CyberEye

By Patrick Marshall

Blog archive
Progress toward an identity ecosystem

Progress toward an identity ecosystem

First, a bit of good news.

The National Institute of Standards and Technology met its March 16 deadline to produce baseline requirements for its Identity Ecosystem Framework (IDEF), the bedrock document aimed at revving up a move to more secure credentials that are interoperable across the Internet and a big advance toward the holy grail of a single, Internetwide sign-on for individuals.

The first version of the IDEF will be launched sometime this summer. By defining the overall set of interoperability standards, risk models, privacy and liability policies needed to fully describe an identity-based ecosystem, both government and private organizations will be able to see how their identity efforts match up to the IDEF requirements.

The IDEF springs from the Obama administration's National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, which was launched in 2011. The intent was for the government, through NIST, to bring together the private sector, advocacy groups and government agencies to create an environment that replaces the current one, which uses many different kinds of authentication to access online services,

NIST has a rundown of the kinds of things such an identity ecosystem can be used for, and it does seem enticing when compared to today’s authentication systems. The IDEF by itself won't be enough, of course, because such an ecosystem depends on a broad level of trust among parties, and that will be a huge nut to crack.

But identity is increasingly the focus for future security platforms because, as has become obvious over the past couple of years, traditional network, data and systems protection techniques are of limited use against the focused efforts of today's more sophisticated cyber criminals. Beyond security, a strong identity solution will also act as an enabler, according to Jeremy Grant, the head of the NSTIC initiative.

“If we have easy-to-use identity solutions that enable secure and privacy-enhancing transactions, we can enable citizens to engage with government in more meaningful ways,” he wrote. “With a vibrant identity ecosystem – where citizens can use the same credential to access services at multiple sites – we can enable a wide array of new citizen-facing digital services while reducing costs and hassles for individuals and government agencies alike.”

That the trust needed to build that ecosystem should be at the top of the list of requirements is made clearer by a report from the Ponemon Institute, which looked at the use of security certificates and cryptographic keys around the world and found rampant abuse.

The survey, with over 2,300 security professionals responding, found that 58 percent of them believed their organizations needed to do better in securing certificates and keys in order to stop man-in-the-middle attacks. Over half of them didn't even know where all of their certificates and keys were located.

Over the last two years, the number of keys and certificates deployed on web servers, network appliances and cloud services grew to almost 24,000 per enterprise, the survey found. The major fears respondents listed were of a “cryptopocalypse” and misuse of mobile certificates. All of this could cost organizations at least $53 million over the next couple of years, Ponemon concluded, up 51 percent from 2013.

NIST has already funded four rounds of pilot programs aimed at developing the technologies needed for the identity ecosystem, for a total so far of around $30 million. The intent, according to Grant, is that by 2019 consumers “will think it's quaint” when online service providers ask them to create a new account, and that the NSTIC program office will have become “a blessed memory.”

Posted by Brian Robinson on Mar 27, 2015 at 1:32 PM


Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.