Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/28/2010
06:26 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

White House Cybersecurity Czar Unveils National Strategy For Trusted Online Identity

Devil's in the details for Obama administration's draft plan for eliminating passwords and advancing authentication, security expert say

The White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password model and lay the groundwork for a nationwide federated identity infrastructure.

Howard Schmidt, cybersecurity coordinator and special assistant to the president, unveiled the administration's strategy for what he called an identity "ecosystem" for users and organizations to conduct online transactions securely and privately such that identities of all parties are trusted.

"For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)," Schmidt blogged late last week.

The White House won't issue a controversial national identity card for online authentication, however, according to the new National Strategy for Trusted Identities in Cyberspace (NSTIC) draft paper, which is open for public comment and input until July 19.

Schmidt said the identity ecosystem or framework would be user-centric: "That means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so," Schmidt blogged.

The paper, a product of the White House's cybersecurity policy review last year, was created with input from government agencies, business leaders, and privacy advocates. Among other things, it calls for designating a federal agency to lead the public-private sector efforts to implement the blueprint, and for the federal government to lead the way in the adoption of secure digital identities.

"This Strategy is a call to action that begins with the Federal Government continuing its role as a primary enabler, first adopter and key supporter of the envisioned Identity Ecosystem. The Federal Government must continually collaborate with the private sector, state, local, tribal, and international governments and provide the leadership and incentives necessary to make the Identity Ecosystem a reality. The private sector in turn is crucial to the execution of this Strategy," the NSTIC said. "Individuals will realize the benefits associated with the Identity Ecosystem through the conduct of their daily online transactions in cyberspace. National success will require a concerted effort from all parties, as well as joint ownership and accountability for the activities identified."

The concept of a federated identity system is nothing new, however. There's the Open Group's Identity Management Forum standards for identity management and federation; OpenID, which is backed by Microsoft, IBM, VeriSign, Google, Yahoo, Facebook, and PayPal, for instance; as well as Microsoft's U-Prove software, which deploys minimal-disclosure tokens that let a user specify exactly which information he will disclose to each website he visits, eliminating privacy risks associated with unnecessary disclosure of personal information. Microsoft also has been talking up its vision of an "end to end trust" model on the Internet.

"There's no shortage of technology for federated identity systems," says Avivah Litan, vice president and distinguished analyst at Gartner.

Most implementations of trusted and federated identity to date have been all about so-called "low-assurance" authentication, such as using your OpenID credentials for both your Yahoo mail and Gmail accounts, for instance. The National Institute of Health is offering OpenID for low-risk apps, such as accessing its library, Litan notes. "It does give you some convenience," she says, but an imposter using one of these apps wouldn't be catastrophic.

But the Holy Grail of trusted online authentication -- a so-called "high-assurance" authentication vouching for the identity of a banking customer conducting a transaction online, for example -- has yet to take off. "No one has stepped up to the plate to vouch for identities ... a Bank of America or a high-assurance provider to make all of this work,"says Gartner's Litan, adding we may never get systems in the U.S. to say an online user is who he or she says he is, she adds. "They may not want to assume the liability and pay you if they are wrong," she says.

Meanwhile, The Open Group, which ultimately could play a role in the national framework initiative, welcomed the administration's identity management framework initiative, and is in the process of reviewing the draft's details. "The Open Group's membership has long looked at the issue of identity management and trusted authentication, and applauds this effort to establish a framework where both the private sector and government can collaborate to help define a trusted identity scheme that can be used by everyone," says Dave Lounsbury, vice president of collaboration services at The Open Group. "We're currently doing a more thorough review of the strategy document and encouraging our members to do the same. We will define a possible role for The Open Group to help advance the framework based on feedback from our members."

Microsoft said the administration's strategy is good news for online security and trust. Paul Nicholas, director of global security strategy and diplomacy for Microsoft's Trustworthy Computing group, called the paper "an important step" for improving online identity and trust. "[The draft] ... represents significant progress to help improve the ability to identify and authenticate the organizations, individuals, and underlying infrastructure involved in an online transaction," Nicholas said in a statement.

"Government and industry must continue to work together on this initiative, as well as, on advancing standards and formats on both a nationally and globally to enable a robust identity ecosystem. As part of its End to End Trust vision, Microsoft has long supported the development of a claims-based identity metasystem that allows for interoperability, privacy, minimal disclosure and higher levels of trust for online transactions. We look forward to continuing to collaborate with the government, privacy advocates and other industry members on this important issue."

The new draft National Strategy for Trusted Identities in Cyberspace (NSTIC), which will be final later this fall, is available at this website set up by the U.S. Department of Homeland Security.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16275
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-16276
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16277
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16278
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-15139
PUBLISHED: 2020-08-10
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Mes...