Post on 24-Dec-2015
The Need for Trusted Credentials
Information Assurance in Cyberspace
Judith Spencer, Chair, Federal PKI Steering Committee
www.cio.gov/fpkisc
Doing Business with the Public Today
Face to Face
Telephone
Written Request
[Slide illustrations: a sample state driver's license for "Jane Q. Smith" (identification number, expiration date, birth date, issue date, height, weight, sex), an IRS Form 1040 excerpt, and a handwritten signature]
[Slide diagram: transaction types plotted against Factors and Privilege Management, from Low Risk to High Risk: General Information, Change Request, Benefits Application, Personal Information, Proprietary Information; the diagram is banded into Identity Verification Not Required, Identity Verification Required, and Signature Required]
Defining the Risk
Are There Levels of Trust?
No confidence is placed in the asserted real-world identity of the client or no real-world identity is asserted.
On the balance of probabilities, the registrant’s real-world identity is verified.
There is substantial assurance that the registrant’s real-world identity is verified.
The registrant’s real-world identity is verified beyond reasonable doubt.
Courtesy of the UK Government, Office of the E-Envoy
Types of Evidence
Personal statement. Individual provides personal data about him/herself.
Documentary evidence. Individual provides collateral documents to confirm the information provided.
Third party corroboration. A trusted entity that can confirm information provided.
Biometrics. Physical evidence tying individual to the asserted identity.
Existing relationship. Individual's previous interactions with the registration agent (e.g. bank customer).
Courtesy of the UK Government, Office of the E-Envoy
Doing Business with the Public Tomorrow
Statutory Requirement to offer an electronic option: Government Paperwork Elimination Act, October 1998
– Commitment to on-line government
– Public electronic access by October 2003
. . . A signature may not be denied legal effect simply because it is electronic. . .
Your Choices
Automated Telephone Interaction
E-mail interaction
Web services
Today’s E-Government Requirements
Government agencies need to innovate at an ever increasing pace
E-Government success requires broad interoperability
– Within an enterprise
– Between business partners
– Across a heterogeneous set of platforms, applications, and programming languages
Internet technologies are assumed; interoperability is required
– E-Government platforms enable more rapidly developed interoperability
But . . .
Without trust and security, Web Services are dead on arrival
Facets of Building Trust
Facet: Description
Identification: Who are you?
Authentication: How do I know you are who you claim to be?
Authorization: Are you allowed to perform this transaction?
Integrity: Is the data you sent the same as what I received?
Confidentiality: Are we sure no one else read the data you sent?
Auditing: Record of transactions to assist in looking for security problems
Non-repudiation: Can you prove the sender sent it, and the receiver received the identical transaction?
Thanks to Karl Best, Director of Technical Operations, OASIS
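The facets above are questions a gateway has to be able to answer for every transaction. The following Python example, added here and not part of the talk, shows three of them (integrity, authentication, auditing) on a constructed change-of-address request using only the standard library: a SHA-256 digest answers the integrity question, an HMAC tag under a shared key answers the authentication question, and every verification outcome is appended to an audit log. The key, sender name, payload fields and function names are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Shared secret between the citizen's client and the agency gateway.
# Constructed sample value for the example; a real deployment would
# derive it from an enrolled credential, never hard-code it.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(payload: dict) -> bytes:
    """Serialize the transaction deterministically so both sides hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def send_transaction(sender: str, payload: dict, key: bytes) -> dict:
    """Sender side: attach an integrity digest and an authentication tag.

    Integrity: SHA-256 over the canonical body; any change alters the digest.
    Authentication: HMAC over (sender, digest); only a holder of the key
    can produce a tag the gateway will accept.
    """
    digest = hashlib.sha256(canonical(payload)).hexdigest()
    tag = hmac.new(key, f"{sender}:{digest}".encode(), hashlib.sha256).hexdigest()
    return {"sender": sender, "payload": payload, "digest": digest, "tag": tag}


def receive_transaction(message: dict, key: bytes, audit_log: list) -> tuple:
    """Receiver side: re-check integrity and authentication, then record the outcome.

    Every decision is appended to audit_log (the Auditing facet) so that
    failed verifications can be investigated later. Returns (accepted, reason).
    """
    sender = message.get("sender", "")
    expected_digest = hashlib.sha256(canonical(message.get("payload", {}))).hexdigest()
    # Integrity: does the body we received hash to the digest that was sent?
    if not hmac.compare_digest(expected_digest, message.get("digest", "")):
        audit_log.append({"sender": sender, "result": "integrity-failure"})
        return False, "integrity"
    # Authentication: was the tag produced with the key this sender is enrolled under?
    expected_tag = hmac.new(key, f"{sender}:{expected_digest}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, message.get("tag", "")):
        audit_log.append({"sender": sender, "result": "authentication-failure"})
        return False, "authentication"
    audit_log.append({"sender": sender, "result": "accepted", "digest": expected_digest})
    return True, "ok"


def demo() -> tuple:
    """Run the three cases a gateway must distinguish and return their outcomes plus the log."""
    log = []
    # Constructed sample transaction: a change-of-address request.
    msg = send_transaction("jane.q.smith",
                           {"type": "change_request", "street": "123 Main Street"},
                           SHARED_KEY)
    ok_original, _ = receive_transaction(msg, SHARED_KEY, log)

    # Body altered in transit while digest and tag are left as originally sent.
    tampered = dict(msg, payload={"type": "change_request", "street": "999 Elm Street"})
    ok_tampered, why_tampered = receive_transaction(tampered, SHARED_KEY, log)

    # Message built without the shared key: the digest is self-consistent,
    # but no valid tag can be produced, so authentication fails.
    payload = {"type": "benefits_application", "amount": 98765}
    unkeyed = {"sender": "jane.q.smith", "payload": payload,
               "digest": hashlib.sha256(canonical(payload)).hexdigest(),
               "tag": "00" * 32}
    ok_unkeyed, why_unkeyed = receive_transaction(unkeyed, SHARED_KEY, log)

    return ok_original, (ok_tampered, why_tampered), (ok_unkeyed, why_unkeyed), log


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

The example deliberately stops short of the non-repudiation facet: an HMAC proves that some holder of the shared key produced the tag, but because the gateway holds the same key it cannot prove to a third party that the citizen, rather than the gateway, created the message. Answering that question needs a signature only the sender can make, which is where the PKI-based credentials discussed in the rest of the talk come in.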
But . . . What About Identity Assurance in Cyberspace?
No Physical Presence
No Photo ID
No Physical Document with Signature
No Human Voice
A Few Facts
The Internet is perceived as being inherently anonymous
In order to conduct trusted transactions, we must know with whom we are dealing
Knowledge must be within reasonable risk limits
Trusted electronic credentials provide the means to link an asserted identity in the electronic medium to physical credentials
Preconditions for Credential ‘Trustworthiness’
Unique to the person using it
Under the sole control of the person using it
Capable of verification
Credential Pedigree
– Institutional Standing of the Provider
– Governance
– Establishment of Identity
– Credential Control
E-Authentication Will:
Evaluate Electronic Credential Providers
Apply a common set of universally understood Assurance Levels
Provide a tool for performing Risk Assessment
Interact with FirstGov portal and Agency business processes to broker identity assurance
Provide the public with a single sign-on capability and a common interface for doing electronic transactions with government through the Gateway
Assessing the Need
Perform Transaction-level Risk Assessment on your e-Government process
Review OMB e-Authentication Guidance
Choose the e-Authentication assurance level that meets your needs
Then work with the e-Authentication team to ensure Gateway interoperability
Thank You for your Time & Attention