Smart Uses for Smart Cards

Tim McKnight and Russell Koste of Northrop Grumman take an award-winning approach to high assurance credentialing


Trusting and using the card for critical transactions requires establishing and maintaining high levels of identity assurance in card issuance. This is the basis of the requirement for a strong cardholder registration program, including the people and process parts such as background checks, separation of roles (applicant, sponsor or approver, and issuer) and in-person identity verification, which together amount to much more than just the technology aspect.

The identity information that is used to link an individual to a card can no longer be scattered in multiple independent systems across the organization. This is the reason a single strong and well-managed identity management system and authoritative identity data source are required.

To prevent counterfeiting of the card, and to enable the card to perform data security functions such as encryption and electronic data verification, the systems that put data onto the card and read data from it must employ highly secure methods of data exchange. The use of the card is not static. In many organizations, several hundred to thousands of applications will use the smart card. The information that goes onto the card must be designed and managed, both for security reasons and to ensure that all the proper functionality is available.

What's more, the cards can be used as both a physical and electronic credential. Thus, it is no longer just an access card, but a credential. This multi-purpose capability further emphasizes the requirement for a strong identity and credential management system, including the people and process, not just the technology.

Examining the entire picture of how smart cards must be deployed and maintained to be of full value, it is obvious there are many roles and responsibilities involved in the issuance and use of the card that simply do not exist (and for the most part were not needed) for yesterday's access control cards.

ICAM: Beyond Access Control

The existence of these requirements is why a new term has come into use: Identity, Credential and Access Management (ICAM). In the IT world, before smart card technology had reached its current level of deployment, the focus was on Identity and Access Management (IAM). After a while, it became apparent that the Credential part of the picture warranted just as much attention. Thus, the ICAM term came into being and became more widely known through a 220-page publication titled Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance.

This document can be downloaded on the Web; page 8 contains an ICAM conceptual diagram that clearly illustrates the key concepts, roles and responsibilities, as well as the technology and process infrastructure that are all part of a sound smart ICAM program.

A sound ICAM infrastructure (people, process and technology) provides the long-term organizational capability to improve physical and logical asset protection in risk-tailored, asset-focused ways.

Success with High Assurance Credentials

In Nov. 2010, Northrop Grumman Corp. was presented with the Information Security Executive (ISE)™ North America Project of the Year Award for the Northrop Grumman OneBadge program. Sponsored by Tech Exec Networks (TEN), the award recognizes achievements in risk management, data asset protection, compliance, privacy and network security in the United States and Canada.

Northrop Grumman leveraged its experience helping government agencies with FIPS-201 smart card deployments. FIPS-201 (Federal Information Processing Standards Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors. Smart cards issued under the FIPS-201 standards are often referred to as "PIV cards."

TEN cited Northrop Grumman's project for "successfully demonstrating a commercial enterprise's ability to turn the merits of a federal directive into a successful internal deployment." That is one of the main assertions of this article: that any organization can and should apply the federal standards and guidance to have a highly successful and business-beneficial smart credential program.

In previous years, many corporate smart card programs were designed as three-year programs, but ultimately stretched out into five years (or had their scopes cut back) because of learning curve factors, lack of guidance, and being ill-prepared to deal with the identity, credential and access management policy and process changes that accompany the technology deployment.