Gemalto on FIPS 201 in the NonFederal World


What PIV Means to Everyone Else

What's the influence of the FIPS-201 standard on the nonfederal world? That's the topic we've been exploring.

Recently, we spoke with Neville Pattinson, vice president of government affairs for Gemalto, which offers a range of smart card and authentication solutions.
Our conversation ranged from the value FIPS 201 has brought to the market simply by being a standard to the need for stronger authentication for individuals in the online world.

What follows is a transcription of our conversation, edited for clarity and length.


********

Sharon J. Watson, Security Squared: I've been intrigued by the idea that with all the PIV and PIV-I cards being issued, whether enterprises that are not mandated to adopt those credentials might still find some value in utilizing or taking advantage of the infrastructure work done in that area.

Neville Pattinson, Gemalto: Looking at the FIPS-201 market to date, it has been very successful in its implementation. It still has some way to go, and there are still more things for it to do. The key thing FIPS-201 has is the FIPS-201 standard. It's a standard that is published, and it has a very organized way for companies to create products.

On that basis, it is allowing competition in the marketplace. Everyone can create to those defined standards and be in competition with each other to ply organizations interested in adopting it. Nothing really existed before as far as standards in this credentialing area. Any implementation historically tended to be, if not proprietary, certainly not interoperable with anything else. They were closed systems. So now this is an open standard; other people can interoperate with it.

Where you have organizations that are not mandated to do this, there are two basic categories: the [first] are associated with the U.S. government. It is in the interest of those companies to do something that is FIPS-201-like, that is, the PIV-I. For example, when you consider defense contractors or government contractors that are working closely with federal organizations, it would be in their interests for them to heavily consider having their employees badged with that PIV-I.

That is a PIV credential which is part of the FIPS-201 spec but not issued by a federal or government agency; it was issued by a commercial entity. That "I" is for "interoperable." It allows you to interoperate, it allows you to communicate securely, and trust each other within that environment.

Then there is the other group, which is not necessarily dealing with the US government. For them, it's taking advantage of what is a growing pool of competitive products. You can go and get companies to compete for the best offer for the solution, for the components, for the reader, whatever it is you're trying to buy, and you've got adequate opportunity to have competitive price discussions with various vendors.

If they don't go that way, they tend to go into more locked-in or proprietary implementation. Once they do that, they may be subject to only one choice of supplier and potentially being locked in for a good deal of time before they can switch out of that.

That's not to say that's not the right way to go. Some organizations want that, they want to have security by obscurity and choose an implementation that is closed for them and only for them. That's fine. There are numerous options for them to go and select between one company and another for differing feature sets and functionality, but ultimately when they buy that, it's likely to be specific to that one vendor, so they make their choice and run with it. The PIV route gives you the option of always having competing vendors and prices I would expect to be more favorable on the basis of volume.

Either way the message here is that if organizations have assets they want to protect, they need to look at much stronger authentication technology than user name and password. It's been proven time and time again those are ineffective. Using two-factor authentication--something you have, like a smart card and something you know, a PIN code or maybe a biometric--is the way to really ensure you know who is in your building, who is on your network, who is in your database.

You've got accountability, traceability, along with that initial authentication. You then have all the capabilities of encryption, confidentiality for sending information around your network by having the proper technology at the personal level.

We're seeing companies that definitely have information that is valuable to them to protect or to ensure that it is not compromised or breached rapidly moving toward two-factor authentication technology for their employees.


SJW:  I want to make sure I am following, Neville: two-factor authentication is not necessarily synonymous with PIV-I--is that correct?

NP:  Yes. PIV-I happens to be one implementation of that. There are a number of other ways you can achieve that.

SJW: What I have been hearing is that the cost of complying with the PIV I methodology, the cost of the credential itself, the cost of the background checks that are called for, are expensive for enterprises. I was wondering if there are ways for enterprises to benefit from some of that methodology but have it be affordable for them as well.

NP: The situation there is really what is the cost of insecurity? If you choose to implement user name and passwords for your employees, you have the risk of having breaches, problems, compromises, denial of service attacks, all sorts of vulnerabilities.

If you use two-factor authentication, then you at least have the knowledge of who is accessing, who has the right to access, the device has to be present, the individual has to be present. You can now protect and have secure operations of your internal systems.

You don't have to do that to PIV I [levels]. This can be done to the level of assurance of the employee's credential that the employer wants to go through. They can choose to do their own checking. They may go as far as background checking; some may not. They may ask for your driver's license, they may ask for your passport, they may ask for a W-2 from a previous employer, they may have their own policy about what constitutes understanding and confirming your identity, and that will be enough for them to then issue a smart card with a fingerprint on it and a password.

PIV does require a much heavier vetting and proofing process that's been done specifically by the US government to determine a consistent level every government employee must go through to qualify for one of those badges. Organizations working with the government that want to participate in that very highly trusted credentialing system will need to go through similar processes for their employees to issue them a PIV-I badge.

The reason for doing that is you have got to be consistent. You can't have the government set done to one level of vetting, and the contractor or companies associated with the agency not done to the same level because then you have got an inconsistency of trust between the two areas.

So if you are participating in PIV or PIV I, that is the requirement. If you're not participating in that, it's up to the policy of the issuing organization to determine how much they want to use to prove you are who you are and establish that credential.

To come back to the cost: yes, it is a considerably thorough program on PIV-I, and it does have associated costs and time for you to get vetted. The whole idea is that once you're in, you're in for your five years or whatever the re-vetting process [timeframe]. So they want to make a lot of good entry barriers and entry checking and testing before they let you into that community. That costs a lot. Well, that's because it's very secure and very necessary for them to get to that level. Commercial organizations may not go anywhere near that level.

SJW: If commercial organizations are not going to go to the levels of identity proofing FIPS-201 calls for and also don't need all of the functionality that would be on a PIV I card, can they still take advantage of other parts of the standard such as vendor competition? Or if they don't need all the functionality, are they starting to get too far away from standards so they are back in the proprietary lock-in solutions? What's the balance there?

NP: Some of these components don't really care at all about its being PIV. Door readers, desktop readers, laptop readers--they're a piece of hardware that really has no clue that you're doing PIV. They really are off-the-shelf, ready for the worldwide market.

In other areas, it's entirely specific: it has to be done this way, it has to work this way, and if it doesn't work this way, it's not compliant. So there are some items which are fairly loose, some which are very rigid.

If you choose to take on a credential that doesn't support all of the PIV-I capabilities, it isn't part of the club. It's now external; it's likely to be used by the end users of that closed community in that one company.

SJW:  So if you want to take advantage of the vendor competition and the standard, then the form factor you pick has to be more PIV-based than not.

NP: If you want to participate in the PIV credentialing pool, yes.

SJW: Let's say that's not as big a concern to you but the standards are appealing...Why would you migrate more to the solution based on PIV versus some other approach to implementing a smartcard?

NP: That's a good question. Indeed, PIV part one is all about the [identity] vetting and proofing, PIV part two is all about the credential and how to issue it. If you want to take advantage of all the PIV-related products that exist in the world, there is no reason why you can't issue according to part two of PIV, the cards, the readers, the infrastructure, but have a very different policy for your vetting and proofing.

That will allow you to take advantage of the equipment...but ultimately you would not be implementing it such that it would be compatible with any PIV-I system. You would be choosing to issue it off the standards for your own needs.

We are seeing that interest around the world from corporations and other governments around the world. They are looking at this spec, saying yes, this could work for us, we might need to change this, this, and this. They use it as the basis for procurement.

SJW: Are those pockets of interest showing up in particular places, types of vertical industries, or is it across the board? What seems to be driving them to look at that?

NP: I think the lack of standards has driven people to look at this. They finally understand there is a pool of companies and equipment that can supply to this.

Corporate organizations looking to credential their employees have a number of choices about which way to go. Even our company, Gemalto, we supply two different solutions they can choose. We probably have more than that if I sat down and worked it out. We have a PIV-related solution set, and we also have something called the .Net solution, which is very Microsoft-centric, where it's integrated entirely within the Microsoft environment using cards that are running .Net inside the card.

So we offer different solutions for different organizations....We are seeing this year an interest in FIPS-201-based products outside of the U.S.

SJW: Are these national ID cards, drivers' licenses or for government agencies authenticating their employees?

NP: It's government and commercial organizations, so basically either government employees or commercial employees. It's not in the form of national IDs.


SJW:  What else should I be asking that I'm not?

NP: There's a whole area of activity going on that I think is going to change some of the perspective here, which is the need for proving who you are on the Internet as a citizen. How do you present your credential on the Internet with any level of trust?

At the moment, we have a very limited view of how to do that so organizations can't be sure who they are dealing with online. There's an initiative within the US government called the National Strategy for Secure Online Transactions. That is a document that's being constructed. I can't go into the details but essentially it is setting up a credentialing framework on how you can provide citizens credentials that can prove who they are when they want to transact online. That could be an iPhone app, it could be a smart card, it could be a USB token--as rich as you can imagine, it could be lots of different things.

We need to have a way of credentialing people on the Internet. We're very good at creating cards for people with pictures on them they can show to get in the building or to get into an office but we're not good at being able to protect your identity in the online world.

SJW: I was going to ask if there would be room for some kind of credentialing body--it was suggested to me it would need to be government regulated--a credentialing body that private citizens could go to and in essence purchase a strong credential that might ease their life in this day and age, to help them get through airports and other forms of transport more quickly, that work on the Internet, that sort of thing.

NP: Exactly right. I think that's where we're heading. At the moment, there's lots of reticence in the U.S. for the U.S. government to issue any credential in that form for citizens...where if there's a commercial environment where a citizen can opt in and buy a credential for a certain level of trust--and obviously have to do more than just provide a credit card number as proof to get the highest level--that could then be used to exactly those purposes. That is coming.

That is what's needed: the ability as citizens to take control of our identity and be able to present our identity as we choose through smart phones, through Internet browsers, at a kiosk. Wherever they happen to be, they need to take control of their identities or maybe in some respects their identities. Some people like to be anonymous or pseudo-anonymous in some instances, and they may want to be fully identifiable in others. So let's allow people to have more than one persona: you have a real identity and then you can have personas so you can do things where you don't really want to be known for who you are.

SJW: Is this the sort of work that builds on things like UProve that Microsoft is doing, OASIS, OpenID and so on?

NP: There are all sorts of different organizations in that pot of possible solutions--once we can all agree what would be a workable framework so it could interoperate. We need to make sure we can all interoperate with each other, so you don't buy an OASIS credential, and it only works with OASIS credential receivers. If you've got that, it should be acceptable to one of these other systems. Allow them to compete but make sure that they do interoperate.

SJW: Is there something you came prepared to talk about that we haven't?

NP: The other area is to do with two-factor authentication and what could that be. It could be a smart card, it could be a USB device. Then the second factor could be a PIN code or it could be a biometric. You could have people using their fingerprints or their irises or whatever to prove they are standing or sitting there as well as having their other factor there. There are lots of variations there.

SJW: Are you fairly certain we will be sticking with some kind of physical form factor for the foreseeable future versus just using a biometric as a replacement?

NP: I think we'll really need to make a lot more certain that an individual is present and that they are who they say they are. We're going to need some identifier or some identification technology. An identifier would be a fingerprint and identification technology would be a smart card or USB stick, some hardware. There may be iPhone apps where you can store a credential and transmit an electronic certificate, for example. But in order for the iPhone to have that, you have to enroll with that number, that number has an association with you through the phone company. There are other points of triangulation to show that it is resident on the right piece of hardware, it came from the right phone number, it is authenticable.

So I think there will be the ability to have soft certificates. But when you really need to know who you're dealing with, you're going to do it with hardware.

# # #
