04 January, 2011
By Steve Howard, vice president of credentials, CertiPath
It took the U.S. Federal Government more than six years to get behind FIPS 201 and figure out how to make it real – but it’s finally here. The market is seeing millions of PIV cards and there’s a whole lot to get excited about.
The overarching theme behind much of what happens in identity technology and management in 2011 comes down to easier access to credentials that leverage PIV technology. This increased flexibility will, in fact, significantly increase the value and use of high-assurance identity in controlling access to cyber and physical assets.
PIV-I will roll out beyond intergovernmental agency environments. PIV-I will serve critical federal applications, such as contractors that support the U.S. Dept. of Defense and First Responders supporting the Federal Emergency Management Agency.
In 2011, traction and demonstrated value will prove that PIV-I can go well beyond these limited applications, and it certainly will. The National Association of State CIOs (NASCIO) is formulating plans for state-to-state and state-to-citizen applications. PIV-I credentials exponentially increase the trust in links to sensitive assets, such as Health Information Networks.
Why would we allow our health records to be online and not have them protected to the highest levels? PIV-I is the only tool I would trust to protect access to my health records on the Internet.
The call for Physical Access Control Systems [PACS] that leverage high-assurance credentials, coming out of the Federal Identity, Credential and Access Management committee [FICAM], will go mainstream in 2011.
In 2010, the U.S. General Services Administration and CertiPath successfully demonstrated a trusted PACS environment, where government personnel and contractors authenticated their identities as visitors to other agencies’ facilities using secure, Public Key Infrastructure (PKI)-enabled Federal PIV cards. Trusted PACS treats the front door with the same high-assurance level as a Cyber Security strategy. Why rely on prox technology, which can be copied and cloned, to protect facilities when cyber security assets use the full capabilities of PIV and PKI?
PIV-Compatible or PIV-C – the final frontier in applying PIV technology to identity management – will be defined. Currently, PIV-C is like the wild west – lots of opportunity without a lot of regulation.
The market will define uses for PIV technology beyond the current vision of PIV and PIV-I smart card credentials, specifically defining multiple variants of PIV-C, making PIV technology one of the most highly adopted technology standards for both logical and physical access applications.
When we’re talking about different communities and applications driven by common technology, the rules may need to change: Consider non-US markets for PIV technology where privacy reasons limit the use of biometrics. Consider a fully defined use of PIV technology with a medium-hardware credential that is based on a high-assurance, in-person identity-proofing event, but without the biometric processes. Consider the use of the PIV-I application, but on a mobile device such as an iPhone or BlackBerry, not on a smart card.
The bottom line is that while it’s taken a while, it’s definitely been worth the wait. As we continue to be buffeted by news – and the fallout – of access breaches, both physical and logical, by organizations and individuals, the need to truly know who’s asking for access, who’s trying to get access and who has recently accessed information or space is more imperative than ever. In this environment – and to meet this need – the applications for PIV and PIV-I technology are limitless, and that’s got me really looking forward to what’s next.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the ID technology market to serve as Expert Panelists. Each individual is asked to share their unique insight into what lies ahead. During the month of December, these panelists’ predictions are published daily at the appropriate title within the AVISIAN suite of ID technology publications: SecureIDNews, ContactlessNews, CR80News, NFCNews, DigitalIDNews, ThirdFactor, RFIDNews, EnterpriseIDNews, FinancialIDNews, GovernmentIDNews, HealthIDNews, FIPS201.com, IDNoticias es.