On October 13th, 2011, Sean Deuby wrote for WindowsITPro on how NSTIC works, the concept of the identity ecosystem, and possible issues that need to be addressed in order to make NSTIC a reality. He notes that even though our use of the web for sensitive transactions has grown dramatically, there are still many online transactions we can't perform because of the question of identity. Phishing, malware attacks, and news stories about hacking always leave the question "Is this person who he says he is?" Unfortunately, passwords just aren't cutting it anymore. As Jeremy Grant, manager of the NSTIC program office, likes to say, “We think the password is fundamentally insecure and needs to be shot.”
This is where NSTIC and the Identity Ecosystem come in. The Identity Ecosystem is a user-centric online environment made up of a set of agreed-upon standards, policies, and technologies that support transactions ranging from fully authenticated to anonymous and from high to low value. NSTIC isn't necessarily a national ID system, but more of an acknowledgment that secure transactions on the Internet need a common framework that both identity providers and service providers agree to work within. Moreover, NSTIC isn't inventing any new technology, but rather using existing technology like smart cards and digital certificates to create a network supporting trust IDs that can be used by all parties. The identity ecosystem could allow the consumer to make secure online transactions by using a smartphone.
Of course, the successful implementation of NSTIC would be a boon for businesses; with more online security, consumers would be more likely to do their business online, and new areas of online business like online healthcare could open up. Further, Mr. Deuby notes that NSTIC would also have to be voluntary: "consumers must have choices for who they want as an identity provider, and consumer demand will encourage more identity providers and service providers to join the ecosystem." However, NSTIC comes with its drawbacks. First, an identity ecosystem is far from deployment. Second, the concept of creating identity warehouses raises both privacy concerns and the prospect of "hyper-identity theft" if someone were able to break into an identity provider. Even so, Mr. Deuby finds that NSTIC is a vision of how things should be; the private sector just has to step it up and figure out how to make it a reality.
The source article can be found here.