Cisco Blogs


Cisco Blog > Security

Adapting Levels of Assurance for the NSTIC

This is part of an ongoing series on the National Strategy for Trusted Identities in Cyberspace. The introduction to this series can be found here.

One of the goals of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is to support a wide range of use cases. These might include everything from low-value purchases to making adjustments to critical infrastructure, like power systems, where someone might get hurt if an unauthorized action takes place.

Read More »

Tags: , , , ,

Credential and Attribute Providers in the NSTIC

This is part of an ongoing series on the National Strategy for Trusted Identities in Cyberspace. The introduction to this series can be found here.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) describes two types of intermediaries between subjects (users) and relying parties: identity providers and attribute providers. This is a separation not frequently found in identity systems. In order to emphasize this distinction, I often use the term “credential provider” or “authentication provider” rather than identity provider to refer to a service that provides authentication services and makes assertions resulting from authentication but does not directly provide attributes about the subject.

A credential provider can be thought of as a key cabinet. The subject authenticates to the credential provider in order to “unlock” the cabinet of credentials. As with a physical key cabinet where different keys inside are used for different things, the credential provider serves different credentials to different services. Ideally, the identifiers used for each of these services would be different; a good identifier is also opaque, meaning that the identifier itself provides no additional information about the subject. Provided that the choice of credential provider itself does not reveal significant information about the subject, a subject can be generally pseudonymous with respect to the relying party until the subject authorizes the release of identifying attributes.

Read More »

Tags: , , , ,

iPhone Location Tracking: Important, Even if it Doesn’t Matter to You

Apple’s iOS mobile device operating system has recently come under fire in the media for tracking user location, recoverable from device backups of a file called consolidated.db. As we discussed in the Cyber Risk Report, even though Apple has disclosed location tracking via their Privacy Policy, significant commentary online suggests that users are surprised to learn how it is accomplished. The researchers whose efforts have brought this location tracking to wide attention were aware that forensics experts knew about it, but developed their tool to bring this to a wider attention. By all accounts, they have succeeded in raising awareness; what remains is to understand what should be done from here.

Update: Apple responded with a press release on April 27, 2011

Read More »

Tags: , ,

Are you really secure ?

Yes, the question is “Are you really secure?” Now that I’ve asked a loaded question, let me get to the point.

The term “secure” sure has a lot of different meanings depending on the context in which it is used. If we take it from a corporate security perspective, your options are somewhat limited to physical security, as in video surveillance or physical access, or logical security, as in your laptop or data access. But, when you ask a security professional if they are secure, they will most certainly take that in the context of what they can control, and will most likely answer “yes”.

Well, what about the things you cannot control? You can control which products you buy to provide security, you control how they are installed and configured, and you control the processes and procedures that identify how they are managed and updated. But, can you control how they are manufactured?

Read More »

Tags: , , , , , , , , , , ,

NSTIC Strategy Released

Last June, I blogged about a draft of the National Strategy for Trusted Identities in Cyberspace (NSTIC) that had been released for public comment. This past April 15, the finalized NSTIC strategy document was released at an event at the US Chamber of Commerce.

For those of you that aren’t already familiar with the NSTIC, it is a US government-facilitated initiative that seeks to simplify and strengthen user authentication and to provide trustable assertions about principals in online transactions through the creation of an ecosystem that includes identity and attribute providers. More information is available at the NIST NSTIC website, particularly the animation video. NSTIC seeks to improve trust in use in the Internet and to enable new uses that depend on trusted attributes and higher assurance transactions.

Read More »

Tags: , , ,