Trust Elevation through Contextual Authentication Regional Arab Forum on Cybersecurity Giza (Smart Village)-Egypt, 18-20 December 2011 Abbie Barbir,

Abbie Barbir, PhD
ITU-T SG 17 Identity Management Rapporteur (Abbie.Barbir@ties.itu.int)
Co-chair, OASIS Trust Elevation TC (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trust-el)
Elected Member of the OASIS Board of Directors (http://www.oasis-open.org/board)

ITU-T Study Groups (2009-2012)

ITU-T objectives
- Established 17 May 1865
- Decisions by consensus
- Participation through national governments
- "Telecom" does not mean that the focus is only on telecom
- Develop and publish standards for global ICT interoperability
- Identify areas for future standardization
- Provide an effective forum for the development of international standards
- Truly global public/private partnership; 95% of the work is done by the private sector
- Continuously adapting to market needs

Study groups
- SG 2: Service provisioning and telecom management
- SG 3: Tariff, accounting, telecom economic and policy issues
- SG 5: Environment and climate change
- SG 9: Television, sound and integrated broadband cable networks
- SG 11: Signalling requirements, protocols and test specifications
- SG 13: Future networks including mobile and NGN
- SG 16: Multimedia coding, systems and applications
- SG 17: Security, identity management (IdM) and languages

SG 17 Q10/17 Identity management

Interoperability of identity management
- X.giim, Generic IdM interoperability mechanisms
- X.1250, Baseline capabilities for enhanced global identity management trust and interoperability
- X.1251, A framework for user control of digital identity
- X.1252, Baseline identity management terms and definitions
- X.1253 (X.idmsg), Security guidelines for identity management systems

Trust of identity management
- X.EVcert, Extended validation certificate
- X.eaa, Information technology – Security techniques – Entity authentication assurance
- X.atag, Attribute aggregation framework
- X.idmcc, Requirement of IdM in cloud computing
- X.mob-id, Baseline capabilities and mechanisms of identity management for mobile applications and environment
- X.oitf, Open identity trust framework

Discovery of identity management information
- X.discovery, Discovery of identity management information

Protection of personally identifiable information
- X.1275, Guidelines on protection of personally identifiable information in the application of RFID technology
- X.priva, Criteria for assessing the level of protection for personally identifiable information in identity management

Working with OASIS: SAML 2.0 and XACML and their equivalent ITU-T Recommendations

Q10/17 Coordination and collaboration
- ITU-T Joint Coordination Activity on IdM (JCA-IdM)

OASIS Trust Elevation TC

OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation) TC
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trust-el
- Works to define a set of standardized protocols that service providers may use to elevate the trust in an electronic identity credential presented to them for authentication
- Responds to suggestions from the public sector, including the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC)
- Promotes interoperability among multiple identity providers, and among multiple identity federations and frameworks, by facilitating clear communication about common and comparable operations to present, evaluate and apply identity data/assertions to sets of declared authorization levels

National Strategy for Trusted Identities in Cyberspace (NSTIC)
- Called for in the President's Cyberspace Policy Review (May 2009)
- Promotes the development of an online environment where individuals and organizations can trust each other because they follow agreed-upon standards to obtain and authenticate their digital identities

Usernames and passwords are broken
- People have many different passwords
- Passwords are reused across sites
- Even strong passwords are vulnerable (they can be phished, captured by malware or stolen in bulk from the server)

Identity theft is on the rise
- Large increase in suspicious activity reports from financial institutions
- $17.3 billion estimated cost to the economy over two years (BJS, 2008)

Cybercrime is on the rise
- Phishing is increasing, with more sophisticated attacks

Guiding principles
- Privacy-enhancing and voluntary
- Secure and resilient
- Interoperable
- Cost-effective
- Easy to use

Main issue
- How to verify the human ("carbon") entity on the other end of an online transaction
- Identities are difficult to verify over the Internet
- The problem is more complicated in North America because there is no government-based national identity system

Entity Authentication Assurance

Entity Authentication Assurance Framework
- Joint work of ISO/IEC JTC 1/SC 27/WG 5 and ITU-T SG 17/Q10
- Expected to reach Committee Draft status this year
- Standardizes Levels of Assurance (LoAs) to promote trust, improve interoperability and facilitate identity federation across organizations

ISO/IEC 29115 | ITU-T X.1254 provides a framework for managing entity authentication assurance in a given context. In particular, it:
- specifies four levels of entity authentication assurance;
- specifies criteria and guidelines for each of the four levels of entity authentication assurance;
- provides guidance concerning controls that should be used to mitigate authentication threats;
- provides guidance for mapping the four levels of assurance to other authentication assurance schemes;
- provides guidance for exchanging the results of authentication that are based on the four levels of assurance.

Level   Description
1       Little confidence in the asserted identity
2       Some confidence in the asserted identity
3       High confidence in the asserted identity
4       Very high confidence in the asserted identity

Entity Authentication Assurance: why do the work?
- Provides a consistent basis for trust
- Promotes identity federation
- Helps organizations make informed decisions
- Enables credential re-use in different contexts
- Promotes efficiency and reduces costs
- Enables cross-organization and cross-border services
- Provides a framework for further standardization
Federal Financial Institutions Examination Council (FFIEC)

Entity Authentication Assurance: structure and contents
- Four Levels of Assurance
- Entity Authentication Assurance Framework
- Management and organizational considerations
- Threats based on framework components
- Required controls for each LoA
- Privacy and protection of PII
- Operational service assurance criteria

[Figure: EAA Framework scope. Inside the scope boundary of this standard: Enrollment (application/initiation, verification, proofing, registration, record-keeping); Credential management (issuance, binding, revocation); Authentication; Usage; and Risk assessment / LoA selection. Outside the scope boundary: authorization, rights, access controls, etc.]

Authentication: Towards Digital Trust

FFIEC Supplement to Authentication in an Internet Banking Environment (2011)
- Layered security, not customer authentication alone, for high-risk transactions
- Applies to both retail/consumer and business/commercial banking
- Detect and respond to suspicious activity
- Device identification (simple device identification, e.g. a cookie, is no longer considered sufficient)
- Challenge questions (KBA) give a false sense of security; need to move away from them
Source: Federal Financial Institutions Examination Council (FFIEC)

More on Authentication

How do we define authentication strength?
- Simply counting authentication factors (something you know, something you have, something you are, i.e. inherence) does not tell us how strong a given authentication method is
- Authentication methods can be based on a single authentication attribute or on two or more attributes of different kinds
- Many vendors and enterprises do not implement true two-factor authentication and do not have a consistent definition of the term (two attributes of the same kind, such as a password plus a PIN, are not two factors)
- Instead, measure a method's strength against specific attacks, for example masquerade attacks and man-in-the-browser attacks
- Evaluate the strength of an authentication method to confirm that it meets the assurance needs of the authorization request
Based on Gartner research note G00219391
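The two slides above (the four X.1254 levels, and strength measured by distinct factor kinds and attack resistance rather than by factor count) can be turned into a concrete trust-elevation decision. The following is an added example written for this page, not code from the presentation, the OASIS TC or the standard. The mapping from factor kinds and attack resistance to a level, the transaction-value thresholds, the contextual step-up rule and the method catalog are all assumptions made for illustration; X.1254 defines the levels but not this policy.

```python
"""Trust-elevation decision on the four X.1254 levels of assurance.

Added example, not code from the presentation. The factor-to-LoA policy,
the transaction thresholds and the method catalog are assumptions made
for illustration; X.1254 defines the levels, not this mapping.
"""
from dataclasses import dataclass
from enum import IntEnum


class LoA(IntEnum):
    """The four entity authentication assurance levels of ISO/IEC 29115 | X.1254."""
    LITTLE = 1      # little confidence in the asserted identity
    SOME = 2        # some confidence
    HIGH = 3        # high confidence
    VERY_HIGH = 4   # very high confidence


# Factor kinds: something you know / have / are.
KNOW, HAVE, ARE = "know", "have", "are"


@dataclass(frozen=True)
class Method:
    name: str
    kind: str                     # KNOW, HAVE or ARE
    resists_phishing: bool = False
    resists_mitb: bool = False    # survives a man-in-the-browser attacker


# Assumed catalog of methods the service can ask for (not from the deck).
PASSWORD = Method("password", KNOW)
SMS_OTP = Method("sms_otp", HAVE)                            # phishable, no MitB resistance
HW_TOKEN = Method("hw_token_txn_signing", HAVE,
                  resists_phishing=True, resists_mitb=True)  # signs the transaction itself
FINGERPRINT = Method("fingerprint", ARE)
CATALOG = [PASSWORD, SMS_OTP, HW_TOKEN, FINGERPRINT]


def achieved_loa(methods):
    """Assumed policy: count distinct *kinds* of factor, not methods, so two
    knowledge factors (password + PIN) never count as two-factor; reach
    LoA 4 only when some completed method resists man-in-the-browser."""
    kinds = {m.kind for m in methods}
    if not kinds:
        return LoA.LITTLE
    if len(kinds) == 1:
        return LoA.SOME
    if any(m.resists_mitb for m in methods):
        return LoA.VERY_HIGH
    return LoA.HIGH


def required_loa(amount, device_known=True, geo_consistent=True):
    """Risk assessment / LoA selection: the transaction value sets the base
    level (assumed thresholds); contextual signals raise it by one level."""
    if amount < 100:
        base = LoA.SOME
    elif amount < 10_000:
        base = LoA.HIGH
    else:
        base = LoA.VERY_HIGH
    if not device_known or not geo_consistent:
        base = LoA(min(base + 1, LoA.VERY_HIGH))
    return base


def elevation_plan(completed, required, catalog=CATALOG):
    """Methods to request, in order, to elevate a session from what it has
    already completed to the required LoA: [] if nothing is needed, None
    if the catalog cannot get there. Attack-resistant methods are tried
    first, and a method is only requested if it actually raises the LoA."""
    trial = list(completed)
    plan = []
    # Prefer methods that resist MitB, then phishing (False sorts before True).
    for m in sorted(catalog, key=lambda x: (not x.resists_mitb, not x.resists_phishing)):
        if achieved_loa(trial) >= required:
            break
        if m in trial:
            continue
        if achieved_loa(trial + [m]) > achieved_loa(trial):
            trial.append(m)
            plan.append(m.name)
    return plan if achieved_loa(trial) >= required else None


if __name__ == "__main__":
    # A password-only session wants to move 5,000 from an unknown device.
    need = required_loa(5_000, device_known=False)
    print("required:", need.name, "achieved:", achieved_loa([PASSWORD]).name)
    print("elevate with:", elevation_plan([PASSWORD], need))
```

The point to notice is in `achieved_loa`: a password plus a PIN stays at level 2 because both are knowledge factors, while a password plus an SMS code reaches level 3 and only a method that resists man-in-the-browser (here a transaction-signing hardware token) reaches level 4. `elevation_plan` then asks for the smallest set of additional methods that closes the gap, which is the "elevate the trust in a credential already presented" operation the OASIS TC is chartered to standardize.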

Device Identification (from a smart-device perspective)
- Cookies are increasingly becoming obsolete for device and user identification
- The IP address is not reliable
- Different approaches are used: identification in browser-based technologies (SAML, OpenID) differs from native applications (OAuth 2.0 and OpenID Connect)
- Standards are needed
- Need to move towards interoperable, cookie-less, device-independent identification methods in order to prevent fraud in financial transactions
  - Support for cloud-based interactions
  - Support for interoperable token-based services ("one-time" cookies)
- Eventually every device needs an immutable, provision-able, isolated non-volatile memory (NVM) to store its identity
  - Programmable: read/write, one-time programmable (OTP) and erase capable
  - Scalable across devices (power, form factor, standard)
  - Ultimately needs appropriate crypto support
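What a "one-time cookie" backed by a device-held key could look like, as an added example written for this page and not code from the presentation: the device keeps a key in isolated storage (stood in for by a class that only answers MAC requests) and presents a fresh HMAC over the device id, a monotonic counter and the transaction it is about to perform. The token layout, HMAC-SHA256, the counter-based replay rule and the binding of the transaction context are my assumptions; the slide only asks for an isolated identity store with crypto support.

```python
"""Cookie-less, device-bound one-time tokens with replay protection.

Added example, not code from the presentation. The device holds a key in
isolated storage and presents a fresh MAC over (device id, counter,
transaction context) on every request. Assumed, not from the deck: the
token layout, HMAC-SHA256, and the counter-based replay rule.
"""
import hashlib
import hmac
import secrets


class DeviceKeyStore:
    """Stand-in for the isolated, provision-able NVM the slide asks for:
    the key is written once and the caller can only request MACs."""

    def __init__(self, key: bytes):
        self._key = key

    def mac(self, message: bytes) -> bytes:
        return hmac.new(self._key, message, hashlib.sha256).digest()


def provision(registry: dict, device_id: str) -> DeviceKeyStore:
    """Enrol a device: generate a key, record it server-side with a zeroed
    counter, and hand the device its key store."""
    key = secrets.token_bytes(32)
    registry[device_id] = {"key": key, "counter": 0}
    return DeviceKeyStore(key)


def _message(device_id: str, counter: int, context: bytes) -> bytes:
    # Binding the transaction context means a man-in-the-browser that
    # alters the transaction also invalidates the token.
    return b"|".join([device_id.encode(), str(counter).encode(), context])


def make_token(device_id: str, store: DeviceKeyStore, counter: int, context: bytes) -> str:
    """Device side: one token per (counter, context); the device keeps its
    own monotonically increasing counter."""
    tag = store.mac(_message(device_id, counter, context)).hex()
    return f"{device_id}:{counter}:{tag}"


def verify_token(registry: dict, token: str, context: bytes) -> bool:
    """Server side: accept a token once, only for the context the server
    actually sees, and only if its counter exceeds the last accepted one."""
    try:
        device_id, counter_str, tag = token.split(":")
        counter = int(counter_str)
    except ValueError:
        return False
    record = registry.get(device_id)
    if record is None or counter <= record["counter"]:
        return False
    expected = hmac.new(record["key"], _message(device_id, counter, context),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    record["counter"] = counter      # advance only after a successful check
    return True


if __name__ == "__main__":
    reg = {}
    store = provision(reg, "dev-1")
    t = make_token("dev-1", store, 1, b"transfer 10 to alice")
    print("first use:", verify_token(reg, t, b"transfer 10 to alice"))   # True
    print("replay:   ", verify_token(reg, t, b"transfer 10 to alice"))   # False
```

Two caveats a practitioner would add: the server's counter is only advanced after a successful verification, so a rejected (tampered or replayed) token cannot be used to burn a legitimate one, and the scheme is only as strong as the isolation of the key store; if malware on the device can read the key, it can mint tokens for any transaction, which is why the slide insists on immutable, isolated NVM rather than a file on disk.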

Current basic "trust triangle"
- Three parties: the user, the identity service provider (IDSP) and the relying party (RP)
- The user has a direct trust relationship with the IDSP and with the RP
- How can the IDSP and the RP trust each other?
Source: OIX

Should We Have Trust in Trust Frameworks?
- Key question: how much do we trust the identity enrolment stage?
- Do we trust the breeder documents and the verification process?
- The elephant in the room: the rise of synthetic identities
  - A synthetic identity is created when a criminal steals bits and pieces of information from different people and assembles a new identity that corresponds to no real ("carbon") person
  - For example, a real social security number is combined with a different name and date of birth
  - Difficult to detect because the mismatched pieces of information do not belong to any one person
- Criminals are getting bold: the trend is to claim identity theft rather than plain account busting
- Need better means of validating breeder documents; not all breeder documents are trustworthy

Directions: some pain points
- Internet transactions are anonymous (low trust), but value transactions are identity-based: we need to move from anonymous to identity-enabled
- Need strong authentication and contextual identification of identities
- Enable identity-based systems while protecting privacy (PII)
  - Isolation of issuer and target
  - Enable the right to be forgotten
  - An identity dashboard for the user to keep control of identity and related data (data ownership)
- Consumer protection and identity service provider liabilities
- Audit, compliance and policy enforcement
- And yes... a system that is simple to use

Current Trends
- OIDF WG on Street Identity (see www.streetidentity.com)
  - Built on OAuth 2.0 and OpenID Connect
  - Focus on eliminating password reuse ("one password")
  - Identity verification: use of a relationship manager or attribute provider to share legal identity (name/address) with a requesting party
- Toward strong authentication
  - Secure the "one password" with additional protection
  - Potentially the use of secure vault technology in devices: an immutable, provision-able, isolated NVM to store the device identity, programmable (read/write, OTP, erase), scalable across devices (power, form factor, standard), and ultimately with appropriate crypto support

Q&A