Why government is still waiting for 'PKI-at-the-door'
- By William Jackson
- Feb 29, 2012
SAN FRANCISCO — Millions of smart ID cards have been issued to civilian and military government personnel, but the goal of using a single electronic credential for both physical and logical access remains elusive.
“Government has led industry in many cases in this area,” with the creation of standards for the military’s Common Access Card and its civilian counterpart, the Personal Identity Verification card, said Julian Lovelock, senior director of product marketing at ActivIdentity.
The cards use chips containing public-key infrastructure credentials to authenticate users on computer systems and networks. “But PKI-at-the-door is in its relatively early days” as a technology, he said.
“PKI-at-the-door” refers to the use of electronic credentials to verify a holder’s identity when entering a physical facility, such as a building, base or campus. CAC and PIV cards are becoming common for signing onto government networks and online resources, but at doorways and gates it is more likely that guards will rely on the photo on the face of the card than the electronic credentials on the chip.
Managing both physical and logical access with a single set of electronic credentials makes sense on the face of it, but there are a number of reasons for the delay in adopting PKI-at-the-door, Lovelock said.
“Some of it has been waiting for the technology to catch up,” as the installed infrastructure of access control systems is upgraded, he said. There also is the complex task of getting physical and IT security shops to work together.
ActivIdentity is demonstrating technical solutions, raising awareness and promoting the convergence of physical and logical access at the RSA Conference this week.
The PIV card was mandated for civilian executive branch employees and contractors in Homeland Security Presidential Directive 12, and the Defense Department’s CAC was brought into conformance with technical specifications for the PIV in order to create a single interoperable platform for physical and logical access across government.
The Office of Management and Budget issued a memo in 2011 setting deadlines for full implementation of PIV cards for both physical and logical access. It required all new systems under development to be enabled for PIV cards immediately, and said that as of fiscal 2012, all existing access control systems must be upgraded to use PIV credentials before any other development or upgrades are done.
But identity management for managing access to physical facilities traditionally has been separate from managing access to IT resources. Merging the two under a single interoperable card is not necessarily simple, either technically or organizationally.
IT and physical security have different concerns, Lovelock said. Although cybersecurity concerns tend to be more universal across different types of organizations, physical security concerns at banks are widely different from those at a military base or manufacturing facility, and none are the same as those for schools. There is no common model for where the two different security functions sit in an organization, or for how they would work together.
The technology for convergence is emerging, however. In the last couple of years the development of standardized credentials for CAC and PIV and the government mandate have spurred creation of systems that use the same credentials and a common infrastructure for managing access to physical and logical resources and defining privileges. But with current budget constraints, it is likely to be some time before legacy systems are upgraded to take advantage of this new technology.
William Jackson is a freelance writer and the author of the CyberEye blog.