CIS13: FCCX and IDESG: An Industry Perspective

Jeremy Grant, Senior Executive Advisor, Identity Management, NIST (US Government)

  • 1. National Strategy for Trusted Identities in Cyberspace. NSTIC in Motion: Pilots, Policy and Progress. Jeremy Grant, Senior Executive Advisor, Identity Management, National Institute of Standards and Technology (NIST)
  • 2. NSTIC Workshop Agenda
    1pm, Part 1:
    • "The State of the NSTIC" – Jeremy Grant
    • Pilot Report #1: MFA in the Commercial Sector – Cathy Tilton, Daon
    2pm, Part 2:
    • Pilot Report #2: Attribute Exchange Network – Dave Coxe, Criterion Systems
    • Pilot Report #3: Scalable Privacy and MFA – Ken Klingenstein, Internet2
    3pm, Part 3:
    • Identity Ecosystem Steering Group (IDESG) – Bob Blakley, Citigroup
    • Federal Cloud Credential Exchange (FCCX) – Jeremy Grant (NIST) and Doug Glair (USPS)
    • NSTIC and the National Cybersecurity Center of Excellence (NCCoE) – Nate Lesser (NIST)
    • Discussion and Perspectives
  • 3. State of the NSTIC
  • 4. Imagine if… Four years from now, 80% of your customers arrived at your website already holding a secure credential for identification and authentication – and you could trust this credential in lieu of your existing username/password system.
    • Interoperable with your login system (you don't have to issue credentials)
    • Multi-factor authentication (no more password management)
    • Tied to a robust identity proofing mechanism (you know if they are who they claim to be)
    • With baked-in rules to limit liability and protect privacy
  • 5. What would this mean…
    For Security and Loss Prevention?
    • 5 of the top 6 vectors of attack in 2011 data breaches tied to passwords; 76% of all 2012 records breached tied to passwords.
    • The number of Americans impacted by data breaches rose 67% from 2010 to 2011
    • Weak identity systems fuel online fraud, make it impossible to know who is a "dog on the Internet"
    For Reducing Friction in Online Commerce?
    • Today, 75% of customers will avoid creating new accounts. 54% leave the site or do not return
    • Today, 45% of consumers will abandon a site rather than attempt to reset their passwords or answer security questions
  • 6. Two years, two months and 24 days ago… An Identity Ecosystem…with 4 Guiding Principles
    • Privacy-Enhancing and Voluntary
    • Secure and Resilient
    • Interoperable
    • Cost-Effective and Easy To Use
  • 7. Why NSTIC? There is a marketplace today – but there are barriers the market has not yet addressed on its own
  • 8. Barriers: Security is a big issue. 2011: 5 of the top 6 attack vectors are tied to passwords. 2010: 4 of the top 10. Source: 2012 Data Breach Investigations Report, Verizon and USSS
  • 9. But – it's not all about security: Business Models, Usability, Liability, Interoperability, Privacy. Source: xkcd
  • 10. Why NSTIC? There is a marketplace today – but there are barriers the market has not yet addressed on its own. Government can serve as a convener and facilitator, and a catalyst.
  • 11. Our Implementation Strategy
  • 12. We don't want to boil the ocean.
  • 13. Let's go surfing where the waves are… NSTIC
  • 14. What does NSTIC call for?
    Private sector will lead the effort:
    • Not a government-run identity program
    • Private sector is in the best position to drive technologies and solutions…
    • …and ensure the Identity Ecosystem offers improved online trust and better customer experiences
    Federal government will provide support:
    • Support development of a private-sector led governance model
    • Facilitate and lead development of interoperable standards
    • Provide clarity on national policy and legal issues (i.e., liability and privacy)
    • Fund pilots to stimulate the marketplace
    • Act as an early adopter to stimulate demand
  • 15. Where do we stand?
  • 16. The marketplace has started to respond
  • 17. But instead of this…
  • 18. …I now am managing one-off 2FA solutions for
  • 19. NSTIC has funded 5 pilots…with more coming
    AAMVA
    • Focus: Develop public-private partnership to strengthen private-sector credentials with attributes from a state DMV
    • Virginia DMV, Microsoft, CA, AT&T are key partners
    • Coming soon: an important health care RP
    Daon
    • Focus: deploy smartphone-based, multi-factor authentication to consumers
    • AARP, PayPal, Purdue are key relying parties
    • A major bank (not yet publicly named) will also be an RP
    Criterion
    • Focus: develop a viable business model for Identity Ecosystem and attribute exchange
    • Broadridge Financial, eBay, Wal-Mart, AOL, Verizon, GE, Experian, LexisNexis, Ping, CA, PacificEast are key partners
    Internet2
    • Focus: deploy smartphone-based, multi-factor authentication across 3 major universities, integrate it with a privacy-protecting infrastructure.
    • MIT, University of Texas, University of Utah are deployment sites
    Resilient
    • Focus: test "privacy enhancing" infrastructure in health care and K-12 environments.
    • AMA, American College of Cardiology, LexisNexis, Neustar, Knowledgefactor are key partners
  • 20. Pilots lessons learned. Each pilot has run into the same challenges – underscoring the need for a robust Identity Ecosystem Framework. Common considerations:
    o No standard way to bring on new RPs (technical/policy/legal)
    o Existing trust frameworks only go so far
    o RPs struggle to sort out how to apply risk assessment to determine credential strength/LOA (800-63 aside, no great alternatives)
    o Trust frameworks do not extend to attribute providers/verifiers
    o How to ensure "data minimization" in attribute exchange, when some APs offer "data promiscuity"
    o How to flow down consent requirements to end-users in a logical fashion
  • 21. The Identity Ecosystem Steering Group. First plenary, August 2012. Source: Phil Wolff, http://
  • 22. The Identity Ecosystem Steering Group: Bringing together many types of stakeholders
  • 23. The Identity Ecosystem Steering Group
    • 200+ firms/organizations; 60+ individuals
    • Elected Plenary Chair (Bob Blakley/Citi) and Management Council Chair (Peter Brown); Elected 16 delegates to Management Council
    • Member firms include: Verizon, Visa, PayPal, Fidelity, Citigroup, Mass Mutual, IBM, Bank of America, Microsoft, Oracle, 3M, CA, Symantec, LexisNexis, Experian, Equifax, Neiman Marcus, Aetna, Merck, United Health, Intel.
    • Also: AARP, ACLU, EPIC, EFF, and more than 65 universities. Participants from 12+ countries.
    • Committees include:
      o Standards
      o Policy
      o Privacy
      o User Experience
      o Security
      o Trust Frameworks & Trustmarks
      o Health Care
      o Financial Sector
      o International Coordination
  • 24. Linking Strategy to Execution
    • Voluntary, multi-stakeholder collaborative efforts are hard.
    • What is the art of the possible?
    • What incentives might be needed to fully realize the NSTIC vision?
  • 25. NSTIC envisions the potential need for new policies. "The Federal Government may need to establish or amend both policies and laws to address" concerns such as "the uncertainty and fear of unbounded liability that have limited the market's growth." – NSTIC, page 31
    • The IDESG Policy Committee is reviewing this topic
    • A unique window of opportunity
  • 26. Ensuring the U.S. Government can be an early Adopter
  • 27. Making progress in government is tough…
  • 28. …but not impossible
  • 29. Where we started (diagram: FICAM (TFPAP); TFP MoUs and Certification Agreements with IdPs; TFP integration with RPs and Agencies, marked "???" and "$$$!!!")
  • 30. Current Agency Environment (diagram: Citizens, Government)
  • 31. A better way (diagram: Citizens, FCCX, Government)
  • 32. New study shows real USG cost savings from NSTIC
    • Funded by NIST Economic Analysis Office, conducted in partnership with the IRS
    • Focus: cost-benefit analysis comparing federation (NSTIC) approach vs. one-off proprietary authentication system
    • Looked at 3 scenarios: 20%, 50%, 70% adoption
  • 33. New study shows real USG cost savings from NSTIC. Key Findings
    • Over a 10-year period, IRS would save $63 million to $298 million by aligning its citizen-facing identity and authentication efforts with NSTIC (vs. building a stovepiped, IRS-only system)
    • Up-front adoption savings would be $40 million to $111 million
    • Savings driven both by avoidance of duplicative identity proofing and authentication costs, as well as increased customer uptake of online offerings
    • Opportunity: IRS spent over $1 billion communicating with taxpayers on paper and by telephone in 2012
  • 34. A final thought
  • 35. Trust matters to online business
    • $2 trillion: the total projected online retail sales across the G20 nations in 2016
    • $2.5 trillion: what this number can grow to if consumers believe the Internet is more worthy of their trust
    • $1.5 trillion: what this number will fall to if trust is eroded
    Source: Rethinking Personal Data: Strengthening Trust. World Economic Forum, May 2012.
  • 36. Questions? Jeremy Grant, 202.482.3050. Identity Ecosystem Steering Group
  • 37. NSTIC Workshop Agenda
    1pm, Part 1:
    • "The State of the NSTIC" – Jeremy Grant
    • Pilot Report #1: MFA in the Commercial Sector – Cathy Tilton, Daon
    2pm, Part 2:
    • Pilot Report #2: Attribute Exchange Network – Dave Coxe, Criterion Systems
    • Pilot Report #3: Scalable Privacy and MFA – Ken Klingenstein, Internet2
    3pm, Part 3:
    • Identity Ecosystem Steering Group (IDESG) – Bob Blakley, Citigroup
    • Federal Cloud Credential Exchange (FCCX) – Jeremy Grant (NIST) and Doug Glair (USPS)
    • NSTIC and the National Cybersecurity Center of Excellence (NCCoE) – Nate Lesser (NIST)
    • Discussion and Perspectives
  • 38. (image-only slide, no text)
  • 39. The Identity Ecosystem Steering Group: Created to administer the development of policies, standards, and accreditation processes for the Identity Ecosystem Framework.