The Gluu in an NSTIC Pilot
Last week, there was a lot of press around the announcement of this year's NSTIC pilots. Here at Gluu, we are excited to participate in one of these projects, and are hopeful that it will be a nice showcase for free open source web access management (WAM) software and the power of open standards for two-factor security. The goal of this blog is to shed some light on how the Gluu Server will help this project come to life. Note, these are my thoughts as CEO of Gluu, and don't necessarily reflect the opinion of MorphoTrust, the lead contractor, NIST, the State of North Carolina, or any of the other contractors.

So what is this pilot about? In my opinion, it's about one thing: electronic enrollment. You can think of enrollment as a kind of online registration. You know the drill: you need an account on a website, you fill out a form, pick a password, validate some CAPTCHA, perhaps validate your email, and you're off to the races. However, this ritual has a few weaknesses, the main one being that there is not a strong link to an actual person. With a plethora of ways for hackers (or your friends) to figure out your passwords, control of an email account hardly provides much assurance that the actual person filled out the registration form. In identity geek parlance, we call identity proofing the process where you correlate a person to an electronic credential. Email validation is a very weak form of identity proofing, sufficient only for low-value transactions.

Today, in many situations, identity proofing requires you to show a printed government-issued ID. As a person needs to transact more important business online, the strength of that identity-proofing process needs to increase as well. Here is an extreme example, but it makes a point. Recently I was issued a US Dept. of Interior smart card. It was really a pain in the neck. I had to drive to Temple, TX from Austin, which is 70 miles north. This was the nearest DOI office that was authorized to issue these cards. I presented two forms of valid ID. At that meeting, they collected high quality biometrics (fingerprint and photo). Subsequently I was interviewed by the FBI at my office, and I provided contact information for my family and childhood friends. After background checks, my ID was ready. I asked for it to be FedExed. No way: I had to drive 70 miles back to Temple, TX, at which point they verified the previously collected biometrics. And after some chit-chat, I was handed my smart card, 280 miles and four hours of driving later. I'll say one thing: they were pretty darn sure that they handed that ID to Michael Schwartz. But it was an expensive and inconvenient process.

The North Carolina Food and Nutrition Services Program also needs to issue electronic credentials to citizens online. As I understand it, some people in North Carolina who need the benefits offered by this program might be quite far from a physical office. Wouldn't it be great if there was some way we could save them the drive? There are many reasons why this makes sense. But there is only one problem: there is no alternative to the in-person identity proof.

The magic in this pilot would be to develop an alternative to the in-person identity proof by leveraging the sensors of a mobile device. Can the camera of a mobile device collect enough data to identify me as well as a person could? It's not that far-fetched, especially for me (when I passed age 40, let's just say my visual acuity isn't what it used to be). The precedent for electronic, non-in-person enrollment just doesn't exist. But once it does, we could see many services that required in-person identity proofing, like voting, have a better chance of becoming a reality.

So what is the Gluu Server going to do to help make this magic happen? For those who have never heard of Gluu, we publish free open source Internet security software that is used by universities, government agencies and companies to enable Web and mobile applications to securely identify a person, and manage what information they are allowed to access.

In this pilot, there are two critical authentications. The first time you enroll, we need to identify you using information gathered from the mobile device, compared against information held by the State of North Carolina, and other contextual information (like your location). This authentication might be a little bit inconvenient, but it may save you hours of driving! After this initial authentication, we will use crypto techniques to enable you to re-authenticate very conveniently, without even using a password. The algorithms to do this identification (the image processing, for example), or to detect fraud, are proprietary. I understand that these will be supplied by MorphoTrust and the University of Texas Identity Center.

The Gluu Server is used to communicate with the mobile device, and to communicate with the servers that analyze the data, secured inside the state environment. It is the glue (no pun intended) between the mobile device and the backend identification engine.

Identifying a person is only half the battle. The second half of the battle is authorizing the person to access certain protected APIs that will be used by the mobile application to do its business. The Gluu Server provides a way for a domain (in this case the State of North Carolina) to define policies that control which people, using which devices, can access which APIs. IT veterans may not be impressed. Oracle, IBM, and Computer Associates all have software that can perform this function. However, the Gluu Server is the only free open source platform that uses open standards to enable centralized access management.

Ultimately, the vision of Gluu and the vision of NSTIC are aligned: to make the Internet a safer place. It's an honor to participate in such an effort, and we're looking forward to serving the citizens of North Carolina to the best of our ability.

Article resource: https://sites.google.com/site/thegluuserver/the-gluu-in-an-nstic-pilot
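The two server-side pieces sketched above, password-less re-authentication after a one-time enrollment and a policy over which people, on which devices, may call which APIs, can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not Gluu Server code and does not describe the pilot's actual protocol. It uses a per-device HMAC key and single-use nonces in place of whatever crypto techniques the project settles on, and every class, method, device name and API path in it is an assumption made for illustration.

```python
"""Added illustration (not Gluu Server code): device-bound re-authentication
plus a (person, device, API) access policy, using only the standard library.

Model: after the one-time, high-assurance enrollment described above, the
server issues a per-device secret that is stored only on the enrolled phone.
Every later login is a challenge-response: the server hands out a single-use
nonce, the device answers with an HMAC over it, and no password is ever sent
or stored.  Authorization is a separate default-deny lookup of
(subject, device, API).  Names, the HMAC construction and the sample API
paths are all assumptions made for this example.
"""
import hashlib
import hmac
import secrets
import time


def compute_response(key: bytes, device_id: str, nonce: str) -> str:
    """HMAC-SHA256 over device id and nonce: the answer is bound to this
    device and this challenge, so it cannot be replayed or forwarded."""
    msg = device_id.encode() + b"|" + nonce.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Device:
    """The enrolled phone: holds the key issued at enrollment, nothing else."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key

    def respond(self, nonce: str) -> str:
        return compute_response(self.key, self.device_id, nonce)


class EnrollmentServer:
    """Server side: device registry, outstanding nonces and access policy."""

    def __init__(self, nonce_ttl: float = 60.0, clock=time.time):
        self.devices = {}      # device_id -> (subject, key)
        self.nonces = {}       # nonce -> (device_id, issued_at)
        self.grants = set()    # (subject, device_id, api)
        self.nonce_ttl = nonce_ttl
        self.clock = clock     # injectable so expiry can be tested

    def enroll(self, subject: str, device_id: str) -> bytes:
        """Run once, after identity proofing succeeded.  Returns the fresh
        device key the phone must keep; the server keeps a copy too."""
        key = secrets.token_bytes(32)
        self.devices[device_id] = (subject, key)
        return key

    def challenge(self, device_id: str) -> str:
        """Issue a single-use nonce for an enrolled device."""
        if device_id not in self.devices:
            raise KeyError(f"device {device_id!r} is not enrolled")
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = (device_id, self.clock())
        return nonce

    def authenticate(self, device_id: str, nonce: str, response: str):
        """Return the subject bound to the device on success, None otherwise.
        The nonce is consumed whether or not the response checks out, so a
        replayed or guessed answer gets exactly one attempt."""
        issued = self.nonces.pop(nonce, None)
        if issued is None or issued[0] != device_id:
            return None                       # unknown, reused or swapped nonce
        if self.clock() - issued[1] > self.nonce_ttl:
            return None                       # stale challenge
        subject, key = self.devices[device_id]
        expected = compute_response(key, device_id, nonce)
        if not hmac.compare_digest(expected, response):
            return None                       # wrong key: not the enrolled device
        return subject

    def grant(self, subject: str, device_id: str, api: str) -> None:
        """Policy entry: this person, from this device, may call this API."""
        self.grants.add((subject, device_id, api))

    def authorize(self, subject: str, device_id: str, api: str) -> bool:
        """Default deny: only an explicit grant opens an API."""
        return (subject, device_id, api) in self.grants


def call_api(server: EnrollmentServer, device: Device, api: str):
    """Full round trip as the mobile app would drive it: challenge, response,
    authentication, then the policy check.  Returns the subject if the call
    is allowed, else None."""
    nonce = server.challenge(device.device_id)
    subject = server.authenticate(device.device_id, nonce, device.respond(nonce))
    if subject is None or not server.authorize(subject, device.device_id, api):
        return None
    return subject


if __name__ == "__main__":
    srv = EnrollmentServer()
    phone = Device("phone-1", srv.enroll("alice", "phone-1"))   # constructed sample
    srv.grant("alice", "phone-1", "/benefits/status")
    print(call_api(srv, phone, "/benefits/status"))   # alice
    print(call_api(srv, phone, "/benefits/admin"))    # None: no grant
```

Two design choices carry the security weight here. The nonce is popped from the table before the response is checked, so a captured answer cannot be replayed and an attacker guessing responses gets one try per challenge; and the device identifier is mixed into the HMAC input, so a response obtained from one enrolled phone cannot be presented under another device's identity. Authorization stays a separate, default-deny step, which is what lets the domain owner change which APIs a device may reach without touching the authentication path.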