Federal agencies have a hard enough time already trying to develop a strong digital identity system. These systems often sit at the nexus of security, risk-based management, and user experience. Ryan Galluzzo, the digital identity lead for the Applied Cybersecurity Division at the National Institute of Standards and Technology (NIST), addressed these challenges and outlined strategies for agencies to navigate the complexities of digital identity during a recent discussion on Federal Monthly Insights: Identity Security in the Public-Private Sector.

Context and User Understanding

Galluzzo emphasized the importance of context, user rights, and understanding user characteristics and available devices when building a digital identity system. He highlighted the need to consider the application context, user types, data access levels, and potential impact of user actions.

"The whole point of the digital identity risk management process is to want to understand what is the application context you’re working in? What are the different users that you have? What kind of data are you accessing? What kind of rights do you have once they are in the application? Can they modify things, just view things, and what’s the potential impact?" - Ryan Galluzzo

Phishing-Resistant Multifactor Authentication and Device Security

Galluzzo stressed the need for phishing-resistant multifactor authentication, which he considers critical both for federal government cybersecurity and for realizing zero trust strategies.

Galluzzo’s vision for a full-scale security strategy starts with securing the devices that access the system. He described to Federal News Network’s Justin Doubleday the important work of the National Cybersecurity Center of Excellence in this area.

Balancing Security and User Experience

Galluzzo further emphasized the need to strike a balance between security and user experience. He remarked that innovations able to blend an effortless user journey with added protection are considered gold and have a strong propensity to succeed. He was particularly enthusiastic about passkeys, FIDO authentication, and mobile wallets and the credentials that live inside them.

He points out that innovations in this area are particularly important to the industry as a whole.

"Any technology that can start to consolidate a smooth user experience with increased security is the kind of thing that can show a lot of value and gain a lot of traction. That’s why we’re so interested in things like passkey and FIDO authentication, as well as things like mobile wallets, and the credentials that reside inside them." - Ryan Galluzzo

"Wherever you can find that nexus of secure and usable, I think is a really interesting innovation point for the overall industry, as well as for folks like us who are looking to help standardize those things and make sure they’re interoperable and make sure they are providing a consistent degree of protection, as well as that usability." - Ryan Galluzzo

Attribute-Based Access Control

Galluzzo outlined the advantages of attribute-based access control, which enables organizations to control access dynamically based on user and transaction attributes. These attributes include the user’s location, device type, network connection and time of day. They allow policies to be applied more precisely according to the attributes of the resource being protected.

"The big thing with attribute-based access control is it really allows you to manage access based on both the attributes of the user and the transaction, like where I’m originating from, the kind of device I’m using, the networks I’m connected to and the time of day. Then applying policies that support that based on the attributes of the resource you’re attempting to protect." - Ryan Galluzzo
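As an added illustration, not code from the discussion or from NIST, the Python below evaluates an access request from the attributes Galluzzo names: the transaction's origin, device type, network and time of day on one side, and the sensitivity of the resource being protected on the other. The role attribute, the phishing-resistant MFA flag, the sensitivity levels and the sample resource and requests are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    role: str
    location: str           # country the request originates from
    device_type: str        # "managed" or "unmanaged"
    network: str            # "corporate" or "public"
    time_of_day: time
    phishing_resistant_mfa: bool   # assumed attribute, ties in the MFA point above

@dataclass(frozen=True)
class Resource:
    """Attributes of the resource being protected (levels are assumptions)."""
    name: str
    sensitivity: str        # "low", "moderate" or "high"
    allowed_roles: frozenset
    allowed_locations: frozenset

def evaluate(req: Request, res: Resource) -> tuple[str, list[str]]:
    """Deny-by-default decision: every applicable rule must hold. Failed rules
    are returned with the decision so a denial can be logged and reviewed."""
    failures = []
    if req.role not in res.allowed_roles:
        failures.append(f"role {req.role} not permitted for {res.name}")
    if req.location not in res.allowed_locations:
        failures.append(f"origin {req.location} not permitted for {res.name}")
    # The resource's sensitivity attribute selects how strict the transaction rules are.
    if res.sensitivity == "high":
        if req.device_type != "managed":
            failures.append("high sensitivity requires a managed device")
        if req.network != "corporate":
            failures.append("high sensitivity requires the corporate network")
        if not req.phishing_resistant_mfa:
            failures.append("high sensitivity requires phishing-resistant MFA")
        if not time(8, 0) <= req.time_of_day < time(18, 0):
            failures.append("high sensitivity is limited to business hours")
    elif res.sensitivity == "moderate":
        if req.device_type != "managed" and not req.phishing_resistant_mfa:
            failures.append("moderate sensitivity requires a managed device or phishing-resistant MFA")
    return ("permit", []) if not failures else ("deny", failures)

# Constructed sample data (not from the page): one resource, two access attempts.
PAYROLL = Resource("payroll", "high", frozenset({"hr"}), frozenset({"US"}))
OFFICE = Request("hr", "US", "managed", "corporate", time(10, 30), True)
CAFE = Request("hr", "US", "unmanaged", "public", time(22, 15), False)

def demo() -> dict[str, str]:
    """Same user, same resource: only the transaction attributes differ."""
    return {name: evaluate(r, PAYROLL)[0] for name, r in {"office": OFFICE, "cafe": CAFE}.items()}
```

Because the sensitivity rules are keyed on the resource rather than hard-coded per application, the same engine yields a different decision for the same user as their device, network or time of day changes.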

NIST's Ongoing Efforts

Galluzzo mentioned that NIST is actively working on SP 800-63 revision 4, indicating their commitment to continuously updating and improving digital identity standards. He also raised concerns about the security of passkey storage and export, emphasizing the need to prevent unauthorized access.

"If you can sync or copy a passkey, how do you make sure that doesn’t end up in the wrong kind of storage or export it out of the enterprise?" - Ryan Galluzzo