Tuesday, May 17, 2011

Federal Standards for the Identity Ecosystem
by Sally Ewalt, Anakam Identity Services

A month ago, the federal government issued its long awaited National Strategy for Trusted Identities in Cyberspace (NSTIC). We have been following the development of NSTIC since the idea was first announced. In fact, Equifax executives participate in many of the standards groups whose work is foundational to the successful execution of NSTIC. The basic idea of the NSTIC is a federated identity framework founded on strong proofing of the electronic identities to ensure the trustworthiness of claims behind them. The federated framework allows users to log-in to different, unrelated sites using one ID credential backed by a trusted provider.

An example from the NSTIC website shows how, “… student Jane Smith could get a digital credential from her cell phone provider and another one from her university and use either of them to log-in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords….People and institutions could have more trust online because all participating service providers will have agreed to consistent standards for identification, authentication, security, and privacy.”

The ‘consistent standards of identification’ are currently being developed by the North American Security Products Organization (NASPO) at the request of the American National Standards Institute (ANSI). Equifax is a member of the authoring committee, which is developing voluntary standards applicable across industries and for both online and face-to-face identity proofing. This national standard will include a set of consistent and transparent policies and processes that will permit a relying party in a transaction to know the extent to which the credential used in a transaction has been bound to the real person presenting the credential.

Kantara, an international organization dedicated to ensuring “secure, identity-based, online interactions while preventing misuse of personal information so that networks will become privacy protecting and more natively trustworthy environments”, has developed the first trust framework for a federated identity structure at levels of assurance beyond self-asserted identity. Equifax participates in the Kantara privacy and public policy workgroup (P3WG), as well as on several industry-specific teams, such as healthcare. The federal government has accepted the Kantara trust framework for NIST level 1, level 2, and non-PKI level 3 identities. This ensures that any agency would accept a user’s log-in credential from a Kantara certified credential provider at those levels of assurance.

We see great promise in the security of trusted credentials that allow users both the ease of a simplified log-in process, and the strong authentication of both their own identity and that of the organization with which they are doing business. For citizen-facing federal portals, banking and financial sites, and the very sensitive data in electronic healthcare records, this protection is paramount.

For more information about NSTIC and secure credentials, please click here to contact us.

Readers' Comments



Be the first to post a comment!

Please fill in the form below.