Government funding and wide private-sector participation show promise for this cloud identity vision
In my Enterprise Identity column in October 2011, I talked about the National Strategy for Trusted Identities in Cyberspace (wisely abbreviated to NSTIC, pronounced "n-stick"). At the time I thought NSTIC's concept of a government initiative to spur development of a widely-adopted, next-generation secure identity environment showed a lot of promise. But it had some significant obstacles to overcome. Today, I'm pleased to say NSTIC is healthy and moving forward, to all our benefit. And it's something you should know about.
The NSTIC vision is an answer to the security mess we all deal with in this current phase of the Internet's life. We all have too many passwords and they're far too easy to crack, security is inconvenient and therefore avoided, high-security transactions are just not safe enough, users are trained to click "yes" to everything they see or, conversely, are afraid to click "yes" to anything…it's a long list of failings.
NSTIC describes “a vision of the future—an Identity Ecosystem—where individuals, businesses, and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely support transactions ranging from anonymous to fully authenticated and from low to high value. Key attributes of the Identity Ecosystem include privacy, convenience, efficiency, ease-of-use, security, confidence, innovation, and choice.” NSTIC has a list of scenarios that demonstrate how much simpler and more secure our hybrid real/cyber world of the future would be with such a framework.
Let me be clear: NSTIC's idea is that of an identity ecosystem, not a draconian government identity system. The government is not developing these standards and the ecosystem framework; instead it's providing fertile ground for the big players in internet identity (such as Google, PayPal, IBM Global Services, Microsoft, Verisign, Adobe, CA, Ping Identity, and Symantec) to develop the system themselves by providing federal funding to meet, determine standards, and begin pilot programs. As incentive to prove out these emerging standards, NSTIC is also offering government organizations as early adopters.
As an IT pro, why should you care about what sounds like a mainly consumer-oriented initiative? First, if you work for a business to consumer (B2C) company, you already know the lines between enterprise and consumer identity are increasingly becoming blurred as your external services are adapting to accept credentials from identity providers such as Google, Twitter, and Facebook. If your company focuses on business to business (B2B), meeting identity ecosystem criteria may make it far easier to set up efficient and secure business operations with other trusted companies.
There was some doubt as to whether a government project towards such a utopian goal would survive a budget deficit and a partisan Congress. But on November 18, 2011, President Obama approved $16.5 million for the initiative to continue (though far less than the $24.5 million requested). Since then, the National Institute of Standards and Technology (NIST) released a new, $10 million Federal Funding Opportunity (FFO) for pilot programs to support the NSTIC. The goal of the grant program is to test or demonstrate new solutions, models, or frameworks that don't exist in the marketplace today, and that will advance the NSTIC vision.
On February 7, 2012, NIST published a report entitled Recommendations for Establishing an Identity Ecosystem Governance Structure (aka the Steering Committee). How you actually govern (in the private sector sense) a loosely federated group of cooperating companies is critical to the success of the entire endeavor, and more than 57 stakeholders from private industry, consumer advocacy groups, privacy protection organizations, state government, and members of the financial and health care communities provided formal input to the report. In mid-March, NSTIC held a governance workshop and announced $2.5 million in funding for the building and management of the Steering Committee.
NSTIC is something that needs to happen. To quote the NSTIC strategy document, "A secure cyberspace is critical to our prosperity." It has broad participation in its evolution—remember, the government is providing coordination and incentives, but it's handing over control to the private sector—so that the final structure that emerges will be broadly usable. And you can still participate; hop over to the NSTIC site and have a look around to better understand where the initiative is going. You can also sign up for occasional emails to keep up with NSTIC's progress.