Thursday, October 1, 2009

Meets FIPS 201, nearly... A review of PIV-I physical access control at ASIS.

IDmachines spent time with dozens of vendors of physical access control products, systems and related system integrators at the recent ASIS 2009 event in Anaheim, CA. This is an ongoing exercise that IDmachines conducts several times a year and has been doing for nearly four (4) years (or as long as the standard has existed). In a nutshell, FIPS 201 and HSPD-12 are now mainstream requirements that drive the solutions being developed in the marketplace.

This blog has pointed out that there exists a very wide range of performance among vendors who claim they meet the FIPS 201 specification. As the number of vendors who support the standard grows this remains the case. The big difference is the number of vendors and integrators that finally realize that supporting the standard matters. As a result there exists a wide range of conformity to the specification and to the related security and assurance levels, interoperability and trust that are described in the related NIST special publications.

When I first started asking the physical access control world about how they support HSPD-12 and FIPS 201 several years ago most of them looked at me as if I were from Mars. A year ago there still existed many vendors who thought IDmachines was focused on an edge issue. The big deal at this ASIS conference was that every single vendor knew something about the question being asked. Even those that did not support the standard knew about it and in most of these cases intended to support it. This is not surprising since millions of credentials that leverage this standard have been issued in the last year. And a number of commercial sectors have adopted the standard in the last year. I am sure that a year from now there will be even greater breadth and depth to the standard's adoption.

Two other things for now.

First, it is still incredibly surprising that some major vendors of access control systems and reader technology either still do not support the standard at anything other than a basic (read: dangerously low) level of assurance, and/or still lack the domain expertise to understand how to meet/address the recommendations for the use of PIV credentials. In some cases the "second tier" of providers has passed the major players in the extent of their solutions and knowledge.

Second, there still exists a lack of understanding of the differences between PIV (Personal Identity Verification), TWIC (Transportation Workers Identification Credential) and PIV-I (PIV-Interoperability) among major vendors. IDmachines ran into multiple cases (including major vendors) where claims were made that TWIC solutions address the needs of PIV cards, and that because they can implement the higher TWIC assurance levels they can do the same for PIV. In most cases those making false and broad claims about the applicability of their solutions also failed to understand the difference in establishing trust among credential issuers. There is a failure to understand the difference between a TWIC solution (which is monolithic) and PIV and PIV-I (which are at times federated). A future blog post will drill down on this; if in the meantime someone wants the details about how and who, get in touch with IDmachines.

And caveat emptor.

Monday, September 14, 2009

NSTAC Report to the President on Identity Management Strategy. How can you not mention FIPS 201 and PIV-I? NSTAC meet NIST!

IDmachines recently had the opportunity to go through the National Security Telecommunications Advisory Committee (NSTAC) report to the President on Identity Management. This is an encouraging document in that it calls out:

1. Cabinet level position for identity
2. Funding
3. Interoperability, trust and choice as basis for implementation.

What is confusing is that the document misses the efforts to date that address most of these needs. The following analysis provides further details on what's in and out of the document and IDmachines' interpretation.

To reinforce a couple of major points: power in DC and the Federal government is all about budget. Other countries are making serious identity investments. The US government, with the President's leadership and Congress' backing, needs to step up and fund these recommendations.

NSTAC meet NIST! Where are the acknowledgments of Federal Information Processing Standard 201 and the related efforts of the National Institute of Standards and Technology and the Department of Commerce as required by Homeland Security Presidential Directive 12 (HSPD-12)? FIPS 201 provides an architecture to meet the NSTAC recommendations.

Finally, look at and leverage how FIPS 201 has grown into Personal Identity Verification - Interoperability (PIV-I). Look at how other critical infrastructure sectors and other industries that interact with the Federal government have leveraged FIPS 201 and the Federal Bridge Certificate Authority to achieve these goals.

For those that follow these posts I know I am repeating things here, but I am a little surprised that those involved in these recommendations could not make this connection. In fact we are very close to being able to achieve the goals; industry and government have partnered to make real progress. Significant sums have been invested. State and local governments and commercial enterprises are on board and moving ahead. Identity matters.

THE PRESIDENT’S NATIONAL SECURITY TELECOMMUNICATIONS ADVISORY COMMITTEE (NSTAC)

NSTAC Report to the President on Identity Management Strategy

IDmachines’ Analysis

The NSTAC is an important policy body made up of up to 30 industry chief executives from telecommunication, network, information technology, finance and aerospace companies. It addresses critical national security and emergency preparedness (NS/EP) issues. It published its identity management strategy report to the President on 21 May 2009. The report is now generally available at:

http://www.ncs.gov/nstac/reports/2009/NSTAC%20IDTF%20Report.pdf

It makes the obvious but important statement that National Security/Emergency Preparedness users have the same characteristics as Internet users and, importantly, that they take advantage of a common infrastructure. It proceeds to state that there is a need to identify NS/EP emergency responders and facilitate their authentication and authorization on these networks. In fact the need is even more widespread, as many of us depend on so-called cyber applications in some way. Secure, privacy-protected and efficient identification is a prerequisite for anyone to fully leverage the information, applications and services of the Internet and other modern means of communications. In any case the recommendations will necessarily have to take this wider need into account.

The report highlights the following statement in its Executive Summary:

“The evolving threat environment, coupled with the increasing reliance on communications networks, requires the development of a national, comprehensive Identity Management vision, strategy, policy and implementation procedures.”

It calls for a federation of interoperable Identity Management (IdM, their acronym) processes and that this federation would involve three operational characteristics:

1) Interoperability
2) Trust Anchors
3) Choice-based participation.

The executive summary goes on to say the identity management strategy should embrace commercial providers, address privacy and civil liberties, allow choice by the enterprise, program and individuals, yet maintain standards. As far as IDmachines can tell this is exactly what a large number of organizations, across end-users, integrators and vendors, have been doing for the last 5 years since HSPD-12 was published. IDmachines is glad to hear there is clear direction to stay the course, even if the directive is not recognized. Also, in the report’s Executive Summary:

“With respect to Governmental organization and coordination, establish a single, authoritative and comprehensive IdM governance process with a dedicated mission and office under an accountable official reporting directly to the President, embracing all Federal policy, technology, and IdM application activities related to both screening and access controls.
The established lead official should have control over defined IdM programs and resources across Government, including budget, as needed to advance Federal IdM under a single coherent strategy.”

Centralizing identity in a single office is an excellent though not new idea and follows a lead set by other countries including, very recently, India. The one word that matters for a change above is “budget”. The progress that has been made to date has been the result of an unfunded mandate. Taking this into account, the evolution of Federal Information Processing Standard 201 (FIPS 201) Personal Identity Verification and its 2.0 evolution into Personal Identity Verification - Interoperability (PIV-I) is pretty impressive. Now if there were program and project funding, guidance on grants (where funding already exists) and recognition of the economic and social benefits, then we might really be getting somewhere. In addition this remains a national competitiveness issue, particularly given the significant investments being made in dozens of other countries.

Also in the introduction it calls out:

“With respect to public-private programs, direct the appropriate Federal Government departments and agencies to work with the private sector to develop and advance a comprehensive and progressive IdM Research and Development agenda, focusing on Government-civil IdM interoperability.” While a research and development agenda is a reasonable part of the policy (IDmachines believes that the evolution of PIV-I holds tremendous opportunities for innovation across sectors and applications), at the same time the report makes it sound like federated identity management is not ready for prime time. This is far from the case; in fact there are commercial off the shelf (COTS) solutions for credentialing, logical and physical access control and other related applications. There exist both products and services that scale to the enterprise and federation and meet the type of IdM called out in this report. Simply take a look at the General Services Administration Approved Products List to see the breadth of solutions based on FIPS 201. It is disappointing the extent to which this document does not reference Homeland Security Presidential Directive 12 (HSPD-12), FIPS 201 or PKI other than one footnote referencing the Federal Bridge. How can the council ignore/fail to highlight billions invested that relate directly to its recommendations to the President!

Yes, the government needs to put its house in order. It needs to stop making the silly mistake of developing multiple identity credentials that do not meet the basics set out above, in particular interoperability and trust. At one point there were (and there may still be) more than 40 ID programs in DHS alone, and the last time IDmachines checked there was little, if any, interoperability.

IDmachines agrees with the recommendations:
1. Leadership on IdM
2. National office under the Executive Office of the President
3. Develop an agenda to address:
a. Government organization and coordination
b. Public-private IdM programs
c. Policy and legislative coordination
d. National privacy and civil liberties culture

IDmachines applauds the broad definition of identity adopted in the document, specifically: “IdM covers a broad scope, including both digital and physical identification of individuals, applications, devices, objects, and information.“ As mobile devices expand their functionality the need for strong authentication of the device as well as the user becomes one of the most important short term challenges facing the information technology, identity and security industries (which in fact are one and the same).

At the same time the report identifies IdM as a critical enabler of homeland security priority agenda items and it reinforces the need to bring physical access control under the IdM umbrella. IDmachines applauds the NSTAC for repeating and reinforcing this need as it did in 2003. In doing so this report defines identity and convergence as the combination of people and device and logical and physical domains. IDmachines has long held this is the only way to view identity and security. This approach has relevance across critical infrastructure and forms the basis for any modern network importantly including the electrical or “smart” grid.

On privacy the report simply highlights the need for protection of privacy to be foundational to any IdM strategy. This simple statement is welcome. In this same section it makes the point that requiring identification for anonymous activity does not make sense. Again a very good piece of design advice and it calls out web browsing as an example. Some recent actions by the government are contrary to this point and should take the NSTAC guidance into account.

The report provides a useful list of IdM benefits. It includes both hard and soft economic benefit categories. It would be more useful to have included an overt statement on the return on investment but the emphasis and highlighting of the benefits provides a citable list that members of the industry can call on when making the argument about their business, enterprise activity or IdM investment.

The report discusses the problems in the current operating environment yet fails to discuss the opportunities that exist. This point is the same as the earlier one about “ignoring” FIPS 201. Clearly the discussion of commercial and government factors should cover the interoperability and trust anchors that are in place, particularly in the context of PIV-I. The same issue exists with the next section (5.0 Need for an Identity Strategy); it opens with an all-inclusive statement: “Current Government and private sector IdM systems are numerous and stove-piped, causing redundancy and inefficient and uncoordinated IdM efforts.” In fact interoperability among government agencies and between DoD and CertiPath organizations exists today. FiXs recently aligned for the same reason. While stove pipe may be true for some information and communications technology (ICT) companies, it is not, as an example, true for aerospace and should not be for the defense industrial base.

The report does call out at the beginning of 7.1: “Realistic potential exists for the private sector and individuals to benefit from participation in a federation of interoperable IdM processes.” In fact it should call out the fact that real progress has been made already. As an example the SAFE BioPharma Association has cross-certified to the Federal Bridge Certificate Authority and promotes benefits that include risk mitigation, IT system interoperability, the use of regulatory-compliant digital signatures, as well as green benefits. In fact both CertiPath and SAFE are part of the 4 Bridges Forum, an organization that seems to be ignored by this report.

In 8.0 Findings and Conclusions the report correctly points out that: “The administration’s commitment to broadening transparency throughout Government will likely have cybersecurity implications and increase the need for an implementable federation of interoperable IdM processes.” While not directly related to the communications sector, there clearly exists a need for strong identity management and authentication in association with the desire for transparency of the bailout and stimulus monies being spent. A very small percentage of the monies dedicated in these areas could likely provide the foundation of the IdM (and even better, for strong identity credentials that adhere to FIPS 201) required by the relevant businesses involved in receiving these government funds.

IDmachines completely agrees with the statement in Conclusions that “If IdM stakeholders do not address the fundamentals now, then more isolated IdM systems will emerge and it will become more difficult to adopt viable comprehensive and interoperable IdM solutions in the future.” Again, recognition needs to take place of those who are addressing the fundamentals of strong authentication, interoperability and trust anchors as mentioned earlier in this analysis.

The Recommendation reiterates the need for a national IdM office. IDmachines strongly backs this goal and the associated statement: “to develop a coordinated programmatic agenda to implement a comprehensive IdM vision and strategy to address, at a minimum, four component areas, specifically: Government organization and coordination; public-private IdM programs; policy and legislative coordination; and national privacy and civil liberties culture.” IDmachines would add the statement that the IdM office should look to build off the work already done and the investment made in PIV-I to achieve this goal.

Monday, July 13, 2009

FIPS 201 and PIN, Don’t store secrets! Never replicate or put a PIN in the clear!

IDmachines has recently run across a number of situations in which people want to leverage the PIN on a FIPS 201 (HSPD-12) credential. The idea is to use a PIN on the system as a second factor in combination with the contactless components of the credential. Multi-factor authentication is a great idea for any access control application. Something you have plus something you know is simply more secure than something you have.

But let’s be clear, it’s something YOU have and something YOU know, not something WE (as in anyone with access to a database or application) know. The PIN on a FIPS 201 credential is something you set and then is locked away. You should never tell anyone and certainly you should never store it in a database for use in another application. In particular under no circumstance use the PIN that is associated with and provides access to your private keys as a PIN on system for a physical access control application. End of story no further discussion please.

It’s not the worst thing in the world to have a second PIN for the physical access control system, particularly given the increase in security it brings to contactless applications in the FIPS 201 world. Further, this is where you can be creative: there are certainly ways to USE the PIN but not STORE it on the physical access control system (PACS). This is where you need to dig into your cryptographic tool box and do something neat (surprise… IDmachines and its clients would be glad to help). Just don’t compromise your FIPS 201 credential and do something silly such as store the PIN on the system. It doesn’t matter if it’s only accessible by administrators or security officers. It’s your PIN, it protects a PRIVATE key, and policy states never give it to anyone. This is not a case where it’s OK to bend the rules.
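One way to "use the PIN but not store it" on the PACS side, as an added example that is not code from the original post or from IDmachines: the PACS keeps only a salted, peppered PBKDF2 verifier for a separate PACS PIN (never the card PIN that unlocks the private keys), bound to the credential identifier read over the contactless interface, and locks the record after repeated failures. The pepper, the 6-8 digit PIN policy, the iteration count and the lockout threshold are assumptions for the example; the FASC-N is named only as one identifier a PIV credential carries, and the sample credential id and pepper are constructed test values. A short PIN is low entropy, so the server-side pepper (held outside the PACS database, e.g. in an HSM or key store) and the lockout matter more than the hash iteration count.

```python
"""Added example: a PACS-side PIN verifier that never stores the PIN itself.

Bad pattern the post warns against (never do this):
    records[credential_id] = {"pin": pin}          # PIN in the clear in the PACS DB
Pattern shown here:
    records[credential_id] = PinRecord(salt, verifier)   # verifier only
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000   # assumed tuning value; raise on real hardware
MAX_FAILURES = 5              # assumed lockout policy
PIN_MIN, PIN_MAX = 6, 8       # assumed PACS PIN length policy (digits only)


@dataclass
class PinRecord:
    """What the PACS stores: a per-record salt and the derived verifier. No PIN."""
    credential_id: str        # identifier read from the card, e.g. the FASC-N
    salt: bytes
    verifier: bytes
    failures: int = 0
    locked: bool = False


def _derive(pepper: bytes, credential_id: str, pin: str, salt: bytes) -> bytes:
    # Mix a server-side pepper and the credential id into the PIN before the
    # slow hash. Without the pepper, a copy of the PACS database allows an
    # offline search of the whole 6-8 digit PIN space; with it, the database
    # alone is useless to an attacker.
    bound = hmac.new(pepper, credential_id.encode() + b"\x00" + pin.encode(),
                     hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", bound, salt, PBKDF2_ITERATIONS)


def enroll_pacs_pin(pepper: bytes, credential_id: str, pin: str) -> PinRecord:
    """Create the stored record for a new PACS PIN. The PIN is discarded on return."""
    if not (PIN_MIN <= len(pin) <= PIN_MAX) or not pin.isdigit():
        raise ValueError("PACS PIN must be %d-%d digits" % (PIN_MIN, PIN_MAX))
    salt = os.urandom(16)
    return PinRecord(credential_id, salt, _derive(pepper, credential_id, pin, salt))


def verify_pacs_pin(pepper: bytes, record: PinRecord, credential_id: str, pin: str) -> bool:
    """Check a presented PIN against the stored verifier; count failures and lock."""
    if record.locked or credential_id != record.credential_id:
        return False
    candidate = _derive(pepper, credential_id, pin, record.salt)
    ok = hmac.compare_digest(candidate, record.verifier)   # constant-time compare
    if ok:
        record.failures = 0
    else:
        record.failures += 1
        if record.failures >= MAX_FAILURES:
            record.locked = True                             # online guessing stops here
    return ok


if __name__ == "__main__":
    # Constructed test values: a pepper that would live in an HSM, and a fake credential id.
    pepper = b"constructed-test-pepper-not-for-production"
    record = enroll_pacs_pin(pepper, "CONSTRUCTED-CRED-0001", "135790")
    print("stored fields:", record.salt.hex(), record.verifier.hex())   # no PIN present
    print("correct PIN  :", verify_pacs_pin(pepper, record, "CONSTRUCTED-CRED-0001", "135790"))
    print("wrong PIN    :", verify_pacs_pin(pepper, record, "CONSTRUCTED-CRED-0001", "000000"))
```

The record holds nothing an administrator or security officer could read back as the PIN, which is the post's point; the card PIN that protects the private keys never reaches this code at all.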

Sunday, July 5, 2009

FIPS 201 and India National ID, interoperability anyone? Unique Identification Authority of India names “Secretary of Identity”.

A race is on, not unlike the race to the moon and we will see if the United States can catch up with the rest of the planet when it comes to identity credentials. This blog and IDmachines continue to tout the progress that has resulted from Homeland Security Presidential Directive 12 (HSPD-12), its expansion to the private sector as evidenced by the activities of the 4 Bridges Forum and the continued expansion and evolution of Federal Information Processing Standard 201 (FIPS 201). However, in terms of strong digital IDs, the EU is at 100 million (as opposed to 10 million in the US) and India just upped the ante.

The recent announcement states that India will roll out a national identity credential for 1.1 billion citizens and aims to get it going by 2010. The India Congress Party actions bode well for the Indian and hopefully global identity industry. It’s not surprising that one of the world’s most dynamic economies and the world’s largest democracy has decided to make identity infrastructure a priority. While not surprising, it is impressive that the Indian government leveraged the mandate of the recent election (are you listening President Obama…). India will create a cabinet level position for the Unique Identification Authority of India and has already named its “Secretary of Identity”: entrepreneur Nandan M. Nilekani, a founder and former chief executive of Infosys Technologies. Mr. Nilekani will leave his post as a co-chairman of the board to take on the ID card project.

Here in the US we rightfully want to address finance reform, economic stimulus, expanded health care, climate change and other initiatives. It’s great that the Obama administration has decided to show leadership on these important topics. This blog repeats that creating a national identity infrastructure should be the first step in addressing most of these issues (even emission trading is facilitated by a multi-purpose credential). It seems that the rationale for the investment is well understood in India and articles in the NY Times, Financial Times, Independent, India Times, DNA India, all make points of the benefits of investing in identity.

These sources cite (among other things) that the program will create 100,000 new jobs, streamline government to citizen disbursement, reduce fraud in benefits to the citizens (e.g. think savings in Medicaid, Supplemental Nutrition Assistance Program, Unemployment Benefits, etc.), and enable secure citizen to government transactions, among other things. All represent goals in play in this session of the US Congress. In the US we have yet to realize that identity runs across these programs. Neither Congress nor the Obama administration fully realizes the leverage an identity investment gives to all of these legislative, policy and economic goals. There are bits and pieces of identity in different bills and no coherent overarching approach. No offense to the ornithologists or vegetarians but we are missing the opportunity to kill more than one bird with one stone.

One interesting article even proposed skipping a generation of identity credentials and basing the national ID on a SIM card. This is a fascinating idea, particularly given the capabilities of today’s mobile devices. This is clearly the future, and while it’s not a likely outcome in the India case (don’t think that mobile devices have sufficiently penetrated to the 1.1 billion individuals who will be covered), the fact that it’s being discussed shows how an investment in identity has the potential to leapfrog the technology base of countries. Maybe it will be an option and if so it will create a whole new concept of mobility.

You have to give props to the Indian government for their initiative and good luck to Mr. Nilekani. Not surprisingly IDmachines and many other companies in the identity world will be taking a close look to see how they might get involved.

Finally, is anyone making the argument that India should be looking at FIPS 201 as a basis for their credential specification? More than most global ID specifications it meets the needs for multi-use by combining contact and contactless interfaces, logical and physical access control, strong authentication, digital signatures and encryption, and continues to evolve (e.g. match on card, contactless mutual registration, secure channel, elliptic curve, etc.). Is it possible that we could be entering the world of “Identity Diplomacy” where the US Ambassador in New Delhi has interoperable identity credentials as part of his brief? This would certainly be a boon to economic cooperation, and another way to leverage the global investment by industry in FIPS 201.

Saturday, June 13, 2009

Interoperable FIPS 201 Value Proposition: New York Times Highlights Needs for Strong Medical IDs

This is likely the easiest post I will ever do, but you have to love it when the New York Times has your back. Today’s article, “New Ailment: Medical ID Theft,” points out the danger of Medical Identity Theft. While I mentioned this in my last post, this article brings it very specifically to light.

To make the point again: any Health IT spending must include an investment in strong identity. Interoperability of health data without strong identity credentials is putting the cart before the horse. See the previous post for more details.

Monday, June 8, 2009

Use Cases for FIPS 201, Multi-use Interoperable Health Credentials

IDmachines supports an investment to bring health credentials into a PIV-I world. Interoperability among health care providers, payers and patients provides a great use case for high assurance interoperable credentials. It’s a widely required application for an identity credential.

Any investment in healthcare IT has to realize this. Healthcare needs strong identity assurance, yet most systems in the US don’t make the investment in an identity infrastructure. The United States Government needs to invest in infrastructure to support item 10 in the Cyberspace Policy Review: identity management, privacy and civil liberties.

Some organizations have begun this, Mt. Sinai being a leader (see below). Many countries have also done this; the US has not. Unless the US invests in strong identity, we won’t get the cost savings or improve healthcare, and the US will continue to be a laggard. Please don’t give me another bar code or magnetic stripe ID card, web account(s), user names and passwords. Even scarier, don’t accept federated IDs that don’t have any way of knowing who is establishing the accounts. Don’t make me get more certificates either. Can someone commit to identity infrastructure as part of the Health IT stimulus? That’s the gist of this post.

IDmachines supports the efforts of the Smart Card Alliance and the Secure ID Coalition, which combined to deliver the message that strong identity matters for any health IT effort at a National Press Club briefing in Washington DC on May 19th.

Credentialing matters when millions of individuals are involved in a program, and surely this is the case as state and national health insurance programs grow. Strong privacy and security, interoperability and multi-use would be good things to have in a credential. I don’t see any in the health marketplace. I access my health accounts (also Microsoft and Google “Vaults”) with un/pw or a bar code/number at a desk. Why can’t I use my government issued digital ID to log into these sites?

These are strong assurance credentials, with background investigation and breeder document checks. The process is well defined and in my case the issuance procedures worked. I want to be able to use it. Organizations can have greater assurance of my identity when I use it. I have an ability to log on, digitally sign communications, and encrypt sensitive information. Please spare me from my endless usernames and passwords and changing them on a frequent basis; what a pain. Give me my PIN and biometric and chip and certificate(s) private keys that I use for everything. Sounds uber-tech? Well, it’s the way in dozens of countries.

Estonia, despite (or maybe as a result of) getting cyber attacked, is making a renewed investment. As I said, there are dozens of large scale programs including England, Italy, Belgium, Austrian health cards, German health cards, Brisbane driver license, Angola, Nigeria, Ivory Coast; it’s a long list. A lot of places are making the identity investment that will then be leveraged.

In the United States, without a funded program and in the current economic conditions, it’s not about whether it’s the “right” thing to do. The real question is why invest when you can just print a flash pass or bar code. I refer to why Mount Sinai would do it. I have heard Paul Contino before, but he repeated the rationale at the National Press Club. It always makes sense. To repeat again…

“Correctly identifying patients and their records is difficult just within a single hospital, but gets far worse between multiple institutions,” Paul Contino, vice president, Information Technology, at Mount Sinai Medical Center in New York. Paul cautioned that identity management must be addressed correctly up front or “we’re going to have problems with the linkages of electronic medical records” on a regional or even national basis. Mount Sinai revamped patient registration processes and implemented a smart card-based patient card to more accurately link individuals to their medical and administrative records.

In fact it’s completely irresponsible to invest in health information technology without doing it. The financial arguments are well established. Organizations that implement new health IT applications can use PKI and PIV credentials. Soon the entire US Government will use them, and a lot of people interact with it.

More information is available in Smart Card Alliance publications. “Effective Healthcare Identity Management: A Necessary First Step for Improving U.S. Healthcare Information Systems” explains the current problems with identity management in healthcare and its costs. It also proposes solutions that leverage existing standards developed for other federal identity programs. The newly published “Smart Card Technology in Healthcare” frequently asked questions document outlines how the technology is used to manage patient identity and protect a healthcare consumer’s personal information.

Wednesday, May 20, 2009

A FIPS 201 Bridge Across the Seas and the Expanding World of PIV-I

One more example of how FIPS 201 and Personal Identity Verification Interoperability (PIV-I) and cross certification to the Federal Bridge Certificate Authority continue to gain momentum as an enterprise credentialing standard is the Transglobal Secure Collaboration Program (TSCP). This brings into play foreign national governments (UK and Netherlands Ministries of Defence in addition to the US DoD and GSA) and foreign multinational corporations. TSCP chains to the Federal Bridge Certificate Authority through Exostar and CertiPath. Primarily aerospace in focus, it includes the who's who of companies in the field.

If you look at these organizations it's clear how this sets up FIPS 201 and PIV-I to make headway in the European Community. It sets up significant enterprises for FIPS 201 credentials in their next refresh cycle. It further confirms the vitality of PKI and its basis for identity federations interested in strong authentication.

This is not news; the change in DoD policy to accept "comparable credentials" actually came out 22 July 2008. However it is another brick in the wall in making the case that FIPS 201 is not just about US Government employees and contractors. So for matters of completeness it's an important addendum to the last post.