The problem today

advertisement
Identity in Cyberspace:
Improving Trust via Public-Private Partnerships
Jeremy Grant
Senior Executive Advisor, Identity Management
National Institute of Standards and Technology (NIST)
National Strategy for Trusted Identities in Cyberspace
1
Why We’re Here Today
1. Learn about the National Strategy for Trusted
Identities in Cyberspace (NSTIC)
2. Discuss how a government initiative can help
taxpayers and return preparers improve online trust,
reduce fraud and create enhanced customer
experiences
3. Discuss the role your firm can play in advancing the
use of Trusted Identities in Cyberspace
National Strategy for Trusted Identities in Cyberspace
2
What is NSTIC?
Called for in President’s Cyberspace Policy Review (May 2009):
a “cybersecurity focused identity management vision and strategy…that
addresses privacy and civil-liberties interests, leveraging privacy-enhancing
technologies for the nation.””
Guiding Principles
• Privacy-Enhancing and Voluntary
• Secure and Resilient
• Interoperable
• Cost-Effective and Easy To Use
NSTIC calls for an Identity Ecosystem,
“an online environment where individuals
and organizations will be able to trust each other
because they follow agreed upon standards to obtain
and authenticate their digital identities.”
National Strategy for Trusted Identities in Cyberspace
3
The Problem Today
Usernames and passwords are broken
•Most people have 25 different passwords, or use the same one over and over
• Example: reuse of IRS PINs is prevalent
•Even strong passwords are vulnerable…criminals have many paths to easily
capture “keys to the kingdom”
•Rising costs of identity theft
– 11.6M U.S. victims (+13% YoY) in 2011 at a cost of $37 billion
– 67% increase in # of Americans impacted by data breaches in 2011
(Source: Javelin Strategy & Research)
– Indications of extensive and increasing tax fraud through ID theft
•Burden: taxpayers cannot remember how to eFile
From the 2011 ETA AC Report:
“A 15 – 20% [return] reject rate is unacceptable . . .
The most notorious cause of rejects is the current
identity proofing mechanism – the AGI/PIN signature.”
Improved Security and Ease-of-Use Needed
National Strategy for Trusted Identities in Cyberspace
4
The Problem Today
2011: 5 of the top 6 attack vectors are tied to passwords
2010: 4 of the top 10
National
for Trusted
Identities in Cyberspace
Source:
2012Strategy
Data Breach
Investigations
Report, Verizon and USSS
5
The Problem Today
Identities are difficult to verify over the internet
• Numerous government services still must
be conducted in person or by mail,
leading to continual rising costs for state,
local and federal governments
• Electronic health records
could save billions, but can’t move
forward without solving authentication
challenge for providers and individuals
New
Rob New
Yorker,
Cottingham,
Yorker,
September
July
June5,23,
1993
12,2007
2005
• Many transactions, such as signing an auto loan or a mortgage,
are still considered too risky to conduct online due to liability risks
National Strategy for Trusted Identities in Cyberspace
6
The Problem Today
Privacy remains a challenge
• Individuals often must provide more personally identifiable information (PII)
than necessary for a particular transaction
– This data is often stored, creating “honey pots” of information for cybercriminals to pursue
• Individuals have few practical means to control use of their information
National Strategy for Trusted Identities in Cyberspace
7
Personal Data is Abundant…and Growing
National Strategy for Trusted Identities in Cyberspace
8
Trusted Identities provide a foundation
Economic
benefits
• Enable new types of transactions online
• Reduce costs for sensitive transactions
• Improve customer experiences
Improved privacy
standards
• Offer citizens more control over when and
how data is revealed
• Share minimal amount of information
Enhanced security
• Fight cybercrime and identity theft
• Increased consumer confidence
TRUSTED IDENTITIES
National Strategy for Trusted Identities in Cyberspace
9
Vision: January 1, 2014
The Identity Ecosystem: Individuals can choose among multiple identity providers and digital credentials
for convenient, secure, and privacy-enhancing transactions anywhere, anytime.
File taxes
online with
e-signature
Online
shopping with
minimal
sharing of PII
Trustworthy
critical service
delivery
Secure Sign-On to state
DMV website
Security ‘built-into’
system to
reduce user error
National Strategy for Trusted Identities in Cyberspace
Privately post location
to her friends
10
Reduce Fraud with Strong Authentication
• Federal Identity, Credential, and Access Management (FICAM)
Certified “Level of Assurance 3” (LOA3) credentials for
authentication provide the “high confidentiality in the asserted
identity’s validity” which is required for eFiling and other IRS
applications*
• Certified LOA3 credentials can be issued online
• Two-factor authentication leverages “something you have” like a
smartcard, cell-phone, thumb-drive, or computer, with “something
you know” like a PIN or password.
• Example: ATMs use two-factor authentication
An ID thief would have to physically possess the credential device as well as the
PIN or password, hugely crippling their capability and preventing ID theft
upfront.
National Strategy for Trusted Identities in Cyberspace
*OMB Memorandum 04 04/NIST Special Publication 800-63
11
Shift in Taxpayer and Return Preparer Authentication
Currently:
With NSTIC:
Proprietary
Certified, Standardized,
Interoperable, Multifactor
Once a year, taxpayer
needs to remember last
year’s PIN, AGI, etc. to
authenticate. Incorrect
entry results in rejection
of return
Authentication done like all
secure online transactions, so
becomes something TP does
regularly. Customer
authentication problems
handled by the credential
provider.
For taxpayer returns, IRS
“looks back”: verifies TP
is ID theft victim, then
mitigates damage
ID theft prevented upfront, so
nothing to mitigate
National Strategy for Trusted Identities in Cyberspace
12
Verizon Universal Identity Service (UIS)
The only current commercial provider of FICAM-certified
credentials that provide LOA3 “high confidence in the
asserted identity’s validity” as well as LOA2 “some
confidence.”
• Verizon certified to do the ID proofing, credential issuance, and
online authentication, plus optionally the verification of otherparty approved credentials.
Other credential providers in the
pipeline for LOA3 certification
National Strategy for Trusted Identities in Cyberspace
13
UIS Online Registration and Authentication
Initial online credential registration requires:
1. Record match of name, SSN, DOB, address, telephone #
2. Answer 5-question KBA quiz within 2 minutes
3. Possession of registered telephone to receive OTP
Once registered can provide additional devices for authentication
Authentication for each online transaction requires:
1. Username and password
2. Possession of registered device
National Strategy for Trusted Identities in Cyberspace
14
Advantages of aligning with NSTIC and FICAM
1. Very fast adoption of LOA3 by public
– Leverages currently owned devices in public’s hands (vs. provisioning a
new physical credential)
– Registration can be done on-line.
2. High security from Two-Factor Authentication
3. “Single Sign-on capability” makes authentication appealing and
easy to use
4. Enforces privacy protection
5. Formally “blessed” by NIST and OMB
–
Agencies are specifically directed to use these solutions
National Strategy for Trusted Identities in Cyberspace
15
Additional Benefit: Impedes Phishing
• Relying party website is vetted by Identity Provider
– Once Identity Ecosystem is in place, taxpayers will look for and use ID
Provider’s logo for login, which will therefore hinder fraudulent sites.
For instance, users of VZ UIS will look for and use the UIS logo to log into site.
National Strategy for Trusted Identities in Cyberspace
16
What does NSTIC call for?
Private sector
will lead the
effort
Federal
government
will provide
support
National Strategy for Trusted Identities in Cyberspace
• Not a government-run identity program
• Private sector is in the best position to
drive technologies and solutions…
• …and ensure the Identity Ecosystem
offers improved online trust and better
customer experiences
• Help develop a private-sector led
governance model
• Facilitate and lead development of
interoperable standards
• Provide clarity on national policy and
legal framework around liability and
privacy
• Act as an early adopter to stimulate
demand
17
NSTIC National Program Office
• Charged with leading strategy and day-to-day coordination
across government and the private sector in implementing NSTIC
• Funded with $16.5M for FY12
National Strategy for Trusted Identities in Cyberspace
18
Next Steps
Convene the Private Sector
• Summer 2012: Create an Identity Ecosystem Steering Group
• New two-year grant will fund a privately-led Steering Group to convene
stakeholders, craft standards and policies to create an Identity Ecosystem
• Collaborate with CERCA on authentication working group
• Consider possibilities for next filing season
• Offer taxpayers the option of obtaining and/or using a strong credential,
integrated with your software.
• May 23: White House Conference for Relying Parties
• 70 major stakeholders invited, including CERCA chair.
National Strategy for Trusted Identities in Cyberspace
19
Next Steps
Select Pilots
• NSTIC Pilot Programs
– $10M in grants to address barriers to implementing the Identity Ecosystem
• 5 – 8 awards later this summer
Early Adoption by Government to Stimulate Demand
• Ensure agency alignment with FICAM
– White House Initiative: Federal Cloud Credential eXchange (FCCX)
– IRS and other large eGov agencies collaborating on NSTIC projects
National Strategy for Trusted Identities in Cyberspace
20
What Your Firms Can Do
Participate
Be early
adopters
Give us your
ideas!
National Strategy for Trusted Identities in Cyberspace
• TALK: about the value of NSTIC to leaders in your firm
• SUPPORT: NSTIC Pilots by volunteering to be a relying party
• JOIN: the Identity Ecosystem Steering Group
• Leverage trusted identities to move more services online
• Consider ways to support identity and credentialing in
partnership with trusted third parties
• You are a key partner, we want to hear from you
21
Questions?
Jeremy Grant
jgrant@nist.gov
202.482.3050
IRS / NSTIC Coordinator
Richard Phillips
richard.w.phillips@irs.gov
202.482.8349
National Strategy for Trusted Identities in Cyberspace
22
Download