NSTIC Update

National Institute of Standards and Technology awards $9M to support trusted identity initiative

Introduction

The grants were awarded to five consortiums. All of the big. All of them representing different views and technologies with strong focus on identity, security, and trust.

NSTIC Background

The impetus for the NSTIC policy move by the Obama Administration is part of the Cyberspace Policy Review published in June 2009. The administration appointed Howard Schmidtin a new Cyber Security Coordinator position. Schmidt is a well-known security expert and is experienced in international security policies and technologies.

On Tuesday, December 22, 2009, Schmidt was named as the United States' top computer security advisor to President Barack Obama. Previously, Schmidt served as a cyber-adviser in President George W. Bush's White House and has served as chief security strategist for the US CERT Partners Program for the National Cyber Security Division through Carnegie Mellon University, in support of the Department of Homeland Security. He has served as vice president and chief information security officer and chief security strategist for eBay.

Prior to joining the Obama Administration, Schmidt served as President of the Information Security Forum and President and CEO of R & H Security Consulting LLC, which he founded in May 2005.He was also the international president of the Information Systems Security Association and a board member of the Finnish security company Codenomicon, the American security company Fortify Software, and the International Information Systems Security Certification Consortium,commonly known as (ISC)². In October 2008 he was named one of the 50 most influential people in business IT by readers and editors of Baseline Magazine.

Source: Wikipedia

The stated objectives of the NSTIC initiative are:

NSTIC is a White House initiative to work collaboratively with the private sector, advocacy groups and public-sector agencies. The selected pilot proposals advance the NSTIC vision that individuals and organizations adopt secure, efficient, easy-to-use, and interoperable identity credentials to access online services in a way that promotes confidence, privacy, choice and innovation. “Increasing confidence in online transactions fosters innovation and economic growth,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher. “These investments in the development of identity solutions will help protect our citizens from identity theft and other types of fraud, while helping our businesses, especially small businesses, reduce their costs.” NSTIC envisions an “Identity Ecosystem” in which technologies, policies and consensus-based standards support greater trust and security when individuals, businesses and other organizations conduct sensitive transactions online. The pilots span multiple sectors, including health care, online media, retail, banking, higher education, and state and local government and will test and demonstrate new solutions, models or frameworks that do not exist in the marketplace today.

The Announcement

“These five pilots take the vision and principles embodied in the NSTIC and translate them directly into solutions that will be deployed into the marketplace,” said Jeremy Grant, senior executive advisor for identity management and head of the NSTIC National Program Office, which is led by NIST. “By clearly aligning with core NSTIC guiding principles and directly addressing known barriers to the adoption of the Identity Ecosystem, the pilot projects will both promote innovation in online identity management and inform the important work of the Identity Ecosystem Steering Group.”

The grantees of the pilot awards are:

The American Association of Motor Vehicle Administrators (AAMVA) (Va.): $1,621,803 AAMVA will lead a consortium of private industry and government partners to implement and pilot the Cross Sector Digital Identity Initiative (CSDII). The goal of this initiative is to produce a secure online identity ecosystem that will lead to safer transactions by enhancing privacy and reducing the risk of fraud in online commerce. In addition to AAMVA, the CSDII pilot participants include the Commonwealth of Virginia Department of Motor Vehicles, Biometric Signature ID, CA Technologies, Microsoft and AT&T. Criterion Systems (Va.): $1,977,732 The Criterion pilot will allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience. It will enable convenient, secure and privacy-enhancing online transactions for consumers, including access to Web services from leading identity service providers; seller login to online auction services; access to financial services at Broadridge; improved supply chain management at General Electric; and first-response management at various government agencies and health care service providers. The Criterion team includes ID/DataWeb, AOL Corp., LexisNexis®, Risk Solutions, Experian, Ping Identity Corp., CA Technologies, PacificEast, Wave Systems Corp., Internet2 Consortium/In-Common Federation, and Fixmo Inc. Daon, Inc. (Va.): $1,821,520 The Daon pilot will demonstrate how senior citizens and all consumers can benefit from a digitally connected, consumer friendly Identity Ecosystem that enables consistent, trusted interactions with multiple parties online that will reduce fraud and enhance privacy. The pilot will employ user-friendly identity solutions that leverage smart mobile devices (smartphones/tablets) to maximize consumer choice and usability. Pilot team members include AARP, PayPal, Purdue University, and the American Association of Airport Executives. Resilient Network Systems, Inc. (Calif.): $1,999,371 The Resilient pilot seeks to demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network built around privacy-enhancing encryption technology to provide secure, multifactor, on-demand identity proofing and authentication across multiple sectors. Resilient will partner with the American Medical Association, Aetna, the American College of Cardiology, ActiveHealth Management, Medicity, LexisNexis, NaviNet, the San Diego Beacon eHealth Community, Gorge Health Connect, the Kantara Initiative, and the National eHealth Collaborative. In the education sector, Resilient will demonstrate secure Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Act (COPPA)-compliant access to online learning for children. Resilient will partner with the National Laboratory for Education Transformation, LexisNexis, Neustar, Knowledge Factor, Authentify Inc., Riverside Unified School District, Santa Cruz County Office of Education, and the Kantara Initiative to provide secure, but privacy-enhancing verification of children, parents, teachers and staff, as well as verification of parent-child relationships. University Corporation for Advanced Internet Development (UCAID) (Mich.): $1,840,263 UCAID, known publicly as Internet2, intends to build a consistent and robust privacy infrastructure through common attributes; user-effective privacy managers; anonymous credentials; and Internet2's InCommon Identity Federation service; and to encourage the use of multifactor authentication and other technologies. Internet2's partners include the Carnegie Mellon and Brown University computer science departments, University of Texas, the Massachusetts Institute of Technology, and the University of Utah. The intent is for the research and education community to create tools to help individuals preserve privacy and a scalable privacy infrastructure that can serve a broader community, and add value to the nation's identity ecosystem.

High Level Analysis

At the same time—9 million dollars spread across five initiatives; each with many mouths to feed—does not go very far and can be used up very quickly. It will be interesting to see how far each will proceed over the next twelve months. I chose 12 months because I can’t see how the money awarded to each group will last much longer than that.

Each group will need to put a plan together and execute in that time frame if they are to survive.

Over the next short period, we will take a closer look at each initiative, what their respective architectures look like, and what the specific objectives are in their roles in the identity ecosystem outlined my NIST.

Of course, I will be paying special attention to what each consortium has planned as an API Economy strategy. Each will need to have a solid API design that gives all of the other groups API access to all of the services through both the Web Services legacy (SOAP) and the emerging API Economy imperative (RESTful).

If each group does not have a solid SOAP/RESTful API strategy, they simply will not succeed—either individually or as a whole.

I know it sounds strange coming from me that an organization should continue embracing the SOAP legacy, but there are just too many government and non-profit organizations that cannot afford to jump to the real world quickly and must continue carrying the burden of the past. So it is sometimes.

Of course there are many more issues involved with success of this initiative beyond APIs, these issues will be covered more in depth in subsequent KuppingerCole reports and activities at the EIC Conference in May 2013.

Nonetheless, we see this movement by the NIST of granting these award as positive and will have reverberating impact on the Identity community—across the glove—for the good for some time to come.