The path to comprehensive ID management

There have been many changes since enterprises first looked at implementing smart card-based common access card programs in the 1990s. Although some large corporations successfully deployed such programs, smart card-based identity solutions never fully penetrated the enterprise or consumer markets. Looking back, it is clear that a lack of standards as well as the ensuing incompatibility between different proprietary products led to one-off projects, rather than solutions that would consistently drive prices down and make implementation straightforward.

Post September 11th, the U.S. government issued the Homeland Security Presidential Directive (HSPD)-12, a “policy for a common identification standard for federal employees and contractors.” Under the HSPD-12 mandate, all federal employees and contractors would be issued a Personal Identity Verification (PIV) card, a smart card with contact and contactless interfaces to be used as their identity credential for both logical access to information systems and physical access to facilities. In response to HSPD-12, the National Institute of Standards and Technology, published the Federal Information Processing Standard (FIPS) 201, specifying the architecture and technical requirements for this common identification standard, finally providing the standards missing for so long.

Due to the need to define and set up processes, such as the ones for vetting card recipients and for card issuance, the initial roll-out of PIV cards has been slower than expected. However, by early 2009, critical mass was finally reached with more than 1.5 million cards issued. This increased deployment was in part driven by the October 27, 2008 deadline for agencies to issue cards to all employees and contractors with 15 years or less of service.

With FIPS 201 in place, common access cards are now also spreading outside the Federal government environment, and a first foray is in the market for state and local emergency management solutions. Here DHS FEMA efforts have led to the First Responder Authentication Credential (FRAC) as well as the availability of critical infrastructures to accurately identify emergency responders and their credentials.

Additionally, the Transportation Worker Identification Credential (TWIC) is being implemented in the transportation and maritime industries primarily to identify truck drivers and port workers and to mitigate the effects of a transportation security incident. Moreover, major contractors to the Federal government such as Lockheed Martin, Northrop Grumman and SAIC, are being required to provide PIV cards to a number of their employees, and are now looking to implement such programs company-wide.

In parallel to the above developments, the last several years has seen many discussions about security convergence, and, in fact, nowadays no industry conference is complete without at least some sessions addressing the issue.

The basic idea is that agencies and enterprises will greatly benefit from jointly considering both logical security for information resources and physical security for facilities in order to implement a successful risk management strategy. With physical security comes the concept of an access card, and an example of concrete progress in this space is the recent announcement by HID Global at the ASIS Conference in Atlanta of a contactless smart card reader to be built-in to the palm rest of select Dell laptops.

Furthermore, in the meantime, billions of smart cards have been introduced throughout the world, used as payment cards in most of the world outside the U.S. and as the identifier in GSM mobile phones.

With hindsight, it is now clear that one of the key issues which inhibited the breakthrough of smart cards on a larger scale in the identity and access management domain was the lack of clear standards as well as the lack of interoperability among disparate, proprietary products. Each project ended up being a one-off, specific to the company doing the implementation with different data formats on the smart card chip and specific ties to peripheral equipment such as smart card readers.

Today, PKI has evolved from a complicated infrastructure which had to be deployed in-house, to just another solution provided as a service by a number of service providers such as Verizon Business or Entrust. Also, with HSPD-12 and FIPS 201 there are now clear standards for identity cards, standards to which a whole eco-system of vendors are now committed, given the multi-million user market the directive is guaranteeing.

As HSPD-12 also applies to all Federal contractors and as related programs such as FRAC and TWIC are impacting industries such as healthcare, critical infrastructure, finance and transportation, we are finally seeing renewed interest by enterprises in the concept of smart card-based identity infrastructures.

Indeed, a recent survey of 200 IT decision-makers by Datamonitor found that 80 percent recognize smart cards would provide benefits to their enterprise. The survey confirms that a converged smart card credential can reduce administrative overhead and deliver a high ROI.

2010 promises to be the year when common access card programs will get another chance at conquering the enterprise market due to a number of these described factors, including the government’s drive to implement PIV cards for all employees and contractors, the availability of standards and compatible products, the spread of standards beyond the scope of the Federal government to state and local entities as well as government-linked enterprises, and, finally, the concept of security convergence receiving traction in the market.

Therefore, the recent Report on Identity Management Strategy by the President’s National Security Telecommunications Advisory Committee calling for comprehensive ID management comes at a very opportune time. As the report states, “A need has emerged for a national, comprehensive identity management strategy that would recognize and protect the roles and interests of private citizens and commercial participants while enabling collaboration among key stakeholders”.

A national ID management office in the Executive Office of the President with the power to integrate national ID management policies and processes would be able to build upon the foundation established by the HSPD-12 and FIPS 201 efforts of the last several years.

Now is the time to take these initial government focused efforts and extend them to the private sector, and, ultimately, to the level of the individual citizen through a federation of interoperable ID management systems.