Federating credentials across enterprises
The Transglobal Secure Collaboration Program (TSCP) was born out of a challenge shared by aerospace and defense companies: the need to be able to securely collaborate with suppliers, teammates and government customers.
So together, they agreed to work on ways to securely email and share documents as well as how to trust each other’s issued credentials. “The work really involves creating specifications, a sort of ‘rules of the road’ on how to prove an individual is who they claim to be, how to issue a very secure credential to be able to assert that identity and then how to use that credential with the common everyday collaboration products,” says Steve Race, vice president of operations for TSCP.
Early on, these collaborative products weren’t built to accept high-level-of-assurance identity credentials. So TSCP expanded its membership to include many of the leading technology companies, like Microsoft, and incorporated those new specifications into new products. The roster of TSCP members includes four governments, 19 technology companies and seven corporations. It is also expanding beyond the aerospace and defense industries to include other verticals such as oil and gas, Race explains.
This would seem to make TSCP a natural to lead a pilot project for the National Strategy for Trusted Identities in Cyberspace (NSTIC) and indeed the group did receive funding. TSCP’s pilot will deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange.
As part of this pilot, employees of participating businesses will be able to use their existing credentials to securely log into retirement accounts at brokerages, rather than having to obtain a new credential. Key to enabling these cross-sector transactions will be TSCP’s development of an open source, technology-neutral Trust Framework Development Guidance document that can provide a foundation for future cross-sector interoperability of online credentials.
TSCP will work on the liability and privacy areas, as well as the other common operating rules that the trust environment needs. The collection of models and rules will be packaged into a Trust Framework Development Guidance document that will be available to industry and government to facilitate adoption of a more secure, easy to use and affordable way to access systems.
“We will be setting up demonstrations using tabletop environments first, then pilots and finally small scale production. This will allow us to really test and prove out the new models and rules for using higher level of assurance identity credentials,” Race says.
He expects a difficult journey. “Fundamental and legitimate concerns exist across the industry, across the government and the private citizens,” Race says. “They range from privacy, legal liability, cost, ease of use … the list goes on and on.”
TSCP has engaged a wide range of partners beyond its membership to help develop the trust guides and test secure transactions with real systems. They’ll utilize a $1.2 million grant from NSTIC for the first year and the same amount for year two provided the project’s benchmarks are met.
Race says the most difficult step will be finding those brave initial adopters. “My hope is that our efforts will accelerate the early adopters’ willingness to step up and adopt,” Race says. “I mean the bad guys are out there. They’re damaging our economy. They’re threatening our national security every day, and moving to a more secure identity ecosystem will have a very positive impact going forward.”
TSCP did what Race considers to be groundbreaking work a few years ago around federation. “This is a concept of taking a credential that one entity issues and having another entity trust their credential and accept it to gain access to their system,” Race says. “One of the fundamental challenges with doing this is determining who is liable if there’s a problem.”
TSCP worked with its members and the American Bar Association to create the basis for law, describing a third-party assurance model. The work was published and has allowed federation to be adopted more widely.
“There’s really much more work that needs to be done to ground our identity and access management framework – or the Identity Ecosystem as NSTIC refers to it – to common law,” Race says. “That’s a large part of what we propose to do for the NSTIC grant.”