NSTIC – An Overview · White House made securing online transactions a National priority through...
NSTIC – An Overview Tackling the virtual identity problem space
Copyright © 2010 Smart Card Alliance, Inc. All rights reserved.
Agenda
Today’s problem of virtual world identity auth.
NSTIC’s Initiative & Ownership
Strategy Development
Public Comment Periods
• Strategy comment initiative on the Web
• Department of Commerce – DOC NOI
Presidential Strategy
Implementation plan
Today’s problem of online authentication
Limited to one factor – name & password
• Keyboard logger and man-in-the-middle attacks
Insecure entry of credit card information
• Weak trust for online transactions and many breaches
Relies on the individual to present their information
• Identity and account theft vulnerabilities
Not enabling growth of ecommerce or egov
Efforts to lobby the administration regarding a national identity strategy (Identity Crisis)
Cyber Space Policy Review undertaken by the President
NSTIC initiative & ownership
Owned within the White House at policy level: National Security Staff – Cybersecurity
DHS taking the leading role in strategy formulation
• Interagency involvement
• Privacy Office involvement
Department of Commerce a major stakeholder
Reached out to several companies and organizations to participate in March 2010
Problem Statement (White House)
Nationwide losses from identity theft measured in the billions of dollars; multiple unauthorized intrusions into our critical infrastructure
- Losses and intrusions tied to a lack of security around online transactions
White House made securing online transactions a national priority through the President’s Cyberspace Policy Review
- Includes securing transactions for both public and private sector entities
DHS is leading an inter-agency effort to formulate a National Strategy for Secure Online Transactions (N.B. renamed to NSTIC later)
- Stakeholders from a variety of industries are being involved to ensure that the strategy accounts for the larger online community
Project Purpose (White House)
The National Strategy for Secure Online Transactions is intended to do the following:
- Foster the creation and adoption of federated identity frameworks that use a variety of authentication methods
- Encourage the use of authentication methods with well-understood security, privacy, usability, and cost characteristics
- Encourage the use of authentication methods resistant to known and projected threats
- Provide a general trust model for making trust-based authentication decisions between two or more parties
Strategy applies to government-to-citizen, consumer-to-business, business-to-business, and other transactions
To improve the trustworthiness and security of online transactions by facilitating the implementation of improved authentication technology and processes for government and private sector entities.
Key Concepts (White House)
The National Strategy will address critical components such as:
- Encouraging the emergence of a ubiquitous federation of identity systems
- Joint ownership and operational responsibility by both public and private sector entities
- Identity services tailored to the requirements of the application domain (e.g., healthcare, tax, online banking, energy utilities, etc.)
- Authentication of individuals that occurs at several authentication assurance levels, commensurate with the level of risk associated with the transaction
- Governance processes structured in accordance with applicable laws and regulations
- Use of open standards, wherever possible
- Consistency with the Fair Information Practice Principles (FIPP) to protect individual privacy
Overall Approach (White House)
[Flow chart: Initial Development → Finalization and Delivery; driven by Cyber Policy Review: Mid Term Action Plan #13]
Phases: Development of Initial Draft → Initial Comment Period → Revise Draft → Inter-Agency Review → Public Engagement Strategy and Comment (Federal Register Notice) → Dep. Sec Community Outreach → Additional Stakeholder Outreach → Refine and Finalize → President Signature and White House Release
Activities: Gather stakeholder requirements; Collect input; Analysis & Draft Development; Stakeholders & Outline Finalized; Initial Draft; Socialize Initial Draft; Stakeholder Collaboration; 15 Day Inter-Agency Review; Collect Comments; Parse Stakeholder Comments; Comment Matrix; 30 Day Public Review; Issue White Glove Version; Final Review; Final Draft; Finalize Strategy; Finalize Media Stakeholder Outreach; Paper Complete – POTUS Ready
Continuous Stakeholder Outreach and Communications
Strategy Development
March 2010 – Draft issued from White House to stakeholders
• 2 weeks to respond with comments
• 2 weeks to digest and re-issue new draft
• Several cycles
June 25th 2010 – NSTIC public draft published
• Public comment period using a web tool allowing comments and voting on comments
Public comments digested into Strategy
Public comment periods
NSTIC public comment period on the Web from June 26th (www.nstic.ideascale.com)
• 557 comments posted. Many votes.
• SCA membership call to action. SCA & Identity Council members provided comments and voting along with many other people.
• SCA comment: ranked #4 with 49 in agreement – need for strong 2FA authentication
Department of Commerce NOI released July 28th, 2010; comments had to be submitted by September 20th, 2010
• Asked many questions on several topics.
• SCA submitted comments on the Authentication/Identity Management and Product Assurance sections.
Presidential Strategy
NSTIC Strategy will be signed by the President once finalized.
Once signed it will be published, perhaps in October (National Cybersecurity Awareness Month)
Is only a strategy…but it’s a *very significant* start on the road to securing and trusting identity and transactions in cyberspace.
NSTIC Implementation plan
Implementation plan needed
Standards, certifications, definitions needed for interoperability
• How many assurance levels? (OMB 04-04 has 4…)
• Federated trust framework to be built
• Identity brokers to be created and certified
• Legal issues to be addressed (liability)
• Enrolment and credentialing challenges of users
Mechanisms for encouraging adoption needed
• Grants, funding, legislation etc.
Public/private partnership needed to define the federated model, its components, and make it work.
Summary
NSTIC is a major initiative to tackle the cyberspace identity problem and to define assurance practices for enabling authentication and trust.
It allows for anonymity and variation up to fully identified and authenticated.
It will require strong standards and certifications to be interoperable and gain usage and acceptance.
It requires government adoption and provides private sector opportunities.
Sets a framework for online authentication and grows online commerce.
So how many cyberspace personae may you need?
• One (or more) for your given name and coordinates in society
• One (or more) for your professional career
• One (or more) for your social networking presence
• One (or more) for your blogging activities
• One (or more) for your on-line shopping needs
• One (or more) for your personal interests ;-)
• The list goes on…
NSTIC strategy caters for all of the above. Identity Brokers may offer a bundle of personae per individual. How many Identity Brokers would you use?
Two factor authentication for higher levels of assurance!
Thank you
Neville Pattinson CISSP CIPP CSCIP Smart Card Alliance Chairman; Identity Council Chairman SVP Government Business, Gemalto Inc.
[email protected] Phone +1 512 257 3982
NSTIC: Enabling Secure Online
Transactions
A National Identity Crisis
Citizens today have the following documents to assert their identity in person:
• Driving License or State-issued ID
• US Passport
• Military ID (CAC)
• Government ID (PIV)
• Birth Certificate
• Social Security Number
• Credit Cards (maybe)
• etc.
None of these work effectively online in the cyberspace / online commercial environment
Real World versus Cyberspace
In the real world we can be present and provide a physical document for asserting our identity: “Government issued photo ID”
In the virtual world, or cyberspace, we are very limited
• Always filling in forms to sign up to online services: names, addresses, phone numbers, mother’s maiden names etc.
• Possibly requiring SSNs
• Possibly requiring credit card information
• Onus put on the provider to verify and authenticate the applicant
• Data breaches compromising personal identity information
Mag Stripe rules
Financial transactions are dominated by mag stripe cards
• Fall back to zip-zap embossed numbers or reading numbers
• Recent contactless payment (mag stripe emulation)
Online we enter card number, name, expiry date
• Associated with a loose user ‘account’ after enrolment
• CCV introduced for card-not-present transactions
• PayPal niche for payment disclosure & identity protection
No Chip and PIN (EMV) in the US today
• UNFCU issuing to US travelers
What is used for an online financial transaction today?
Understanding of who is transacting (identity/address) and with what
Assurance that the merchant will get paid; assurance that the transaction is not fraudulent
Merchant bears the cost if it is fraudulent
Today every financial transaction is verified online back to the financial systems
SSL (maybe) – transport layer only
Fraud still evident and growing rapidly. Cards easily cloned. Card-not-present a major vulnerability.
What is needed for a secure online financial transaction?
Identity assurance for account enrolment
• Merchant’s risk policy determines whether it needs to know the identity or just a persona
Two factor authentication into the account – lowest risk to the merchant
End-to-end encryption (card to merchant)
• EMV (Chip and PIN)
• OTP (one time password)
A payment card with online security and identity capabilities?
Persona integrity versus Risk
A weakly authenticated persona increases the risk to transaction integrity, therefore limit it to low-value transactional data exchanges (non-financial).
A strongly authenticated persona reduces the risk to transaction integrity, therefore enabling high-value transactional exchanges (financial, legal, confidential data etc.).
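The persona-versus-risk idea on this slide, together with the "assurance levels commensurate with risk" key concept and the four OMB 04-04 levels mentioned under the implementation plan, as an added example that is not code from the presentation: a minimal risk-based authorization policy. The four levels mirror the four-level scale the deck cites; the factor-to-level mapping, the transaction kinds and the dollar thresholds are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple

class Level(IntEnum):
    """Four assurance levels, mirroring the four-level scale of OMB 04-04 cited in the deck."""
    L1 = 1  # little or no confidence in the asserted identity
    L2 = 2  # some confidence
    L3 = 3  # high confidence
    L4 = 4  # very high confidence

@dataclass(frozen=True)
class Persona:
    label: str              # e.g. "blogging" or "banking"; one person may hold several
    factors: int            # authentication factors presented; 1 = name & password only
    identity_proofed: bool  # was a real-world identity verified at enrolment?

@dataclass(frozen=True)
class Transaction:
    kind: str               # "non-financial", "personal-data", "financial", "legal"
    value_usd: float = 0.0

def persona_level(p: Persona) -> Level:
    # Assumed mapping: a single factor never exceeds L2; two factors are needed for L3/L4.
    if p.factors < 2:
        return Level.L2 if p.identity_proofed else Level.L1
    return Level.L4 if p.identity_proofed else Level.L3

def required_level(t: Transaction) -> Level:
    # Assumed merchant risk policy: the required level rises with transaction risk.
    if t.kind == "non-financial":
        return Level.L1
    if t.kind == "personal-data":
        return Level.L2
    if t.kind == "financial":
        return Level.L3 if t.value_usd < 1000 else Level.L4
    return Level.L4  # legal and confidential-data exchanges

def authorize(p: Persona, t: Transaction) -> Tuple[bool, str]:
    """Return (decision, reason); the reason names what the persona would need to step up."""
    have, need = persona_level(p), required_level(t)
    if have >= need:
        return True, f"{p.label}: L{have.value} meets L{need.value} for {t.kind}"
    if p.factors < 2 and need >= Level.L3:
        return False, f"{p.label}: L{have.value} < L{need.value}; second authentication factor required"
    return False, f"{p.label}: L{have.value} < L{need.value}; identity proofing at enrolment required"
```

A password-only blogging persona is enough for a low-value data exchange but is refused for any financial transaction with a reason that points at the missing second factor, while a two-factor but unproofed shopping persona is accepted below the high-value threshold and refused above it.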
Summary
NSTIC has great value in making a strong foundation for securing online transactions
Two factor Authentication is essential for higher levels of transaction assurance
Identity Brokers need to:
• Accept existing smart ID cards
• Be able to issue new smart ID cards containing multiple personae
Federated community must become pervasive
When will N-STIC stick?
• How long to become pervasive?
• How will you get your NSTIC personae?
• Who will ‘police’ the federation?
Compelling applications will drive adoption
NSTIC likely to be measured in Years
Thank you
Neville Pattinson CISSP CIPP CSCIP Smart Card Alliance Chairman; Identity Council Chairman SVP Government Business, Gemalto Inc.
[email protected] Phone +1 512 257 3982