Trusted Identities in Cyberspace: Why a New National Strategy is a Good Idea
Back on April 15, the Obama Administration released the National Strategy for Trusted Identities in Cyberspace (NSTIC). Unfortunately, most of the “outside the beltway” crowd, state and local government officials and citizens around the country paid minimal attention. The entire document is definitely worth reading, and I urge readers of this blog to take at least a few minutes and look through the executive summary.
My response to the lack of nationwide buzz: Too bad, because this plan (and improving the digital identity ecosystem) is critically important, whether the public understands it (yet) or not. Allow me to explain why.
But first, I must admit that our brief world history on this digital identity topic is not a pretty tale. Back in the late 90s, everyone was talking about the need for “Single Sign-on (SSO).” Early solutions came out, such as Microsoft’s Passport, which even worked with other services such as AOL, but critics were plentiful and it didn’t catch on as expected. Meanwhile, Microsoft Passport’s competitors, who called themselves the Liberty Alliance, failed to accomplish much more. And yet, the stage was set for further innovation regarding identities in cyberspace.
After becoming frustrated with early SSO implementations, many enterprises moved on to rename projects and reset expectations to “Reduced Sign-on” with newer products that seemed more realistic (cheaper/faster) to implement. From there, we’ve watched new concepts be introduced such as enterprise ID management, provisioning profiles, Enterprise authentication and other terms.
Yes, I know that these components mean different things, but that is part of our industry problem when trying to explain trusted identity solutions to the non-technical world. We struggle with implementing: “Who are you and what are you allowed to do” in the multi-vendor world of cyberspace.
Now we have a new term to incorporate: “Identity ecosystem.” I really like the concept, because doing nothing is not an alternative which will improve things. Nevertheless, some critics are saying this is a bad idea or another new ID rabbit trail.
I recently decided to do my own (unscientific) survey on the topic. Because we (the computer industry) have “failed” regarding meaningful reductions in the number of digital identities for more than a decade, most of my (real-world) friends and relatives (when asked) were skeptical that this new plan will achieve anything like a single sign-on in their personal (online) lives. However, they still liked the concept. (One thought “ecosystem” brought visions of wetlands.)
No doubt, the simplest questions from family members are usually the toughest to answer. “Will Apple ever trust Google – much less Facebook? How will this work between Gmail, my new iPad, my online bank account and Facebook? Will it be easier for the bad guys to get my centralized data? Does the nation really need another new strategy?”
I stumbled: “Well, um, you see that’s too many specifics for a strategic plan. And, it’s a federated model, that … relies on … trust. And, yes, this plan is different, because … the stakes are higher…, and ….” (Not a very convincing story, Dad – as they walk away.)
No doubt, there is an uphill battle for “grass-roots outrage” on this digital ID issue and/or essential media coverage. The public loves new cool gadgets – even if they seem to break de facto industry standards. Meanwhile, although geeks can get just about anything to work with anything else, the consumerization of IT seems to be fighting single sign-on.
A Google search for “iPad launch” yields about 45.4 million page views; whereas googling “National Strategy for Trusted Identities in Cyberspace” yields about 102K page views. I hope these search results change, but we’ll need better marketing labels to make it happen.
Still, there are many hopeful signs that this plan will lead to meaningful action. A website has been established to foster industry dialog on the NSTIC (visit http://www.nstic.us/). I encourage participation in the discussion. One article summarized a 40-page analysis of NSTIC from Aaron Titus, the founder of the privacy group Identity Finder. Here’s an excerpt:
“Through extensive analysis, Identity Finder has found that to successfully implement its visions of privacy, security, and secure identities, NSTIC must call for regulation that will:
- Hold all Identity Ecosystem Participants to legal and technical standards which implement Fair Information Practice Principles (FIPPs) and baseline privacy and security protocols.
- Create incentives for businesses to not commoditize human identity.
- Compensate for an individual’s unequal bargaining power when establishing privacy policies.
- Subject Identity Providers to similar requirements to the Fair Credit Reporting Act.
- Train individuals on how to properly safeguard their Identity Medium to avoid identity theft.
- Ensure that consumers and advocates have a meaningful voice in the development of NSTIC policy.
If implemented improperly, an unregulated Identity Ecosystem could have a devastating impact on individual privacy. If NSTIC fails to implement the necessary regulations, the resulting Identity Ecosystem could turn into a free-for-all Identity Marketplace, and create the following risks:
- Powerful identity credentials which, if lost or stolen, will enable hyper-identity theft
- A false sense of control, privacy, and security among users
- New ways to covertly collect users’ personal information
- New markets in which to commoditize human identity
- Few consumer protections against abuse or sharing personal information with third parties
- No default legal recourse against participants who abuse personal information without consent”
The plan itself is impressive, with fairly wide backing. Coverage from technology magazines and federal government watchers has been generally positive. An eWeek article said this:
“The technologies described in NSTIC would allow online users to stop using unique passwords on each site and instead use a set of credentials that are accepted by multiple sites. The goal is to not have just one trusted identity technology or provider, but to have several and let users choose which ones to use….
The fact is that the old password and username combination we often use to verify people is no longer good enough,” Commerce Secretary Gary Locke said at the event. The current system leaves “too many consumers, government agencies and businesses vulnerable to identity thieves and criminals intent on stealing information,” Locke said.
The identity ecosystem would revolve around credentials stored outside of the actual Website, application or service, and would eliminate the need for unique passwords, Locke said.”
The sad truth is that we are not much further along today than we were a decade ago in this digital identity area. Some people say we are actually in worse shape online for a variety of reasons. While there are ample ways to implement federated identity management systems today that work across businesses and governments, far too few people use these systems effectively or at home. In addition, new hot products and services are coming online all the time that seem to start over again regarding the collection of personal identity information or keep credentials inside their proprietary solutions.
So that’s why I join others in supporting this new National Strategy for Trusted Identities in Cyberspace. This issue is even more critical today than it was a dozen years ago when we first started implementing enterprise-wide single sign-on projects in Michigan.
I truly hope things are substantially better online a decade from now. I am passionate about helping end users and families build more integrity into their interactions in cyberspace. In fact, I’m hoping to see an Internet where individuals are enabled to “surf your values” in new ways. To do that, we need more online trust – and trusted identities.
Yes, we need this strategy to work.
What are your thoughts on NSTIC?