Getting Identity Assurance Right

Efforts of many now coming into focus


In my prior three articles for Airport Business, we focused on identity, credentialing, and supporting technologies and processes, with a focus on how these issues impact airport owner/operators, their operations, and their security posture. Given all this information, what is the state of the industry for Identity Assurance in airports? That is the subject addressed here.

While attending the 2008 RSA Conference in San Francisco, the nation’s largest conference on information security that has grown (from the dot-bust era) into a behemoth again, I was struck by an emerging, common theme at this conference: Identity Assurance. Keynote addresses by EMC’s RSA Security Division, Microsoft, Symantec, and others all mentioned this as the underpinning of success. Identity Assurance was highlighted for access control, for e-Commerce, for employment, and everything in between. As I walked the show floor, vendors had Identity Assurance as one of the key features of their booth graphics, as well as how their products and services help you get it right.

Here are some questions I get asked often by airport security folks: “I already do identity and credentialing with my access control systems — can’t I just add biometrics for access control? Why isn’t this enough?”

Further, how will TSA, FAA, standards (such as RTCA DO-230B and FIPS 201), ACIS, and the emerging pilot programs by AAAE called BASIC all play out to improve our security posture? Is all this stuff necessary? What about those sunk costs in deployed investments for access control?

Again, why can’t I just add biometrics?

Many Parallel Events
There are currently several critical events happening in parallel from a standards and program point of view:

  • 14.March.2008 — Federal Identity and Credentialing Committee’s architecture working group publishes the draft Back-End Attribute Exchange Architecture and Technical Specification (BAE Spec). (This will soon be made public at www.smart.gov/awg.)
  • April.2008 — National Institute for Standards and Technology publishes Special Publication 800-116 (SP800-116) in draft form (available at www.csrc.nist.gov/groups/SNS/piv/standards.html).
  • April.2008 — AAAE forms the Biometric Airport Security Identification Consortium (BASIC).
  • 29.April.2008 — RTCA Special Committee 207 votes approval and completion of its work on the revisions to the DO-230A. This work is anticipated to publish as the DO-230B in June.2008. (Upon approval, it will be available at www.rtca.org.)
  • 29.April.2008 - TSA publishes for airports its draft Aviation Credential Interoperability Solution (ACIS) Technical Specification to the aviation community. (Authorized users may visit http://webboards.tsa.dhs.gov for access.)

This is a tremendous amount of information all coming out at roughly the same time. If you are thinking information overload, you would be a member of a large club. Those of us in the Identity Management and Credential Issuance System (IdM-CIS) business see this as business as usual. This information gap must be resolved. So here are some thoughts on how to look at these documents.

The foundation of all of these documents and programs is Identity Assurance and the proper use of identity and credentials to establish a privilege (the right to access a facility or network). As seen in the commercial security vendor world at the RSA Conference, this is a top-of-mind issue. It is not a situation where a TSA regulation should drive us.

Intellectual property rights, critical business applications, and critical infrastructure protection all need robust identity assurance processes to mitigate security risks. As seen in the standards world for government employees and contractors, and for aviation, we see significant progress on using Identity Assurance as a critical component to protecting our facilities and personnel.
