to display for users when interacting with the RP service
    •  Attribute Based Access Control (ABAC) management services
      –  RPs select authoritative role-based attributes for users to assert when accessing their service
    •  User Managed Access (UMA) attribute services
      –  UMA services define how users (as resource owners) can control protected-resource access by requesting parties
  • 9. AXN Technology Roadmap – Trust Elevation Services
    Device Attribute Verification Services
    •  Mobile Device Verification Services
      –  Users log in using a trusted mobile device registered and managed on the AXN via MAX
      –  Secure device ID service ensures user RP accounts can only be accessed using a trusted device
    •  Computer Verification Services
      –  Over 600 million computers with Trusted Platform Modules (TPMs) can be managed via the AXN
      –  Windows 8 requires TPMs on a wide range of devices from desktops to smart phones
    Biometric Attribute Verification Services
    •  Cloud-based Voice, Retinal, Photo and Fingerprint Verification Services
      –  Daon, CGI, and others
    •  Integration with Authoritative AP Services
      –  e.g., driver license attributes and photos
    ABAC Services
    •  Fine-grained Policy Authorization Services
    •  UMA Services to Dynamically Control Access to RP Data and Services
  • 10. AXN Privacy – By Design
    •  AXN legal agreements
      –  Standardized agreements with regulatory flow-down terms from IdPs and APs
      –  Limit PII collection to what is necessary to accomplish the specified purpose(s)
      –  Accountability and audit to protect PII through appropriate safeguards
    •  AXN as a proxy – no single service provider can gain a complete picture of a user’s activity
    •  The AXN data management design mitigates potential threats
      –  Does not create a central data store of verified user attributes
      –  Security and privacy enhancing technology is built into the AXN infrastructure
    •  Users opt in to each control process for collection, verification, and distribution of attributes
      –  User Admin console for attribute and credential management
      –  Only the minimum necessary information is shared in a transaction (FIPPs)
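The proxy and data-minimisation rules from slides 8 and 10 (RP declares required attributes at enrolment, user opts in per RP, AP verifies only what is requested, AXN retains no attribute values), as an added Python model that is not part of the presentation or of the ID Dataweb platform; the RP, AP and user records are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class RelyingParty:
    rp_id: str
    business_purpose: str
    required: frozenset  # attribute names declared at RP enrolment


@dataclass
class AttributeProvider:
    ap_id: str
    reference: dict  # constructed authoritative records keyed by e-mail

    def verify(self, email, attrs):
        """Return {attr: bool} for the requested attrs only; the AP sees nothing else."""
        return {a: self.reference.get(email, {}).get(a) == v for a, v in attrs.items()}


@dataclass
class AXN:
    """Proxy: holds RP enrolments, user opt-ins and a log with no attribute values."""
    rps: dict = field(default_factory=dict)
    consent: dict = field(default_factory=dict)  # (user, rp_id) -> attrs opted in
    log: list = field(default_factory=list)  # identifiers and metadata only

    def enroll_rp(self, rp):
        self.rps[rp.rp_id] = rp

    def opt_in(self, user, rp_id, attrs):
        # Consent beyond what the RP declared is dropped (data minimisation).
        self.consent[(user, rp_id)] = set(attrs) & self.rps[rp_id].required

    def exchange(self, user, rp_id, pds, ap):
        """One RP transaction: verify only required, consented attributes from the
        user's PDS (passed per call, never stored here) and return claims."""
        rp = self.rps[rp_id]
        allowed = self.consent.get((user, rp_id), set())
        if not rp.required <= allowed:
            self.log.append({"user": user, "rp": rp_id, "result": "denied",
                             "missing": sorted(rp.required - allowed)})
            return None
        requested = {a: pds[a] for a in rp.required}
        results = ap.verify(user, requested)
        claims = {a: {"value": v, "verified": results[a]} for a, v in requested.items()}
        self.log.append({"user": user, "rp": rp_id, "ap": ap.ap_id,
                         "attrs": sorted(rp.required), "result": "ok"})
        return claims


def run_demo():
    """Constructed walk-through: a retail RP needs name and e-mail; the user opts in to
    name, e-mail and address, so address is never requested from the PDS or the AP."""
    axn = AXN()
    axn.enroll_rp(RelyingParty("rp-retail", "seller account creation",
                               frozenset({"name", "email"})))
    ap = AttributeProvider("ap-demo", {"alice@example.com": {
        "name": "Alice Example", "email": "alice@example.com", "phone": "555-0100"}})
    pds = {"name": "Alice Example", "email": "alice@example.com",
           "address": "1 Main St", "phone": "555-0100"}
    axn.opt_in("alice@example.com", "rp-retail", ["name", "email", "address"])
    return axn, axn.exchange("alice@example.com", "rp-retail", pds, ap)
```

The RP receives only the two attributes it enrolled for, the AP is asked about only those two, and the AXN log records which attributes were exchanged but not their values.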
  • 11. AXN Demonstration With Broadridge Fluent
  • 12. Broadridge Fluent (SM) – Copyright 2013 Broadridge
    Fluent is a communications exchange that centrally manages communications across internal and external channels supporting customer choice.
    Fluent:
    •  Enables new communication channels (approved by firm)
    •  Validates client identities across channels
    •  Captures preferences and consents on behalf of firm across channels
    •  Facilitates distribution of content across consumer channels
    •  Ensures security and regulatory compliance
    •  Provides insight into the effectiveness of communications
    •  Ensures comprehensive audit trail to measure compliance
    [Diagram: Broadridge Fluent (Channel Management, Preference, Identity, Insight) as an innovative consumer experience, linking firm web sites and apps (banking, brokerage, mortgage, credit cards) with consumer channels (e-mail, social, global digital mail, newsstands/tablets, future).]
  • 13. The Nature of Communications is rapidly evolving
    •  Firms continue to spend millions of dollars to migrate customers to e-delivery; these efforts have leveled out below initial expectations
      –  All industries: 14% of transactional documents suppressed
      –  With the exception of retail banking, limited adoption of firm web sites (brokerage, mortgage, credit cards, …)
      –  A poor client experience has been the primary obstacle
    •  Meanwhile the web has migrated from a B to C experience to a C to B experience, with new channels emerging daily
    •  Opportunity costs within financial services alone approach $20 billion annually
  • 14. 2012-2014 Attribute Exchange Pilots – Pilot Project Life Cycle
    1.  Assess
    2.  Proof of Concept (POC)
    3.  Basic Operations
    4.  Advanced
    5.  On Going Operations
    •  Evaluate – incorporate lessons learned and repeat WBS element 1.0
    •  Assess, for subsequent Use Case implementations (1.0)
    [Gantt chart: Relying Party Use Case by task/month, Oct-12 through Sep-14, with a line reflecting May 1. Rows for Use Case RP#1 (Broadridge), RP#2 (eBay), RP#3 (DHS/MIT), RP#4 (GE) and RP#5 through RP#8 (unassigned), each moving through Assess, POC, Basic Operations, Advanced and Graduate, with a legend marking production-ready status; each use case is planned at 10,000 user verifications per month for five months once in operation. Project launch, Year 1 and Year 2 pilot project operations; monthly totals of verified users peak at 50,000 and sum to 400,000 across the two years.]
  • 15. Lessons Learned
    •  RPs are the customer, and will drive market requirements, adoption, and policy controls.
    •  Emerging Trust Frameworks are being driven by Communities of Interest (COI) who seek market operational efficiencies through business, legal, technical and policy interoperability.
    •  Credential federation requires policy changes to enable significant security, user experience (SSO and account creation), and business benefits.
    •  Current IdP and RP business practices do not always conform to FIPPs, and need to be managed.
    •  A rigorous Privacy Evaluation Methodology (PEM) implementation resulted in significant benefits
      –  AXN technical and architectural enhancements
      –  Privacy protective enhancements as core messaging in the AXN marketing strategy
    •  RP risk mitigation strategies (for a required LOA) lack consistency
      –  Emerging user-centric trust elevation technologies are scalable, cost effective and interoperable.
      –  Trust Marks could be used to objectively promote confidence in various combinations of authentication methods, verified user attributes, and attribute claims from device identities, biometric technologies, etc.
      –  It would be helpful to map these risk mitigation methods to NIST SP 800-63.
  • 16. Summary
    •  2013 - 2014 AX initiatives will define how to…
      –  Protect and extend customer relationships online
      –  Increase revenue with existing service infrastructure through new online channels
      –  Manage organizational risks with cost effective solutions
      –  Reduce online fraud and identity theft while enhancing brand
      –  Improve User online experience, increase User trust and transaction volumes, and reduce related costs
    •  Neutral market platform for the emerging identity ecosystem
    •  Online attribute monetization platform – unencumbered by legacy business models, regulations and technologies