By Patrick Marshall

Blog archive
Cyber notes: Progress on identity ecosystem, Android trust and another email vulnerability

Cyber notes: Progress on ID ecosystem, Android trust and another email vulnerability

A public-private working group that has been quietly beavering away for the past few years has finally come out with the first version of an Identity Ecosystem Framework (IDEF).  This  baseline set of standards and policies could finally do away with passwords — the bane of most security systems — and enable better and more secure online transactions.

It’s the first step towards what the four-year old National Strategy for Trusted Identities in Cyberspace envisions as an “identity ecosystem” that uses seamlessly interoperable technology, processes and policies to support a broad range of low- to high-value transactions -- from those that are anonymous all the way to those that are fully authenticated.

At least, that’s the plan. In between now and then comes a range of other steps that must be completed. IDEFv1 is the foundation for the Self Assessment Listing Service (SALS), for example, through which businesses and organizations that sign on to the IDEF basics can report on how well they are conforming to the NSTIC guiding principles for identity solutions that will work in the ID ecosystem.

SALS, gratifyingly, will be available as just a single website and has been developed in parallel with the IDEF work. Assuming everything comes together in good order, it’s slated to go online in January.

Other elements could be tougher to pull together. A key to the success of the NSTIC ecosystem will be the development of various trust networks, each of which will be based on the policies and standards needed for specific communities, such as the financial and healthcare industries. Others could be for the identification of smartcards used for both physical and logical access, another for mobile phone providers and so on.

Each of these trust networks will be supported by one or more private-sector accreditation authorities that will validate identity providers and other parties as meeting all of the policies and standards of a particular trust framework. Those that are validated may be issued a trustmark so that their users will know they meet the requirements of a particular trust framework and the criteria of the overarching IDEF.

Presumably, that could lead to significant cross fertilization. Products and solutions that meet the mobile phone trust requirements, for example, would also have the basics to operate within a healthcare trust framework.

If everything intended for the identity ecosystem comes together — still a big if, with so many different interests to be satisfied — it would go a long way to doing away with the current miasma of unsatisfactory security and trust schemes. That lack of unity is behind many of the vulnerabilities that bad guys now exploit.

Speaking of trust...

There’s been much speculation in the past few months about various vulnerabilities in Android phones that reflect a worsening environment for users of these devices. Now, a paper from the University of Cambridge warns that, on average over the past four years, some 87 percent of Android devices have been open to attack by malicious apps.

The study used data from over 20,000 different devices, from which the researchers concluded that the vulnerabilities occurred because device manufacturers haven’t provided regular, frequent security updates.

This isn’t a new problem, and some companies, particularly Google and Samsung, have committed to regular monthly updates. Of course, the other end of the problem is that users must actually apply those updates, if the phones don’t automatically do that.

Nevertheless, the Cambridge researchers point out, even though Google has done a good job in mitigating many of the risks, it can only do so much. Devices require updates from manufacturers, they say, “and the majority of (Android) devices aren’t getting them.”

Do you use email as a file system?

Illegalities and potential harm to the side, the fact that CIA director John Brennan and DHS Secretary Jeh Johnson — the heads of agencies that are central to U.S. security — can have their private email accounts cracked by a high schooler using fairly basic hacking techniques is cause for some snide giggles.

Not so funny, however, is something one commentator brought up:  many of us seem to use email as an extensive storage system. According to this 20-year tech veteran, Bob Covello, too many people use email as a primary file system for important documents, which offers a very tempting “one-stop shop” for those who want personal information.

After I read this I did a quick survey of my own email. Nothing in it gets remotely to the level of the stuff Brennan and Johnson may have in their inboxes, but there’s enough of consequence that it could prove embarrassing. More embarrassing is the fact I apparently haven’t cleaned out my email in several years.

Novello thinks using a cloud-based storage system for these documents would eliminate many of the concerns with accessibility and redundancy that now exist with email filing systems. Just don’t forget the two-factor authentication logon for that.

All very good advice. But wait a minute -- I see I’ve got emails coming in I’ve got to go handle...

Posted by Brian Robinson on Oct 23, 2015 at 9:37 AM


  • FCW Perspectives
    tech process (pkproject/

    Understanding the obstacles to automation

    As RPA moves from buzzword to practical applications, agency leaders say it’s forcing broader discussions about business operations

  • Federal 100 Awards
    Federal 100 logo

    Fed 100 nominations are now open

    Help us identify this year's outstanding individuals in federal IT.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.