Post on 08-May-2015
Criterion NSTIC Pilot Presentation Ping Cloud Identity Summit – July 9, 2013
David Coxe
Work described in this presentation was supported by the National Strategy for Trusted Identities in Cyberspace (NSTIC) National Program Office and the National Institute of Standards and Technology (NIST).
The views in this presentation do not necessarily reflect the official policies of the NIST or NSTIC, nor does mention by trade names, commercial practices, or organizations imply endorsement by the U.S. Government.
Agenda
• Overview
  – NSTIC AXN Pilots
  – AXN Business Model
  – Potential NSTIC Pilot Relying Parties (RPs)
  – Benefits to RPs
• AXN Services Framework
• Demonstration
• Pilot Schedule
• Lessons Learned
• Summary
© 2013 Criterion Systems, Inc. Proprietary and Confidential Page 2
Attribute Exchange Network
Criterion Systems, Inc. retains ownership of its proprietary information in this presentation.
NSTIC AXN Pilots

Pilot Program Outcome: Implement a user-centric online Identity Ecosystem and demonstrate an Attribute Exchange Trust Framework using the ID Dataweb (IDW) Attribute Exchange Network (AXN)

Project Approach:
• Demonstrate online attribute exchange operations and basic features of an attribute exchange trust framework
  – User, AP, IdP, and RP interfaces and process/data flows
  – Legal, policy, and technical interoperability, security, and scalability
  – Business and market monetization models
  – Assessor roles and processes

Project Objectives:
• Simplify AP, RP, and IdP participation, deploy new online services and demonstrate asset monetization via the IDW AXN platform using:
  – Real-time AP online verification services
  – Out-of-band verification services: SMS to device, device IDs, postal mail AP service (PIN code mail piece)
• Live user data from commercial and government RPs
• RP billing (monthly) and AP/IdP transaction/payment statements
• Commercial contracts and Terms of Service that transition pilots to commercial operations

NSTIC Pilot Use Case Scenarios:
• Basic Use Case scenarios will initially be limited to key identity attributes: Name, E-mail, Address, Telephone number (NEAT) and sending one-time passwords via SMS to a mobile device
• Increasingly complex and advanced Use Cases will include additional attributes, interoperability between an OpenID or SAML credential, CAC/PIV card credentials, and identity linkage to end-user devices
• For each RP Use Case: free market trial of verified attribute services for 180 days or 50,000 users, whichever occurs first
The AXN Business Model and Technical Infrastructure
• Aligns business objectives of the Identity Ecosystem participants
  – Overcome historical implementation barriers – everyone benefits
  – Expand RP participation to efficiently service and monetize existing markets
  – Create new business channels currently underserved by the Identity Ecosystem
• Enables a neutral Internet-scale credential and attribute monetization platform
  – Efficient, open, competitive transaction and contractual hub
  – Unencumbered by legacy business models, regulations, and technologies
  – Free to users, lowers RP costs, and new market potential for IdPs and APs
• Promotes user trust, online security, and privacy protective services
  – Designed to implement and positively transform the online identity ecosystem
AXN Business Model (Requirements and Solutions)
• Requirement: Affordable. Solution: AXN serves as a reseller in an open, competitive attribute exchange marketplace.
• Requirement: Neutral for User. Solution: Free to users; the RP pays for credential authentication and attribute verification services to support its risk mitigation (LOA) requirements.
• Requirement: Online attribute verification and claims management services. Solution: 75% of the market cannot be efficiently serviced by the large APs; the AXN creates a new AP sales channel and enhances online security.
• Requirement: Efficient online identity ecosystems. Solution: Contractual and transaction hub to enable the "Internet" effect; IdPs, RPs, APs, and the TFP increase revenue, reduce costs, and increase trust.
The First Year NSTIC Use Cases (by industry)
• Broadridge (Investor Communications): Use Case B to C. RP Service: Fluent, online application platform for investor communications
• General Electric (GE) (Multiple Market Verticals): Use Case B to C, B to B. RP Service: various service sector applications; corporate, partner and consumer account access
• DHS/FEMA (MIT Lincoln Labs) (First Responders): First Responder Use Case G to G, G to C. First USA Services RP Service: account creation and login for the First USA disaster response collaboration portal
• eBay (Retail): Use Case B to C, C to C. RP Service: retail seller and buyer account creation and login
(Pending Final Approval)
AXN Services Framework
IdP Services
• Credential: OpenID 2.0, SAML 2.0, IMI 1.0
• Protocol: OAuth 2.0, SAML 2.0, Other
• LOA: LOA 1-4
• Cert/TF: FICAM, OIX, Kantara, Other

AP Services
• Attributes: NEAT, SS, DOB, Gender, Corp
• Verification Quality: Refresh Rate, Coverage, Sources, Data Types
• Physical: Device ID, BIO, Card, Other
• Pricing: Per Transaction, Per User Per Year, Annual License
• Cert/TF: FICAM, OIX, Kantara, Other

RP Services
• Enroll: Business Purpose, Attribute Selection, Claims Refresh Rate, IdP & RP Selections, User Preferences, Contract
• LOA: LOA 1-4
• Admin: Logs, Reporting, Billing, Contract Management
• Cert/TF: FICAM, OIX, Kantara, Other

User Services
• Attributes: Not Stored In AXN, Self Asserted, Data Minimization
• PDS: PII, Preferences, ABAC, Encrypted, External Store
• MAX: User Only, Personal Control and Security, Acct Linking, Federated Access Via RP

Ecosystem participants (diagram): Trust Framework Provider (TFP), Identity Providers (IdP), Relying Parties (RP), Attribute Providers (AP), Assessors & Auditors, Dispute Resolvers, and the user, with the Attribute Exchange Network (AXN) acting as proxy between them.

AXN Services: Billing, Pricing and Analytics, Acct Management, Service Provisioning, Contracting, Policy Management, Marketing, Transaction Management, Registration, Operations and Security, Logs, Reporting, Administration, Audit, User Interface
AXN Identity Federation Services - My Attribute Exchange
1. Credential Federation
  • Verified attributes are used to create new or bind to existing user accounts
2. Personal Data Services (PDS)
  • User attribute data is not stored in the AXN
  • PDS data is presented via MAX to create and manage RP accounts
  • User-centric, privacy protective, secure, and federated
  • No cost to user
3. User Managed Admin (UMA) Console
  • Authenticated users have federated access at each RP
  • Created when a user first opts in to share their verified attribute claims via the AXN with an RP
  • Users can securely manage PDS attributes shared with an RP service accessed by an IdP credential
  • Enables user to link and unlink multiple IdP credentials
AXN Business Services
• Credential transaction management services
  – IdP authenticates user credentials as a service to RPs registered on the AXN
  – RP credential requirements for a given LOA (e.g., 1–4), type (e.g., SAML, OpenID, IMI), and trust framework certifications
• Personal (PII) attribute verification and claims management services
  – RPs designate which PII attributes they require from users
  – User-asserted, verified attributes and claims are shared with RPs with user permission
  – Device ID and biometric attributes are verified as required for RP authorization transactions
• Preference attribute management services
  – RPs can designate preferences to display for users when interacting with the RP service
• Attribute Based Access Control (ABAC) management services
  – RPs select authoritative role-based attributes for users to assert when accessing their service
• User Managed Access (UMA) attribute services
  – UMA services define how users (as resource owners) can control protected-resource access by requesting parties
AXN Technology Roadmap: Trust Elevation Services

Device Attribute Verification Services
• Mobile Device Verification Services
  – Users log in using a trusted mobile device registered and managed on the AXN via MAX
  – Secure device ID service ensures user RP accounts can only be accessed using a trusted device
• Computer Verification Services
  – Over 600 million computers with Trusted Platform Modules (TPMs) can be managed via the AXN
  – Windows 8 requires TPMs on a wide range of devices from desktops to smart phones

Biometric Attribute Verification Services
• Cloud-based Voice, Retinal, Photo and Fingerprint Verification Services
  – Daon, CGI, and others
• Integration with Authoritative AP Services
  – e.g., driver license attributes and photos

ABAC Services
• Fine-grained Policy Authorization Services
• UMA Services to Dynamically Control Access to RP Data and Services
AXN Privacy – By Design
• AXN legal agreements
  – Standardized agreements with regulatory flow-down terms from IdPs and APs
  – Limit PII collection to what is necessary to accomplish the specified purpose(s)
  – Accountability and audit to protect PII through appropriate safeguards
• AXN as a proxy: no single service provider can gain a complete picture of a user's activity
• The AXN data management design mitigates potential threats
  – Does not create a central data store of verified user attributes
  – Security and privacy enhancing technology is built into the AXN infrastructure
• Users opt in to each control process for collection, verification, and distribution of attributes
  – User Admin console for attribute and credential management
  – Only the minimum necessary information is shared in a transaction (FIPPs)
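The privacy properties listed on this slide and on the "AXN Identity Federation Services" slide (PDS data not stored in the AXN, per-RP opt-in through the user console, minimum necessary disclosure, the AXN acting as a proxy) can be checked mechanically on a small model. The following is an added example written for this page, not Criterion or ID Dataweb code; every name, record and value in it is hypothetical, and the AP is a constructed stand-in that compares attributes against an in-memory record.

```python
"""Constructed model of an AXN-style attribute exchange proxy.

Added example, not Criterion/ID Dataweb code. The RP registers a purpose and
attribute selection, the user opts in per RP (the "User Admin console"), the
broker forwards only consented attributes to an attribute provider (AP),
returns verification claims rather than raw values to the RP, and persists no
attribute values itself. All names, records and values are hypothetical.
"""
from dataclasses import dataclass, field


class ExchangeDenied(Exception):
    """An RP asked for more than it registered for or than the user allowed."""


@dataclass
class RelyingParty:
    rp_id: str
    purpose: str            # business purpose recorded at enrolment
    attributes: frozenset   # attribute selection recorded at enrolment


@dataclass
class AttributeProvider:
    """Hypothetical AP holding authoritative NEAT-style records."""
    records: dict
    seen: list = field(default_factory=list)   # attribute names shown to the AP

    def verify(self, attrs: dict) -> dict:
        self.seen.append(sorted(attrs))
        return {name: self.records.get(name) == value for name, value in attrs.items()}


class AttributeExchange:
    """The proxy: holds RP registrations, consents and outcomes, never values."""

    def __init__(self, ap: AttributeProvider):
        self.ap = ap
        self.rps = {}        # rp_id -> RelyingParty
        self.consent = {}    # (user_id, rp_id) -> set of consented attribute names
        self.log = []        # transaction log: attribute names and claims only

    def enroll_rp(self, rp: RelyingParty) -> None:
        self.rps[rp.rp_id] = rp

    def opt_in(self, user_id: str, rp_id: str, names) -> None:
        self.consent.setdefault((user_id, rp_id), set()).update(names)

    def opt_out(self, user_id: str, rp_id: str, names) -> None:
        self.consent.get((user_id, rp_id), set()).difference_update(names)

    def exchange(self, user_id: str, rp_id: str, requested, pds: dict) -> dict:
        """Verify `requested` attributes drawn from the user's external PDS."""
        rp = self.rps[rp_id]
        requested = set(requested)
        extra = requested - rp.attributes
        if extra:
            raise ExchangeDenied(f"{rp_id} is not registered for {sorted(extra)}")
        withheld = requested - self.consent.get((user_id, rp_id), set())
        if withheld:
            raise ExchangeDenied(f"{user_id} has not opted in to share {sorted(withheld)} with {rp_id}")
        # Data minimization: only requested-and-consented values leave the PDS,
        # and only the AP sees them; the RP receives claims, not values.
        results = self.ap.verify({name: pds[name] for name in requested})
        claims = {name: ("verified" if ok else "unverified") for name, ok in results.items()}
        # The AXN retains names and outcomes for billing/audit, not values.
        self.log.append({"user": user_id, "rp": rp_id, "claims": claims})
        return claims


def demo() -> dict:
    """Run a constructed exchange and report what each party ended up with."""
    ap = AttributeProvider(records={"name": "Alice Example", "email": "alice@example.test",
                                    "phone": "555-0100", "address": "1 Main St"})
    axn = AttributeExchange(ap)
    axn.enroll_rp(RelyingParty("rp-retail", "account creation",
                               frozenset({"name", "email", "phone"})))
    # The user's PDS lives outside the AXN; the phone number here is stale.
    pds = {"name": "Alice Example", "email": "alice@example.test",
           "phone": "555-0199", "address": "1 Main St"}
    axn.opt_in("alice", "rp-retail", ["name", "email", "phone"])
    claims = axn.exchange("alice", "rp-retail", ["name", "email", "phone"], pds)

    denied = {}
    try:   # address is outside the RP's registered attribute selection
        axn.exchange("alice", "rp-retail", ["address"], pds)
    except ExchangeDenied as err:
        denied["outside registration"] = str(err)
    axn.opt_out("alice", "rp-retail", ["phone"])   # user withdraws phone via the console
    try:
        axn.exchange("alice", "rp-retail", ["phone"], pds)
    except ExchangeDenied as err:
        denied["after opt-out"] = str(err)

    persisted = repr(axn.log) + repr(axn.consent) + repr(axn.rps)
    return {"claims": claims,
            "ap_saw": ap.seen,
            "denied": denied,
            "values_persisted_by_axn": any(v in persisted for v in pds.values())}


if __name__ == "__main__":
    print(demo())
```

The check worth keeping from this is the last line of `demo()`: after a full transaction, a denial and an opt-out, nothing the broker persisted contains an attribute value, and the AP's `seen` list shows it was only ever handed the attribute names the user had consented to for that RP.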
AXN Demonstration With Broadridge Fluent
12 | Copyright 2013
Broadridge Fluent (SM)
Fluent is a communications exchange that centrally manages communications across internal and external channels supporting customer choice.
Fluent:
• Enables new communication channels (approved by firm)
• Validates client identities across channels
• Captures preferences and consents on behalf of firm across channels
• Facilitates distribution of content across consumer channels
• Ensures security and regulatory compliance
• Provides insight into the effectiveness of communications
• Ensures comprehensive audit trail to measure compliance
(Diagram: Broadridge Fluent components Channel Mgmt, Preference, Identity and Insight delivering an "Innovative Consumer Experience" between the firm's web sites and apps (banking, brokerage, mortgage, credit cards) and consumer channels: e-mail, social, global digital mail, newsstands/tablets, and future channels.)
The Nature of Communications is rapidly evolving
• Firms continue to spend millions of dollars to migrate customers to e-delivery; these efforts have leveled out below initial expectations
  – All industries: 14% of transactional documents suppressed
  – With the exception of retail banking, limited adoption of firm web sites (Brokerage, Mortgage, Credit Cards, …)
  – A poor client experience has been the primary obstacle
• Meanwhile the web has migrated from a B to C experience to a C to B experience, with new channels emerging daily
• Opportunity costs within financial services alone approach $20 billion annually
2012-2014 Attribute Exchange Pilots

Pilot Project Life Cycle: 1. Assess; 2. Proof of Concept (POC); 3. Basic Operations; 4. Advanced; 5. On Going Operations. Evaluate: incorporate lessons learned and repeat WBS element 1.0 (Assess) for subsequent Use Case implementations.

Relying Party Use-Case by Task/Month (chart covering Oct-12 through Sep-14: Project Launch, Year 1 Pilot Project Operations, Year 2 Pilot Project Operations; a marker line reflects May 1). Each use case moves through the life-cycle phases above (Assess, POC, Basic Operations, Advanced) and then "Graduates" to operation; Operation = Production ready.
• Use-Case RP#1 (Broadridge): 10,000 user verifications per month for five months
• Use-Case RP#2 (eBay): Assess, then 10,000 user verifications per month for five months
• Use-Case RP#3 (DHS/MIT): 10,000 user verifications per month for five months
• Use-Case RP#4 (GE): POC, then 10,000 user verifications per month for five months
• Use-Cases RP#5 through RP#8: Assess, POC, then 10,000 user verifications per month for five months each
Total Verified Users by month: none through May-13; Jun-13 20,000; Jul-13 40,000; Aug-13 40,000; Sep-13 50,000; Oct-13 50,000; Nov-13 40,000; Dec-13 20,000; Jan-14 30,000; Feb-14 20,000; Mar-14 30,000; Apr-14 20,000; May-14 20,000; Jun-14 10,000; Jul-14 10,000; total 400,000.
Lessons Learned
• RPs are the customer, and will drive market requirements, adoption, and policy controls.
• Emerging Trust Frameworks are being driven by Communities of Interest (COI) who seek market operational efficiencies through business, legal, technical and policy interoperability.
• Credential federation requires policy changes to enable significant security, user experience (SSO and account creation), and business benefits.
• Current IdP and RP business practices do not always conform to FIPPs, and need to be managed.
• A rigorous Privacy Evaluation Methodology (PEM) implementation resulted in significant benefits
  – AXN technical and architectural enhancements
  – Privacy protective enhancements as core messaging in AXN marketing strategy
• RP risk mitigation strategies (for a required LOA) lack consistency
  – Emerging user-centric trust elevation technologies are scalable, cost effective and interoperable.
  – Trust Marks could be used to objectively promote confidence in various combinations of authentication methods, verified user attributes, and attribute claims from device identities, biometric technologies, etc.
  – It would be helpful to map these risk mitigation methods to NIST SP 800-63.
Summary
• 2013 - 2014 AX initiatives will define how to…
  – Protect and extend customer relationships online
  – Increase revenue with existing service infrastructure through new online channels
  – Manage organizational risks with cost effective solutions
  – Reduce online fraud and identity theft while enhancing brand
  – Improve User online experience, increase User trust and transaction volumes, and reduce related costs
• Neutral market platform for the emerging identity ecosystem
• Online attribute monetization platform – unencumbered by legacy business models, regulations and technologies