NIST: No uniform approach to identity management


Identity management is a major cybersecurity consideration for agencies but there is no standard approach to federated identity management, according to the National Institute of Standards and Technology.

Given the array of digital credential providers and agencies' unique business requirements there are no uniform methods for revoking credentials or their associated attributes, finds a recently-published National Institute of Standards and Technology interagency report (.pdf), NIST IR 7817.

While NIST doesn't recommend a single, tried-and-true approach to credential and attribute revocation, it does make suggestions for assessing credential reliability and revocation services. Different approaches apply to different provider models, which NIST categorizes by the number of parties involved in authentication.

For the two-party model--involving only the service provider and the credential holder, or user--there are two approaches to revocation. For enterprise single sign-on, or SSO, a service provider that detects suspicious activities should prevent further malicious activities by reporting the incident to the enterprise's SSO authentication server, resulting in a suspension of the credential.

With the other two-party approach, a service provider's delegation credentials will allow access to some data or processes but block rights to others.

"Should malicious third party activities occur, the primary service revokes the delegated credential, while the user credential remains valid," says NIST.

This protects the user from a denial of service attack. The user or service provider should also have a delegation revocation procedure in place to terminate a delegated service, recommends the publication.

On the other end of the spectrum, the four-party model for revocation must consider far more players: the credential holder, the independent identity provider, the service provider, and one or more independent attribute providers that vouch for attributes requested by the service provider, says NIST.

Given the complexity of such an arrangement, the IR recommends attributes be verified and up-to-date--meaning the identity provider should check the authoritative source, or sources, for attribute updates regularly. By using the same credential and assessing service provider feedback, the authentication decisions by the attribute provider and identity provider should be based on the same status of the credential, adds NIST.

For more:
- download the publication, NIST IR 7817 (.pdf)

Related Articles:
'Work to be done' in common secure-area credentials
IRS two-factor authentication system nearly 2 years behind schedule, finds TIGTA
CMS looks to NSTIC for identity management