Leadership can be characterized in many ways by many different people. It can be displayed by the local Boy Scout den leader, police and fire personnel, politicians or from an enterprise CEO. Leadership can be demonstrated both in words or actions and can be the expression of one’s own ideals. These ideals can be inspirational, and can provide critical insight.
One key leader in the field of security expressed his ideals on the direction identification and access control should take in the future and what we as security professional must do to secure individual identity and control access in key infrastructure systems.
In August of 2008 Michael Chertoff, then U.S. Secretary to the Department of Homeland Security, made a speech at the University of Southern California’s National Center for Risk and Economic Analysis of Terrorism Events. In his speech, Chertoff discussed his ideals on the protection of identity. He remarked that the protection of an individual’s identity is critical to national security and the security of financial markets.     

“The Core of What We Do”

“It (identity protection) lies at the core of a great deal of what we do protecting our financial security, our personal security, and our reputational security,” said Chertoff. Of course, was referring to how the U.S. will manage and protect personal identities going into the twenty-first century. This includes thinking about how to protect identity as individuals and as a nation, how to authenticate identities, provide tamper-proof credentials and control access into secure infrastructures. Failure to properly manage our identities will damage the nation its assets, reputation and stature throughout the world.      

Chertoff stated, “The entirety of our economic livelihood in the twenty-first century is going to turn in large measure upon our ability to verify identity for those who want to transact business. And, finally, our reputation and our privacy depend on our ability to control our identity. If people can pretend to be us, if they can speak in our name in an unauthorized way, they can do great, perhaps irreversible, damage to our privacy or to our reputation; and this again, from a personal standpoint, suggests that identity is increasingly going to become the asset that we have to be most careful to protect in the twenty-first century where the ability to get information, move it around the world and store it indefinitely creates greater and greater risks to personal reputation and personal privacy.”

The Three Ds

In the future, more extensive authentication of identity is going to become a necessity. Social Security numbers, passports, driver licenses and photo IDs will not be enough. Identity authentication will rest on what Chertoff describes as the three Ds: description, device and digit. Description meaning information that is unique and known only to an individual. It could be eye color, hair color, height, weight or information like a PIN, password, username or keyword. Device which could be a card, key fob, a token, cell phone or any other electronic device that is used to substantiate a user’s identity. However, it needs to be more secure and more difficult to counterfeit then current access technology. Digit means fingerprint or some form of biometric. Something that is unique to an individual. It can be a device or piece of equipment that can capture a specific, unique piece of information about an individual.
As Chertoff stated in his speech, “The way forward is to work with all of these tools (the 3 Ds) in combination, to combine these together, and I can envision a time in the not-too-distant future where, in order to authenticate yourself – whether it’s for purposes of getting on an airplane, whether it’s for purposes of transacting business at a bank, whether it’s for purposes of gaining entry into a student dormitory – that you will have some kind of device; it may be electronic that will combine two or three of these three Ds, as I call them, to increase the ability to be secure in the knowledge that nobody else can duplicate your ability to identify yourself.”

Not Quite There

Chertoff’s 3-Ds approach is even functioning today, such as HSPD-12, TWIC and REAL ID programs. Although these measures are a step in the right direction, they fall short of establishing a national standard for the use of the 3-Ds in all areas of accessing sensitive networks. These programs do not provide standards for both the private and public sectors, and a standard should encompass both.
As leaders in the security field, it is our duty to take the lead in the development and promotion of the use of the 3-Ds in controlling access and establishing identity. The future of our nation may depend on our ability to develop and implement sound access control and identity systems within our financial and high risk infrastructures. It is time for all of us in the security field to work toward the goal of establishing workable, security identity management systems.