Progress toward an identity ecosystem
Connecting state and local government leaders
Identity must be the foundation for future security platforms because traditional network, data and systems protections are of limited use against today's sophisticated cyber criminals.
First, a bit of good news.
The National Institute of Standards and Technology met its March 16 deadline to produce baseline requirements for its Identity Ecosystem Framework (IDEF), the bedrock document aimed at revving up a move to more secure credentials that are interoperable across the Internet and a big advance toward the holy grail of a single, Internetwide sign-on for individuals.
The first version of the IDEF will be launched sometime this summer. By defining the overall set of interoperability standards, risk models, privacy and liability policies needed to fully describe an identity-based ecosystem, both government and private organizations will be able to see how their identity efforts match up to the IDEF requirements.
The IDEF springs from the Obama administration's National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, which was launched in 2011. The intent was for the government, through NIST, to bring together the private sector, advocacy groups and government agencies to create an environment that replaces the current one, which uses many different kinds of authentication to access online services,
NIST has a rundown of the kinds of things such an identity ecosystem can be used for, and it does seem enticing when compared to today’s authentication systems. The IDEF by itself won't be enough, of course, because such an ecosystem depends on a broad level of trust among parties, and that will be a huge nut to crack.
But identity is increasingly the focus for future security platforms because, as has become obvious over the past couple of years, traditional network, data and systems protection techniques are of limited use against the focused efforts of today's more sophisticated cyber criminals. Beyond security, a strong identity solution will also act as an enabler, according to Jeremy Grant, the head of the NSTIC initiative.
“If we have easy-to-use identity solutions that enable secure and privacy-enhancing transactions, we can enable citizens to engage with government in more meaningful ways,” he wrote. “With a vibrant identity ecosystem – where citizens can use the same credential to access services at multiple sites – we can enable a wide array of new citizen-facing digital services while reducing costs and hassles for individuals and government agencies alike.”
That the trust needed to build that ecosystem should be at the top of the list of requirements is made clearer by a report from the Ponemon Institute, which looked at the use of security certificates and cryptographic keys around the world and found rampant abuse.
The survey, with over 2,300 security professionals responding, found that 58 percent of them believed their organizations needed to do better in securing certificates and keys in order to stop man-in-the-middle attacks. Over half of them didn't even know where all of their certificates and keys were located.
Over the last two years, the number of keys and certificates deployed on web servers, network appliances and cloud services grew to almost 24,000 per enterprise, the survey found. The major fears respondents listed were of a “cryptopocalypse” and misuse of mobile certificates. All of this could cost organizations at least $53 million over the next couple of years, Ponemon concluded, up 51 percent from 2013.
NIST has already funded four rounds of pilot programs aimed at developing the technologies needed for the identity ecosystem, for a total so far of around $30 million. The intent, according to Grant, is that by 2019 consumers “will think it's quaint” when online service providers ask them to create a new account, and that the NSTIC program office will have become “a blessed memory.”
NEXT STORY: Online voting still faces security issues