Making The Leap
The logical and physical access worlds are converging at an ever-increasing rate. Maintaining one badging standard for physical access and a separate standard for logical access is becoming more expensive and slower to deploy as more applications come to rely on trusted smart credentials. Collecting and maintaining multiple sets of information about one individual only introduces more opportunities for misuse, fraud and compromise. A single identity, trusted across a secure, federated exchange, is becoming the clear answer for both the public and private sectors.
Directives addressing these issues are already in place for the Federal Government and its contractors. Building on two Homeland Security Presidential Directives, HSPD-12 (Policy for a Common Identification Standard for Federal Employees and Contractors) and HSPD-24 (Biometrics for Identification and Screening to Enhance National Security), the President has required that the Federal Government move from badge-based access processes to more secure and interoperable credentialing systems. For first responders, this effort represents a possibility for significant improvement in on-site response times and resource coordination. It also recognizes the need for timely, actionable intelligence at the response scene and provides the tools to create trust relationships quickly across all levels of government. That speed is a direct result of trust relationships established in advance between credentialing authorities and systems. Creating these trusted agents should become central to the credentialing processes at all levels of government; the difficulty is that the payoff does not come until a response to an attack or natural disaster occurs. As these credentialing systems become more ingrained in daily government business operations, the economies of scale from collecting one set of biometrics and breeder documents will begin to demonstrate valuable returns on investment.
Private sector responders, however, are on a slower path to inclusion unless the infrastructure under their care has been recognized as critical (chemical facilities, telecommunications hubs, ports, etc.). The issue here is the fundamental difference between the government model and the private sector model of identity and credentialing. Government responses are guided by the need to protect citizens and respond to threats against them. Private sector responses are guided by the need to protect stockholder equity and competitiveness. Credentialing systems such as the Transportation Worker Identification Credential (TWIC) are being used to bridge the interface between private sector transportation workers and government-mandated secure infrastructures, but private sector companies are not required to integrate the TWIC card with their access control systems, leaving the worker potentially carrying multiple access and credential cards. Integrating these public and private systems into one federated identity services model will provide the embedded trust relationships needed to fully realize the security and financial benefits that are possible under this new way of managing identities and roles.
Another critical foundation for acceptance and broad implementation of credentialing systems is the protection of information from a privacy standpoint. Federated services databases will hold the core elements of identity for millions of citizens. Accidental disclosure of this information could result in massive identity theft until the trust relationships between systems and citizens are restored. This means that the core elements of identity must be secured at the highest levels, and the system policies used to manage and administer the federated services must be defended throughout the life of the identity, which is literally a lifetime.
Congress is beginning to look at reforming the tapestry of privacy policies and laws that are quickly becoming outdated in the e-world of today. Until this legislation is crafted, we are left with making the current systems as secure as possible. Credentialing data elements are as vulnerable as other citizen records, and the safeguards needed are as much about people, politics and policies as they are about technology. The transition model will be challenging, but the payoff in security and privacy will be worth the effort.
Bruce Walker is the director of homeland security for Los Angeles-based Northrop Grumman Corp. He is an information technology executive with 26 years of experience, including enterprise programs such as the Homeland Secure Data Network, MAXHR and TEAMS.