
CIS14: NIST and NSTIC (New Directions in Identity)

May 18, 2015



CloudIDSummit

Paul Grassi
Page 1: CIS14: NIST and NSTIC (New Directions in Identity)

Introduction

United States Department of Commerce
National Institute of Standards and Technology
Paul Grassi, CISSP
Senior Standards and Technology Advisor, NSTIC
Information Technology Laboratory
1401 Constitution Ave. NW, Rm. 2069
Washington, DC 20230
W: 202.482.8349
M: 703.786.8275
Email: [email protected]

- Background
- Role @ NIST
- Approach

Page 2: CIS14: NIST and NSTIC (New Directions in Identity)

Standards and Technology Landscape

(Timeline graphic with a 2012 / 2013 / 2014 / 2015 axis; the labels below are the milestones and themes placed on it, in the order they survive in the transcript.)

- Well-rounded pilots hitting diverse user set
- Government adoption
- Market Discovery
- Attribute Providers
- Internet of Things
- Consumer-Centric Deployment Costs
- Standards Gaps
- Embedded Privacy
- Identification of policy and technical overlays
- NSTIC Launch
- IDE Sustaining
- Envision It!?
- True Interoperability

Page 3: CIS14: NIST and NSTIC (New Directions in Identity)

NIST Coverage in Key Identity Services

(Coverage matrix graphic; only its legend survives in the transcript.)

Key:
- No coverage
- Partial coverage, to include other D/A documentation
- Full coverage
- Needs refreshing

Page 4: CIS14: NIST and NSTIC (New Directions in Identity)

Where We Will Focus in FY14/15

- Codify privacy enhancing profiles
- Enhance/Establish 'standard' to establish confidence, trustworthiness, and privacy preservation (zero knowledge, derived, minimal disclosure)
- Address portability of preferred credentials and relying party accounts
- Revisit and retool existing standards to address current market state and flex to innovation
- Develop new standards that increase IE participation
- Increase participation in commercial open standards
- Mobility, Cloud, Shared Services
- Simplify, accelerate, and reduce the cost of ICAM implementations
- Focus beyond the PIV
- Establish RP toolkits
- Identify and foster innovation from untapped sources
- Elevate non-person entities into the forefront of the IDE/ICAM discussion
- Non-intrusive security model
- Continuous monitoring and assessment

Page 5: CIS14: NIST and NSTIC (New Directions in Identity)

Identity Assurance – What would you think if?

- De-coupled proofing strength from authentication strength?
- NIST just measured authentication performance/strength/usability?
- Got rid of LOA?
- What else could we do to turn these docs on their head to enhance the IE?
- Developed private sector companion to 800-63?

Page 6: CIS14: NIST and NSTIC (New Directions in Identity)

Attributes – What Needs to Happen?

Identify and establish market-enhancing attribute best practices, guidelines, and standards to communicate the veracity and trustworthiness of attributes to relying parties or identity and access management service or function.

(Diagram labels:)
- Meta-Attribute
- Confidence/Assurance
- Liability
- Security and Privacy
- Governance
- Exchange
- Informs
- Dependent Standards
- Performance Metrics
- Risk Tolerance
- Market
- Attribute Registries Focal

Page 7: CIS14: NIST and NSTIC (New Directions in Identity)

The Need for a Privacy Profile

Double Blind Architecture (diagram). Parties shown: Relying Party, Broker, CSP, Attribute Provider, and User Consent. An "Authentication Request" label appears on each of the two hops (Relying Party to Broker, Broker to CSP) and a "Response + Encrypted Attributes" label appears on each hop in return.

1. CSP/AP can't know the RP
2. Broker can't see the attributes
3. Standard and Protocol Agnostic
4. RP can't know CSP
5. Minimal Changes to Infrastructure (but we may soften this requirement)
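As an added illustration (not part of the slide deck or of any NIST artifact), the following Python simulation shows one way the blinding properties on this slide can be realized in a message flow: the broker replaces the RP's identity with a per-transaction handle before it talks to the CSP (property 1), the RP only ever hears from the broker (property 4), and the attributes are encrypted end-to-end under a key agreed between RP and CSP by ephemeral Diffie-Hellman that rides through the broker, so the broker relays only ciphertext (property 2). The user-consent box on the slide is modelled as a consented-attribute set that gates release at the CSP. Party names, message fields and attribute values are constructed; the symmetric cipher (SHA-256 counter-mode keystream with an HMAC tag) is a stand-in used only to keep the example dependency-free, and the DH group constants are the standard RFC 3526 group 14 values, not something from the slide.

```python
import hashlib
import hmac
import json
import secrets

# RFC 3526 group 14 (2048-bit MODP). Standard constants, not from the slide;
# verify them against the RFC before reusing them anywhere real.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2  # fresh per transaction: transactions stay unlinkable
    return priv, pow(G, priv, P)

def derive_keys(shared):
    """Split the DH shared secret into separate encryption and MAC keys."""
    raw = shared.to_bytes(256, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def keystream(key, nonce, length):  # SHA-256 in counter mode; stand-in for a real AEAD
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(keys, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(keys[0], nonce, len(plaintext))))
    return nonce + ct + hmac.new(keys[1], nonce + ct, hashlib.sha256).digest()

def open_sealed(keys, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(keys[1], nonce + ct, hashlib.sha256).digest()):
        raise ValueError("attribute bundle failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, keystream(keys[0], nonce, len(ct))))

class RelyingParty:
    def __init__(self, name):
        self.name, self.seen, self._priv = name, [], None

    def make_request(self, broker, attrs_wanted):
        self._priv, pub = dh_keypair()
        # The ephemeral public value lets the CSP encrypt to the RP without knowing it.
        return {"to": broker, "from": self.name, "eph_pub": pub, "attrs_wanted": attrs_wanted}

    def receive(self, resp):
        self.seen.append(resp)
        shared = pow(resp["csp_eph_pub"], self._priv, P)
        return json.loads(open_sealed(derive_keys(shared), resp["encrypted_attributes"]))

class Broker:
    def __init__(self, name):
        self.name, self.seen, self._pending = name, [], {}

    def forward(self, req, csp):
        self.seen.append(req)
        txn = secrets.token_hex(8)  # per-transaction handle replaces the RP's name
        self._pending[txn] = req["from"]
        blinded = {"to": csp.name, "from": self.name, "txn": txn,
                   "eph_pub": req["eph_pub"], "attrs_wanted": req["attrs_wanted"]}
        resp = csp.authenticate(blinded)
        self.seen.append(resp)
        # Re-originate the response: the RP hears only from the broker, never the CSP.
        return {"to": self._pending.pop(txn), "from": self.name,
                "csp_eph_pub": resp["csp_eph_pub"],
                "encrypted_attributes": resp["encrypted_attributes"]}

class CredentialServiceProvider:
    def __init__(self, name, attributes, consented):
        self.name, self.attributes, self.consented, self.seen = name, attributes, consented, []

    def authenticate(self, req):
        self.seen.append(req)
        # User consent gates release: requested attributes outside the consented set stay put.
        released = {k: self.attributes[k] for k in req["attrs_wanted"] if k in self.consented}
        priv, pub = dh_keypair()
        blob = seal(derive_keys(pow(req["eph_pub"], priv, P)), json.dumps(released).encode())
        return {"to": req["from"], "from": self.name, "txn": req["txn"],
                "csp_eph_pub": pub, "encrypted_attributes": blob}

def parties_visible(messages):
    """Party names readable from the messages a participant handled."""
    return {m["from"] for m in messages} | {m["to"] for m in messages}

def run_flow():
    """One constructed transaction; returns the RP's result and each party's view."""
    rp, broker = RelyingParty("rp.example"), Broker("broker.example")
    csp = CredentialServiceProvider("csp.example", consented={"name", "age_over_18"},
          attributes={"name": "Alice", "age_over_18": True, "ssn": "NOT-CONSENTED"})
    req = rp.make_request(broker.name, ["name", "age_over_18", "ssn"])
    attributes = rp.receive(broker.forward(req, csp))
    return {"attributes": attributes, "rp_saw": parties_visible(rp.seen),
            "csp_saw": parties_visible(csp.seen),
            "broker_blobs": [m["encrypted_attributes"] for m in broker.seen if "encrypted_attributes" in m]}
```

Running `run_flow()` returns the two consented attributes at the RP while the CSP's view contains only the broker's name, the RP's view contains only the broker's name, and the broker's copy of the traffic holds nothing but ciphertext. Property 3 (standard and protocol agnostic) is reflected in the messages being plain dictionaries: the same blinding and encryption could wrap a SAML assertion or an OpenID Connect response. Property 5 is the point where this toy departs from real deployments: the CSP here has to accept an RP ephemeral key it did not provision, which is exactly the kind of infrastructure change the slide says may need softening.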

Page 8: CIS14: NIST and NSTIC (New Directions in Identity)

Contact Information

United States Department of Commerce
National Institute of Standards and Technology
Paul Grassi, CISSP
Senior Standards and Technology Advisor, NSTIC
Information Technology Laboratory
1401 Constitution Ave. NW, Rm. 2069
Washington, DC 20230
W: 202.482.8349
M: 703.786.8275
Email: [email protected]