
Passwords: Not quite a thing of the past just yet

By Justin Dew posted Jan 06, 2012 11:21 AM

I have spent a great deal of time over the last seven months learning more about how the public sector is addressing identity assurance and strong authentication as part of an overall identity and access management platform.  While I have heard a lot of the same concerns, hopes, and questions whether speaking to folks in IT or physical security, state government or federal, the approaches taken from agency to agency and department to department are vastly different.

Let’s start with a quote from an IT Branch Chief at a federal agency that shall go unnamed…

“Although we are moving towards full use of smart cards to replace usernames and passwords for logical access control, usernames and passwords are still being used by about 90% of [the agency’s] employees.  We require passwords to all applications and systems be changed every 60 days.”

Conversations with IT representatives from other federal agencies often yielded similar responses.  When it was pointed out to a computer services Section Chief at a different agency that passwords are far more likely to be written down and thus open to theft if they have to be frequently changed, I was told “We thought of that.  All employees are required to either keep their username and password list in their wallet, or in a drawer or cabinet that is not within arm’s reach of the workstation.”

I’m not making this up.  And this is the Federal Government we’re talking about here, where use of Personal Identity Verification (PIV) smart cards for logical and physical access control is now a requirement thanks to HSPD-12 and OMB M-11-11 (links to both documents below, since I'm not smart enough to figure out the hyperlink functionality of this blog program, and I don't want to risk shutting down the entire NASCIO Community website).

In fairness, efforts towards meeting those requirements are well-underway and in some cases completed at just about every federal agency.  So we don’t need to worry about a hacker stealing a password and then stealing valuable information or doing untold damage across the whole of the U.S. Government anymore.  But perhaps across just enough of the federal space to cause a little worry here and there, right?

Speaking of physical access control, one agency (and yes, they will also remain nameless) is currently “complying” with the above mandates in a rather... innovative fashion.  Instead of using the capabilities of their employees’ PIV cards, this agency has actually attached a proximity tag to the back of the PIV cards so that the PIV cards can be presented to existing physical access control proximity card readers and employees can gain access.  In other words, the proximity tags may as well be stuck to the back of the Ace of Spades.  In spite of its superior technical capabilities for PKI authentication, biometrics, etc., the PIV card is being used as nothing more than a vehicle for decades-old technology at this one, nameless agency.  Meanwhile, at other agencies, tens of thousands of PACS transactions occur every day using a smart card, including some agencies where full PKI authentication is required for all PACS transactions.  So again, the tide of progress does not move evenly across the board.

And then there is the issue of who calls the shots.  Is the idea of identity assurance supposed to be handled by IT?  By physical security?  By both in tandem?  Is HR in the mix somehow?  As I am sure you can imagine, there is no correct answer.  Or at least there is no standard answer.

I was hoping to get to the topics of interoperability and mobility in this blog entry, but I’m too long-winded and this particular entry is already longer than I had intended it to be.  Next time.

HSPD-12: http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm#1

OMB M-11-11: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf
