October 9, 2009
Vol. 31 Issue 25
Page(s) 40 in print issue
Government Agencies Face Challenges Complying With Federal Mandates On Identity & Access Management
Identity and access management pose problems in all enterprises, but for government agencies, ID management is an even bigger concern because of federal mandates.
• The Department of Homeland Security has issued a governmentwide standard for secure forms of ID, but many agencies are struggling to fully comply.
• Challenges to compliance include cost and technical hurdles.
• Although the directive could spark ideas in the private sector about creating standardization on access management, many experts believe it’s unlikely that a similar mandate will be handed down from the government to private industry.
Although a major directive has been put in place, most agencies haven’t met the deadline for compliance, highlighting the challenges that come with standardization efforts, according to experts and vendors that provide ID tools for government clients.
Homeland Security Presidential Directive 12 (HSPD-12) was issued in August 2004 by President George W. Bush. It calls for a mandatory, government-wide standard for “secure and reliable forms of ID issued by the federal government to its employees and employees of federal contractors for access to federally controlled facilities and networks,” notes the U.S. Department of Agriculture’s site. The USDA’s efforts include an ID called LincPass, designed to link an identity to an ID credential that will grant access to physical and logical systems at the USDA and other agencies.
Although many agencies have launched similar efforts, there’s still a long way to go before there’s true compliance, and even the Department of Homeland Security got a deadline extension to 2010, notes Chris Poulin, CSO at Q1 Labs (www.q1labs.com). Poulin spent eight years in the U.S. Air Force managing global intelligence networks and developing software. He says, “Almost no one has been able to meet the directive.”
Looking Toward Cohesion
The initiative is intended to create an interoperable access control mechanism for all federal agencies, with identity verification that includes extensive background checks and ID cards with smart chips. The idea is to create cohesion and standardization within agencies, so they’re all on the same system and can therefore be accessed in the same way. For example, a CIA agent could get into buildings at NASA without going through additional security checks.
There’s been a wide gulf, however, between the development of this directive and its implementation, some experts have noted. Laurie Aaron, vice president of government and alliances at Quantum Secure (www.quantumsecure.com), says that the mandate had a deadline of Oct. 27, 2008, by which time all agencies should have had new ID cards and technology for employees and contractors. But recently, she spoke to one agency that hasn’t even started the process and has 40,000 employees to credential.
“Everybody is moving at their own pace, and some have now decided that they’re going to develop their own process,” she says. “Cost is a big issue, because even though the government mandated this, they didn’t fund it, so agencies have had to build it into their budgets, and that’s not easy.”
There are also technology challenges because of the complexity involved, says David Ting, CTO of Imprivata (www.imprivata.com), a single sign-on provider with government customers such as the City of Miami Beach. He says, “How do you standardize everyone on one type of card? That’s a more complex and expensive question than it seems.”
Coming To The Private Sector?
When all agencies do comply with HSPD-12, does that mean the same directives might be targeted at the private sector, particularly toward companies handling health records? Although mandates such as HIPAA have been issued in the past, many experts believe that HSPD-12 won’t join them.
“It really doesn’t translate into the private sector because it’s wildly invasive in terms of background checks and cost,” says Q1’s Poulin. “The presidential directive is almost an idealistic way to look at access control. What they’ve painted is the need to have some sort of centralized ID system.”
Access management is a security issue at any company, but Poulin notes that not many companies would want to gather as much information about their employees as HSPD-12 requires. Also, employees are likely to balk, he notes. In a federal agency, employees expect deeper background checks, but in the private sector, it could be surprising to an employee if the company decided to call all of the employee’s friends and former employers to determine character and personal history.
Also, the checks must be maintained, sparking more cost and privacy issues. While at the Department of Defense, for example, Poulin was given a polygraph test every six months and went through random drug tests.
The idea of centralization and standardization, though, could be helpful to companies in general. IT managers may want to team up with HR to look at what type of consistency exists in background checks and how that process might sync with creating different levels of access. Poulin says, “Universal access control doesn’t have a lot of meaning, because you wouldn’t want an administrative assistant and the CFO to be able to see the same data, for instance. But companies may want to look at the principles outlined in HSPD-12 for ideas.”
by Elizabeth Millard
Biggest Challenge: Trust Issues
Beyond the technical challenges of implementing HSPD-12 comes a broader issue of trust, says Adam Vincent, CTO of Layer 7 Technologies (www.layer7tech.com) and an advisor to the Department of Defense and the Department of Homeland Security.
“We need to trust the agency that has issued the users’ and systems’ credentials, we need to trust and understand the metadata utilized for authorization, we need to trust the enforcement of authentication and authorization policies and employ common policies for each, and lastly, we need to trust all of the systems and people involved in all these processes from user credentialing and human resources to policy creation and deployment,” says Vincent. “Although there are technical efforts underway to assist in these areas, we have a long way to go before government agencies will trust a common credential for doing anything more than just authentication.”
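The two points the article closes on, Poulin’s remark that universal access control is meaningless without levels of access (an administrative assistant and the CFO should not see the same data) and Vincent’s separation of trusting the credential issuer from trusting the authorization metadata, can be shown together in a small policy check. The example below is added here and is not code from the article, from any of the quoted vendors, or from any HSPD-12 implementation. The issuer names, roles, resources, and dates are constructed sample values; the credential fields are a simplification of what a smart-card credential would carry.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample trust anchors: which issuing agencies this system
# accepts credentials from. In practice this would be a list of trusted
# certificate authorities, not bare strings.
TRUSTED_ISSUERS = {"AGENCY-A", "AGENCY-B"}

# Constructed authorization metadata: which role may reach which resource.
# Kept deliberately separate from the authentication step below so that a
# valid credential alone never grants data access (Poulin's point).
POLICY = {
    "cfo": {"building", "calendar", "financials", "payroll"},
    "admin_assistant": {"building", "calendar"},
}


@dataclass(frozen=True)
class Credential:
    """Minimal stand-in for an identity credential and its metadata."""
    subject: str
    issuer: str
    role: str
    expires: date
    revoked: bool = False


def authenticate(cred: Credential, today: date) -> tuple[bool, str]:
    """Decide whether the credential itself can be trusted (Vincent's first
    concern: trust in the issuing agency). Returns (ok, reason) so the
    reason can be logged for audit."""
    if cred.issuer not in TRUSTED_ISSUERS:
        return False, f"issuer {cred.issuer} is not trusted"
    if cred.revoked:
        return False, "credential has been revoked"
    if cred.expires < today:
        return False, f"credential expired on {cred.expires.isoformat()}"
    return True, "credential accepted"


def authorize(cred: Credential, resource: str, today: date) -> tuple[bool, str]:
    """Authorization runs only after authentication succeeds, and is decided
    by the role metadata against POLICY, not by who issued the card."""
    ok, reason = authenticate(cred, today)
    if not ok:
        return False, reason
    allowed = POLICY.get(cred.role, set())
    if resource not in allowed:
        return False, f"role {cred.role} is not permitted to access {resource}"
    return True, f"role {cred.role} permitted to access {resource}"


def decision_log(cred: Credential, resource: str, today: date) -> str:
    """One audit line per access decision, whether allowed or denied."""
    ok, reason = authorize(cred, resource, today)
    verdict = "ALLOW" if ok else "DENY"
    return f"{today.isoformat()} {verdict} subject={cred.subject} resource={resource} reason={reason}"


if __name__ == "__main__":
    # Constructed sample credentials; the date is the article's print date.
    today = date(2009, 10, 9)
    cfo = Credential("cfo01", "AGENCY-A", "cfo", date(2010, 6, 30))
    assistant = Credential("asst01", "AGENCY-B", "admin_assistant", date(2010, 6, 30))
    outsider = Credential("x01", "AGENCY-X", "cfo", date(2010, 6, 30))
    for cred, res in [(cfo, "financials"), (assistant, "financials"),
                      (assistant, "building"), (outsider, "financials")]:
        print(decision_log(cred, res, today))
```

The `outsider` case is the one worth noticing: its role metadata says `cfo`, but because the issuer is not in the trusted set, authentication fails before the role is ever consulted. The converse holds for the assistant: a perfectly valid credential from a trusted agency still yields a denial for `financials`, because the authorization policy, not the card, decides what data the holder may see.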