Trust Framework Development Guidance for Small and Medium-sized Businesses and Financial Sectors Pilots
Today, weak username and password combinations are used by thousands of Small- and Medium-sized Businesses (SMBs) as well as online users in the financial sector who engage in over 3 billion online trading transactions annually, with a value estimated at more than $1 Quadrillion.1 To protect online transactions, industry is moving to the use of trusted identity credentials. However, there is a lack of understanding and guidance regarding how to structure the necessary identity trust frameworks and how to address the critical liability and privacy issues they raise. Moreover, existing identity trust frameworks operate in silos, are inconsistently structured, are not interoperable, and often do not follow all the NSTIC guiding principles, meaning they are not easy to use, voluntary, or inexpensive. The end result is increased fraud and abuse, cost, and inefficiency, along with enhanced susceptibility to cyber threats. Industry and government alike recognize that a robust and tested trust framework is required to address these deficiencies while reducing the barriers to entry for citizens, businesses and government.
TSCP Inc., a 501(c)(6) non-profit technical trade association, has partnered with SMBs and with Financial Services sector companies to form the TSCP-NSTIC Team (the Team). Our Team will: (1) develop an open source, technology-neutral Trust Framework Development Guidance (TFDG) document that can provide a standard for consistent trust framework development; (2) stress test the TFDG in a Proof-of-Concept (POC); (3) update the TFDG with POC results that could be implemented in the TSCP-NSTIC Team’s Pilot environments; and (4) provide a production-ready TFDG for developing and operating new trust frameworks or updating existing ones. The TFDG can also serve as a foundation document for the development of the NSTIC Ecosystem Framework and for future legal and regulatory development.
The proposed project and its relationship to the Identity Ecosystem (IE) are depicted in Figure 1.
TSCP has successfully used a similar process to pioneer a Third-Party Assurance Model for Federated Identity Management that was deployed into TSCP member production environments. This process also created a referenceable precedent for a trust framework’s contractual structure that solved major enforceability problems. The results of this process were published in the Jurimetrics Law Journal,2 and subsequently used by the Commonwealth of Virginia as the basis for new legislation.3
Our proposal will leverage the approach of this past success and expand on it. We will provide a referenceable standard for the development of trust frameworks, and significantly advance the NSTIC goals by providing guidance to accelerate identity ecosystem framework development.
1 Financial Services
2 The Third-Party Assurance Model: A Legal Framework for Federated Identity Management, 50 Jurimetrics Journal 509, Summer 2010.
3 Commonwealth of Virginia House Bill Nos. 2189 and 2259, and Senate Bill 827