by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
GCN : May 2015
GCN MAY 2015 • GCN.COM 13 FIRST, A BIT OF GOOD NEWS. The National Institute of Standards and Technology met its March 16 deadline to produce baseline requirements for its Identity Ecosystem Frame- work (IDEF), the bedrock document aimed at revving up a move to more secure credentials that are interop- erable across the Internet and a big advance toward the holy grail of a single, Internet-wide sign-on for individuals. The first version of the IDEF will be launched sometime this summer. By defining the overall set of in- teroperability standards, risk models, privacy and liabil- ity policies needed to fully describe an identity-based ecosystem, both government and private organizations will be able to see how their identity efforts match up to IDEF’s requirements. IDEF springs from the Obama administration’s Na- tional Strategy for Trusted Identities in Cyberspace (NSTIC), which launched in 2011. The intent was for the government, through NIST, to bring together the private sector, advocacy groups and government agencies to create an environment that replaces the current one, which uses many different kinds of authentication to access online services. NIST has a rundown of the kinds of things such an identity ecosystem can be used for, and it does seem enticing when compared to today’s authentication sys- tems. IDEF by itself won’t be enough, of course, because such an ecosystem depends on a broad level of trust among parties, and that will be a huge nut to crack. But identity is increas- ingly the focus for future security platforms because — as has become obvious over the past couple of years — traditional network, data and systems protection tech- niques are of limited use against the focused efforts of today’s more sophisti- cated cyber criminals. Beyond security, a strong identity solution will also act as an enabler, said Jeremy Grant, who stepped down as leader of the NSTIC initiative at the end of April. “If we have easy-to-use identity solutions that enable secure and privacy- enhancing transactions, we can enable citizens to engage with government in more meaningful ways,” Grant wrote in an October blog post. “With a vibrant identity ecosystem — where citizens can use the same credential to access services at multiple sites — we can enable a wide array of new citizen-facing digital services while reducing costs and hassles for individuals and government agencies alike.” The trust needed to build that ecosystem should be at the top of the list of re- quirements, which is made clearer by a report from the Ponemon Institute that looked at the use of security certificates and cryptograph- ic keys around the world and found rampant abuse. In the institute’s survey of more than 2,300 security professionals, 58 percent believed their organiza- tions needed to do better in securing certificates and keys in order to stop man- in-the-middle attacks. More than half of the respondents didn’t even know where all their certificates and keys were located. In the past two years, the number of keys and certificates deployed on Web servers, network appliances and cloud services grew to almost 24,000 per enter- prise, the survey found. The major fears respondents listed were of a “cryptopoca- lypse” and misuse of mobile certificates, all of which could cost organizations $53 million over the next couple of years, up by 51 percent from 2013. NIST has already funded four rounds of pilot pro- grams aimed at developing the technologies needed for the identity ecosystem, for a total so far of around $30 million. According to Grant, the intent is that by 2019 consumers “will think it’s quaint” when online service providers ask them to cre- ate a new account, and the NSTIC program office will have become “a blessed memory.” • Progress toward an identity ecosystem BY BRIAN ROBINSON CYBEREYE The key to online trust 23,922 keys and certificates on average per company $1,000 price tag for a stolen certificate in the underground marketplace 54% of organizations do not know where all their keys and certificates are located, up from 50% in 2013 Sources: Ponemon Institute and Venafi 0515gcn_013.indd 13 4/29/15 1:09 PM