In-Depth
Cloud, Mobile, and the Fed: How the Government is Shaping Open Identity
Changing identity and access management needs are pressuring IT to revise its security strategies. Why is the federal government involved?
By John Fontana, Identity Evangelist, Ping Identity
As the enterprise network expands across partner domains, out into the emerging "cloud" and on to mobile devices, a new take on identity and access control is getting an assist from an unusual source: the federal government.
The feds it turns out don't want to give you a national ID card, a witness-protection class identity, or even a simple credential. Instead, under a directive from President Obama and with help from the National Institute of Standards and Technology (NIST) and stewardship by the Department of Commerce, the feds are working within the industry to create a model for trusted online identities and enticing private-sector companies to build and operate the infrastructure across industry and government.
The move comes at a time when the changing identity and access management landscape on corporate networks is pressuring IT to revise its strategies to stretch authentication over network, cloud, and mobile computing.
Of course, the big question is: why is the government involved?
The feds have two concerns. First, they must take steps to ensure cyber-security in an increasingly online world. Second. they need a mechanism to allow citizens to privately and securely interact with government and its myriad of agencies. A trusted digital identity is one giant step toward both objectives.
To that end, the Obama administration unveiled in April, 2011 its National Strategy for Trusted Identities in Cyberspace (NSTIC). In June it published the first draft of the initiative and began collecting and incorporating public input. In November 2011 it accepted a $16.5 million allocation as part of the 2012 federal budget.
Early this year, the first NSTIC steering committee meeting will convene stakeholders from outside the government.
Game On
NSTIC proposes a system of public or private identity providers (IdP) that create identities for users; relying parties (RP) – Web sites, government agencies, etc. -- that accept those identities for authentication; a mechanism for securely exchanging that data; a user control component for privacy; and a choice of credentials for different types of online transactions with varying levels of security ratings.
The framework is designed to blanket both the corporate and online worlds.
"It's time for something different, passwords don't work," said Jeremy Grant, leader of the NSTIC effort, in July. (Watch video of Jeremy Grant describing NSTIC here.
Perhaps the most crucial portion of NSTIC is the call for the private-sector to implement the framework; the government only wants its little part in that process, which will include policy work on issues such as liability and privacy.
The encouraging aspect is that NSTIC is not revolutionary. It's inclusive as part of a larger industry effort. The initiative's description in a 52-page document is peppered with words familiar to the identity and IT community: attributes, interoperability, user-centric, standards, policy, privacy, trust, and compliance.
The creation of NSTIC aligns with the current evolution in identity and access management. The framework was largely crafted on input from private-sector companies (such as Google, PayPal, and Facebook) that already serve identity and authentication to tens of millions of users, and with identity architects from corporate IT shops and experts from major security vendors
The experts are already working toward an interoperable identity "ecosystem" that NSTIC mirrors. And the companies have helped craft and are implementing standards such as the Security Assertion Markup Language (SAML), OpenID Connect, Open Authentication (OAuth), and others that are foundational to NSTIC's goals.
Why Does IT Care?
NSTIC, in part, is an answer to a dramatic shift happening in IT fueled by cloud computing, the consumerization of IT, and the proliferation of mobile and tablet devices.
Employees and applications are no longer constrained by corporate boundaries -- either physical or virtual. Partners not only need access to whole applications on internal IT networks but increasingly specific data sets via APIs; and Web-based applications such as Salesforce.com and providers such as Google are servicing departmental users under authentication schemes outside the view of IT.
End users are showing up with their own devices to access network resources and social networks such as Facebook and Twitter are fast becoming identity providers issuing authentication keys to web-based resources.
Fortune 500 companies such as Bechtel and GE are already accommodating users who "bring their own IDs" and finding operational and cost benefits such as letting retirees access services with Facebook identities rather than those the corporation must issue, maintain, and support.
"Identity is now part of IT formally, we are now going to need foundational architectures, mechanisms, and standards instead of being ad hoc rogue style," said Earl Perkins, research vice president in the security and privacy team at Gartner. "Cloud computing offers an opportunity for alternative means to deliver this [identity] capability, but we have to assess the readiness and availability before we can embrace it."
Tough Questions
Indeed, there are still a number of tough questions about NSTIC and the intersection of corporate and consumer identities. In addition, issues such as authorization, user provisioning, and trust frameworks are open discussions.
"NSTIC is going in the right way, [and] people are thrilled it is creating an environment, but it's time to start solving the problem, to start discussing regulation, policy, legislation, and tools and rules," said Jay Unger, an independent consultant and identity expert.
When NSTIC was introduced in April, Susan Landau, a security and policy expert and a fellow at the Radcliffe Institute for Advanced Study, pushed for NSTIC to close gaps in the strategy. "I want to see more support for identity federation," she said. She emphasized privacy and data accountability as issues that must become hallmarks of the NSTIC strategy.
Some say that NSTIC may already be having an impact -- it has accelerated the development of open standards.
Next year, the Internet Engineering Task Force will ratify OAuth 2.0, a key authentication framework that addresses application security and, most important, allows IT to extend authentication out to native mobile applications their road-warrior populations are falling in love with. Work is underway to link OAuth and SAML, which many companies use today to share identities with partners or to leverage corporate IDs to access software-as-a-service applications.
In addition, the OpenID Foundation is expected early this year to finalize OpenID Connect, which provides a standard way to deliver user data/attributes and level of access information on the back of OAuth.
All those standards are foundational to the NSTIC framework.
NSTIC Part of a New Attitude
NSTIC is just one part of the government's technology push that includes its marquee open innovation program, which recently unveiled the Veterans Job Bank to help soldiers returning from Iraq and Afghanistan.
Aneesh Chopra, the White House CTO, describes
how the government is abandoning tired old internal processes and reaching out to entrepreneurs, innovators, and developers to jumpstart projects that produce results, revenue, and jobs. Current open innovation programs are working in energy, education, health, and manufacturing.
NSTIC follows the same private-sector gospel but on a much larger scale and across industries. The government also is using NSTIC concepts of sharing identities.
In early October 2011, federal CIO Steven VanRoekel signed a memo stating that all new government web sites needed to support IDs not issued by the government. Currently, the National Institutes of Health is the poster child for accepting IDs issued from outside the government. Whitehouse.gov will join them by the end of 2011 by accepting simple credentials issued by government-certified external ID providers. In the next six months, more agencies will link with government-certified credential providers, which include Google, PayPal, Symantec, Equifax, and Wave Systems.
The GSA is expected to sign up its first high-level (Level of Assurance 3) certified provider by the end of the year, which is likely to be Verizon. In December 2011, Verizon became the first provider to earn federal certification to provide Level of Assuarance (LOA) 1-3 credentials to government agencies. LOA 3 provides a high confidence an identity is accurate.
In 2012, NSTIC will add a chief privacy officer.
Regardless of what happens in the future, NSTIC is already creating identity and access management waves that are likely to lap at the eroding security perimeters of corporate networks.
John Fontana is the Identity Evangelist for Ping Identity and editor of the PingTalk Blog. Prior to joining Ping, he spent 11 years as a senior editor at Network World. You can contact the author at PingBlog [at] pingidentity [dot] com.