Cisco Blogs


Cisco Blog > Security

Credential and Attribute Providers in the NSTIC

This is part of an ongoing series on the National Strategy for Trusted Identities in Cyberspace. The introduction to this series can be found here.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) describes two types of intermediaries between subjects (users) and relying parties: identity providers and attribute providers. This is a separation not frequently found in identity systems. In order to emphasize this distinction, I often use the term “credential provider” or “authentication provider” rather than identity provider to refer to a service that provides authentication services and makes assertions resulting from authentication but does not directly provide attributes about the subject.

A credential provider can be thought of as a key cabinet. The subject authenticates to the credential provider in order to “unlock” the cabinet of credentials. As with a physical key cabinet where different keys inside are used for different things, the credential provider serves different credentials to different services. Ideally, the identifiers used for each of these services would be different; a good identifier is also opaque, meaning that the identifier itself provides no additional information about the subject. Provided that the choice of credential provider itself does not reveal significant information about the subject, a subject can be generally pseudonymous with respect to the relying party until the subject authorizes the release of identifying attributes.

Read More »

Tags: , , , ,

The Gap Between Policy and Implementation

Mark Twain once wrote, “Everybody complains about the weather, but nobody ever does anything about it.” Security policy is a lot like that. Creating a security policy is at the top of the list for anyone looking to really secure their network. But the devil is in the details.

Among the things a security policy needs to cover are:

  • All users
  • All physical and virtual devices
  • All access methods
  • All resource classifications and locations
  • All compliance requirements
  • All of the OSI layers, from the physical layer up the stack to the application layer
  • AND the policy needs to be applied uniformly across the entire distributed enterprise

Read More »

Tags: , , , , ,

Fundamentals of Cisco’s Identity Services Engine

May 2, 2011 at 5:42 am PST

The Cisco Identity Services Engine continues the relentless march on both policy definition and the all-important, yet difficult to deliver -- policy enforcement.  This is a first generation product with a multi-generational pedigree granting it a maturity worth considering for many networks.  We created another one of our fundamental’s explanations for this one humbly think it does a good job of explaining both what the ISE is for and what you should be able to get out of it.

Couple of great places for more information of course.

Read More »

Tags: , , ,

Giving identity back to Indians

HUNDREDS of millions of Indians cannot prove they exist. They have no birth certificate, no driving licence, no social-security number. So they find it hard to open a bank account, borrow money or draw on government services.”

Read More »

Tags: , , , , ,