6/28/2010
06:26 PM

White House Cybersecurity Czar Unveils National Strategy For Trusted Online Identity

Devil's in the details for Obama administration's draft plan for eliminating passwords and advancing authentication, security experts say

The White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password model and lay the groundwork for a nationwide federated identity infrastructure.

Howard Schmidt, cybersecurity coordinator and special assistant to the president, unveiled the administration's strategy for what he called an identity "ecosystem" for users and organizations to conduct online transactions securely and privately such that identities of all parties are trusted.

"For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)," Schmidt blogged late last week.

The White House won't issue a controversial national identity card for online authentication, however, according to the new National Strategy for Trusted Identities in Cyberspace (NSTIC) draft paper, which is open for public comment and input until July 19.

Schmidt said the identity ecosystem or framework would be user-centric: "That means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so," Schmidt blogged.

The paper, a product of the White House's cybersecurity policy review last year, was created with input from government agencies, business leaders, and privacy advocates. Among other things, it calls for designating a federal agency to lead the public-private sector efforts to implement the blueprint, and for the federal government to lead the way in the adoption of secure digital identities.

"This Strategy is a call to action that begins with the Federal Government continuing its role as a primary enabler, first adopter and key supporter of the envisioned Identity Ecosystem. The Federal Government must continually collaborate with the private sector, state, local, tribal, and international governments and provide the leadership and incentives necessary to make the Identity Ecosystem a reality. The private sector in turn is crucial to the execution of this Strategy," the NSTIC said. "Individuals will realize the benefits associated with the Identity Ecosystem through the conduct of their daily online transactions in cyberspace. National success will require a concerted effort from all parties, as well as joint ownership and accountability for the activities identified."

The concept of a federated identity system is nothing new, however. There's the Open Group's Identity Management Forum standards for identity management and federation; OpenID, which is backed by Microsoft, IBM, VeriSign, Google, Yahoo, Facebook, and PayPal, for instance; as well as Microsoft's U-Prove software, which deploys minimal-disclosure tokens that let a user specify exactly which information he will disclose to each website he visits, eliminating privacy risks associated with unnecessary disclosure of personal information. Microsoft also has been talking up its vision of an "end to end trust" model on the Internet.
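The minimal-disclosure idea described above (a user proving only the attributes a site actually needs, with the issuer's endorsement still verifiable) can be shown with a small commitment-based credential. This is an added illustration written for this article, not code from Microsoft, U-Prove, or any of the projects named here, and it is deliberately simpler than U-Prove: the issuer's public-key signature is stood in for by an HMAC under a constructed `ISSUER_KEY` so the example runs on the standard library alone, and the claim values are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed placeholder: in a real deployment the issuer signs with a private key
# and verifiers hold only the public key. HMAC is used here so the example is stdlib-only.
ISSUER_KEY = b"constructed-issuer-key-for-illustration-only"


def commit(claim_name: str, claim_value: str, salt: bytes) -> str:
    """Hide one claim behind a salted hash. The per-claim salt stops a verifier from
    brute-forcing low-entropy hidden claims (a ZIP code, a yes/no flag) from the hash."""
    return hashlib.sha256(salt + claim_name.encode() + b"=" + claim_value.encode()).hexdigest()


def issue_token(claims: dict, key: bytes = ISSUER_KEY):
    """Issuer step: commit to every claim and authenticate the whole set of commitments.
    Returns the token (what the user will later hand to sites) and the salts,
    which the user keeps private alongside the plaintext claim values."""
    salts = {name: secrets.token_bytes(16) for name in claims}
    commitments = {name: commit(name, claims[name], salts[name]) for name in claims}
    payload = json.dumps(commitments, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"commitments": commitments, "tag": tag}, salts


def present(token: dict, claims: dict, salts: dict, reveal: list) -> dict:
    """User step: open only the claims listed in `reveal`; everything else stays hidden."""
    disclosed = {
        name: {"value": claims[name], "salt": salts[name].hex()}
        for name in reveal
    }
    return {"token": token, "disclosed": disclosed}


def verify_presentation(presentation: dict, key: bytes = ISSUER_KEY):
    """Verifier step: check the issuer's endorsement of the commitment set, then check that
    each opened claim really matches its commitment. Returns the verified claims, or None."""
    token = presentation["token"]
    payload = json.dumps(token["commitments"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return None  # commitment set was not issued (or was altered after issuance)

    verified = {}
    for name, opening in presentation["disclosed"].items():
        if name not in token["commitments"]:
            return None  # user tried to add a claim the issuer never vouched for
        recomputed = commit(name, opening["value"], bytes.fromhex(opening["salt"]))
        if not hmac.compare_digest(recomputed, token["commitments"][name]):
            return None  # opened value does not match what the issuer committed to
        verified[name] = opening["value"]
    return verified


def demo():
    """Constructed sample: a bank only needs to know the user is over 21."""
    claims = {"name": "Alice Example", "over_21": "true", "zip": "00000"}
    token, salts = issue_token(claims)
    presentation = present(token, claims, salts, reveal=["over_21"])
    return verify_presentation(presentation)


if __name__ == "__main__":
    print(demo())  # {'over_21': 'true'}; name and zip are never sent in the clear
```

The verifier learns exactly one attribute and still has the issuer's endorsement of it; the hidden commitments are useless to it without the salts. What this toy does not give is the unlinkability U-Prove is designed for: the same commitment set is shown to every site, so two sites could correlate the user by comparing tokens, which is one of the privacy properties the strategy's "reveal no more than necessary" goal implies.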

"There's no shortage of technology for federated identity systems," says Avivah Litan, vice president and distinguished analyst at Gartner.

Most implementations of trusted and federated identity to date have been all about so-called "low-assurance" authentication, such as using your OpenID credentials for both your Yahoo mail and Gmail accounts, for instance. The National Institutes of Health is offering OpenID for low-risk apps, such as accessing its library, Litan notes. "It does give you some convenience," she says, but an impostor using one of these apps wouldn't be catastrophic.

But the Holy Grail of trusted online authentication -- a so-called "high-assurance" authentication vouching for the identity of a banking customer conducting a transaction online, for example -- has yet to take off. "No one has stepped up to the plate to vouch for identities ... a Bank of America or a high-assurance provider to make all of this work," says Gartner's Litan, adding that we may never get systems in the U.S. that vouch that an online user is who he or she claims to be. "They may not want to assume the liability and pay you if they are wrong," she says.

Meanwhile, The Open Group, which ultimately could play a role in the national framework initiative, welcomed the administration's identity management framework initiative, and is in the process of reviewing the draft's details. "The Open Group's membership has long looked at the issue of identity management and trusted authentication, and applauds this effort to establish a framework where both the private sector and government can collaborate to help define a trusted identity scheme that can be used by everyone," says Dave Lounsbury, vice president of collaboration services at The Open Group. "We're currently doing a more thorough review of the strategy document and encouraging our members to do the same. We will define a possible role for The Open Group to help advance the framework based on feedback from our members."

Microsoft said the administration's strategy is good news for online security and trust. Paul Nicholas, director of global security strategy and diplomacy for Microsoft's Trustworthy Computing group, called the paper "an important step" for improving online identity and trust. "[The draft] ... represents significant progress to help improve the ability to identify and authenticate the organizations, individuals, and underlying infrastructure involved in an online transaction," Nicholas said in a statement.

"Government and industry must continue to work together on this initiative, as well as on advancing standards and formats both nationally and globally to enable a robust identity ecosystem. As part of its End to End Trust vision, Microsoft has long supported the development of a claims-based identity metasystem that allows for interoperability, privacy, minimal disclosure and higher levels of trust for online transactions. We look forward to continuing to collaborate with the government, privacy advocates and other industry members on this important issue."

The new draft National Strategy for Trusted Identities in Cyberspace (NSTIC), which will be final later this fall, is available at this website set up by the U.S. Department of Homeland Security.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
