A Need for ID
It's not hard to understand the need for security, and ID management has become
increasingly important in the government sector.
Who’s who? Vouching for identity
The articles and conferences abound, the national press talks about it, even
my Grandma has heard about it: identity theft is a mainstream concept. While the
all-encompassing phrase has become a bit clichéd, it goes to show that proving
who we are, along with safeguarding an individual's or organization's assets,
has become a hot topic.
In post-9/11 society it is not hard to understand why security, and more
specifically ID management, have become increasingly important. The drivers for
its uptake have proved numerous, varied and often industry-specific. However, the
overriding goal within many companies, Federal agencies and other organizations
is ensuring that only authorized personnel gain access to their buildings and IT
networks.
A more secure ID badge
For many years proving your identity has been done through some form of ID
badge, and the latest programs are no different; it is just the badge itself
that has got a whole lot smarter.
Smart cards, which resemble plastic credit cards, are embedded with a computer
chip that permits an exchange of data with another system. The card can store
identity credentials such as passwords, encryption keys, digital photos, and
even biometric information (e.g. fingerprints). Where the chip governs access to
PCs and networks, the system requires two-factor authentication: something you
have – the card – and something you know – the PIN. In addition to
network access, smart cards can be used for physical access to buildings and
offices, making it possible to track where a person goes, based on clearances
through security checkpoints.
This ability to merge network and building security on a single device has made
smart cards the de facto credential for identity management solutions for the
storage and processing of user credentials and authentication to secure
networks, applications, web servers, email communications, Internet
transactions, and more. They combine the privacy, integrity and authentication
functionalities provided by cryptographic algorithms with the simplicity,
portability and convenience of the ‘card’ form-factor.
What’s driving identification?
The biggest single driver for identity management and smart ID adoption in
the USA is the US Federal government. A large part of this is linked to a Bush
Administration mandate known as the Homeland Security Presidential Directive 12
(HSPD-12). Issued on August 27, 2004, HSPD-12 is a mandate to all federal
executive departments and agencies to issue “secure and reliable forms of
identification” to their employees and contractors. The initiative is part of a
broader effort to keep terrorists, criminals and other unauthorized people from
getting into federal buildings or hacking into computer systems. Beyond the
HSPD-12 mandate, other less mature programs such as Registered Traveler, First
Responder and Real ID are ensuring that the government is highly active in the
identity space.
However, the government is far from the only mover in protecting its assets
through better management of identities. Many commercial enterprises are looking
for ways to better protect their IT assets, restrict access to their buildings
and do away with weak passwords. Fortune 100 companies such as Boeing and IBM
have deployed companywide smart employee IDs, while the healthcare industry has
seen deployments driven by HIPAA, and large pharmaceutical companies such as
Pfizer have turned to the technology as a response to the SAFE initiative.
In general the move is towards stronger authentication and the smart card
provides the means to get there. Moreover, it has become considerably easier to
integrate smart cards into the Windows environment used in most organizations,
and at the recent RSA show in San Jose, Mr. Bill Gates himself claimed that
passwords should become a thing of the past to be replaced by multi-factor
authentication using a smart card-like device.
The Government Push
The US government has a long history in secure IDs, and outside the GSM cell
phone industry it has been responsible for some of the biggest deployments of
smart cards in the country. In fact Federal chief information officers cite
information technology security and privacy as their most important – and
daunting – issue, according to a recent survey of CIOs across departments and
agencies by the IT Association of America.
Independent from the HSPD-12 directive, the Department of Defense’s Common
Access Card (CAC) program and the Department of Transportation’s TWIC
(Transportation Workers Identity Credential) project both demonstrated improved
security through smart card-based identity credential solutions.
The DoD’s CAC program is its biggest rollout to date, with over 4 million
smart badges to military personnel and contractors since 2000. This card is used
primarily for secure IT access with users inserting the card into a reader
attached to the PC, which reads the microprocessor chip in order to authenticate
the user with a PIN code or biometrics (e.g. fingerprints).
The TWIC program was established by the TSA (Transportation Security
Administration) to improve security at seaports, airports, rail, pipeline,
trucking, and mass transit facilities by creating a nationwide credential that
will prevent unauthorized persons from gaining access to secure areas.
To date most ID initiatives such as CAC and TWIC have been agency-specific,
using non-interoperable technology. Therefore, one of the objectives of the
HSPD-12 mandate is not only to enhance security but also to create inter-agency
interoperability.
The HSPD-12 Opportunity
At the front-end of the U.S. Federal Government’s solution is an
interoperable multi-application smart card that will support a wide range of
government and agency-specific services. The goal is that each federal employee
will carry a single smart card, which they will use for multiple purposes –
identification, network and building access, travel, small purchases and other
financial and administration purposes.
Although no one has been able to put a total figure on the size of the
population to be covered by the HSPD-12 mandate, everyone concurs that it is
massive. In the first instance it will be rolled out to all Federal employees,
which is just north of 8 million people to equip. When contractors and other
initiatives such as First Responder are added into the equation, this figure
could easily double. Beyond this the general consensus is that this de facto
standard may be picked up not only by State and Local government but also by
industries that have close dealings with government, creating a huge potential
market.
A critical element of HSPD-12 is the development of the security standards
with which each agency needs to comply. Thus, in response to HSPD-12,
standardization agencies including the National Institute of Standards and
Technology (NIST) have developed the Federal Information Processing Standard
(FIPS) 201, which specifies
security and interoperability requirements of the solution. The FIPS 201
specifications do not just encompass the card itself, but the whole solution
needed to manage the users’ credentials throughout their employment and the
card’s lifecycle. This includes many complex elements such as user enrollment,
data capture, card issuance and management. Needless to say this is
putting pressure on the deploying agencies, as well as the vendors expected to
deliver the products required by the roll-out deadline of October 2006.
Although analysts concur that the opportunity is huge, so are the
interoperability challenges. As a result any potential delay could be put down
to the sheer quantity of products that need to be certified, the integration
with legacy systems and the late publication of the biometric part of the
standard. However, the government has put great emphasis on this initiative and
better identification for their employees, which is why, even if it is delayed,
it will surely be rolled out sooner rather than later.
Beyond the Federal Space
So far there is no unique standard for ID management, but many good solutions
are out there and private enterprise has not been slow in adopting them. Some of
the early adopters were those who frequently dealt with the government and
therefore wanted a way of providing better security; Boeing is one example. This
reinforces the belief that HSPD-12 will start to spill over into these sorts of
industries as soon as the interoperable standard reaches critical mass.
However, the issue is not restricted to these sectors and has grown in
importance as macro-environmental issues such as terrorism and company
infiltration put pressure on organizations to safeguard their buildings and IT
systems. Hence, what used to be an issue for security and IT departments has now
become something that is decided at boardroom level, because a vulnerable
enterprise network is also an acute business risk.
Beyond the global security drive, companies are also finding other benefits
of a smart ID program in terms of reduced paperwork, fewer costs related to
password management and increased privacy. Two such industries that are already
taking advantage of these benefits are pharmaceuticals and healthcare.
Smart Healthcare in Denver
Like most large hospitals in the U.S., Denver Health has several
hundred workstations in strategic locations throughout its many facilities.
The system allows doctors, nurses and other staff to quickly and conveniently
access patient records. However, residents at the hospital no longer log onto
the computer network with a standard username and password. Instead, to
electronically access patient data they insert their personal smart card into a
card reader attached to a workstation, and enter a PIN (Personal Identification
Number). A digital certificate on the card authenticates an employee to the
network, and launches the applications they are authorized to access. When the
user pulls the card out of the reader, the system automatically logs them off
the network.
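The logon flow described in the two passages above (the something-you-have plus something-you-know description under "A more secure ID badge", and the Denver Health sequence of card in, PIN, certificate check, card out) as an added Go simulation. This is example code written for this page, not Denver Health's system or any Gemplus product code. It assumes an Ed25519 key pair generated at enrollment, a three-try PIN retry counter enforced by the card, and a directory of enrolled public keys standing in for the certificate on the card; the holder name and PIN are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed simulation of the two-factor smart-card logon the article
// describes; holder names, PINs and the retry limit are assumptions.
const maxPINAttempts = 3

var ErrWrongPIN = errors.New("wrong PIN")
var ErrCardBlocked = errors.New("card blocked: PIN retry counter exhausted")

// Card models the chip: the private key never leaves it, and signing is
// refused until the PIN ("something you know") has been verified.
type Card struct {
	holder      string
	priv        ed25519.PrivateKey
	pin         string
	retriesLeft int
	unlocked    bool
}

// Issue enrolls a holder; the returned public key stands in for the certificate.
func Issue(holder, pin string) (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{holder: holder, priv: priv, pin: pin, retriesLeft: maxPINAttempts}, pub, nil
}

// VerifyPIN counts the retry counter down on failure and blocks the card at zero.
func (c *Card) VerifyPIN(pin string) error {
	if c.retriesLeft == 0 {
		return ErrCardBlocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.retriesLeft, c.unlocked = c.retriesLeft-1, false
		if c.retriesLeft == 0 {
			return ErrCardBlocked
		}
		return ErrWrongPIN
	}
	c.retriesLeft, c.unlocked = maxPINAttempts, true
	return nil
}

// Sign is the card's only way of proving possession of the private key.
func (c *Card) Sign(msg []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("PIN not verified")
	}
	return ed25519.Sign(c.priv, msg), nil
}

// Directory is the network's record of enrolled holders and their public keys.
type Directory map[string]ed25519.PublicKey

// Workstation holds at most one card; pulling the card ends the session.
type Workstation struct {
	card        *Card
	sessionUser string
}

func (w *Workstation) InsertCard(c *Card) { w.card = c }
func (w *Workstation) RemoveCard()        { w.card, w.sessionUser = nil, "" } // automatic logoff
func (w *Workstation) LoggedInAs() string { return w.sessionUser }

// Logon is the challenge-response: the PIN unlocks the card ("something you have"),
// the card signs a fresh random challenge, and the signature must verify under the
// enrolled public key before a session is opened.
func (w *Workstation) Logon(dir Directory, pin string) error {
	if w.card == nil {
		return errors.New("no card in reader")
	}
	pub, ok := dir[w.card.holder]
	if !ok {
		return errors.New("card holder not enrolled")
	}
	if err := w.card.VerifyPIN(pin); err != nil {
		return err
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // fills all 32 bytes; cannot return an error as of Go 1.24
	sig, err := w.card.Sign(challenge)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("challenge signature did not verify")
	}
	w.sessionUser = w.card.holder
	return nil
}

func main() {
	card, pub, _ := Issue("dr.example", "4821") // constructed holder and PIN
	ws, dir := &Workstation{card: card}, Directory{"dr.example": pub}
	fmt.Println("wrong PIN:", ws.Logon(dir, "0000"), "| right PIN:", ws.Logon(dir, "4821"), "| session:", ws.LoggedInAs())
}
```

The points worth taking from it as a defender: nothing secret leaves the card, only a signature over a challenge that is freshly generated for each logon, so a captured exchange cannot be replayed; the PIN is checked on the card and never sent to the network; a card minted outside enrollment fails verification even if it carries the right holder name; and repeated wrong PINs block the card rather than allowing unlimited guessing.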
In addition to enhancing security and efficiency, Denver Health uses smart
cards to comply with the pending patient privacy requirements imposed by the
U.S. data security law known as “HIPAA” (Health Insurance Portability and
Accountability Act).
According to David Boone, Denver Health’s IT Services Manager, smart cards
were the most secure and efficient means of meeting the HIPAA requirements of
patient privacy. But Denver Health also envisioned that smart cards could help
them improve other aspects of their IT infrastructure, to make everyday activities
more efficient for their staff.
Uptake in the Fortune 100
When Pfizer, the world’s largest research-based pharmaceutical company, wanted
to implement a secure electronic system for digital signatures and employee
network access, they too turned to a smart card-based solution.
Pfizer’s initial incentive to deploy smart card technology was to create a
platform for digital signatures. Given that the pharmaceutical industry is
highly regulated, there was a need to provide a consistent and industry-wide
method for managing and utilizing digital signatures as an alternative to wet
ones. In order to drive this initiative, Pfizer and several other pharmaceutical
companies joined forces to promote the development of an industry standard for
performing secure, non-repudiable transactions on the web. This project is
referred to as “SAFE” – Secure Access For Everyone.
With one single smart badge, Pfizer employees can now securely and
conveniently gain access to buildings and offices, as well as log onto corporate
networks and applications, and electronically sign emails and documents.
As a result of its digital signing capabilities, Pfizer is able to drastically
cut down the costs associated with wet signatures. Roughly estimated, every
digital signature used for regulatory and non-regulatory transactions eliminates
the cost of approximately $125 per wet signature - a significant saving for any
organization.
The relentless drive for increased security
All in all, the evident need for stronger protection of physical and logical
assets within private and federal organizations continues to drive the identity
management market forward. The risks and consequences associated with neglecting
IT infrastructure security are simply too big, which explains why companies are
investing accordingly.
In particular the US Federal Government’s spending linked to the HSPD-12
initiative is generating excitement and large investments. Furthermore, smart
cards continue to experience a boost in the corporate enterprise community. A
recent Frost & Sullivan report showed 100% awareness among those interviewed, an
extraordinary figure considering that only a few years ago most companies had
never heard of smart cards. Only time will tell if HSPD-12 becomes the
overriding standard beyond the Federal space, but one thing is for sure: IT and
building security has reached board-level importance, so watch out for more smart
IDs in the hands of US workers.
Article published in Security Products magazine, May 2006.
By Tim Cawsey, Americas Communications Director, Gemplus Corp.