CIS13: FCCX and IDESG: An Industry Perspectives

Jeremy Grant, Senior Executive Advisor, Identity Management, NIST (US Government)

Published in: Technology, News & Politics
CIS13: FCCX and IDESG: An Industry Perspectives

  1. National Strategy for Trusted Identities in Cyberspace
     NSTIC in Motion: Pilots, Policy and Progress
     Jeremy Grant, Senior Executive Advisor, Identity Management, National Institute of Standards and Technology (NIST)
  2. NSTIC Workshop Agenda: Sessions
     1pm, Part 1
       • “The State of the NSTIC” – Jeremy Grant
       • Pilot Report #1: MFA in the Commercial Sector – Cathy Tilton, Daon
     2pm, Part 2
       • Pilot Report #2: Attribute Exchange Network – Dave Coxe, Criterion Systems
       • Pilot Report #3: Scalable Privacy and MFA – Ken Klingenstein, Internet2
     3pm, Part 3
       • Identity Ecosystem Steering Group (IDESG) – Bob Blakley, Citigroup
       • Federal Cloud Credential Exchange (FCCX) – Jeremy Grant (NIST) and Doug Glair (USPS)
       • NSTIC and the National Cybersecurity Center of Excellence (NCCoE) – Nate Lesser (NIST)
       • Discussion and Perspectives
  3. State of the NSTIC
  4. Imagine if…
     Four years from now, 80% of your customers arrived at your website already holding a secure credential for identification and authentication – and you could trust this credential in lieu of your existing username/password system.
       • Interoperable with your login system (you don’t have to issue credentials)
       • Multi-factor authentication (no more password management)
       • Tied to a robust identity proofing mechanism (you know if they are who they claim to be)
       • With baked-in rules to limit liability and protect privacy
  5. What would this mean…
     For Security and Loss Prevention?
       • 5 of the top 6 vectors of attack in 2011 data breaches tied to passwords; 76% of all 2012 records breached tied to passwords.
       • The number of Americans impacted by data breaches rose 67% from 2010 to 2011
       • Weak identity systems fuel online fraud, make it impossible to know who is a “dog on the Internet”
     For Reducing Friction in Online Commerce?
       • Today, 75% of customers will avoid creating new accounts. 54% leave the site or do not return
       • Today, 45% of consumers will abandon a site rather than attempt to reset their passwords or answer security questions
  6. Two years, two months and 24 days ago…
     An Identity Ecosystem…with 4 Guiding Principles
       • Privacy-Enhancing and Voluntary
       • Secure and Resilient
       • Interoperable
       • Cost-Effective and Easy To Use
  7. Why NSTIC?
     There is a marketplace today – but there are barriers the market has not yet addressed on its own
  8. Barriers: Security is a big issue
       • 2011: 5 of the top 6 attack vectors are tied to passwords
       • 2010: 4 of the top 10
     Source: 2012 Data Breach Investigations Report, Verizon and USSS
  9. But – it’s not all about security
     Business Models, Usability, Liability, Interoperability, Privacy
     Source: xkcd
  10. Why NSTIC?
     There is a marketplace today – but there are barriers the market has not yet addressed on its own.
     Government can serve as a convener and facilitator, and a catalyst.
  11. Our Implementation Strategy
  12. We don’t want to boil the ocean.
  13. Let’s go surfing where the waves are… NSTIC
  14. What does NSTIC call for?
     Private sector will lead the effort
       • Not a government-run identity program
       • Private sector is in the best position to drive technologies and solutions…
       • …and ensure the Identity Ecosystem offers improved online trust and better customer experiences
     Federal government will provide support
       • Support development of a private-sector led governance model
       • Facilitate and lead development of interoperable standards
       • Provide clarity on national policy and legal issues (i.e., liability and privacy)
       • Fund pilots to stimulate the marketplace
       • Act as an early adopter to stimulate demand
  15. Where do we stand?
  16. The marketplace has started to respond
  17. But instead of this…
  18. …I now am managing one-off 2FA solutions for
  19. NSTIC has funded 5 pilots…with more coming
     AAMVA
       • Focus: Develop public-private partnership to strengthen private-sector credentials with attributes from a state DMV
       • Virginia DMV, Microsoft, CA, AT&T are key partners
       • Coming soon: an important health care RP
     Daon
       • Focus: deploy smartphone based, multi-factor authentication to consumers
       • AARP, PayPal, Purdue are key relying parties
       • A major bank (not yet publicly named) will also be an RP
     Criterion
       • Focus: develop a viable business model for Identity Ecosystem and attribute exchange
       • Broadridge Financial, eBay, Wal-Mart, AOL, Verizon, GE, Experian, Lexis Nexis, Ping, CA, PacificEast are key partners
     Internet2
       • Focus: deploy smartphone based, multi-factor authentication across 3 major universities, integrate it with a privacy-protecting infrastructure.
       • MIT, University of Texas, University of Utah are deployment sites
     Resilient
       • Focus: test “privacy enhancing” infrastructure in health care and K-12 environments.
       • AMA, American College of Cardiology, LexisNexis, Neustar, Knowledgefactor are key partners
  20. Pilots lessons learned
     Each pilot has run into the same challenges – underscoring the need for a robust Identity Ecosystem Framework.
     Common considerations:
       • No standard way to bring on new RP’s (technical/policy/legal)
       • Existing trust frameworks only go so far
       • RP’s struggle to sort out how to apply risk assessment to determine credential strength/LOA (800-63 aside, no great alternatives)
       • Trust frameworks do not extend to attribute providers/verifiers
       • How to ensure “data minimization” in attribute exchange, when some APs offer “data promiscuity”
       • How to flow down consent requirements to end-users in a logical fashion
  21. The Identity Ecosystem Steering Group
     First plenary, August 2012
     Source: Phil Wolff, http://www.flickr.com/photos/philwolff/7789263898/in/photostream
  22. The Identity Ecosystem Steering Group: Bringing together many types of stakeholders
  23. The Identity Ecosystem Steering Group
       • 200+ firms/organizations; 60+ individuals
       • Elected Plenary Chair (Bob Blakley/Citi) and Management Council Chair (Peter Brown); Elected 16 delegates to Management Council
       • Member firms include: Verizon, Visa, PayPal, Fidelity, Citigroup, Mass Mutual, IBM, Bank of America, Microsoft, Oracle, 3M, CA, Symantec, Lexis Nexis, Experian, Equifax, Neiman Marcus, Aetna, Merck, United Health, Intel.
       • Also: AARP, ACLU, EPIC, EFF, and more than 65 universities. Participants from 12+ countries.
       • Committees include: Standards; Policy; Privacy; User Experience; Security; Trust Frameworks & Trustmarks; Health Care; Financial Sector; International Coordination
  24. Linking Strategy to Execution
       • Voluntary, multi-stakeholder collaborative efforts are hard.
       • What is the art of the possible?
       • What incentives might be needed to fully realize the NSTIC vision?
  25. NSTIC envisions the potential need for new policies
     “The Federal Government may need to establish or amend both policies and laws to address" concerns such as "the uncertainty and fear of unbounded liability that have limited the market's growth.” -NSTIC, page 31
       • The IDESG Policy Committee is reviewing this topic
       • A unique window of opportunity
  26. Ensuring the U.S. Government can be an early Adopter
  27. Making progress in government is tough…
  28. …but not impossible
  29. Where we started
     [Diagram labels: FICAM (TFPAP); TFP; MoUs; Certification Agreements; IdP, IdP, IdP; TFP; Integration; ???; $$$!!!; RP, RP, RP, RP; Agencies]
  30. Current Agency Environment
     [Diagram labels: Citizens; Government]
  31. A better way
     [Diagram labels: Citizens; Government; FCCX]
  32. New study shows real USG cost savings from NSTIC
       • Funded by NIST Economic Analysis Office, conducted in partnership with the IRS
       • Focus: cost-benefit analysis comparing federation (NSTIC) approach vs. one-off proprietary authentication system
       • Looked at 3 scenarios: 20%, 50%, 70% adoption
  33. New study shows real USG cost savings from NSTIC
     Key Findings
       • Over a 10-year period, IRS would save $63 million to $298 million by aligning its citizen-facing identity and authentication efforts with NSTIC (vs. building a stovepiped, IRS-only system)
       • Up-front adoption savings would be $40 million to $111 million
       • Savings driven both by avoidance of duplicative identity proofing and authentication costs, as well as increased customer uptake of online offerings
       • Opportunity: IRS spent over $1 billion communicating with taxpayers on paper and by telephone in 2012
  34. A final thought
  35. Trust matters to online business
       • $2 Trillion: The total projected online retail sales across the G20 nations in 2016
       • $2.5 trillion: What this number can grow to if consumers believe the Internet is more worthy of their trust
       • $1.5 Trillion: What this number will fall to if Trust is eroded
     Source: Rethinking Personal Data: Strengthening Trust. World Economic Forum, May 2012.
  36. Questions?
     Jeremy Grant
     jgrant@nist.gov
     202.482.3050
     Identity Ecosystem Steering Group
     www.idecosytem.org
     idecosystem@trustedfederal.com
  37. NSTIC Workshop Agenda: Sessions
     1pm, Part 1
       • “The State of the NSTIC” – Jeremy Grant
       • Pilot Report #1: MFA in the Commercial Sector – Cathy Tilton, Daon
     2pm, Part 2
       • Pilot Report #2: Attribute Exchange Network – Dave Coxe, Criterion Systems
       • Pilot Report #3: Scalable Privacy and MFA – Ken Klingenstein, Internet2
     3pm, Part 3
       • Identity Ecosystem Steering Group (IDESG) – Bob Blakley, Citigroup
       • Federal Cloud Credential Exchange (FCCX) – Jeremy Grant (NIST) and Doug Glair (USPS)
       • NSTIC and the National Cybersecurity Center of Excellence (NCCoE) – Nate Lesser (NIST)
       • Discussion and Perspectives
  38. National Strategy for Trusted Identities in Cyberspace
  39. The Identity Ecosystem Steering Group
     Created to administer the development of policies, standards, and accreditation processes for the Identity Ecosystem Framework.
     www.idecosystem.org
