Part 2: HID Global on PIV and PIV Competition



FIPS-201 PIV and Competing Standards
 
Given the utility of smart cards, and the presence of a U.S. government-backed standard detailing the Personal Identity Verification credential, we've been exploring how/whether nonfederal entities could utilize PIV.

In Part One of this interview, Security Squared spoke with Kevin Graebel (pictured), product line manager, HID Credentials, for HID Global. We discussed how FIPS-201 mirrors best credentialing practices and began talking about how native PIV support in Windows 7, the latest PC operating system from Microsoft, might influence adoption of PIV-compatible credentials in nonfederal settings. That's where we pick up in Part 2, which looks more closely at the role of card "edges" in credential selection as well as factors that could help PIV-I and PIV-C gain wider use.

*************

Kevin Graebel, HID Global: Right now a lot of the federal government agencies that are using a PIV credential are not using it for applications outside of the federal government. They would typically carry one card for their PIV uses, but they might carry a second card for access control into their building or other applications that their organization might be using.

But if nonfederal organizations decide to adopt the PIV standard for their card edge communications, they might do so because of the native support in Windows 7. If third-party application developers start to see greater adoption of the PIV standard outside of the federal government, they might choose to adopt that in their applications as well. So they can follow the wave, they can take advantage of some of the success the government is having in pushing out this card standard that can be easily adopted by anyone who wants to use it.

Sharon J. Watson, Security Squared: So if I'm an enterprise and I have not yet adopted smart card technology but I have begun loading Windows 7 on my corporate network, I don't need to go purchase one of the other card edge standards, I can just use this native support for PIV. Why wouldn't I adopt that?

KG: Right out of the gate, an organization that chooses to do that will have a very simple time using their PIV card to log into Windows, for example, because Windows 7 supports it right out of the box. The question the organization will have to answer is do their other applications support it as well?

Right now, systems that are based on PKCS#11 have a much wider range of applications that are supported by card middleware [from developers like] ActivIdentity.

For example, people are using it to encrypt e-mail, they're using it to securely store data on their computer networks. This interface has been around for five or 10 years so it's something many people have developed applications for.  PIV is much more in its infancy as a card standard.

So if there's not an immediate need for one of those other applications, the enterprise might choose to make that decision [implement PIV], that's correct.

SJW: Given that there is this wide base of applications that can take advantage of the PKCS#11 middleware, what would be the advantages for an enterprise to follow the PIV standard more closely vs. creating their own smart card implementation or methodology?

KG: It's really more of a question of whether they want to adopt someone else's PKCS#11 middleware. A lot of the card edges out there are proprietary, so you end up paying a license for loading that type of middleware onto your computer to work with all these different applications out there.

You might see it as a necessary evil. You want to purchase this PKCS#11 middleware because it has this wide network of applications that are supported by it. Because that middleware is a for-profit entity, they are incentivized to continue to widen their support of applications that are out there and give organizations a high level of technical support to make sure everything is working well with their systems.

PIV, on the other hand, is a standard that's been proposed by the U.S. government. It's more of an open standard in that it is not licensed-based. You need to find someone who's willing to create that card for you, but once you do, you own the license to it. You don't pay an annual fee for the middleware because it's already included in Windows 7.

Some people see PIV as the next-generation interface because the U.S. government is defining it. They think it's going to continue to gain steam, and people will start to develop applications for it just because it's open and anyone can do so. If you see that happening and it meets your current needs today, organizations might choose to [implement PIV].

SJW: What do you think, Kevin? Do you think PIV has that kind of future ahead of it?

KG: It's hard to say at this point. There's a new standard coming out from Microsoft with Windows 7, and they are continuing to push their native smart card mini-driver that enables users to basically do plug-and-play. They are pushing it heavily with their Microsoft Forefront Identity Manager software.

So there are these multiple giants in the industry:  the U.S. government is defining the PIV standard, Microsoft has its own, and there are all these third-party applications from PKCS#11 developers. They have their own interests at heart to maintain their business model because if PIV takes over or even the Microsoft one takes over, that takes away from their business.

It will continue to be a battle. The winners will be the people who are able to work with more than one standard. The HID Crescendo product is available both with the Microsoft mini-driver right now for Base CSP; our C700 product is based on the PKCS#11 platform. We are playing both sides of it to see where it's going to go, and we are evaluating potentially developing a PIV-compliant card in the future if that's what our customers are looking for in a combined physical and logical access control solution. It's a little early to say for sure.

There has been a lot of discussion recently about using the PIV credential for physical access control at a higher level of security than it is operating at today. If those movements are successful, there may be more of a drive to adopt that as a standard for both physical and logical access. That might give PIV more of the legs it needs to take more hold in the market. Yet because of the fact there's more money behind the Microsoft solution and the PKCS#11-based solution, those will continue to operate for many years as alternatives.

SJW: If I'm a company doing a lot of business with the federal government, or some of my employees are, or a division is, it's sounding to me like I'm going to wind up with an employee base carrying more than one credential: a PIV-I, and a different credential for internal use.

KG: Yes, a company that wants to interact with the federal government would need a PIV-I credential because it would need to have been issued by a trusted source so its employees could have a trusted credential. But because of all the complexities associated with issuing a FIPS-201-compliant card and the costs associated with maintaining them, and also because of the very strict security features associated with the card, enterprises have been very slow [to adopt them]. I don't see it becoming very likely they would try to use that credential for anything other than the federal government-related purposes.

In all the communications we've had with either federal contractors or internal government people, they have their one card they use for logging into the federal government system but they maintain a secondary card they might use for access control into external buildings, or transportation or vending.

I think people see the PIV card as sacred, and they don't want to do things to mess around with it, or even worse, roll it out to the entire organization because the cost would be much higher than they are willing to adopt. They are just choosing to offer their current credential to employees and just have them carry more than one card.

SJW: What about organizations that do a great deal of their business at ports, such as an airline or delivery service, so they have a lot of people carrying TWIC cards and whatever the airports eventually come up...Would those cards be more likely to become corporate credentials versus just a specialized credential?

KG: TWIC is essentially an older version of the FIPS-201 standard; FIPS-201 grew out of what was TWIC probably four or five years ago. My timing could be a little off. A lot of the standards outlined in TWIC are similar or the same as those outlined in FIPS-201. The guidelines and directions on using the TWIC cards are very similar to the ones outlined in FIPS-201 so organizations that are using a TWIC for sensitive ports are continuing to use that just for those individual purposes and will continue to offer a different type of card for their other purposes.

There are some exceptions to that with both the FIPS-201 and TWIC card. HID has worked with a few partners to combine one of our contact-less technologies with both of those card types. The card itself might have a TWIC component for contact chip and even a contact-less antenna, but their physical access control system might have been based on HID prox technology. So we worked with card manufacturers to embed HID proximity technology into a TWIC or FIPS card today to enable those cardholders to have a single credential that works with their legacy access control environment as well as federal government related environments.

But as far as actually using the same TWIC or FIPS-201 technology in the card, I think very few organizations are using that for much outside of government-related purposes.


SJW: I'm just struck by how much capability the cards have. It seems a shame that an enterprise can't make greater use of it.

KG: It might go that way in the future. Right now, organizations aren't doing it. As the PIV standard gains more traction in how it's used for logical access control, there are bound to be organizations that want to take advantage of the federal government market for all those different people who have PIV cards. I could see other companies offering additional applications that could be added to PIV cards in the future.

There will always be a little bit of concern about allowing anyone access to that PIV card. For a card to be sold as FIPS-201 compliant, the applications loaded on the card, in addition to the card module itself, need to go through a very strict testing process to ensure there are no security issues related to it. If you were to add anything else to the card, it would need to go through the qualification process again. If you wanted to add the vending application, you would need to make sure that vending application did not break or create any gaps in security for the access control application originally written on the card itself.

So people are looking for loopholes. Potentially you could use the card number that's stored on it and compare that to a backend database, but even that opens up security risk. Now that third party vendor using the card has a database of people holding a PIV credential, so it becomes something of a worry.

SJW: That brings us around to my blue-sky query: let's say that the PIV I or PIV C credentials become more widespread, more and more citizens are carrying them. What kind of infrastructure would need to be in place for other kinds of businesses to take advantage of those credentials?

KG: That's an interesting question. For an entity to trust the information that's stored on the card, they would need to be authorized to connect to the Federal Certificate Authority to authenticate the person's identity. It may happen for some highly secured and related businesses, but for things like loyalty programs or other types of online businesses, I don't think it's very likely at this point.

Because the more people that have access to the information stored on that card, the greater risk of breach would be associated with it. It's like sending out your Social Security number: you don't want every online business to have access to that number, you want to keep it protected and only share it with people that truly need it. That's going to be the case with an actual PIV I card as well. People see it as something that's very security oriented and keep it specifically for that purpose and make sure that information does not get out of their possession.

In the future, there's potential someone will be able to issue a credential that has the capability of holding additional applications on it. But for now, it's more likely people will continue to use secondary cards for other types of businesses.

SJW: Kevin, what should I be asking that I'm not asking, or what had you come prepared to talk about that we haven't?

KG: The interesting thing about PIV is whether it's going to take hold as an international standard. Since the U.S. government defined the PIV standard, I've seen a few different organizations outside of the U.S. that have looked at it and have thought that the U.S. government carries some weight so potentially this standard is here to stay.

But there are competing standards in Europe for passports, for example, that would potentially make more sense as international standards for data storage, for card management and so forth. One of the things to watch in the near future is to see what other government entities end up doing with their identification cards.

The problem is all of these card edges are very heavily influenced by individual smart card developers in the marketplace. Even with the PIV standards, there were certain organizations that were more influential in defining how that would work than others. It would be interesting to see in the future how much traction the PIV standard has globally and if the world does continue to adopt it because the U.S. has done it first or if there will be more competing standards.

*******

Be sure to see Part One of this interview, in which Graebel discusses parallels between FIPS-201 PIV and what should be common best practices for enterprise credentialing.
