A Need for ID
It's not hard to understand the need for security, and ID management has become increasingly important in the government sector
- By Tim Cawsey
- May 01, 2006
The articles and conferences abound, the national press talks about it, even grandma has heard about it -- identity theft is a mainstream concept. Whereas the all-encompassing phrase has become a bit clichéd, it just goes to show that proving who we are along with safeguarding a person or organization's assets has become a hot topic.
In the post-9/11 society, it's not hard to understand why security and, more specifically, ID management have become increasingly important. The drivers for its uptake have proved to be numerous, varied and often industry-specific. However, the overriding goal within many companies, federal agencies and other organizations is ensuring that only authorized personnel gain access to their buildings and IT networks.
A More Secure ID Badge
For many years, proving your identity has been done through some form of ID badge, and the latest programs are no different; it's just that the badge has gotten a whole lot smarter.
Smart cards resemble plastic credit cards and are embedded with a computer chip that permits an exchange of data with another system. The card can store identity credentials such as passwords, encryption keys, digital photos and even biometric information. As the chip governs access to PCs and networks, the system requires double authentication for access through something you have -- the card -- and something you know -- the PIN. In addition to network access, smart cards can be used for physical access to buildings and offices, making it possible to track where a person goes based on clearances through security checkpoints.
The ability to merge network and building security on a single device has made smart cards the de facto credential for identity management solutions for the storage and processing of user credentials and authentication to secure networks, applications, Web servers, e-mail communications and Internet transactions. They combine the privacy, integrity and authentication functionalities provided by cryptographic algorithms with the simplicity, portability and convenience of the card form-factor.
What's Driving Identification
The biggest single driver for identity management and smart ID adoption in the United States is the government. A large part of this is linked to a Bush administration mandate known as the Homeland Security Presidential Directive 12 (HSPD-12). Issued on Aug. 27, 2004, HSPD-12 is a mandate to all federal executive departments and agencies to issue "secure and reliable forms of identification" to their employees and contractors. The initiative is part of a broader effort to keep terrorists, criminals and other unauthorized people from getting into federal buildings or hacking into computer systems. Beyond the HSPD-12 mandate, other less-mature programs, such as Registered Traveler, First Responder and Real ID, are ensuring that the government is highly active in the identity space.
However, the government is far from the only mover in protecting its assets through better management of identities. Many commercial enterprises are looking for ways to better protect their IT assets, restrict access to buildings and do away with weak passwords. Fortune 100 companies, such as Boeing and IBM, have deployed companywide smart employee IDs, while the healthcare industry has seen deployments driven by HIPAA. Pharmaceutical companies, such as Pfizer, have turned to the technology as a response to the SAFE initiative.
In general, the move is towards stronger authentication, and the smart card provides the means to get there. Moreover, it has become considerably easier to integrate smart cards into the Windows® environment used in most organizations, and at the recent RSA show in San Jose, Bill Gates claimed that passwords should become a thing of the past to be replaced by multi-factor authentication using a smart card-like device.
The Government Push
The government has a long history in secure IDs, and outside the GSM cell phone industry, it has been responsible for some of the biggest deployments of smart cards in the country. In fact, federal chief information officers cite information technology security and privacy as their most important and daunting issue, according to a recent survey of CIOs across departments and agencies by the IT Association of America.
Independent from the HSPD-12 directive, the Department of Defense's Common Access Card (CAC) program and the Department of Transportation's Transportation Workers Identity Credential (TWIC) project both demonstrate improved security through smart card-based identity credential solutions.
DOD's CAC program is its biggest rollout to date with more than 4 million smart badges for military personnel and contractors since 2000. This card is used primarily for secure IT access with users inserting the card into a reader attached to the PC, which reads the microprocessor chip in order to authenticate the user with a PIN or biometry.
The TWIC program was established by the Transportation Security Administration to improve security at seaports, airports, rail, pipeline, trucking and mass transit facilities by creating a nationwide credential that will prevent unauthorized people from gaining access to secure areas.
To date, most ID initiatives, such as CAC and TWIC, have been agency specific, using non-interoperable technology. Therefore, one of the objectives of the HSPD-12 mandate is to not only enhance security, but also to create inter-agency interoperability.
The HSPD-12 Opportunity
At the front end of the government's solution is an interoperable multi-application smart card that will support a wide range of government and agency-specific services. The goal is that each federal employee will carry a single smart card, which they will use for multiple purposes -- identification, network and building access, travel, small purchases and other financial and administrative purposes.
Although no one has been able to put a total figure on the size of the population to be covered by the HSPD-12 mandate, everyone concurs that it is massive. In the first instance, it will be rolled out to all federal employees, which is more than 8 million people to equip. When contractors and other initiatives, such as First Responder, are added into the equation, this figure could easily double. Beyond this, the general consensus is that this de facto standard may be picked up by not only state and local government, but also industries that have close dealings with government, creating a huge potential market.
A critical element of HSPD-12 is the development of the security standards with which each agency needs to comply. Thus, in response to HSPD-12, standardization agencies including the National Institute of Standards and Technology have developed the Federal Information Processing Standard (FIPS) 201, which specifies security and interoperability requirements of the solution. The FIPS 201 specifications do not just encompass the card itself, but the whole solution needed to manage the user's credentials throughout their employment and the card's lifecycle. This includes many complex elements such as user enrollment, data capturing, card issuance and management. Needless to say, this is putting pressure on the deploying agencies, as well as the vendors expected to deliver the products required by the roll-out deadline of October.
Although analysts concur that the opportunity is large in scale, so are the interoperability challenges. As a result, any potential delay can be put down to the sheer quantity of products that need to be certified, the integration with legacy systems and the late publication of the biometric part of the standard. However, the government has put great emphasis on this initiative and better identification for their employees, which is why even if it is delayed, it will surely be rolled out sooner rather than later.
Beyond the Federal Space
So far, there is no unique standard for ID management, but many good solutions are out there and private enterprise has not been slow in adopting them. Some of the early adopters were those who frequently dealt with the government and therefore wanted a way of providing better security. An example of this is Boeing. This compounds the belief that HSPD-12 will start to spill over into these sorts of industries as soon as the interoperable standard reaches its critical mass.
However, the issue is not restricted to these sectors and has grown in importance as macro-environmental issues, such as terrorism and company infiltration, put pressure on organizations to safeguard their buildings and IT systems. What used to be an issue for security and IT departments has now become something that is reaching the boardroom level because a vulnerable enterprise network also is an acute business risk.
Beyond the global security drive, companies also are finding other benefits of a smart ID program in terms of reduced paperwork, fewer costs related to password management and increased privacy. Two such industries that are already taking advantage of these benefits are pharmaceutical and healthcare.
Smart Healthcare in Denver
Similar to most large hospitals in the United States, Denver Health has several hundred workstations in strategic locations throughout its many facilities.
The system allows doctors, nurses and other staff to quickly and conveniently access patient records. However, residents at the hospital no longer log onto the computer network with a standard username and password. Instead, to electronically access patient data, they insert their personal smart card into a card reader attached to a workstation, and enter a PIN. A digital certificate on the card authenticates an employee to the network and launches the applications they are authorized to access. When the user pulls the card out of the reader, the system automatically logs them off the network.
In addition to enhancing security and efficiency, Denver Health uses smart cards to comply with the pending patient privacy requirements imposed by HIPAA.
According to David Boone, Denver Health's IT services manager, smart cards were the most secure and efficient means of meeting HIPAA requirements of patient privacy. But Denver Health also envisioned that smart cards could help it improve other aspects of its IT infrastructure to make everyday activities more efficient for its staff.
Uptake in Fortune 100
When Pfizer, the world's largest research-based pharmaceutical company, wanted to implement a secure electronic system for digital signatures and employee network access, it too turned to a smart card-based solution.
Pfizer's initial incentive to deploy smart card technology was to create a platform for digital signatures. The pharmaceutical industry is highly regulated and there was a need to provide a consistent, industry-wide method for managing and using digital signatures as an alternative to wet ones. In order to drive this initiative, Pfizer and several other pharmaceutical companies joined forces to promote the development of an industry standard, known as SAFE, for performing secure and non-repudiable transactions on the Web.
With one single smart badge, Pfizer employees can securely and conveniently gain access to buildings and offices, as well as log onto corporate networks and applications, and electronically sign e-mails and documents.
Roughly estimated, every digital signature used for regulatory and non-regulatory transactions eliminates the cost of approximately $125 required per wet signature -- a significant saving for any organization.
The Relentless Drive for Increased Security
All in all, the evident need for stronger protection of physical and logical assets within private and federal organizations continues to drive the identity management market forward. The risks and consequences associated with neglecting IT infrastructure security are simply too big, which explains why companies are investing accordingly.
In particular, the government's spending linked to the HSPD-12 initiative is generating excitement and large investments. Furthermore, smart cards continue to experience a boost in the corporate enterprise community. A recent Frost & Sullivan report showed 100-percent awareness among those interviewed, an extraordinary figure considering that only a few years ago most companies had never heard of smart cards. Only time will tell if HSPD-12 becomes the overriding standard beyond the federal space, but one thing is for sure: IT and building security has reached boardroom-level importance.