May 08 2014

Organizations Seek Strong ID Solutions

NSTIC projects aim to improve the security of online transactions.

Imagine a world in which users don’t have to remember dozens of different passwords for various government portals and e-commerce sites with which they interact and conduct business. If the National Strategy for Trusted Identities in Cyberspace (NSTIC) pans out, this could be the reality in just a few short years.

“The problem with identity today is that you don’t know who you’re talking to or how many people are listening,” says New Hampshire CIO Peter Hastings. Launched by the White House in 2011, NSTIC seeks to change that by enabling the private sector and states to authenticate with each other.

Moderating a panel discussion at the NASCIO 2014 Midyear Conference this week in Baltimore, Hastings said the goal is to improve the privacy, security and convenience of sensitive online transactions.

A Matter of Trust

Michael Garcia, deputy director of NSTIC implementation for the National Institute of Standards and Technology, said the private sector must lead the charge on establishing an identity ecosystem, with the government catalyzing the marketplace and facilitating the development of standards. “The private sector is in the best position to drive solutions and ensure that the identity ecosystem offers improved online trust and better customer experiences,” Garcia said.

The NIST identity ecosystem steering group awarded $20 million in grants for 12 pilot identity management projects. The pilot projects include state entities and infrastructure to seek diverse solutions.

The Virginia Department of Motor Vehicles is participating in the Cross Sector Digital Identity Initiative (CSDII) pilot with the American Association of Motor Vehicle Administrators, AT&T, Biometric Signature ID, CA Technologies and Microsoft.

Trust frameworks have been around for quite some time, but trustmarks are fairly new, said Dave Burhop, CIO for the Virginia DMV, who pointed to online examples such as electronic court seals, McAfee Secure, TRUSTe and VeriSign. “I view trustmarks as the glue that holds everything together in the interoperability framework,” he said.

Consider the example of a driver’s license. “We look at our credential as being the standard for getting into federal buildings, getting on airplanes and so forth,” Burhop said. “Why not extend that to the online world?”

One example of a use case is the Inova Health System in Northern Virginia, which next month will implement a pilot to issue credentials for patient and provider access to electronic health records. The healthcare provider will begin with the VIP patients who pay a premium for extra care.

Other use cases include research and development for access to clinical trials across multiple test sites, student and faculty access to academic records and educational resources, and in government, providing citizens with greater access to services and information. “Eventually we’ll get to where DMV is the issuer of electronic credentials,” said Burhop.

Hurdles Ahead

John Wandelt, a fellow for the Georgia Tech Research Institute, concedes the task of creating a trustmark marketplace is challenging. “The scope and scale is broad with a lot of people involved and a lot of herding cats,” he said.

However, NASCIO research shows that the largest barrier to adoption of enterprise identity access management is the decentralization, followed by cost, complexity and the lack of governance. And it’s decentralization that leads to the other challenges. “If we can solve that problem with a framework, that allows us to make progress toward our strategic objectives.”

The goal is to gather trust and interoperability requirements, break them down and reassemble them into modularized components to encourage broad reuse. So far, researchers have identified 95 different trustmarks and are building about 50, Wandelt says.

IT professionals can expect to see NSTIC solutions taking off once there’s mass adoption within two major industry sectors, such as state government, federal government, banking and other types of businesses, said Garcia. In the meantime, the hope is that pilot projects in Virginia, Michigan and Pennsylvania will demonstrate value to other states.