For over a decade, the Federal Government has had numerous efforts and initiatives on identity and access management (IAM). These efforts morphed into identity, credential, and access management (with of course its own acronym, ICAM), underscoring a fundamental principle of having some credential or token (physical or digital) in order to prove and authenticate the identity that an individual is claiming. Many of you will recall the famous cartoon “On the Internet, no one knows you’re a dog”.
On the one hand, this cartoon underscores the privacy and anonymity that the Internet provides. The flip side is that for many types of transactions and ecommerce applications, it is absolutely critical for security and privacy purposes to have assurance and trust in the identity that is being provided – by an individual or by a machine. Banking, electronic commerce, and health care are but a few examples where it is necessary to know that you ARE who you are claiming to be, by providing the minimum number of attributes (data) to prove it.
The National Institute of Standards and Technology (NIST) is now leading the charge with its National Strategy for Trusted Identities in Cyberspace (NSTIC) program office. NSTIC envisions a cyber world – the Identity Ecosystem – that improves upon the passwords currently used to log in online. It would include a vibrant marketplace that allows people to choose among multiple identity providers – both private and public – that would issue trusted credentials that prove identity. There are several goals in mind: single sign-on to multiple web sites versus the current user name/password per site; convenience; security; privacy; and voluntary participation.
While NIST runs the program office for NSTIC, the vision is for the identity ecosystem to be managed and operated by the private sector. The program office supports the effort by coordinating stakeholders, ensuring interoperability, and supporting policy requirements. It also has a small amount of grant funds that it distributes to qualified pilot efforts. The Identity Ecosystem Steering Group recently approved its first set of governance and intellectual property rights documents. That is not a small undertaking for a robust community that includes ecommerce sites, financial institutions, health care organizations, non-governmental organizations, electronic payment groups, software companies, and many others.
After a decade of observing this space slowly develop (with some initiatives such as Real ID grinding things to a complete halt at times), it’s exciting to see the NSTIC efforts really developing momentum. There is still much work to be done, with efforts such as architecture, policies, governance and frameworks still to be worked through.
This is so exciting to me because of the vision that this ecosystem enables. It enables more types of critical transactions in the digital world, across multiple ecosystems, while improving the security of those transactions and the privacy of the data, and while enabling me, the OWNER OF MY IDENTITY DATA, to have control over what attributes about myself I choose to release to whom.
While this end-state vision is so exciting, the data geek in me understands that the overall quality of the data systems (the data, the attribute data, data interoperability, the data distribution system, the LDAP and other IDM systems in place, data security classifications, etc.) will also require a lot of work to get the identity ecosystem where it wants to be.
I will continue to write on these efforts and on my observations of how the worlds of identity, data, and security need to come together. I continue to be optimistic about the progress being made and what this means not only for a simplified digital life, but also for an improved world of privacy and security.