Greg Gardner


It will take more than the President’s signature to make some things work. Many federal agencies and contractor enterprises, most of whom are already stretched for funding and resources, will be challenged to meet 2006 and future target dates. HSPD-12 is an intricate initiative (See previous column, this section.) that requires interoperability between complex federal government systems, the reevaluation of complicated business processes, and unprecedented collaboration between IT, human resources and physical security staffs.

A properly structured, thoroughly integrated enterprise identity management platform will also enable federal agencies, contractors and enterprises wishing to converge their security systems to establish a foundation for future initiatives, threats and technological advances. So consider the following implementation tactics:

Develop an integrated plan and identify roles. IT, HR and physical security teams need to work closely from the beginning to examine business processes, assign project responsibilities, evaluate and select potential solutions.

Avoid the quick fix. It may be tempting to apply a band-aid to the HSPD-12 challenge by developing a physical access system first to meet the initial requirements and then later seeking an identity management solution for IT systems. In the long-run, this approach only adds complexity – multiple systems, databases and directories.

A properly structured identity management solution provides a complete application security infrastructure for the enterprise.
Build for the future. By developing an enterprise-wide identity platform upon which to build the HSPD-12 solution, organizations can comply while building for the future. The platform must be standards-based and provide heterogeneous application integration across legacy, client/server and Web-based systems.

In sum, a properly structured identity management solution must include the following functionalities:

Access Control and Identity Management – providing single sign-on, identity management and delegated administration.

Federation – providing multi-protocol cross-domain single sign-on capabilities through standards such as Security Assertion Markup Language.

Provisioning – providing a framework for managing users, defining approval workflows, automating user creation, and life cycle management for credential revocation and reconciliation.

Directory – providing a scalable, robust Lightweight Directory Access Protocol (LDAP) v3-compliant directory service implemented on any open-standard database.

Virtual Directory – facilitating real-time integration of multiple directories and user repositories through a single LDAP service.

Web Services Management – providing Web services security and management for heterogeneous applications and services.

By approaching HSPD-12 compliance holistically, with an identity management infrastructure that supports both physical and logical security requirements, agencies and private enterprises can ensure that their employees will be able to use the same credentials.

Two-factor ‘Sun’ Also Rises

Santa Clara, Calif.-based Sun Microsystems is in the process of deploying converged identity management to its employees worldwide. The deployment will increase corporate security by requiring strong two-factor authentication – a Java Card platform-enabled smart card and a unique password – to access network resources. Security executives within the firm say it will also lower administrative costs and reduce help-desk calls by consolidating multiple user access credentials such as passwords and certificates onto a Sun employee’s ID badge.

Not surprisingly, Sun, in partnership with Fremont, Calif.-based ActivIdentity, will market the joint solution combining the Sun Java System Identity Management Suite with ActivIdentity’s Card Management System and Enterprise Single Sign-On, which will help agencies and enterprises comply with the HSPD-12 security directive. With such solutions, both physical security and IT administrators retain control of their own systems, yet they are linked to better recognize security risks before they can be exploited.