The Future of Credentialing

Security specialist shares what the feds, industry groups are doing

Over the last several years, Steve Howard has participated in some of industry’s leading committees and standards related to security and credentialing — RTCA’s SC-207 working on the DO-230B Aviation Access Control guidelines; Smart Card Alliance’s Physical Access Council and Identity Council, the Government Smart Card Inter-agency Advisory Board committees for FIPS 201 [Federal Information Processing Standard 201], and the Security Industry Association’s PIV Committee and the ANSI B10.9 committee on identity credentials. In this ‘State of the Industry’ update, he offers his insights as to where credentialing is headed, along with some resources.

Starting with physical access, the goal historically was to keep bad guys out and let good guys in, using a badge. Electronic verification of a badge is much stronger than the old World War II scenario:

‘Halt, who goes there?’
‘It’s me, Sgt. Jones.’
‘What’s the password Sgt. Jones?”
‘You may enter.’

Anyone listening in on that challenge and response protocol now knows how to get on base until the password is changed. When a threat is identified, the process is changed (show me your ID card — now that individual must know the secret and have a valid ID). This helps mitigate the risk.

Today, we use a proximity badge that provides a “something you have” level of security: wave it at the door reader, and if the credential is authorized, the door strike opens. Yes, proximity badges have served us well; but times are changing. Clearly more is being done than simple prox badge access, as many facilities already support PIN and automated photographic verification at critical access points. Some are also engaged in biometric methods for access control.

Change in Definition
The very definition of “access control” is changing. Now we see concerns around “Identity Management.” We hear about convergence of ID between physical and logical access in a uniform approach. We are seeing the emergence of “Security Operations Centers” focused on situational awareness, command, and control.

An excerpt from a research report by the Stanford Washington Group might help here: “We believe that the creation of FIPS 201 is a landmark event for the industry. For the first time, a formal standard exists that will allow agencies to purchase biometric and credentialing solutions with the assurance of interoperability and mutual levels of trust.” With solid vetting requirements and rigid smart card and biometric interoperability standards, the ‘ID solutions’ industry is rapidly moving to support it. Other federal ID programs like TWIC, Registered Traveler, and the First Responder Card initiative have pledged to follow the same technical standards, allowing them to be more rapidly and affordably deployed.

Any card that complies with FIPS 201 will be a powerful tool that all public or private agencies should be able to trust and easily authenticate. FIPS 201 establishes a new gold standard for identity documents and credentialing. With this standard in place, companies that build access control systems — in both the physical and cyber world — are quickly adapting their products to accept the new PIV credential.

Moreover, these two worlds are crashing together, as physical and IT security professionals work together to pre-integrate solutions from each world, creating exciting new product combinations and new approaches to security. Some, such as Lenel and AMAG Technology, have gone so far as to integrate their products directly with card and identity management products from vendors like ActivIdentity and Intercede, allowing security managers the ability to provision both logical and physical security credentials from a single identity management system.

This content continues onto the next page...

We Recommend