Security Magazine

‘PIVed’ Yet? Trusted Identity Moves Forward

September 1, 2011

While some see security video as the current fair-haired security solution, well, look again.

Today, and into the future, a primary driving force comes wrapped in the concept of identity, credential and access management. It goes way beyond the early days of pioneering Wiegand effect cards, interestingly owned by Echlin, a car parts manufacturer that first used the technology in vehicle distributors.

Through interviews and research by Security magazine, it appears that – really this time, and finally for some – enterprise security leaders, ranging from corporate, government and military to institutions, healthcare and contractors, are finding business reasons for moving to a credential instead of a card world.  

The sweet spot is personal identity verification or PIV cards, rolling out for federal government and contractor users, but catching on with diverse enterprises. The business bottom line: more varied information on the credential, often including biometrics of some kind; more decision-making between the reader and credential instead of total dependence on the physical access control system or PACS; better integration with traditional and legacy access control systems; and the ability to more securely access doors or networks.

 

Numerous PIV Applications

There are other PIV card approaches that are somewhat more application-specific, such as the Transportation Worker Identification Credential or TWIC and the First Responder Authentication Credential or FRAC.

There have been successes and failures along the development road, not surprisingly.

During the early days of common access cards within military organizations, the U.S. Navy was infamous for trying to go it alone, as compared to others.

But continued discipline through overarching federal plans such as Homeland Security Presidential Directive HSPD-12 and Federal Information Processing Standard FIPS 201 has kept a fine focus on identity for the federal government, the military and their contractors. More recently, PIV-i (for interoperable) designs have started spreading, thanks in part to the efforts of the Smart Card Alliance, to state and local government and corporate use.

Upcoming is what some industry experts predict will be a major revision of FIPS 201.

 

FIPS 201 Gets Revised

FIPS 201-2 specifies more detailed architecture and technical requirements for a common identification standard for federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to federally controlled government facilities and electronic access to government information systems.

In a recent Security magazine interview with CertiPath CEO Jeff Nigriny, he noted there are major changes in the proposed revision, FIPS 201-2. “Iris biometrics will become a valid biometric in addition to finger.” Biometrics are embedded on personal identity verification or PIV cards. In addition, for physical access, what is captured at the door must match what is held in the PACS. And the unique identifier within the badgeholder’s ID shifts the balance: everything can be checked on the card itself rather than necessarily in the PACS.

White papers from the Smart Card Alliance have encouraged potential users beyond the federal government, the military and their contractors to see value in PIV.

One paper, “Personal Identity Verification Interoperability (PIV-i) for Non-Federal Issuers: Trusted Identities for Citizens across States, Counties, Cities and Businesses,” was developed by the Alliance’s physical access council and identity council, with input from the National Association of State Chief Information Officers. It is available for download at http://www.smartcardalliance.org.

“Many of the components of PIV-i policies and processes, such as strong identity vetting procedures, public key infrastructure (PKI) and smartcards, are already being used by numerous states and jurisdictions. It isn’t a big leap for these organizations to embrace the PIV-i framework,” contends Randy Vanderhoof, the Alliance’s executive director. “Moving from issuing multiple credentials for a variety of state programs to issuing a single, multipurpose, trusted PIV-i credential can greatly improve efficiency and enhance citizen privacy for state and local governments.”

 

Trusted Services, Too

The new, more secure world of trusted identity has recently spurred Web-based enrollment services. For example, HID Global’s PIV-i service is a quick source to obtain PIV-i cards for enterprise employees, thanks in part to its acquisition of ActivIdentity, a provider of PIV issuance and verification software to the U.S. government.

Certified by CertiPath, the card services make it easy for government contractors and other appropriate enterprises to continue to gain access to government facilities with no interruption to daily business.

Another DHS mandate, through its Transportation Security Administration, is the Transportation Worker Identification Credential or TWIC. It is a vital security measure to ensure individuals who pose a threat do not gain unescorted access to secure areas of the nation’s maritime transportation system. Established by Congress through the Maritime Transportation Security Act, TWICs are tamper-resistant biometric credentials issued to workers who require unescorted access to secure areas of ports, vessels and outer continental shelf facilities, and to all credentialed merchant mariners.

“There are about two million workers who have applied or should apply,” says Tom O’Connor, Security Industry Association’s manager of government relations. “The TWIC card reader program is in pilot but, according to the General Accounting Office, there is a high degree of failures.”

FRAC or First Responder Authentication Credentials have an even greater challenge. Numerous local, state and federal agencies, as well as security staff at private enterprises, are first responders. Various obstacles will have to be overcome for these first response forces to fully adopt FRAC cards, including the administrative burden and costs of issuing and maintaining federally approved ID cards. One way to accelerate adoption is to provide greater utility to the end user, specifically, to take FRAC beyond just site access to also initiate resource accountability functions.

In addition, the newest ID daddy is identity, credential and access management or ICAM.

This mandate’s mission is to foster effective government-wide identity and access management: enabling trust in online transactions through common identity and access management policies and approaches, aligning federal agencies around common identity and access management practices, and reducing the identity and access management burden for individual agencies. Emphasis is on common, interoperable approaches: ensuring alignment across all identity and access management activities that cross individual agency boundaries, and collaborating with external identity management activities through inter-federation to enhance interoperability.

  

An Integrated Identity Approach

The principles and tools of ICAM can be replicated by enterprise security leaders, too. The benefits associated with implementation of ICAM are:

•  Increased security, which correlates directly to reduction in identity theft, data breaches and trust violations. Specifically, ICAM closes security gaps in the areas of user identification and authentication, encryption of sensitive data and logging and auditing.

•  Compliance with laws, regulations and standards as well as resolution of issues highlighted in GAO reports of agency progress.

•  Improved interoperability, specifically between agencies using their PIV credentials along with other partners carrying PIV-interoperable or third party credentials that meet the requirements of the federal trust framework. Additional benefits include minimizing the number of credentials requiring lifecycle management.

•  Enhanced customer service, both within agencies and with their business partners and constituents. Facilitating secure, streamlined and user-friendly transactions – including information sharing – translates directly into improved customer service scores, lower help desk costs and increased consumer confidence in agency services.

•  Elimination of redundancy, both through agency consolidation of processes and workflow and the provision of government-wide services to support ICAM processes. This results in extensibility of the IT enterprise and reduction in the overall cost of security infrastructure.

•  Increase in protection of personally identifiable information by consolidating and securing identity data, which is accomplished by locating identity data, improving access controls, proliferating use of encryption and automating provisioning processes.

 

It appears that PIV will soon be a requirement when purchasing any future products and systems. That will likewise seep into private enterprise use.

For instance, just last February, the Office of Management and Budget issued Memorandum M-11-11 directing agencies to require the use of PIV credentials as the common means of authentication for access to facilities, networks and information systems. Requirements include:

•  Effective immediately, all new systems under development must be enabled to use PIV credentials, prior to being made operational.

•  Effective the beginning of FY2012, existing physical and logical access control systems must be upgraded to use PIV credentials.

•  Procurements for services and products involving facility or system access control must be in accordance with Homeland Security Presidential Directive HSPD-12 policy and the Federal Acquisition Regulation. In order to ensure government-wide interoperability, “Acquisition of Products and Services for Implementation of HSPD-12” requires agencies to acquire products and services that are approved as compliant with federal policy, standards and supporting technical specifications.

•  Agency processes must accept and electronically verify PIV credentials issued by other federal agencies.

•  The government-wide architecture and completion of agency transition plans must align as described in “Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance.” (The report is at www.idmanagement.gov.)

 

Purchasing Constraints

There is coming a time, says Bartolac, when government agencies – local, state and federal – as well as government and military contractors and other enterprises will not be able to purchase products, systems, or services without complying with myriad existing and emerging directives, rules and regulations. 


 

Help On the Way

HID Global will display a planned family of simple-to-deploy, cost-effective, turnkey FIPS 201 compliance solutions at ASIS International this month. What the firm calls its federal identity compliance initiative aims at making it easier for agencies to upgrade an existing physical access control system to support government identity verification standards.

It combines access control solutions and technology migration, the enhanced cryptographic security of its next-generation reader platform, and extensive identity assurance.

The Next Biometrics Battle

Smartcards in government often have a biometric. Enterprises, slowly but surely, are moving more fully to smartcards with a biometric, in addition to niche applications at data centers, for example.

But an emerging biometrics battleground may be the federal voluntary E-Verify program. U.S. law requires companies to employ only individuals who may legally work in the United States – either U.S. citizens or foreign citizens who have the necessary authorization. E-Verify is an Internet-based system that allows businesses to determine the eligibility of their employees to work in the United States. Congress is considering changes to the program.

That Privacy Thing, Again

The big guys have weighed in. HP, Microsoft, eBay and Intel say they now support a U.S. Senate proposed piece of legislation centering on a commercial privacy bill of rights. In a statement, the technology companies stated: “We are pleased that Senator Kerry and Senator McCain, both long-time advocates for strong consumer privacy protections, have introduced the Commercial Privacy Bill of Rights Act of 2011. We support the bill and look forward to working with Congress as it moves forward. We have long advocated for comprehensive federal privacy legislation, which we believe will support business growth, promote innovation and ensure consumer trust in the use of technology. The complexity of existing privacy regulations makes it difficult for many businesses to comply with the law.

“We support the bill’s overall framework, which is built upon the Fair Information Practices principles. We appreciate that this legislation is technology neutral and allows for flexibility to adapt to changes in technology. The bill also strikes the appropriate balance by providing businesses with the opportunity to enter into a robust self-regulatory program. We look forward to continuing our engagement to improve the effectiveness of the U.S. legal framework for the protection of privacy.”

It is expected that, with the passage of the act, there will be even greater need for trusted identity tools.

‘Refining’ Access Through TWICs


At Pasadena Refining, a TWIC system integrates into the traditional card access control system. Photo courtesy of Codebench

For some facilities, the trick is to not only launch an effective Transportation Worker Identification Credential (TWIC) program but also blend it into a legacy card access control system.

Pasadena Refining Systems, a subsidiary of Petrobras America, shows it can happen. It deployed a FIPS 201 solution to register TWICs into its physical access control system. With PIVCheck Plus (from Codebench), the refinery is able to read, validate, authenticate and register TWIC cards into the facility’s physical access control system while verifying the authenticity of TWICs presented to a Datastrip mobile biometric reader. The software can also tell the operator whether that TWIC is already registered in the traditional access system and, if so, whether the cardholder is allowed into the facility at that time.

“We’re being proactive with our TWIC usage at our facilities,” says Eric Finck, security supervisor at Texas’ Pasadena Refining Systems.

The facility uses two desktop biometric smartcard readers to register TWICs and six handheld readers to check TWIC cards of employees and visitors.