ID management: A matter of trust (Federal Computer Week)
In April 2011, the Obama administration launched a plan called the National Strategy for Trusted Identities in Cyberspace (NSTIC) to encourage the private sector to develop, with federal support and input, online ID and authentication systems that people could use and government agencies, other organizations and commercial players could accept without each needing to create their own vetting systems.
At this point, NSTIC supporters are making headway, though perhaps not in a headline-grabbing way. Earlier this month, the Identity Ecosystem Steering Group, a federally supported committee led by the private sector that will guide creation of NSTIC-style systems, met for the first time in Chicago to hash out plans for addressing privacy, standards, usability, contracts and other key components.
National Strategy for Trusted Identities in Cyberspace (NSTIC) is being run by National Institute of Standards and Technology (NIST) to encourage the development and adoption of standards for ID management. The recent Apple-Amazon hack points to why this is important.
In an environment where everyone has to create their own ID management system, it is inevitable that organizations will create exploitable gaps in the way they emphasize the importance of information. In this case, Amazon (like many other companies, just check your restaurant receipt) treated the last four numbers of a credit card as non-secure information, while Apple used the same information for logical access control.
Initiatives like NSTIC hope to facilitate companies and government agencies to work through ways to make this kind of thing less likely.