Since launching the HSPD-12 (Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors) secure credentialing program in 2004, millions of smart cards have been issued to U.S. Government employees, military personnel and contractors. As a result, the government has streamlined and standardized the process used to vet employees and process their identities and credentials, and has defined and implemented a standardized, single credential to grant access to physical and logical security applications.
Government employees across all federal agencies now are required to use a single, secure photo ID badge to authenticate themselves, gain access to doors, gates and portals at government buildings, carry biometric and other information in a secure manner, log on to their computers and mobile devices, digitally sign emails and encrypt disks, files and emails.
With this U.S. Government initiative, for the first time, standards were applied to all elements of the identity, credential and access management ecosystem of an organization. Developed by NIST (National Institute of Standards and Technology), the Federal Information Processing Standard 201 (FIPS 201) governs the way in which federal employees provide their identities, and the workflows associated with capturing personnel data, processing credential requests, producing the credential and getting it to the employee are strictly defined. Following the FIPS 201-mandated process provides a high level of trust in the credential, which allows it to be accepted across different agencies, and to perform more functions than a typical, locally-issued proximity credential could be trusted with. These credentials are commonly referred to as PIV (Personal Identity Verification) cards. As of today, millions of PIV cards have been issued to federal workers, including both military and non-military government employees and contractors.
To produce the high volumes of smart cards the government requires for its PIV credentials, a number of agencies, including the GSA (U.S General Services Administration), established sophisticated identity and smart card management systems that not only print visually secure ID badges, but also encode the smart card chips with agency- and personnel-specific data, biometric information, encryption keys and digital certificates.
Government standards also aid enterprises
It took a lot of work by the government and industry, but the FIPS 201 standard that supports HSPD-12 has made real the promise of trusted, enterprise-wide credentialing and multiple applications on a single credential. Success at the federal agency level has stirred interest among government contractors and commercial enterprises, many of whom share the problems as the government –identifying all employees, and securely managing those identities and their credentials across multiple sites.
There are various forms of FIPS 201 credentials that are available to private and commercial organizations, allowing them to benefit from the research and data models that have been implemented and shown to be effective by the federal government. Examples include TWIC (Transport Worker Identity Card), use by workers at maritime facilities and ports, FRAC (First Responder Access Card) for police, fire and other local government emergency response personnel, and PIV-I (PIV-Interoperable Cards) for non-government personnel that may need to have access to U.S. Government sites and data as if they were government personnel.
And there are CIV Cards. The Commercial Identity Verification Card provides a model for technical compatibility with PIV-based systems deployed by the federal government. The CIV card doesn’t require the same level of identity proofing or issuance workflow required to obtain a PIV card, but does provide a framework that non-government organizations can use to issue very secure, multifunction smart card credentials. Technically, PIV-I and CIV are virtually identical; the difference lies in the issuing process. CIV issuers must follow the same enrollment, verification, separation of duties and full background checks that the federal government follows to issue a PIV card. CIV holders are then considered vetted to the same standards as a government employee or contractor, and their credentials are handled with the same levels of security as a government-issued card.
CIV cards for smaller organizations – issued through the cloud
But what if instead of millions, your organization consists of thousands, or maybe hundreds of employees? While high assurance, smart-card based credentialing programs would provide more secure physical and logical security tools and policies, the investment of hundreds of thousands of dollars required to implement such a card management system would likely be a challenge.
This is where cloud-based credentialing, or “identity as a service” can play a role. These services allow users to bypass the smart card infrastructure investment and to create, manage and distribute secure, certificate-based smart card credentials such as CIV cards through the cloud. ‘Pay-as-you-go’ models offers one fixed price so you pay only for the users you need, as you need them, eliminating the complexity and operating costs associated with managing and deploying an internal smart card identity project. This approach offers significant savings by avoiding upfront capital and ongoing management costs of replacing, installing, maintaining and managing onsite servers and systems.
Typical identity as a service solutions allow an organization to define its own credentialing workflows, badge designs and encoding data for physical access, logical access, digital signing and encryption. Badges can be printed by the service in bulk, one at a time, or even at the customer’s facility, if they prefer to have printers and the associated supplies and support mechanisms on site. Remote employees can log onto the service, follow the predetermined workflows, and create their own badges, which are then mailed to them in a secure envelope.
By taking the complexity out of designing smart card data models, encryption, encoding, printing and issuance, cloudbased credentialing services make true, secure smart card functionality and deployments available to all organizations.
Outside the U.S., there are similar programs starting or already going on all over the world that use smart card-based credentials issued via the cloud. The underlying technology that creates secure, trusted identity credentials is gaining momentum. And we can be curious what the future will bring.