The National Cybersecurity Center of Excellence (NCCoE), in partnership with the National Strategy for Trusted Identities in Cyberspace National Program Office, is seeking comments on a new project focused on protecting privacy and security when reusing credentials at multiple online service providers.
Many organizations now allow online customers to use third-party credentials to create and manage accounts and services. For example, your social media account login can be used to access your fitness tracker account. In effect, the social media company is vouching for you with the tracker company.
Allowing third-party credentials saves businesses time and resources in managing identities. For users, the benefit comes from not having yet another username and password to manage and remember.
As these arrangements become more common, a growing number of organizations are laboring to manage—and integrate—each third-party relationship. So now a new service, called brokered identity management, has emerged. Organizations can engage identity brokers to manage multiple third-party credentialing options on their behalf.
The benefits to organizations and individuals are significant, but there is also a concern that these connections meant to improve security can create opportunities for increased tracking of users.
This new collaborative project will examine how commercially available privacy-enhancing technologies can be integrated into identity broker solutions. The NCCoE is seeking comments on a draft document that describes a potential "building block"—one of a series of solutions that address cybersecurity concerns for multiple industry sectors. The document, Privacy-Enhanced Identity Brokers, describes the technical challenges of adding privacy-enhancing technologies to existing products or services, and the technical controls needed to address the privacy risks inherent in them.
Feedback from businesses and the public will inform the project and solution development. This will ultimately result in an 1800-series NIST Cybersecurity Practice Guide that will demonstrate the example solution and provide all the information necessary to replicate the reference design.
The NCCoE addresses businesses' most pressing cybersecurity problems with practical, standards-based solutions using commercially available technologies. The center collaborates with industry, academic and government experts to build modular, open, end-to-end reference designs that are broadly applicable and repeatable.