No Certainty Yet for Identity Assurance
The need for assuring identity is clear, but the path to achieving it is not.
Bob Lentz, deputy assistant secretary of defense for information and identity assurance, emphasizes its importance to all information technology activities while speaking at AFCEA’s Solutions Series conference on identity assurance.
As the armed forces move into the brave new world of information sharing, one of their biggest challenges will be identity assurance—proving that the parties to a virtual transaction are who they say they are, or simply that the person trying to enter a secure facility does in fact have a right to be there. Many current technologies already handle this task, including public key technology and biometrics, but many problems exist as well, such as duplication of effort within the federal government, lack of funding and even understanding what identity is.
Another aspiration is for “federation,” or the achievement of a “single identity” for Defense Department, federal and commercial transactions. While the idea of federation is held up as a Holy Grail by some, it is criticized by others. Given the challenges faced in basic areas such as vetting job applicants and establishing trust and interoperability between agencies, this goal may be a long way off. Nonetheless, a prerequisite for “federated identity assurance” is “finer-grained, role-based access to networks,” according to Bob Lentz, deputy assistant secretary of defense for information and identity assurance. “Identity assurance is the bedrock to everything we’re doing,” Lentz stresses. He hopes to have an identity assurance road map to the White House level in the near future. Ultimately, he foresees a transition to risk-based access control.
Richard Hale, chief information assurance executive for the Defense Information Systems Agency, recounts how many identity assurance measures offer both risk and opportunity.
As far as risk goes, even children’s worlds are not immune. Hale cited an example of theft at Habbo, an online hangout for children. In this supposedly benign environment, one child stole another’s virtual furniture and moved it from one “room” to another, Hale said.
Keith Ward, the director of enterprise security and identity management at Northrop Grumman, echoed Hale’s sentiments, warning of the “advanced persistent threat.” This is not the traditional hacker but instead comprises sophisticated intruders with commercial or intelligence agendas, according to the company. The threat of intellectual property theft from cyberattack was a driver in that company’s effort to come up with a common approach to physical and logical access control. According to Ward, intellectual property represents 65 percent of the value of the
His company’s enabling technology is a smart card solution. He explained that its “One Badge” project was a difficult undertaking, not only because of the expense but also because of the diversity of access control systems within the company, which has grown to its present size by acquiring some 150 companies. The new badge will be compliant with federal identification (ID) standards and interoperable with federal badging systems; will include an employee’s name, photo and unique badge number; and will use multifactor authentication, including cross-certification to an internal public key infrastructure (PKI) and biometrics. Ironically, one of the most difficult questions proved to be the look of the card. It took more than 12 months to achieve consensus on a badge layout, Ward said.
Identity is more than a name, which Hale demonstrated by showing a slide with photos of many Richard Hales. He described identification as the use of attributes to understand who a person is or to refer to a person. But the problems and pitfalls of identifying a person have been around for hundreds of years, he said. The idea of lessening risk via devices such as wax seals, couriers and letters of credit existed long before certificate authorities and PKI. Indeed, the Internet and automation have increased risk, as so many parties now are involved in online transactions.
The use of biometric data such as fingerprints for identity assurance and access control in the
But it is not enough for agencies to identify their own employees. Tom Lockwood, a senior adviser for credentialing interoperability for the Department of Homeland Security (DHS), recounted how doctors from the Johns Hopkins University operated boats in the aftermath of Hurricane Katrina because they could not be authenticated for a couple of days. The moral of that story is the need for some level of cross-certification of nonfederal entities, he said.
Some successes in identity assurance have occurred, speakers noted. For example, where the Defense Department uses Common Access Cards (CACs) for computer access, attacks on user names and passwords have gone way down. But now it is important to encourage other agencies and contractors to use the devices, too, said Neville Pattinson, director of government affairs for Gemalto, a security company.
Greg Torres, director of security in the Office of the Undersecretary of Defense for Intelligence, offers that the department expects to begin implementing a baseline standard for facility access early next year.
While that step will help to plug one hole, other challenges exist at the basic level of vetting potential employees, Torres said. It is important, for example, to establish very early in an investigation that a person is who he or she claims to be. Torres asked why investigators coming to a neighborhood to ask about John Doe do not show residents a picture of him and ask them if that is John Doe.
Last year the
But even within the Defense Department, policies and operational issues can make it difficult to use the CACs effectively. A questioner pointed out that at
Another issue is the lingering of obsolete access control technology such as magnetic stripe cards, which still are the only way to enter the Pentagon, one attendee complained. Pattinson replied that magnetic stripe cards are used because the current infrastructure was set up to support them, even though it is possible now to copy the security technology in seconds, erase it or change it. Magnetic stripe technology “can be totally defeated and is completely insecure,” he asserted. The bottom line is that the will and budget must be there to change the infrastructure.
While CAC may be a big improvement on its predecessors, not everyone sings its praises. “[CAC] is broken in so many ways, it’s laughable,” said Dr. Stephen Kent, chief scientist for information security with BBN Technologies. In particular, he said, the e-mail ID is the one over which there are “the most lax and least stringent controls.”
Experts predict that future network infrastructures will involve huge databases with an increased demand for access and a need for stronger security. Among the questions that arise is the fiduciary responsibility of a computer to its owner if the machine is interacting with various elements of a network infrastructure. This question was posed by Tim Jurgensen, the owner and manager of the Identity Alliance, a security solutions firm. Furthermore, he asked, how will documents be signed, what will the signature mean and what weight will it carry across different domains? We need a definition of what identity is that addresses identity from a legal standpoint, he said.
In future infrastructures, would it even be a good thing to ensure that people have a single electronic identity that is capable of traveling across multiple domains? If so, who would create the IDs? Would they be maintained in a single repository? Although a single, global identity might be convenient, it is “just not palatable to people,” asserted Sam Hartmann, chief technologist at the MIT Kerberos Consortium. One big issue is correlation, the ability to collect different items of information that someone has provided in order to access networks, and thereby to know more about that person than he may want to reveal and even to anticipate that person’s plans. If databases become large enough in the future, Hartmann predicted, a need will develop to look at multiple identities.
Even now, the best way to control the possibility of correlation and invasion of one’s personal privacy is to have multiple identifiers, agreed BBN’s Kent. He expressed skepticism about the ability of people to manage complex network access decisions in some future environment, given that almost no one in the United States now can program a videocassette recorder. The profit motive driving vendors is likewise incompatible with assurance, he said. “What worries me about some of the more grandiose identity management things I’ve seen proposed frequently,” Kent said, “is that somebody is looking to become the identity king because they feel a lot of money can be made … their motivations are not beneficial to me.”
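An added illustration of the multiple-identifier approach Kent and Hartmann describe, not code from the article or any speaker: an identity provider derives a separate pseudonymous identifier for each relying party with a keyed hash, so two parties holding records about the same person cannot join them. The relying-party names, the provider secret and the sample records are constructed values.

```python
"""Pairwise pseudonymous identifiers as a defence against correlation.

Added example (not from the article): one internal account at the identity
provider, but each relying party (RP) receives its own identifier, so two RPs
cannot link their records on it. All names and data below are constructed.
"""
import hmac
import hashlib

# Constructed secret; a real provider would keep this in an HSM or KMS.
IDP_SECRET = b"constructed-idp-secret-not-for-real-use"


def pairwise_id(internal_id: str, relying_party: str, secret: bytes = IDP_SECRET) -> str:
    """Derive a stable, RP-specific identifier: HMAC-SHA256(secret, id || RP).

    The same (user, RP) pair always yields the same value, so an RP recognises
    a returning user, but without the secret nobody can map one RP's value to
    another RP's value for the same person.
    """
    msg = internal_id.encode() + b"\x00" + relying_party.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def correlate(records_a: dict, records_b: dict) -> dict:
    """Join two RPs' record sets on a shared identifier (the correlation Kent warns about)."""
    return {k: (records_a[k], records_b[k]) for k in records_a.keys() & records_b.keys()}


def demo() -> tuple:
    """Return (linked records with one global ID, linked records with pairwise IDs)."""
    user = "acct-0001"
    # A single global identifier reused everywhere: the join succeeds.
    global_a = {user: "pharmacy: refill for condition X"}
    global_b = {user: "employer: timesheet"}
    linked_global = correlate(global_a, global_b)
    # Pairwise identifiers: each RP sees a different value, so the join is empty.
    pairwise_a = {pairwise_id(user, "pharmacy.example"): "refill for condition X"}
    pairwise_b = {pairwise_id(user, "employer.example"): "timesheet"}
    linked_pairwise = correlate(pairwise_a, pairwise_b)
    return len(linked_global), len(linked_pairwise)
```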
Hartmann likewise conjured up a future with large databases and a lot of shared access. “It’s not clear to me that people are going to be very good at making [access control] decisions,” he said. Is it practical, for example, “for me to be prompted every time someone wants to access my medical record?” The decisions that people will have to make about authorization will become more and more complicated, he predicted, adding that it is a problem we even now do not know how to solve. He stressed the importance of education, especially the need to teach about risk evaluation.
Biometric identification relies on signatures that cannot be changed—fingerprints, irises and the like. It involves taking a behavioral or physical characteristic of a person and processing it via automated methods to determine identity in real time, explained Walter Hamilton, chairman and president of the International Biometric Industry Association.
But current optical fingerprint reader technology leaves much to be desired, according to Ross Micheals, a supervisory computer scientist at the National Institute of Standards and Technology. With new technologies, first impressions are key, he said, pointing out that optical fingerprint devices are sticky and warm to the touch, which leaves some people with “hygiene concerns.” Three-dimensional, contactless fingerprint scanners would be superior, but they are still in the research and development stage.
Although advocates of biometrics assert that the technology will be able to close the door on identity theft, the
Biometric technology, he conceded, needs beefing up. For example, sensors need to be capable of “producing good data input” under “adverse environmental circumstances.” Sensors also need to reduce the risk of misidentifications and spoofing. Furthermore, biometric data must be implemented in a system that is cryptographically supported, making it very difficult to steal and abuse.
Meanwhile, the armed forces, police departments and the Federal Bureau of Investigation seem to be leading the way. The