Transport and Security Standards Work Group
New Directions In Identity
Paul Grassi, Senior Standards and Technology Advisor
Existing Challenges
(Timeline graphic spanning 2012 to 2015, running from NSTIC Launch to IDE Sustaining; the recovered labels follow.)
NSTIC Launch
Well-rounded pilots hitting diverse user set
FCCX Goes Live
Market Discovery
Attribute Providers
Internet of Things
Consumer-Centric
Deployment Costs
Standards Gaps
Embedded Privacy
Identification of policy and technical overlays
IDE Sustaining
Envision It!?
True Interoperability
RP Integration + Cost, Public and Private Sectors
Liability, Attributes
Envision It (soon we hope)!
But we have partially realized so many - http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf
NIST Coverage of Identity Services
(Coverage chart; key: no coverage / partial coverage, to include other D/A documentation / full coverage / needs refreshing.)
Where We Will Focus in FY14/15
Codify privacy enhancing profiles
Enhance/Establish ‘standard’ to establish confidence, trustworthiness, and privacy preservation (zero knowledge, derived, minimal disclosure)
Address portability of preferred credentials and relying party accounts
BYOI
Revisit and retool existing standards to address current market state and flex to innovation
Develop new standards that increase IE participation
Increase participation in commercial open standards
Mobility, Cloud, Shared Services
Simplify, accelerate, and reduce the cost of ICAM implementations
Focus beyond the PIV
Establish RP toolkits
Identify and foster innovation from untapped sources
IoT Identity
Non-intrusive Security Model
Continuous Monitoring and Assessment
Assurance – What Would You Think If?
Componentized Trust and Assurance Elements and Supported Assembly of ‘Vectors of Trust’
NIST just measured authentication performance/strength/usability?
Got rid of LOA?
What else could we do to turn these docs on their head to enhance the IE?
Developed a private sector companion to 800-63?
Vectors of Trust – Discussion Example
DISCUSSION ONLY – CONCEPTUAL FOR ILLUSTRATION AND PROVOCATION PURPOSES
Components: Identity Proofing [IP], Credential Strength [CS], Assertion Presentation [AP], Binding [B]
Provider 1 supports IP[ ] CS[ ] AP[ ] B[ ]
Provider 2 supports CS[ ] AP[ ] B[ ]
Provider 3 supports IP[ ]
Axes: Relying Party Risk Tolerance; Individual Choice
New Standard? Market/Trust Framework Driven Levels … Provider Supported Components and Levels …
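The slide only sketches the idea; the following is an added example (not code from the slide deck or from NIST) of how a relying party would evaluate componentized assurance instead of a single LOA. The component set, the 0..3 level scale and the provider capability values are assumptions for illustration, not values from the slide or from any standard.

```python
"""Added example: componentized assurance matching in the spirit of the
"vectors of trust" slide. The component set, the 0..3 level scale and the
provider capability values are assumptions for illustration, not values from
the slide or from any standard."""
from itertools import combinations

COMPONENTS = ("IP", "CS", "AP", "B")   # proofing, credential, assertion, binding

# Hypothetical capability vectors: component -> highest level the provider supports.
PROVIDERS = {
    "Provider 1": {"IP": 2, "CS": 3, "AP": 2, "B": 2},
    "Provider 2": {"CS": 3, "AP": 3, "B": 3},   # credential only, no proofing
    "Provider 3": {"IP": 3},                     # proofing only
}


def loa_of(vector):
    """Monolithic-LOA view: one number, capped by the weakest component."""
    return min(vector.get(c, 0) for c in COMPONENTS)


def satisfies(policy, offered):
    """True if every component the RP cares about meets its minimum level."""
    return all(offered.get(c, 0) >= lvl for c, lvl in policy.items())


def merge(vectors):
    """Assemble one vector from several providers, strongest value per component."""
    out = {}
    for v in vectors:
        for c, lvl in v.items():
            out[c] = max(out.get(c, 0), lvl)
    return out


def acceptable_assemblies(policy, providers, max_parties=2):
    """Smallest provider sets whose merged vector meets the RP policy.

    Returns every set of the smallest size that works; the user picks among
    them ("individual choice") and the RP policy encodes its risk tolerance.
    """
    for n in range(1, max_parties + 1):
        found = [names for names in combinations(providers, n)
                 if satisfies(policy, merge(providers[k] for k in names))]
        if found:
            return found
    return []


if __name__ == "__main__":
    # An RP that needs strong proofing: no single provider qualifies, but two can.
    benefits = {"IP": 3, "CS": 2, "AP": 2, "B": 2}
    print(acceptable_assemblies(benefits, PROVIDERS))
    # An RP that only needs a strong credential: Provider 2 qualifies even though
    # a monolithic LOA, capped by its missing proofing, would rate it 0.
    board = {"CS": 3, "AP": 2}
    print(acceptable_assemblies(board, PROVIDERS), loa_of(PROVIDERS["Provider 2"]))
```

The benefits policy is satisfiable only by pairing Provider 3's proofing with another provider's credential, which is the "supported assembly" the slide hints at. The model treats the Binding component as something the credential provider supplies; in practice an assembly across providers is only meaningful if that binding step actually links the proofed identity to the credential being presented, and an RP policy should require it whenever IP and CS come from different parties.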
Other Components?
Reputation of subject
Reputation of IdP
Additional external claims (presumably signed by third party)
Heuristic Compensating Controls
Endpoint Security
Trusted Identities
Organization Maturity
Business Process
Legal
Other
Liability
Contractual strength
Account recovery
Credential revocation
Incident response
OpSec
Options: Do Nothing / Address Root Causes / Let RPs Decide
Attributes – What Should Happen?
Meta-Attribute: Confidence/Truthiness, Liability, Security and Privacy, Governance, Exchange
Informs: Dependent Standards, Performance Metrics, Risk Tolerance, Market, Attribute Registries
OR include attributes in next ‘800-63’
Privacy By Design
(Diagram: the CSP holds user record 12345; Agency 1 and Agency 2 each receive a different identifier for the same user, shown as ABCDDDEE and AADDFEE, so neither agency can map its identifier back to record 12345 or to the other agency's identifier.)
Designed specifically to ensure that privacy requirements of anonymity, unlinkability and unobservability are built in from the start
In simple terms, this means that private organizations that issue citizens credentials – and the agencies that accept them – will have no way to track where citizens use them.
But…
Attributes flow freely through FCCX
If they didn’t, RP’s would get them on their own (inconsistently)
“Let the RP Figure It Out” is the wrong answer!
12
So...We Need A Privacy Profile
Double Blind Architecture
(Diagram: the Relying Party sends an authentication request to the Broker, which forwards it to the CSP; the Attribute Provider, with User Consent, returns a response plus encrypted attributes through the Broker to the Relying Party.)
1. CSP/AP can’t know the RP
2. Broker can’t see the attributes
3. Standard and protocol agnostic
4. RP can’t know CSP
5. Minimal changes to infrastructure (but we may soften this requirement)
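To make the two privacy slides concrete (per-agency identifiers from the Privacy By Design slide, and the broker that relays but cannot read attributes from this one), here is an added toy model of one brokered transaction. It is constructed for illustration and is not FCCX or Connect.gov code. Its assumptions: the RP attaches a fresh ephemeral Diffie-Hellman public key to each request, so the CSP/AP sees nothing that identifies the RP; the AP encrypts the attribute bundle to that key; and the broker, not the CSP, derives the per-agency pseudonym, because in a double-blind flow the CSP never learns which RP asked. The DH group, the hash-based stream cipher and all identifiers and attribute values are toys chosen so the example runs on the Python standard library; a real profile would use X25519/ECDH with AES-GCM.

```python
"""Added example: a toy model of the double-blind broker flow with per-agency
pseudonyms. Constructed for illustration; it is not FCCX/Connect.gov code.
Assumptions: the RP sends a fresh ephemeral DH public key with each request
(so the CSP/AP learns nothing identifying about the RP), the AP encrypts the
attribute bundle to that key, and the broker derives the per-RP pseudonym
because the CSP never learns which RP asked. The DH group and hash-based
stream cipher are toys so the example runs on the standard library; a real
profile would use X25519/ECDH with AES-GCM."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime; far too small for real use
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def _derive(shared):
    raw = shared.to_bytes(16, "big")
    return (hashlib.sha256(b"enc" + raw).digest(),
            hashlib.sha256(b"mac" + raw).digest())


def _keystream(key, n):
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def encrypt(shared, plaintext):
    enc, mac = _derive(shared)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, len(plaintext))))
    return ct + hmac.new(mac, ct, hashlib.sha256).digest()


def decrypt(shared, blob):
    enc, mac = _derive(shared)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, ct, hashlib.sha256).digest(), tag):
        raise ValueError("attribute bundle failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, len(ct))))


def pairwise_pseudonym(broker_secret, csp_user_id, rp_id):
    """Stable per-(user, RP) identifier; unlinkable across RPs without broker_secret."""
    msg = f"{csp_user_id}|{rp_id}".encode()
    return hmac.new(broker_secret, msg, hashlib.sha256).hexdigest()[:16]


SAMPLE_ATTRIBUTES = b"given_name=Alice;dob=1980-01-01"   # constructed sample
BROKER_SECRET = b"constructed-broker-pseudonym-key"      # constructed sample


def run_transaction(rp_id="agency-1", csp_user_id="12345"):
    """Run one brokered login and record what each party gets to see."""
    views = {"rp": [], "broker": [], "csp": []}

    # 1. RP -> broker: authentication request carrying a fresh ephemeral key.
    rp_priv, rp_pub = dh_keypair()
    views["broker"].append({"from": rp_id, "eph_pub": rp_pub})

    # 2. Broker -> CSP/AP: same request, but the requester is now "broker".
    views["csp"].append({"from": "broker", "eph_pub": rp_pub})

    # 3. CSP/AP authenticates the user (out of scope here) and encrypts the
    #    attributes to the ephemeral key; the broker relays only ciphertext.
    ap_priv, ap_pub = dh_keypair()
    blob = encrypt(dh_shared(ap_priv, rp_pub), SAMPLE_ATTRIBUTES)
    views["broker"].append({"from": "csp", "user": csp_user_id,
                            "ap_pub": ap_pub, "blob": blob})

    # 4. Broker -> RP: CSP user id swapped for a per-RP pseudonym, ciphertext relayed.
    subject = pairwise_pseudonym(BROKER_SECRET, csp_user_id, rp_id)
    views["rp"].append({"from": "broker", "subject": subject,
                        "ap_pub": ap_pub, "blob": blob})

    # 5. RP recovers the attributes with its ephemeral private key.
    attrs = decrypt(dh_shared(rp_priv, ap_pub), blob)
    return {"views": views, "subject": subject, "attributes": attrs}


def broker_sees_plaintext(result):
    return any(SAMPLE_ATTRIBUTES in m.get("blob", b"") for m in result["views"]["broker"])


if __name__ == "__main__":
    r = run_transaction()
    print("RP recovered:", r["attributes"])
    print("broker saw plaintext:", broker_sees_plaintext(r))
```

Requirements 1, 2 and 4 hold against an honest-but-curious broker: the CSP's only correspondent is the broker, the RP's only correspondent is the broker, and the broker holds ciphertext it cannot open. An active broker could substitute its own ephemeral keys (unauthenticated DH) and read everything; the obvious fix, signing the ephemeral key with the RP's long-term key, would let the CSP identify the RP, which is exactly the tension between requirements 1 and 2 and the reason the slide allows softening requirement 5.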
In Summary: Rebooting and Reinvigorating Our Commitment to Identity and Access Management
We Are Not Special
We Need to Adopt Private Sector Identity Innovation
We All Need to Stop Talking Amongst Ourselves
RP’s and Users Rule
Be On The Lookout For Upcoming Public/Private Engagement Opportunities
Contact Information
United States Department of Commerce, National Institute of Standards and Technology
Paul Grassi, CISSP, Senior Standards and Technology Advisor, NSTIC
Information Technology Laboratory
1401 Constitution Ave. NW, Rm. 2069, Washington, DC 20230
W: 202.482.8349  M: 703.786.8275
Email: [email protected]