Monday, May 06, 2013

The Realized Value of PKI

A few years ago, I drafted the first version of a paper for the Federal Public Key Infrastructure Policy Authority (FPKIPA), entitled “The Realized Value of the Federal Public Key Infrastructure (FPKI)”[1]. At that time, we declared it mature and proudly documented its value to the Federal PKI community. The laundry list included strong digital signatures, authentication and encryption, and “Trusted Interoperability between Disparate Systems.” We also spoke of “Increased Industry Adoption.” We thought all the battles were over and that PKI, once adopted, would provide a trusted, secure environment for Federal transactions.

A recent survey calls those assumptions into question, especially the veracity of the trust fabric that underpins PKI and much of our government and economy.

I refer to the Ponemon Institute survey, underwritten by Venafi, of 2,342 respondents from mainly Global 2000 enterprises, “2013 Annual Cost of Failed Trust Report: Threats and Attacks”[2]. This is reportedly the first attempt to quantify the potential cost of flawed PKI-based trust over the next two years, which the Ponemon Institute estimates to be $400 Million per enterprise.

The Ponemon Institute maintains that “no enterprise is safe.” All the Global enterprises surveyed have experienced an inability to control trust. The report summarizes how failure to control trust in the face of increased threats and breaches places all global enterprises, including governments, at risk. “A few kilobytes of cryptographic data is all that stands in the way of millions lost in sales, grounded airplanes and closed borders,”[3] the report states.

The report goes on to relate the cost of each type of breach and breaks down the percentage of financial losses incurred by PKI-enabled global enterprises per threat type in five countries: the U.S., the U.K., Australia, France and Germany.

The threat and potential losses for cloud-based services are probably even higher, but that remains to be seen.

I’d like to stop now and ask you to read the Ponemon Institute report, so that we can open a dialogue on its findings and potential fixes. And, I’d like to elicit information about how well you think the U.S. Federal Government is doing in regard to measures being taken to avoid erosion of the Federal PKI.

-Judy Fincher

[1] http://www.idmanagement.gov/documents/RealizedValueFederalPKI.pdf

[2] http://www.venafi.com/ponemon-institute-first-annual-cost-of-failed-trust-report/?ls=gg&cid=70150000000ni9Q&gclid=COv4-PiE5LYCFc0WMgodtBwA_w

[3] Ibid., p. 3.


Tuesday, Mar 05, 2013

Reusable Trusted Identities on the Internet: the smoke is billowing, but will the concept finally catch fire?

The concept of reusing credentials is nothing new. A host of standards and technologies have grown up over the last decade. SAML, WS-Federation, OAuth, OpenID, and others have matured from nascent concepts to standards with broad adoption in COTS products. These standards continue to evolve to support new cloud and mobile use cases. Despite these developments and ongoing evolution, the average user has dozens of credentials from a host of industries: online merchants, social networks, banks and financial institutions, insurance companies, email providers, utility services, and on and on the list goes.

The Problem

The failure has not been at a technology level, but a story of failed business models, liability confusion, user privacy concerns, and marketplace inertia. Here is a brief overview of the challenges faced:

Business Models: The promise of reduced credentialing is to allow application owners to end, or at least greatly reduce, their costs for lifecycle management of credentials. Yet most federation operators offer a mix of locally managed credentials and reusable credentials. How much does this mixed mode actually save the application owner? How do they compensate external Identity Providers for use of their credentials? Without compensation, either direct in the form of payment for issuing credentials, or indirect, such as collecting user data to resell, Identity Providers have little reason to exist.

Liability: When a credential is compromised and sensitive data lost, who is liable in a federated environment? Is it the provider of the credential? Is this a loss for the application owner to absorb? Can financial losses be capped? What federal and state laws apply? What if the access occurs from an international location? What about insuring these losses to mitigate the risks? These are all common questions asked by Identity Providers and application owners. Without clear answers, application owners often issue their own credentials as the safe play.

User Privacy: How much do you want an Identity Provider to know about the end user, and where their credentials are being used? What privacy policy should be in place? If I accept external credentials, will users even want to use them at the risk of allowing the Identity Provider to profile their activity?

Marketplace Inertia: In the face of uncertainty and risk, keep doing what we have been doing! Change is hard; following the crowd is easy.

Potential Forces of Change

More than in the recent past, business leaders understand that the challenges to reusing trusted identities extend well beyond technology. As a result, we are seeing a host of changes, driven both by business needs and by government policy.

Social Network Credentials: User expectations are changing, driven by the convenience of using social credentials to access applications that host low risk information.

Joint Government/Private Sector initiatives: At the current time there are numerous bodies looking to create an interwoven fabric of trusted credentials, based on Trust Framework Providers. A Trust Framework Provider is an organization that defines or adopts an online identity trust model and then certifies Identity Providers that are in compliance with that model.

Government Sponsored Organizations

Private Sector Trust Framework Providers

Will efforts catch fire?

The good news is that it is hard to recall a time when so many separate efforts were cooperating to drive towards the same goals around reusable online identities. Will these current initiatives break the marketplace inertia, or will they go the way of previous well-intentioned efforts that have done little to move the needle on creating ubiquitous reusable trusted identities? What do you think?

-Steve Skordinski

Wednesday, Feb 27, 2013

New Executive Order will help resolve complex problems facing Critical Infrastructure

The White House has received considerable praise for highlighting Critical Infrastructure Cybersecurity in the State of the Union speech this year, and the Executive Order that accompanied the speech takes several important steps in resolving the complex problems facing industry, governments and consumers in securing the systems upon which our economy and personal safety depend.

Critical Infrastructure is defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." Such systems include the electric distribution system, water management systems and energy pipelines. Traditionally, such industrial control systems have relied upon a combination of obscurity and network separation to ensure stable and secure operating environments, but modern systems are leveraging ubiquitous connectivity and cloud services in ways that open previously protected components and communications channels to attack.

The Executive Order instructs the Secretary of Commerce to direct the National Institute of Standards and Technology (NIST) to develop a voluntary framework for Cybersecurity that will address "standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks." This framework will be developed with opportunities for open public review and comment, and Electrosoft Services looks forward to participating in that process.

The electric distribution system brings power from generation sources to consumers, and the metering device that measures and controls the flow of electricity is a vital component of that system. A secure process for remotely upgrading the firmware of smart meters is necessary for assurance that the meters are being controlled by appropriate software as intended by the utility. In 2009 the National Electrical Manufacturers Association (NEMA, now The Association of Electrical Equipment and Medical Imaging Manufacturers) published Requirements for Smart Meter Upgradeability (NEMA SG-AMI 1-2009). Electrosoft Services supported NIST in developing conformance test requirements that may be used voluntarily by testers and/or test laboratories to determine whether smart meters and upgrade management systems conform to the requirements of NEMA SG-AMI 1-2009. We are supporting Oak Ridge National Laboratory, which is validating the test framework in cooperation with multiple smart meter vendors.
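The assurance the paragraph above asks for, that a meter only runs software the utility intended, comes down to checks the meter performs before applying an update: is the manifest authentic, does the image match the manifest, and is the image newer than what is installed (so an attacker cannot push an old, vulnerable build back onto the device)? The following is an added illustration of those three checks and is not code from Electrosoft, NIST, ORNL or the NEMA SG-AMI 1-2009 specification. To stay within the Python standard library it uses an HMAC-SHA256 tag over the manifest as a stand-in for the utility's signature; a real deployment would use an asymmetric signature verified with a public key provisioned on the meter. The key, image bytes and version numbers are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the utility's firmware-signing key.
# Not a real secret; a fielded meter would hold a public verification key instead.
UTILITY_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(manifest: dict) -> bytes:
    """Serialize the manifest deterministically so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_package(image: bytes, version: int, key: bytes = UTILITY_KEY) -> dict:
    """Utility side: wrap a firmware image in a manifest (version + SHA-256 of image)
    and tag the manifest so the meter can check it was produced with the utility's key."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag, "image": image}


def verify_package(package: dict, current_version: int, key: bytes = UTILITY_KEY) -> tuple[bool, str]:
    """Meter side: accept the package only if all three checks pass.
    Returns (accepted, reason). Order matters: authenticate the manifest first,
    then trust its digest and version fields."""
    manifest = package["manifest"]
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    if not hmac.compare_digest(expected, package["tag"]):
        return False, "manifest tag does not verify"
    # Integrity: the image must be exactly the one the authenticated manifest describes.
    if hashlib.sha256(package["image"]).hexdigest() != manifest["sha256"]:
        return False, "image digest does not match manifest"
    # Anti-rollback: refuse anything that is not strictly newer than the installed build.
    if manifest["version"] <= current_version:
        return False, "version is not newer than installed (rollback refused)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed image bytes; a real image would be the meter's firmware blob.
    good = build_package(b"\x7fMETER-FW v3 (constructed)", version=3)
    print(verify_package(good, current_version=2))   # accepted

    tampered = dict(good, image=good["image"] + b"\x00")
    print(verify_package(tampered, current_version=2))  # digest mismatch

    print(verify_package(good, current_version=3))   # rollback refused
```

The ordering is the design point: the digest and version fields are only meaningful after the tag over the manifest has verified, otherwise an attacker who can edit the manifest could bump the version or swap the digest to match a modified image.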

The Executive Order also promotes voluntary industry participation in adoption of the Cybersecurity Framework and identification of critical infrastructure at greatest risk. These measures will significantly improve information sharing within the industry, advance security best practices and strengthen the protection of vital systems upon which we all depend. We look forward to these important developments and are excited to have an opportunity to contribute.

-Scott Shorter

Friday, Feb 22, 2013

How secure is your Personal Health Information?

Have you ever thought about the accuracy of your health records? How secure do you think they are as they are used by and exchanged between various health providers? At Electrosoft, we are currently working with the National Cybersecurity Center of Excellence (NCCoE) to provide interoperable approaches for securing electronic health records. Under contract to NIST, we are supporting the NCCoE initiative to identify methods to support health professionals who view and transfer your confidential information using mobile devices.

In today’s environment, doctors are relying on mobile devices more than ever to send referrals, e-prescriptions and patient lab results, view hospitalized patients’ charts, and order clinical tests. It’s imperative that the transmission of your personal information is done in a secure manner.

As a team, we are excited to have the opportunity to work with the NCCoE to help improve the overall security of health information exchange. As security professionals, it’s important for us to assist in the development of practices that will allow secure transfers of your patient records.

The benefit that this project provides could potentially change the way professionals think about their mobile environments. Mobile security threats are increasing daily and one of our goals is to make people aware of these dangers. As more health professionals switch over to mobile platforms to perform their duties, it is vital that they understand the risks associated with mobile devices.

If you or anyone you know is interested in learning more about our involvement within the NCCoE, please contact us.

For more information regarding Electrosoft’s various Cybersecurity Strategic Services, click here.

-Vince Johnson, NCCoE Team Member