Guest Column: Who’s knocking? Civilian agencies can benefit from defense experience in identity management
By Jeff Nigriny

It’s not simple, though. Most of the buzz around FIPS-201 has involved Public Key Infrastructure (PKI). However, multiplying two prime numbers together cannot replace the business relationships that agencies and their partners have developed for hundreds of years.
And it’s hard to find the resources during the annual budget battles. Serving the U.S. taxpayer, whose priorities are not necessarily directly affected by concepts such as identity management, secure collaboration and encryption technology, makes it even more difficult to implement.
There’s good news though. Implementing strategies and technologies for identity assurance and information sharing can dramatically improve your organization’s security. After years of wrestling with this transition, defense agencies have gained experience that can provide a roadmap for civilian agencies to follow.
Smart cards and PKI are the technologies that make identity portable and usable in real time. They are a necessity, but not the aim of an identity standard. Here are some other areas to consider when rolling out an identity management system:
Creating a credentialing program is tough.
Based on their needs, civilian agencies should explore the services offered by the approved shared service providers (SSPs), such as VeriSign SSP, Department of Treasury SSP and Verizon Business SSP, or outsource the entire credentialing effort to the General Services Administration (GSA). This would allow the agency to focus solely on ensuring that its systems can actually use the new identities. The GSA, for example, has already negotiated pricing and completed all the interoperability testing to arrive at an approved products list. An agency that attempts to do this alone would add extra cost and exponential risk for no incremental benefit.
Getting employees credentialed is only the beginning. The first question from the user will be, "What can I do with this card?"
With the time and effort saved by outsourcing credentialing, resources could be directed towards upgrades to the badge readers installed at every entrance throughout the agency. Similar changes will need to be made in the agency’s computer systems to accept these credentials. This usage piece is very thorny. Do not wait to address it until the end of the initiative.
Most agencies do a large portion of their data sharing with external entities. These entities fall into four categories: other agencies, foreign governments, industry and citizenry.
At the outset, take the time to determine which external partnerships require access. The U.S. Federal Bridge resolved this problem 10 years ago, enabling trust between federal agencies, some states and a few industries with PKI Bridges. One example, the aerospace and defense community’s CertiPath PKI Bridge, was the first industry-based bridge trusted by the Federal Bridge that provided credential interoperability between federal agencies and the aerospace and defense industrial base. Once you understand who is a member of the community, you can determine what valid trust mechanisms are in place. The Federal Bridge team is a great resource at your disposal.
From a government-wide perspective, this evolution is still in the nascent stages and many challenges remain to be overcome. Be careful to understand how identities will be used in each scenario. Consider sharing efforts whenever possible. There are few problems that are as common to everyone as identity management. Thus, economies of scale will flourish in such an environment.
Jeff Nigriny is president and chief operating officer of CertiPath. He can be reached at: .
