Opinion: Rigor and interoperability of security credentials depend on infrastructure design and deployment.
Federal agencies and contractors have until Oct. 27 to define a
new standard of personal identification. Thats
for compliance with the first phase of Homeland
Security Presidential Directive HSPD-12
, which called in August of last year for the creation of a federal standard that was issued this past February as FIPS
That standard requires "secure and reliable identification ... based
on sound criteria for verifying an individual employees
identity ... strongly resistant to identity fraud, tampering,
counterfeiting, and terrorist exploitation" -- with the further
capability of being "rapidly authenticated electronically" based on "an
official accreditation process," with "graduated criteria" to meet
varying levels of security needed for different situations.
Sure, we can do that by Thursday. Or maybe not.
I spoke last week with Jim Ganthier, Hewlett-Packards director of
Worldwide Defense Intelligence and Public Safety Solutions, about a
study that HP is releasing today of agencies readiness for HSPD-12
compliance. The September studys findings challenge the optimistic
assessment of Karen Evans
, Office of Management and Budgets
administrator for e-government and IT, who said earlier this month that
she expects broad achievement of compliance goals. "We have no choice
but to meet the dates," shes quoted as having said in a conference
appearance. Sorry, but thats like saying that a driver has "no choice"
but to stop at a red light -- a choice that people fail to make for any
number of reasons, including "but I didnt see it."
For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.
Not seeing the HSPD-12 deadline appears to be a common problem,
according to the Hewlett-Packard data. Half of federal IT professionals
have not heard of it; almost three out of five cannot state the
identification programs main objectives, according to the study
summary that I had a chance to review before general release. A third
of the respondents said the main problem with compliance is lack of
budget; another third tagged technical issues or shortage of staff as
the principal problem; but as the study report observes, when half the
respondents dont even know about a requirement, awareness probably
deserves to be ranked as Problem # 1.
And only a fifth of the respondents expected to meet the Oct. 27
I earlier compared missing this deadline to running a red light, and
I made that comparison deliberately because there are times when one
does that by choice. If an 18-wheeler is coming up behind you, blowing
its horn and showing no sign of slowing down, and you see no cross
traffic that poses a threat, you might decide that being actually safe
is more important than following a well-intentioned safety rule.
Implementing identification technology that isnt actually ready to
meet its goals, but that radiates a misleading aura of next-generation
reliability, could actually weaken security.
If we miss any part of the FIPS 201 standard, we make the problem
worse. If we dont have a sound accreditation process, we may see unauthorized
issuance of genuine credentials
by insiders looking to supplement
their income; if we dont achieve appropriately graduated criteria,
well have too
much identifying information available to too many people
, and may
make identify theft much easier than it is today.
I dont want to minimize the hardware issues of smart cards,
biometrics and other key elements of this program. To a great extent,
though, its up to application developers to make it happen by turning
the rules into specifications, turning the specifications into code,
and getting the code and the associated databases to play nicely with
each other while shunning any would-be abusers.
Awareness doesnt just mean knowing the rules and following them; it
also means having a professionals role in knowing, and communicating,
the right thing to do about the rules and the problems that they
purport to solve.
Tell me what rules you sometimes choose to break
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.