Introduction to Guidance and Standards (Continued)

In the United States in 2011, the United States government established the National Strategy for Trusted Identities in Cyberspace. This was an attempt to create trust and a standardized identity on the internet. It sought to ensure privacy of those identities, the security of transactions related to those identities, to make sure that they could be interoperable between different services, and therefore, ensuring a cost effective approach. So, these were the four founding principles of the initiative. It struggled with widespread adoption. Single credentials across government services in most countries are still not present. In one of our case studies, the second of our four case studies, we will look at Estonia, which actually is seen as a world leader in this area.

They have actually got that single ID across the public sector and the private sector. In 2007, the National Strategy for Trusted Identities in Cyberspace saw the launch of login.gov. And so, this was an environment where individuals could access all government services through a single site. Again, there has been some concerns raised around privacy when using a single identity online. Could people use it for tracking? Some of the standards that we’ll reference as well, we have the NIST Cybersecurity Practise Guide 1800-2 on Identity and Access Management for Electric Utilities. Utilities have become increasingly newsworthy recently as security attacks have focused on them as part of a nation’s critical national infrastructure.

There is also research for the next generation of biometric measurements and standards, NGBMS for Identity Management. How can we use biometrics more effectively? And we’ve seen biometric-use spiral over the past 10 years. Ten years ago it was unusual to see a fingerprint reader. Now most smartphones have some form of biometric recognition, whether it’s face recognition, fingerprints. One final standard we should be aware of relates to the use of cryptography. And this is a collection of different standards, different countries have different approaches here. But typically, there are restrictions on the export of strong cryptography.

When we move to look at SSL in section 11, we will see why this becomes important, in part because technologies like SSL and TLS require as strong an encryption as possible. And where we see a requirement to drop that back to a lower strength cryptography, it can present a vulnerability. And we see this with some attacks on SSL and TLS especially.