
Challenges in Operationalizing Privacy in Identity Federations

A critical part of the job of an identity/information management professional is to operationalize privacy in the systems they architect, build and deploy. Unfortunately, it is easier to make that statement than to come up with a rigorous and repeatable process to do it. It is hard because privacy is contextual in nature, and data often moves across organizational and system boundaries where shared context may not exist. This blog post is an attempt to articulate some definitions and considerations regarding operationalizing privacy within the narrow realm of identity federation.

NIST, in its DRAFT SP 800-130 "A Framework for Designing Cryptographic Key Management Systems" (PDF), articulates three privacy characteristics (Section 4.7): Anonymity, Unlinkability and Unobservability:

An information management and security policy may state that users of the secure information processing system can be assured of anonymity, unlinkability, and unobservability, if these protections are required. Anonymity assures that public data cannot be related to the owner. Unlinkability assures that two or more related events in an information processing system cannot be related to each other. Finally, unobservability assures that an observer is unable to identify or infer the identities of the parties involved in a transaction.

In his write-up of the NIST CKMS Workshop, Dr. Francisco Corella had this to say as it relates to identity federation:

"[...] One way of reducing the number of passwords to be remembered is to rely on a third-party identity provider (IdP), so that one password (presented to the IdP) can be used to authenticate to any number of relying parties. The Federal Government allows citizens to access government web sites through redirection to several Approved Identity Providers.
But third party login has privacy drawbacks. In usual implementations, anonymity is lost because the relying party learns the user’s identity at the IdP, unlinkability is lost by the use of that identity at multiple relying parties, and unobservability is lost because the IdP is informed of the user’s logins. Profiles of third-party login protocols approved for citizen login to government sites mitigate some of these drawbacks by asking the identity provider to provide different identities for the same user to different relying parties. This mitigates the loss of anonymity, and the loss of unlinkability to a certain extent. (Relying parties by themselves cannot track the user, but they can track the user in collusion with the IdP.) But the loss of unobservability is not mitigated, because the IdP is still informed of the user’s activities.
I believe that the Government should work to develop and promote authentication methods that eliminate passwords while preserving anonymity, unlinkability and unobservability."

Agreed.

The Fair Information Practice Principles (FIPPs) are a core part of the NSTIC vision for the Identity Eco-System, and more concretely, a critical part of the Federal Government's implementation of that vision (FICAM). The FICAM Identity Schemes (i.e. Protocol Profiles for Authentication) require the use of pair-wise pseudonymous identifiers, so that the same user is known by a different identifier at each relying party, to mitigate the loss of anonymity and the loss of unlinkability. The loss of unobservability is not mitigated by that mechanism: the identity provider still sees every login and which relying party it was for. That is why, as we move forward with our FCCX initiative, we are specifically calling out the issue of "panopticality" as something that is critical for us to address.
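To make the three characteristics concrete, the following Python sketch (an added example, not code from this post or from any FICAM profile) models an identity provider that issues pair-wise pseudonymous identifiers to two relying parties. It assumes one particular derivation, HMAC-SHA256 over the user and relying-party identifiers keyed by an IdP secret (the same shape as an OpenID Connect "pairwise" subject identifier); the FICAM profiles only require that the identifier differ per relying party and do not mandate this construction. The agency names, user names and the IdP key are constructed for the example. It shows what the pseudonyms do buy (the two relying parties cannot correlate their user tables), what they do not (the IdP's login log still records every site a citizen visits, and the IdP can reverse a pseudonym over a known user population if it colludes with a relying party).

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Toy IdP issuing pair-wise pseudonymous identifiers (PPIDs).

    Assumption (not from the post): PPID = HMAC-SHA256(idp_key, user_id || rp_id).
    Any per-RP derivation that the IdP can recompute has the same properties
    demonstrated below; this one is simply easy to read.
    """

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self.login_log = []  # (user_id, rp_id): what the IdP necessarily observes

    def ppid(self, user_id, rp_id):
        msg = f"{user_id}\x00{rp_id}".encode()  # NUL separator avoids ambiguous concatenation
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def authenticate(self, user_id, rp_id):
        """Issue an assertion for rp_id. The IdP records the login as a side effect."""
        self.login_log.append((user_id, rp_id))
        return {"aud": rp_id, "sub": self.ppid(user_id, rp_id)}

    def observed_rps(self, user_id):
        """Loss of unobservability: every relying party this user has visited."""
        return {rp for uid, rp in self.login_log if uid == user_id}

    def resolve(self, rp_id, sub, candidates):
        """Collusion with an RP: holding the key, the IdP can map a PPID back to a user
        by recomputing it over a known population (the citizen list it already holds)."""
        for uid in candidates:
            if hmac.compare_digest(self.ppid(uid, rp_id), sub):
                return uid
        return None


class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.accounts = {}  # keyed by the "sub" the IdP asserted; the RP never learns user_id

    def login(self, assertion):
        if assertion["aud"] != self.rp_id:
            raise ValueError("assertion was issued for a different relying party")
        acct = self.accounts.setdefault(assertion["sub"], {"logins": 0})
        acct["logins"] += 1
        return assertion["sub"]


def rps_can_link(rp_a, rp_b):
    """Can two RPs correlate citizens just by comparing the identifiers they hold?"""
    return bool(set(rp_a.accounts) & set(rp_b.accounts))


def run_scenario(key=None):
    """Three constructed citizens log in to two constructed agency sites."""
    idp = IdentityProvider(key)
    benefits = RelyingParty("benefits.example")
    taxes = RelyingParty("taxes.example")
    users = ["alice", "bob", "carol"]
    for u in users:
        benefits.login(idp.authenticate(u, benefits.rp_id))
        taxes.login(idp.authenticate(u, taxes.rp_id))
    taxes.login(idp.authenticate("alice", taxes.rp_id))  # a repeat visit

    alice_at_benefits = idp.ppid("alice", benefits.rp_id)
    alice_at_taxes = idp.ppid("alice", taxes.rp_id)
    return {
        # anonymity/unlinkability for the RPs: different identifier per RP, no overlap
        "pairwise": alice_at_benefits != alice_at_taxes,
        "rps_can_link": rps_can_link(benefits, taxes),
        # unobservability is lost: the IdP log shows where alice went
        "idp_sees": idp.observed_rps("alice"),
        # and with the IdP's cooperation the two RP accounts are linkable after all
        "collusion_links": idp.resolve(benefits.rp_id, alice_at_benefits, users)
        == idp.resolve(taxes.rp_id, alice_at_taxes, users)
        == "alice",
    }


if __name__ == "__main__":
    print(run_scenario())
```

The `idp_sees` set is exactly the first sense of "panopticality" used below: the credential provider can enumerate every service a citizen authenticates to. Pair-wise identifiers do not touch that property, which is why a broker or protocol that blinds the IdP to the relying party is a separate problem from pseudonymous identifiers.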

We are investing both attention and resources to this area, but have little desire to build a closed eco-system of proprietary technologies with limited interoperability that becomes expensive technology road-kill due to lack of support in the marketplace.

We need the help of standards bodies, technology vendors and other stakeholders to make sure that support for these privacy characteristics is baked into the current and future generations of identity protocols and standards. Even more, we need that support to be adopted and used in the implementations of those protocols and technologies by the identity thought leaders in this space, so that Government can leverage them as part of delivering citizen-facing services.

:- by Anil John

GSA OGP Announces an Industry Day on Federal Federated Identity Solutions

Earlier this year, the White House convened the Federal Cloud Credential Exchange (FCCX) Tiger Team, composed of several federal agencies that have a vital need to better assist the public and reduce Federal costs by moving more services online. In alignment with President Obama's National Strategy for Trusted Identities in Cyberspace, the FCCX Tiger Team's objective is to facilitate the Federal government's early adoption of secure, privacy-enhancing, efficient, easy-to-use, and interoperable identity solutions.

Over the past few months, the FCCX Tiger Team has worked on the use cases and the functional requirements necessary for the operation of an identity federation capability that can be integrated with a government agency web application to support and consume a full range of digital credentials such as PIV, PIV-I, and other third party credentials issued under a FICAM-approved Trust Framework Provider.

In simple terms, the Federal government is interested in leveraging one or more commercially available cloud service providers to streamline the burden agencies face in trusting and integrating with FICAM-approved credentials.

As the next step, the FCCX Tiger Team would like to hear from industry vendors on how they might implement a privacy-enhancing, cloud-based, federated credential exchange service.

If you are a product or solutions provider that has the ability to offer these capabilities and would like to help inform the service, please submit your name and company via e-mail to icam [at] gsa [dot] gov by Wednesday, August 1, 2012 and we will provide more information about the requested written response and associated logistics.

In addition, for those who contact us, GSA Office of Governmentwide Policy (GSA OGP) will be holding an Industry Day on Tuesday, August 7th, 2012 (9am – 12:30pm EST) at GSA OCS, 1275 First Street NE, Washington DC, Room 1201B (NoMa-Gallaudet Station – DC Metro Red Line) to gather more information and answer questions from industry vendors regarding the FCCX initiative. We will be able to host both virtually and in person. In person space is limited, so let us know your preference when you contact us.

As an overview, the following topics should be addressed in your written response, which will be due by 5 P.M. EDT on Monday, August 20, 2012 (extended from the original August 13, 2012 date):

  • Proposed high level architecture for enabling authentication to an Agency application using third party credentials to include:
    • Shared service operated in a cloud environment servicing multiple Agencies
    • Operation in an Agency-hosted environment
  • User interface approaches for selection of approved credentials
  • Credential registration and authentication strategies for citizens with multiple approved credentials
  • User enrollment approaches
  • Assurance level escalation approaches
  • Attribute request/consumption approaches
  • Supported protocols, profiles and schemas for creating and sending assertions
  • Abstracting and streamlining business relationships with FICAM approved credential providers at all levels of assurance
  • Preserving privacy (minimize storage of personal information and “panopticality” of the service)
  • Auditing
  • Scalability of the service
  • Cost models (pay per user or per application using tiered volume discounts, O&M)
  • Other relevant information

UPDATE (8/3/12): We've had a couple of questions about what is meant by "panopticality" above.

Within the context of FCCX it means two things:

  1. The ability of Credential Providers to "see" all the Service Providers to which a citizen authenticates (a pair-wise pseudonymous identifier changes what the Service Provider learns, not what the Credential Provider sees)
  2. The visibility that the FCCX service itself may have into the citizen information flowing through it


:- by Deb Gallagher (GSA) & Naomi Lefkovitz (NIST) - FCCX Tiger Team Co-Chairs