Hold on to this, please. Welcome, Paul.
Thank you. Good morning.
Good morning. If you think NSTIC is a bad acronym, you should have seen what they were before we came up with NSTIC. I think our latest nights when we were writing that were spent picking this acronym. So sorry about the complexity, but you're right, only in the US. So we're in a transformation and transition phase right now, given where we are with the administration, given where we are with implementation. Five years ago we put this strategy out, very ambitious, and I think we got it right.
We wrote this in a very open, transparent manner. I would like to say that the private sector actually had a significant hand in writing this, as opposed to other government strategies, where a few agency staff members go into a back room, put something out, drop it and call it done. We went through multiple iterations of comment periods and advisory meetings with almost every sector in the US.
And the goal, of course, is to enhance online choice, efficiency, security, and privacy. We've put out four guiding principles.
Identity solutions must be privacy-enhancing and voluntary; secure and resilient; interoperable; cost-effective and easy to use. And I wish I could claim ownership of the slide that Paul put up earlier.
I cannot, but we know it's complex. Identity is not easy. Boiling it down to these four was very difficult for us, but we think they're representative of those core areas that we need to focus identity solutions on, especially when it relates to the citizen. So our model coming out of the release of the strategy itself, the model we've been operating under over the past five years, has really been broken into three pillars. Private sector: convene them. This has got to be private sector led. It will not be successful if it is government led. We have a material stake in it.
We are a stakeholder, but one that is of no less or more importance than anybody else coming to the table from the private sector, to include individuals. So the IDESG was formed, a very slow start there, but over the past year it has made some pretty significant progress that I'll talk about in a minute. We fund a lot of pilots. So, catalyzing the marketplace.
Again, those pilots are not focused on the government obtaining a service or providing something for our agencies. We are looking at putting solutions into the market, the private sector market, that may not exist without that. In some cases we've been looking at innovation; in a lot of cases we've been looking at what we can do from a privacy-enhancing perspective, really trying to make a market for things like privacy-enhancing technologies that are really, really hard.
And again, I've got a little bit more on that as we talk about what our model is as we transition. And then the government as early adopter: we've had a pilot of Connect.gov.
That's moving into full-blown production. I think over the summer we'll be announcing more and more. GSA just made an announcement this week. And we're really targeting now, coming out of that pilot phase, our bigger agencies and our bigger consumer and citizen populations.
So IRS, VA, Social Security, rather than dealing with thousands of citizens here or there. And again, Connect.gov was a model very similar to what is in the UK, for those that are aware of it. We are very serious about the privacy-enhancing capabilities of that. Our goal with all of our solutions now is that privacy isn't built into the policy framework; it's built right into the technology. And we're seeing some lessons learned from that and what we need to do from a standards and guidelines perspective.
And again, I've got some slides on that moving forward.
So it's 2016. We've had some fits and starts. We've been successful, we've had some lessons learned, we've had some failures, but I think we're out of the trough, if you will.
I know that this is kind of a rebranding of the hype cycle, so I apologize for ripping it off. As I mentioned, some of the successes: the IDESG put out the framework. The framework has four key elements. A functional model that tries to decompose what is a very complex environment into something that's easy to consume. What hangs off that functional model are mandatory requirements. Out of those requirements came guidance. That guidance used to be requirements.
But when we looked at those requirements as an entire set, it was quite difficult for any entity in the US, let alone internationally, to attest that they met them all.
So our guidance is really aspirational requirements, guidance that we hope one day, as this ecosystem evolves, moves into actual mandatory requirements. And then scoping statements on a registry that we plan to stand up over the course of this year.
And again, this is to highlight that while we're claiming success with the IDEF, we're claiming it because we knew that this was going to be hard. We knew at the onset we weren't going to be able to accomplish all of our goals out of the gate. So the president asked us to set a minimal set of commonly agreed-upon requirements and standards. We've done that, but we are absolutely looking to move and advance beyond what's there today.
So again, some success, but not accomplished. Then this happened. This is the OPM breach last year, very significant if you are a past or present federal employee.
And I would imagine, or not imagine, I know, this extends far beyond just those employees and contractors that were in that database. As somebody that holds a position with the government and also has a clearance, I can tell you that my parents' information was breached.
My siblings, my neighbors, my friends, my fingerprints are out there, bad results from a polygraph, whatever the background investigator found on me, that is all out there in the wild. And Andy from DHS, who was actually part of NSTIC as well, subtly told Congress this was not an encryption problem. The data was encrypted. This was an identity issue. It was a username and password that had access to that database to decrypt it. But never waste a good crisis.
We have been able to elevate identity to what I've been calling identity as a first-class citizen.
It has kind of, in the US, been out there as: is it a business process enabler? Are we getting efficiencies? Is it a cybersecurity thing? We don't know. It lives in weird places in organizations. OPM finally brought it to the forefront of the cybersecurity discussion.
So I looked this definition up online and said, yep, this is exactly where we are from an identity perspective. So while that was a horrible event in our history and in data breach, we do have some good progress coming out of it as a result, where identity is now part of the cybersecurity conversation. It's part of our congressional discussion, part of our funding. And we're really making some good progress going forward.
On the consumer side, though, I would almost argue we're worse off than we were. Yes, we have two-factor in a lot of places.
That's a good thing. We've shifted from passwords to multifactor. The private sector's adopting it. The uptake of multifactor credentials is pretty significant. We're very, very proud of this.
However, I do think we've got an economic problem, and what I've been experiencing this entire week while being overseas, I think, is an example of that. For example, I'm here with a loaner laptop and I'm here with a loaner phone. That means I can't get to any of my data. I can't get an SMS to do two-factor. I don't have my FIDO token, so I can't get access to services. So therefore I'm not participating in the market for the next two weeks.
And this happens at home as well. When I'm downstairs watching TV or eating dinner and my phone's upstairs, I bail out of transactions because of some of the usability issues with two-factor. So until we can accommodate and fix this, I still think we've got a major issue that has an impact on the economy.
So, as I mentioned, the administration is leaving. NSTIC as we know and love it, I think we could say, is officially over. As a matter of fact, that's what we wanted. This was expected. This is a good thing. But we still exist. We will exist for another five years. That has always been the plan. I'm proud of being part of a program in the government that actually has a shelf life, that will not live on forever. We will not be requesting taxpayers' money ad infinitum.
We have a mission and we're going to accomplish it, and we have a 10-year window to do that. So we're converting from that three-step model to something that looks very much like this, where we're continuing to evolve, sustain, and ultimately go away and have this completely handed off to the private sector.
Smarter engagement is how we are going to accomplish this. We are getting much more technical: more deep dives, more outreach. We are working globally; there are some topics I'll bring up in a little bit. We are focused on metrics and the market.
You know, NSTIC was initially written because we knew that there was an issue, but we weren't really steeped in good metrics. And now we are all about the science of gathering metrics and measurement, and really reacting as a result of that.
And again, global industry alignment on the standards side, to be risk-based. So this is just a high-level snapshot of the portfolio of work that we have in our office.
And it's significant. As we've seen, identity is hard. International pilots: we've been talking this week with our UK and EU brethren. We will be looking at doing international pilots with them. It's not enough to just have federation within a single jurisdiction.
We want to be able to go and offer these citizen services beyond just US or UK government services. So there are a few things that we are taking on inside of NIST itself. NIST SP 800-63 is our e-authentication guideline. It is going through a major transformation right now. This past Monday we posted the public draft online. Much like we did with NSTIC, we've learned our lessons and we are not doing this in a back office in some federal building. We plan on doing this iteratively with the public and the private sector. So we released it on GitHub.
We will be writing that document for the next couple of months in the open, based completely off of feedback we get from the private sector. We put the initial draft out there because we wanted to have some sort of starting point, and we wanted to get to that starting point quickly. For those that have been part of consensus-based standards, sometimes it takes longer to get to that starting point. So we did the initial draft on our own, based on feedback from our stakeholders.
And now it's essentially out there as a public document that I would like to think NIST no longer owns, even though we own the hosting of it and we will be doing the edits.
This is your document now, those of you that have a stake in what this thing says. It is focused on government services only, but we know the impact it has on the private sector. So we cannot treat it as if we, as the US government, are special and have special requirements. If we do that, we'll fail. So this draft is an attempt to align with the private sector in a much more significant way.
Just given time, I won't go through all of these, but there are some major updates to this that we've been asked to make over the past years and that we've been slow to do. We've separated, decoupled, level of assurance into its component parts. There's an asterisk there because unfortunately that definition of levels of assurance is bound by White House policy.
However, they are in the process of updating that policy to align with what we're putting in 800-63.
So we feel very confident that the White House will be able to make this update. And the other nice thing about where this lives at the White House is that it's not administration-based; it's career. So hopefully the politics of an administration change won't impact it.
However, we have backwards compatibility in case that memo never gets updated. We can still move forward with this model regardless of what is in policy. We've totally rewritten the proofing side, for a lot of reasons. I talked about the OPM breach. I talked about all of our data being out there in the wild. The predominant method of doing identity proofing in the US right now is with credit data, and that is woefully insufficient to gain the level of confidence we need to protect critical assets.
And at the same time, it gives us an opportunity to be aligned with our international partners, so that doing that trust mapping moving forward isn't as complex as it's been in the past. 800-63 in the past has been silent on privacy. We've basically added privacy, normative, standards-based privacy requirements, to all of the documents.
Now, why did we do that? We've got a lot of lessons learned from the Connect.gov pilot, where we have agencies that are resistant to adopting some of these privacy-enhancing technologies. And we have private sector partners that are resistant to doing it too. So, not being able to get it all done in technology, we decided to make requirements in 800-63 to implement mandated technology approaches to protect privacy.
So, for example, pseudonymity at all levels of assurance. What that means is I could use a very, very strong credential that may have information about me on it, but go use that at a low-assurance site and have all that information hidden from the relying party: no leakage of personal information.
And we'll make that a requirement. Other areas on the privacy side, and the draft is out there so you can see, is adopting more of a claims-based model.
So mandating that our identity providers provide APIs to get claims about identities, not obtain all of their data. So what do I mean by claims? I'm not sure there's a really good industry term for this yet, but rather than exposing an API that says here's somebody's birth date, expose an API that returns booleans: is older than 18, is born in year X, true or false, rather than exposing the actual data.
And that right now is in there as a "shall" statement, so that it has to be implemented by our IdPs. And then again, user experience requirements, primarily because of what I said earlier: bad usability could have an economic impact.
Bad usability, I also believe, is a security threat. So we want to make sure that as we are evaluating threats to authentication systems, usability comes in. And for those that care, we're a lot more biometric-friendly, just given the state of the market and the state of technology, than we've been in the past. Three other efforts I'll talk about very quickly, given the amount of time. I mentioned metrics in terms of how we react to the market. We're also trying to apply metrics to identity solutions as well. We are NIST. Our only mission in fostering a competitive and open market is to do measurements.
And right now, for those of you that know at least our identity guidance, it is kind of soft. We feel that things are a certain strength. We have loose terminology: high confidence, some confidence. What does that mean? We're trying to accomplish that with this effort.
So what does it really mean to have high confidence in identity? We're looking at that from a strength-of-proofing perspective. What does it really mean when you have this authenticator versus that authenticator? Which is stronger, which is better? And then attribute confidence.
And the first thing that we're biting off in attributes is metadata. And the goal here is to be able to communicate to relying parties the information they need to make their own risk-based decisions.
Another thing that we're doing, coming back to the international side: in the OpenID Foundation, not we, but the international community actually proposed a working group. It's named iGov, the international assurance profile.
Again, we've got, I don't know, maybe 13 or 14 proposing countries on that. The UK is co-chair, the US is co-chair, as well as Ping Identity. We've gotten off to a slow start here, just given all the activity, but we really are excited about doing an OpenID Connect profile in an open body with international interoperability as our singular goal. So, real quickly, what's next. I mentioned earlier we only hit the low-water mark of what the president asked us to do in terms of requirements and the identity ecosystem. So we have to go further, and this is right out of the strategy.
This is what we'll be focusing on over the next year or two.
And then we see a range, and this is just a subset of the possibilities, coming out in the future. Bring your own authenticators, formerly known as tokens, from a citizen-centric perspective.
I think the government needs to get out of the business of identity altogether. And I think our identity providers may need to get out of the business of issuance, especially when we have consumer-based devices that can serve as authenticators. I talked about a registry: trust marks, whatever that may look like in the future. And then dynamic discovery and registration of entities that do good things in the ecosystem, so that as a consumer or as a business I can find a provider that does what I want them to do.
And then on the end-user notification side, it's kind of the green bar of the web. If I use a credential that's issued by a provider that does X and I go to a relying party that does Y, I'll get some sort of notification of the gap, the requirement gap there. Maybe they don't handle personal information the way I want based on the credential I'm showing, and the user would be made aware of that and then can make their own decision whether to move forward or not.
That is the end. So we are done in 2021. We know we're not going to be done; we know we'll continue to evolve. Our office will go away, and we hope we have transitioned completely to the private sector by then. Thank you for your time today.
Thank you. Quickly, two questions. Do you consider the EU data protection regulation in a way, or in any way?
I think... yes. And it depends on the context of that question.
I mean, from a data protection perspective, we are looking at privacy from a risk management perspective. I think the first speaker talked about privacy by design. We are building a risk management framework that's focused in on privacy risks to individuals. NIST has created what we've been calling the corollary to the security CIA from a privacy perspective, so that engineers can build privacy controls based on risks to individuals, based on those objectives that we've created in our framework. It doesn't call out any given regulatory regime.
It's focused purely on risks to end users as a result of their data being used in ways that may not have been intended by the application itself.
Okay. The next question is a little more tangible. What do you think?
So NIST is non-regulatory, so we have no way, nor do we want to have any way, to make the FBI do things like this. I mean, the FBI, as an executive branch agency, needs to follow our guidelines, and our guidelines certainly wouldn't allow this, but we have no role in enforcing what they do and can and cannot do.
Okay. Thank you so much. Thank you.
Thanks.