Developing Securitys New Image

By Peter Coffee  |  Posted 2005-10-24 Print this article Print

Opinion: Rigor and interoperability of security credentials depend on infrastructure design and deployment.

Federal agencies and contractors have until Oct. 27 to define a new standard of personal identification. Thats the deadline for compliance with the first phase of Homeland Security Presidential Directive HSPD-12, which called in August of last year for the creation of a federal standard that was issued this past February as FIPS 201.

That standard requires "secure and reliable identification ... based on sound criteria for verifying an individual employees identity ... strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation" -- with the further capability of being "rapidly authenticated electronically" based on "an official accreditation process," with "graduated criteria" to meet varying levels of security needed for different situations.

Sure, we can do that by Thursday. Or maybe not.

I spoke last week with Jim Ganthier, Hewlett-Packards director of Worldwide Defense Intelligence and Public Safety Solutions, about a study that HP is releasing today of agencies readiness for HSPD-12 compliance. The September studys findings challenge the optimistic assessment of Karen Evans, Office of Management and Budgets administrator for e-government and IT, who said earlier this month that she expects broad achievement of compliance goals. "We have no choice but to meet the dates," shes quoted as having said in a conference appearance. Sorry, but thats like saying that a driver has "no choice" but to stop at a red light -- a choice that people fail to make for any number of reasons, including "but I didnt see it."

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub. Not seeing the HSPD-12 deadline appears to be a common problem, according to the Hewlett-Packard data. Half of federal IT professionals have not heard of it; almost three out of five cannot state the identification programs main objectives, according to the study summary that I had a chance to review before general release. A third of the respondents said the main problem with compliance is lack of budget; another third tagged technical issues or shortage of staff as the principal problem; but as the study report observes, when half the respondents dont even know about a requirement, awareness probably deserves to be ranked as Problem # 1.

And only a fifth of the respondents expected to meet the Oct. 27 deadline.

I earlier compared missing this deadline to running a red light, and I made that comparison deliberately because there are times when one does that by choice. If an 18-wheeler is coming up behind you, blowing its horn and showing no sign of slowing down, and you see no cross traffic that poses a threat, you might decide that being actually safe is more important than following a well-intentioned safety rule. Implementing identification technology that isnt actually ready to meet its goals, but that radiates a misleading aura of next-generation reliability, could actually weaken security.

If we miss any part of the FIPS 201 standard, we make the problem worse. If we dont have a sound accreditation process, we may see unauthorized issuance of genuine credentials by insiders looking to supplement their income; if we dont achieve appropriately graduated criteria, well have too much identifying information available to too many people, and may make identify theft much easier than it is today.

I dont want to minimize the hardware issues of smart cards, biometrics and other key elements of this program. To a great extent, though, its up to application developers to make it happen by turning the rules into specifications, turning the specifications into code, and getting the code and the associated databases to play nicely with each other while shunning any would-be abusers.

Awareness doesnt just mean knowing the rules and following them; it also means having a professionals role in knowing, and communicating, the right thing to do about the rules and the problems that they purport to solve.

Tell me what rules you sometimes choose to break at

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel