
Transport and Security Standards Work Group






Presentation Transcript


  1. Transport and Security Standards Work Group
  New Directions In Identity
  Paul Grassi, Senior Standards and Technology Advisor

  2. Existing Challenges (timeline graphic, 2012 to 2015)
  • NSTIC Launch
  • IDE Sustaining
  • Well-rounded pilots hitting diverse user set
  • Attributes
  • Standards Gaps
  • FCCX Goes Live
  • Market Discovery
  • Attribute Providers
  • Internet of Things
  • Consumer-Centric
  • Deployment Costs
  • Identification of policy and technical overlays
  • Embedded Privacy
  • Liability
  • Envision It!?
  • True Interoperability
  • RP Integration + Cost
  • Public and Private Sectors

  3. Envision It (soon we hope)! But we have partially realized so many: http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf

  4. But We Are Getting Closer

  5. NIST Coverage of Identity Services
  [Coverage chart; legend: No coverage / Partial coverage, to include other D/A documentation / Needs refreshing / Full coverage]

  6. Where We Will Focus in FY14/15
  • Simplify, accelerate, and reduce the cost of ICAM implementations
  • Focus beyond the PIV
  • Establish RP toolkits
  • Identify and foster innovation from untapped sources
  • IOT Identity
  • Non-intrusive security model
  • Continuous monitoring and assessment
  • Codify privacy enhancing profiles
  • Enhance/Establish ‘standard’ to establish confidence, trustworthiness, and privacy preservation (zero knowledge, derived, minimal disclosure)
  • Address portability of preferred credentials and relying party accounts
  • BYOI
  • Revisit and retool existing standards to address current market state and flex to innovation
  • Develop new standards that increase IE participation
  • Increase participation in commercial open standards
  • Mobility, Cloud, Shared Services

  7. Assurance – What Would You Think If?
  • NIST just measured authentication performance/strength/usability?
  • Componentized Trust and Assurance Elements and Supported Assembly of ‘Vectors of Trust’?
  • Got rid of LOA?
  • Developed a private sector companion to 800-63?
  What else could we do to turn these docs on their head to enhance the IE?

  8. Vectors of Trust – Discussion Example
  Components: Identity Proofing [IP], Assertion Presentation [AP], Credential Strength [CS], Binding [B]
  [Diagram: Provider 1, Provider 2 and Provider 3 each list their supported components and levels (IP[ ], CS[ ], AP[ ], B[ ]); on the Relying Party side: Risk Tolerance, Individual Choice, Market/Trust Framework Driven, New Standard? …]
  DISCUSSION ONLY – CONCEPTUAL FOR ILLUSTRATION AND PROVOCATION PURPOSES

  9. Other Components?
  • Incident response
  • OpSec
  • Liability
  • Contractual strength
  • Reputation of subject
  • Reputation of IdP
  • Additional external claims (presumably signed by third party)
  • Heuristic
  • Compensating Controls
  • Endpoint Security
  • Account recovery
  • Credential revocation

  10. Attributes – What Should Happen?
  [Diagram: Dependent Standards, Performance Metrics, Attribute Registries, Risk Tolerance and Market, connected by “Informs”]
  Address Root Causes: Include attributes in next ‘800-63’ OR Do Nothing: Let RP’s Decide

  11. Privacy By Design
  • Designed specifically to ensure that privacy requirements of anonymity, unlinkability and unobservability are built in from the start
  • In simple terms, this means that private organizations that issue citizens credentials – and the agencies that accept them – will have no way to track where citizens use them.
  [Diagram: the CSP’s user record 12345 appears as identifier ABCDDDEE at Agency 1 and as identifier AADDFEE at Agency 2]
  • But…
  • Attributes flow freely through FCCX
  • If they didn’t, RP’s would get them on their own (inconsistently)
  • “Let the RP Figure It Out” is the wrong answer!

  12. So... We Need A Privacy Profile
  [Diagram: Double Blind Architecture. Relying Party → Broker → CSP / Attribute Provider (Authentication Request); CSP → Broker → Relying Party (Response + Encrypted Attributes); User Consent]
  • Standard and Protocol Agnostic
  • CSP/AP can’t know the RP
  • Broker can’t see the attributes
  • RP can’t know CSP (but we may soften this requirement)
  • Minimal Changes to Infrastructure
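The double-blind flow on this slide, as an added Python sketch that is not part of the deck or of FCCX: the broker strips the RP’s identity from the request and the CSP’s identity from the response, derives a different pseudonym for each agency (as on the previous slide), and forwards attributes it cannot read because they are sealed to an ephemeral key the RP supplied. The function and key names, the toy Diffie-Hellman group and the XOR stream cipher are constructed for the demo.

```python
"""Constructed sketch of a double-blind identity broker (not FCCX code)."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the demo only (constructed; a real deployment
# would use a standard group and a real AEAD, not the XOR cipher below).
P = (1 << 127) - 1   # Mersenne prime M127
G = 3


def pairwise_id(key: bytes, subject: str, party: str) -> str:
    """One-way pseudonym bound to one party: unlinkable across agencies."""
    msg = f"{subject}|{party}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal(shared: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 keystream derived from the DH secret."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(shared.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_flow(csp_key: bytes, broker_key: bytes, csp_user_id: str, rp_name: str, attrs: bytes):
    """Returns (what the CSP/AP saw, what the RP received, attributes the RP opened)."""
    # 1. RP -> broker: request carries an ephemeral public key; the RP picks no CSP.
    rp_priv = secrets.randbelow(P - 2) + 1
    rp_pub = pow(G, rp_priv, P)
    # 2. Broker -> CSP/AP: RP identity stripped, the CSP sees only the broker.
    to_csp = {"requester": "broker", "envelope_key": rp_pub}
    # 3. CSP/AP -> broker: broker-facing pseudonym; attributes sealed to the envelope key.
    ap_priv = secrets.randbelow(P - 2) + 1
    shared = pow(to_csp["envelope_key"], ap_priv, P)
    from_csp = {"subject": pairwise_id(csp_key, csp_user_id, "broker"),
                "ap_pub": pow(G, ap_priv, P),
                "sealed_attrs": seal(shared, attrs)}
    # 4. Broker -> RP: per-agency pseudonym, CSP identity stripped, ciphertext
    #    forwarded untouched (the broker holds neither private key).
    to_rp = {"subject": pairwise_id(broker_key, from_csp["subject"], rp_name),
             "ap_pub": from_csp["ap_pub"],
             "sealed_attrs": from_csp["sealed_attrs"]}
    # 5. RP opens the envelope with its own private key.
    opened = seal(pow(to_rp["ap_pub"], rp_priv, P), to_rp["sealed_attrs"])
    return to_csp, to_rp, opened
```

The broker still knows which CSP and which RP took part in each transaction, which is exactly the residual linkability the “RP can’t know CSP” bullet and its softening caveat are about.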

  13. In Summary
  Rebooting and Reinvigorating Our Commitment to Identity and Access Management
  • We Are Not Special
  • We Need to Adopt Private Sector Identity Innovation
  • We All Need to Stop Talking Amongst Ourselves
  • RP’s and Users Rule
  • Be On The Lookout For Upcoming Public/Private Engagement Opportunities

  14. Contact Information
  United States Department of Commerce, National Institute of Standards and Technology
  Paul Grassi, CISSP, Senior Standards and Technology Advisor, NSTIC, Information Technology Laboratory
  1401 Constitution Ave. NW, Rm. 2069, Washington, DC 20230
  W: 202.482.8349 M: 703.786.8275 Email: paul.grassi@nist.gov
