Risk
6/28/2010
06:26 PM

White House Cybersecurity Czar Unveils National Strategy For Trusted Online Identity

Devil's in the details for Obama administration's draft plan for eliminating passwords and advancing authentication, security expert says

The White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password model and lay the groundwork for a nationwide federated identity infrastructure.

Howard Schmidt, cybersecurity coordinator and special assistant to the president, unveiled the administration's strategy for what he called an identity "ecosystem" for users and organizations to conduct online transactions securely and privately such that identities of all parties are trusted.

"For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)," Schmidt blogged late last week.

The White House won't issue a controversial national identity card for online authentication, however, according to the new National Strategy for Trusted Identities in Cyberspace (NSTIC) draft paper, which is open for public comment and input until July 19.

Schmidt said the identity ecosystem or framework would be user-centric: "That means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so," Schmidt blogged.

The paper, a product of the White House's cybersecurity policy review last year, was created with input from government agencies, business leaders, and privacy advocates. Among other things, it calls for designating a federal agency to lead the public-private sector efforts to implement the blueprint, and for the federal government to lead the way in the adoption of secure digital identities.

"This Strategy is a call to action that begins with the Federal Government continuing its role as a primary enabler, first adopter and key supporter of the envisioned Identity Ecosystem. The Federal Government must continually collaborate with the private sector, state, local, tribal, and international governments and provide the leadership and incentives necessary to make the Identity Ecosystem a reality. The private sector in turn is crucial to the execution of this Strategy," the NSTIC said. "Individuals will realize the benefits associated with the Identity Ecosystem through the conduct of their daily online transactions in cyberspace. National success will require a concerted effort from all parties, as well as joint ownership and accountability for the activities identified."

The concept of a federated identity system is nothing new, however. There's the Open Group's Identity Management Forum standards for identity management and federation; OpenID, which is backed by Microsoft, IBM, VeriSign, Google, Yahoo, Facebook, and PayPal, for instance; as well as Microsoft's U-Prove software, which deploys minimal-disclosure tokens that let a user specify exactly which information he will disclose to each website he visits, eliminating privacy risks associated with unnecessary disclosure of personal information. Microsoft also has been talking up its vision of an "end to end trust" model on the Internet.

"There's no shortage of technology for federated identity systems," says Avivah Litan, vice president and distinguished analyst at Gartner.

Most implementations of trusted and federated identity to date have been all about so-called "low-assurance" authentication, such as using your OpenID credentials for both your Yahoo mail and Gmail accounts. The National Institutes of Health is offering OpenID for low-risk apps, such as accessing its library, Litan notes. "It does give you some convenience," she says, but an impostor gaining access to one of these apps wouldn't be catastrophic.

But the Holy Grail of trusted online authentication -- a so-called "high-assurance" authentication vouching for the identity of a banking customer conducting a transaction online, for example -- has yet to take off. "No one has stepped up to the plate to vouch for identities ... a Bank of America or a high-assurance provider to make all of this work," says Gartner's Litan, adding that we may never get systems in the U.S. that vouch that an online user is who he or she claims to be. "They may not want to assume the liability and pay you if they are wrong," she says.

Meanwhile, The Open Group, which ultimately could play a role in the national framework, welcomed the administration's identity management initiative and is in the process of reviewing the draft's details. "The Open Group's membership has long looked at the issue of identity management and trusted authentication, and applauds this effort to establish a framework where both the private sector and government can collaborate to help define a trusted identity scheme that can be used by everyone," says Dave Lounsbury, vice president of collaboration services at The Open Group. "We're currently doing a more thorough review of the strategy document and encouraging our members to do the same. We will define a possible role for The Open Group to help advance the framework based on feedback from our members."

Microsoft said the administration's strategy is good news for online security and trust. Paul Nicholas, director of global security strategy and diplomacy for Microsoft's Trustworthy Computing group, called the paper "an important step" for improving online identity and trust. "[The draft] ... represents significant progress to help improve the ability to identify and authenticate the organizations, individuals, and underlying infrastructure involved in an online transaction," Nicholas said in a statement.

"Government and industry must continue to work together on this initiative, as well as on advancing standards and formats both nationally and globally to enable a robust identity ecosystem. As part of its End to End Trust vision, Microsoft has long supported the development of a claims-based identity metasystem that allows for interoperability, privacy, minimal disclosure and higher levels of trust for online transactions. We look forward to continuing to collaborate with the government, privacy advocates and other industry members on this important issue."

The new draft National Strategy for Trusted Identities in Cyberspace (NSTIC), which will be finalized later this fall, is available at a website set up by the U.S. Department of Homeland Security.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
