Heeding the Unified Identity Challenge of HSPD-12

High costs, technical frustrations, cross-domain challenges pepper HPSD-12 roadmap


Homeland Security Presidential Directive 12-more commonly referred to as HSPD-12-is one of those grand, unfunded federal mandates that's a great idea but nearly impossible to pull off to its fullest extent.

The order calls for all federal agencies to adopt a single ID standard for controlling physical and logical access across the entire federal government by 2008. The IDs must be tamper-resistant and difficult to duplicate, meaning that terrorists and hostile operatives can't compromise the government's infrastructure.

Making that happen in a single agency's one facility is exceedingly challenging and expensive. Making it work across the entire federal government is next to impossible. While we've had smart cards, digital certificates and encryption for years, no one has truly unlocked the promise of public key infrastructure that would make such digital credential verification possible.

Even if those cross-domain challenges are conquered, a host of other management challenges remain. Consider the experience of the Department of Defense, which replaced its laminated ID cards with universal smart cards in 2003. The cards carried everything from digital fingerprints to medical records and military service history. The DoD issued 4 million cards and immediately hit its first hurdle-exceedingly high password-reset costs. Soldiers and sailors kept forgetting passwords and losing cards, which necessitated more help-desk calls.

Then there's the infrastructure cost. Linking physical access control systems-door locks, building access and surveillance systems-with IP-based networks and controls requires a lot of funding. While security experts have preached multifactor authentication for years, only recently have notebooks with embedded fingerprint readers come to market in large quantities, and desktops still rely on peripheral biometric readers. Smart card readers on PCs and network terminals are practically nonexistent, piling on the additional costs of peripheral readers.

The potential magic of HSPD-12 is in identifying anomalous behavior between physical and logical access. For instance, if Joe Smith logs into a classified system on a Sunday afternoon but there's no record of him entering the building, the system could identify the potential breach and lock out the user until he's cleared. Unfortunately, the only system ever developed for such a purpose-CA's 20/20-never made it to market because of technical hurdles and lack of market demand.

All of those technology and cost issues aside, the vision of HSPD-12 is sound. But like all visionary concepts, it will take time to develop. Federal CIOs and IT departments will find just enough money to demonstrate that they're attempting to comply with the mandate's requirements, which means plenty of work for the channel.

Copyright 2007 CMP Media LLC. All rights reserved.

(VarBusiness -- 05/01/07)