Building the PIV team
HSPD-12 touches more than just IT
By William Jackson
Jul 27, 2006
By October, agencies are supposed to begin issuing Personal Identity Verification smart ID cards. Adoption of an interoperable ID across government under Homeland Security Presidential Directive 12 should help strengthen authentication for physical and logical access to federal facilities and resources.
But authentication is only one part of the broader, more complex goal of access control.
'Any strong authentication measure we can put in place is one piece of the puzzle,' said Deepak Kanwar, director of product management for SafeNet Inc. of Belcamp, Md., which helps enterprises manage digital identities.
Other pieces of the puzzle include identity and account management, access policy and enforcement, and legal, regulatory and audit requirements.
'This is whole lifecycle management,' Kanwar said. 'Unless you have a process in place, you're not going to have security.'
Because of the need to integrate authentication technologies with policies, access-control projects often come with a high cost and high level of complexity.
Stakeholders in the project, in addition to the IT and network security offices, can include:
- Human resources, which usually is the owner of the data upon which the system depends. Timely, accurate and reliable HR feeds are necessary to provision and deactivate accounts.
- The help desk, which must field calls when a user forgets a password, loses a token or does not get the expected access.
- Physical security. Traditionally, there has been little interaction between the guys with the badges and guns and the guys in IT. But with a single card to manage both, they become pieces in the same puzzle.
- The legal department, which will want to pass judgment on access policies.
- Auditors, both internal and external, who will pass judgment on execution of those policies.
- The owners of the applications, who usually decide who gets access.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.