WELCOME! 17th IDESG Plenary June 8-9, 2016 Cloud Identity Summit – New Orleans
Welcome to the Revolution – Day Two Marc-Anthony Signorino, IDESG Executive Director
Agenda, Thursday June 9: IDESG: The Next Chapter – Sal D’Agostino; Standards Registry Overview – David Temoshok; Standards Vote – Jenn Behrens; Framework Management Office Report – Jamie Bryce Clark; Plenary Wrap-Up – Jenn Behrens & Rene McIver; Lunch/Breakout Sessions.
Content
Jenn Behrens, Plenary Chair; Rene McIver, Plenary Vice Chair. Welcome to the 17th IDESG Plenary! I am very excited to facilitate this Plenary, in New Orleans, co-located with CIS, at this pivotal time for our organization. And with that, I now call this Plenary into session.
IPR. Before we get too much further, let me take care of the IPR. All Contributions are subject to the IDESG transparency requirements. By making Contributions to IDESG or its Committees, each Organizational Member or Individual Member consents to their public posting, circulation, and archiving and waives any rights to the contrary.
Building a Better Digital Ecosystem With The Identity Ecosystem Framework. We are all here, volunteering, dialing into meetings, juggling committee participation, showing up for Plenaries, taking a stand on votes and making this vision happen. We have all worked and driven hard to deliver on the requirements and standards over the last year. We have an amazing set of baseline requirements with growing guidance and supporting documents, and the committees continue to work on deliverables that will propel the framework to the next level.
Moving the Identity Revolution Forward. This week, we launched the Identity Ecosystem Framework Registry. The registry empowers organizations to improve the way they handle identities and thereby create a safer environment for online transactions. Companies that choose to self-certify measure themselves against the IDEF’s core requirements for trusted identity exchanges – benchmarks like privacy, interoperability, security and usability – as a yardstick for evaluation. Participants show their compliance based on their self-reported adherence to core standards. In a few minutes, you will hear from a few of our own about the IDEF, the Registry and how some of the key players in the field are implementing or aligning with the IDEF and with the Registry.
IDESG: Next Chapter – Sal D’Agostino, IDmachines; President, IDESG
Standards Registry Overview – David Temoshok, NIST NSTIC National Program Office
IDESG Standards Registry IDESG Plenary June 9, 2016
Background – SAP. IDESG Standards Adoption Policy: Version 1.0 approved December 2014; Version 2.0 approved May 2016. The SAP defines the IDESG policies and processes for standards evaluation, approval, and adoption for the IDESG IDEF. Purpose: It is the intent of the Standards Adoption Policy (SAP) to provide a formal Standards Adoption Process (Section 3) and Evaluation Criteria (Section 4) by which IDESG can support the development of the Identity Ecosystem Framework (IDEF) by: 1) adopting existing standards into a formal Standards Registry, and 2) promoting the development of new standards where gaps in standards exist. EMPOWER
IDESG Standards Inventory. The Standards Inventory (“Inventory”) is a listing of standards, specifications, and similar guidance related to identity management and NSTIC's domain. Any IDESG member may submit an item for inclusion in the Inventory. This wiki-based resource is intended to serve as a tool for finding standards and artifacts of possible relevance to the identity ecosystem. However, inclusion of a document in the Inventory does not imply any endorsement by IDESG. Standards are listed in the Inventory as a precursor to their nomination and evaluation for inclusion in the Standards Registry. (Source: IDESG Standards Adoption Policy v2.0)
IDESG Standards Registry. The Standards Registry is a list of standards, specifications, and similar guidance adopted by IDESG to support systems that conform to baseline requirements of the IDEF. This registry lists all standards approved for adoption by the IDESG Plenary, along with metadata about each standard as specified by the IDESG Standards Coordinating Committee (SCC). Any standard adopted into the Standards Registry is in support of the creation and development of an identity ecosystem as described in the NSTIC Strategy. (Source: IDESG Standards Adoption Policy v2.0)
IDESG Standards Wiki Pages. IDESG maintains Wiki pages for the Standards Inventory and the Standards Registry. [Screenshot of the IDESG Wiki page "Category:Standards – Standards Inventory"; its introductory text reads:] Welcome to the Standards Inventory! This is meant to be a compilation of known identity-related standards – a survey of the identity standards landscape. It is not an endorsement by the IDESG of any listed standard. Anyone with an idecosystem.org login may add a standard to the inventory, update information for a listed standard, or provide comments on a listed standard via the discussion tab. The category lists 108 pages (e.g. ABADSG, ANSI X9.62-2005, ANSI X9.63-2001, ANSI X9.63-2011, BAE Governance, BAE Overview, BAE SAML 2.0 Profiles, …).
Key Points. The Standards Inventory is a listing of standards relevant to the IDM domain. The Standards Registry presents standards that have been approved (adopted) by the IDESG and are recommended for use in the Identity Ecosystem. The Standards Inventory is INFORMATIVE. The Standards Registry is RECOMMENDED. Neither is NORMATIVE. The only normative IDEF requirements are the Baseline Requirements. Baseline Requirements may require the implementation of a standard as a normative requirement. Any standard that the Baseline Requirements require to be implemented must be an adopted standard in the IDESG Registry. Standards that are included as “REFERENCES” in the supplemental guidance to the Baseline Requirements are not normative.
IDEF v1 – Use of Standards Registry. Baseline Requirement INTEROP-4. STANDARDIZED DATA EXCHANGES: Entities that conduct digital identity management functions MUST use systems and processes to communicate and exchange identity-related data that conform to public open STANDARDS. Best Practice INTEROP-BP-B. RECOMMENDED EXCHANGE STANDARDS: Entities that conduct digital identity management functions SHOULD utilize systems and processes to communicate and exchange identity-related data that conform to public open STANDARDS listed in the IDESG Standards Registry, or if that Registry does not include feasible options, then to nonproprietary specifications listed in the IDESG Standards Inventory. The SCC wanted to require that the data exchange standards listed in the IDESG Standards Registry MUST be used in federated AuthN transactions. However, the Registry was not complete, so use of the Registry is RECOMMENDED as a Best Practice in IDEF v1, to become a Baseline Requirement in the future.
Questions?
Standards Vote – Rene McIver, Plenary Vice Chair
Standards Coordination Committee – Standards Adoption. Standards Coordination Committee Chair: Rene McIver, rene.mciver@securekey.com, 416-568-9181
ISO 27002. ISO 27002 (based on ISO 27001) provides guidelines for the selection, management, and application of information security controls designed to meet an organization's security risk environment(s).
ISO 27002. Link to folder (Standards Nominations, Evals and Privacy Reports): https://workspace.idesg.org/kws/groups/standards/documents?folder_id=178. Nomination submitter: Adam Madlin. Evaluation: SCC approved November 19, 2015.
SCC consensus that ISO 27002 is consistent with the NSTIC principles (privacy enhancing and voluntary; secure and resilient; interoperable; cost effective and easy-to-use) and with the additional principles of relevance to the Identity Ecosystem, function-oriented description, and affordability.
ISO 27002 Privacy Report: No privacy issues noted. A comment is included, however: “We are concerned regarding the anticipated use of standards by members of the IDESG. It is not clear whether standards cited, including ISO/IEC 27002, are to be considered normative or illustrative for purposes of assessing whether an organization meets the IDESG Framework and requirements.” A minority opinion is also expressed in the report.
SCC Recommendation: Consensus agreement to recommend ISO 27002 to the IDESG Plenary for approval to adopt into the Standards Registry.
FMO Report – Jamie Bryce Clark, OASIS-Open, Framework Management Office
Functional Requirements: Now what? Atlanta, January 2015
Functional Requirements: Now what? New Orleans, June 2016
You Are Here (2015) (not a complete picture, but illustrative). [Roadmap diagram: tracks running from the Strategy & IDEF Plan Committee through Requirements Committee Requirements to Iterated Requirements; TFTM work feeding a Preliminary set with self-assessment and a Full set with 3rd party assessment; TFTM, UX and Other (?) self-assessment planning and 3rd party assessment planning; Standards adoption policy with adopted standards (Std); Enabling projects (P) and Other Projects.]
You Are Here (2016). [The same roadmap diagram, built up over several slides to show progress since 2015 in the project (P) and standard (Std) markers.]
Next steps: More Outreach (trust frameworks, mapping); More Listings (customer development); More Tools (guidance, PEM, etc.); More Standards; Beta Concierge Period; Sequencing of Next Requirements Release; Third Party Assessment.
Plenary Wrap Up – Jenn Behrens, IDESG Plenary Chair
Breakout Sessions: PCC & PEM – Studio 1-2; TFTM Committee – Studio 3-4; Functional Model Group & Profiles – Studio 7-8
17th IDESG Plenary THANK YOU!