Opinion: NIST Guidelines make Digital Identity all about Risk

Contributing writer Chip Block of the firm Evolver says the new NIST Digital Identity guidelines do much more than rethink passwords. They help solve an age old problem: how to prioritize security spending. 

Editor’s Note: NIST’s updated guidelines on Digital Identity mostly got noticed for the changes to password recommendations and original author Bill Burr’s mea culpa in the Wall Street Journal. But contributing writer Chip Block of the firm Evolver said they can also solve an age old problem: how best to prioritize security spending. 

I have just completed a review of the NIST Special Publication 800-63-3, Digital Identity Guidelines, and I have come to realize how important this document is to both government and commercial organizations.  The document got a lot of press because it changed the recommendation for the creation of passwords (emphasized by recent regrets of the originator of the current password guidelines).  In reality, this was a minor element of the publication.

Chip Block of Evolver
Block, of Evolver Inc., says that NIST’s new identity guidelines provide a way to quantify risk and return on security investments.

As I walked through how an implementation of this publication would be executed, another critical element became apparent.  The new 800-63-3 publication and the monetary quantification of cyber risk provided by the Factor Analysis of Information Risk (FAIR) model were made for each other.

Identity and Risk

The inability to distinguish between identity proofing and accessibility has led to either highly vulnerable systems or extremely expensive and wasteful security implementations often confusing authentication with authorization.  Organizations either use weak username password single sign on or they make everybody in the organization buy hardware tokens that costs millions of dollars to purchase and costs even more to maintain.  Neither of these approaches meet the needs of securing the organization.

What the publication recognizes is that identity and authorization are both a function of risk.  The document states “These guidelines describe the risk management process for selecting appropriate digital identity services and the details for implementing identity assurance, authenticator assurance and federation assurance levels based on risk.” 

FAIR and the Implementation of 800-63-3 Exercise

The emergence of the Digital Identity Guidelines from NIST and the use of the FAIR model as a de facto standard for monetary quantification makes for the perfect match.  As many know, FAIR is the open standard being adopted across commercial and government organizations to determine cyber risk in monetary terms.

We conducted an exercise based on a hypothetical company with 10,000 employees.  By combining the power of FAIR with the guidelines in 800-63-3, the company would be able to save millions of dollars a year while achieving a measurable $50M reduction in risk.

Identity and authorization is the cornerstone of any security program and by providing decision makers with clear, understandable investment strategies, the board is no longer faced with that scary statement “it will cost a lot and we hope it will be better.”  Instead, they are presented with a reasonable cost and an expected amount of reduced risk.  Additionally, they can conduct tradeoff analysis of other solutions to see if the impact on monetary risk is worth the investment.

Read the rest of Chip’s blog post on FAIR and NIST 800-63-3 here.


Comments are closed.