November 9, 2007 • Volume 5 • Number 9
“It Took A Brave Man To Eat The First Oyster”
“The trust relationship is fundamental,” explains Tom Lockwood, DHS senior advisor, “in where we are going as a country. When we talk about a knowledge-based community, we are talking about working in a distributive environment, where the ability to cross boundaries quickly must be commonplace.”
“I guess I’ll sum it up by a phrase that Mark Twain said, ‘it took a brave man to eat the first oyster.’ It’s going to take a braver person to really accept the certification that’s been done by another department or agency.”
“And it’s going to take leadership and guts when it doesn’t go right the first time.”
Lockwood was talking about the implementation of HSPD-12 and the trusted relationships necessary for identity management programs to succeed. He gave his views during the October Federal Executive Forum on Identity Management broadcast on Federal News Radio and produced by Trezza Media Group.
Moderated by Jim Flyzik of The Flyzik Group, Lockwood was joined on the panel by:
• Mike Butler, Program Manager, GSA Managed Service Office
• Mary Dixon, Director, Defense Manpower Data Center, DOD
• Gordon Hannah, Managing Director, Public Sector Security and Identity Management Group, BearingPoint
• David Troy, Director, US Government Identity Management Solutions Group, EDS
• Phil Myers, Director, Identity and Access Management Solutions, Unisys Corporation
Ever Forward
The deadline for full implementation of HSPD-12 is approaching. GSA’s Mike Butler is proud of the progress and steps forward GSA has made.
“GSA has put together a federation of different agencies to share the costs and share the infrastructure across the government,” says Butler. “We did a new contract just in April and at that point we had 42 agencies signed up. Since April we’ve now signed up 67 agencies, boards and commissions, and our population over the last year of agencies that have signed up has actually doubled from about 420,000 to around 860,000 people. So four months into the new contract we are pretty proud of that and I think that’s a pretty good step forward.”
DOD’s Mary Dixon is equally proud. “This is my favorite subject because I think that sometimes we get so hung up on how to issue those cards that we forget that the important thing is using those cards,” says Dixon.
“I can tell you that since we have begun issuing our precursor to the HSPD-12 card, we have begun to use it for logging on to our networks. And since we have begun that we have reduced the number of successful intrusions into our networks by 46% and that is before we were fully implemented. We have reduced the amount of phishing by 30%. We have begun to start the cultural change in the physical access world of moving away from the flash passes, if you will, to the ability to do rapid electronic authentication.”
Links To Privileges
“Part of this discussion is the race to get to the starting line,” adds DHS’s Lockwood. “Once the people have cards, now the creative part comes in with our industry partners.”
Lockwood says there are opportunities for entrepreneurs to come in with solutions for bundling products, services, and better network management. “This will definitely drive the linkage to privileges,” notes Lockwood. “How do we efficiently provide privileges when we do business, provide services, when we make a decision; how do we do it in an informed way.”
“We can see in demonstrations now 100% of authentication of people coming to an event. Now we’ve done nine demonstrations across the nation, three in ports, a number of incident responses. In these demonstrations you know exactly who the people are and who they are representing in real time. We never had that before. Additionally we have the ability to provide that information real time to the operation centers that are really trying to manage an incident as well as providing a list to those parent organizations so that they are aware of some of their people who have been deployed. We have never had that before.”
Change Management Challenges
Identity management is an enormous change management challenge to the agencies as well. A new system is being introduced that really touches every individual’s lives at the agencies. It’s absolutely essential to make sure strong communication and change management tools are in place because having the information in the right hands at the right time becomes very important.
Just ask Butler. “One of the challenges that we do have is when you have some agencies or commissions that are five people and then you also have some that are 110,000 people. The business rules for all of those are very different and diverse so we have tried being as flexible as possible.”
One of the things that Butler says they have found is about 20% of the people who come in to enroll have some data issue with their identity. “And this is coming right out of the HR systems of the agencies,” says Butler.
“When you do something like HSPD-12, it starts to wring out these gremlins that we’ve lived with for many, many years. This is huge and it’s going to impact a lot of agencies. It’s a big deal.”
Another change management challenge is the reality that the physical and IT security functions have not traditionally shared the same space. Building trust between these two groups is essential. Policies must ensure that trusted relationships become the norm between the two functions and there must be a strong cross collaboration of capabilities. Policy and trust needs to start within the agency.
Looking Forward
Since 9/11, many new identity management programs have come into play. So many that Butler says that in their GSA presentation, “when you put that slide up in front of people and then you ask them to step back, it’s almost breathtaking.”
Butler points out that a lot of thought has been put into identity management over the past four or five years and that “we are really laying a foundation for identity in our country that not only allows HSPD-12 for government folks, but will end up addressing things like a new transit standard, which has been talked about.”
“I think that what we are seeing now is that the foundation is laid down,” says Butler. “This is a new highway of a new industry and we are only at the 1% point and who knows what we are going to be able to do with this after we get over the work of putting the credentials out.”
###
|
Federal Executive Forum Issue on IDENTITY MANAGEMENT sponsored by |
|
Wringing Out The Gremlins
“When you do something like HSPD-12, it starts to wring out these gremlins that we’ve lived with for many, many years. This is a huge place where it’s going to impact a lot of agencies. It’s a big deal,” says GSA’s Mike Butler.
“About 20% of the people who come in to enroll have some data issue with their identity,” explains Butler. “This is coming right out of the HR systems of the agencies. I think that a lot of the agencies are wrestling with the challenge of anchoring people’s identities with the normal documentation that people would expect like a passport and getting that data back into their systems and making sure that it’s consistent.”
DHS’s Tom Lockwood agrees. “There are nearly 50 screening credentialing identity management programs that DHS has, let alone the new ones that we have in HR,” says Lockwood.
The thing that you’ll hear from all the technologists is many times it’s not the technology, it’s the culture. “In this case when you are trying to integrate the technology, especially one that really hits people at a personal level, it is perceived loss of power, prestige, notoriety, celebrity within the processes,” says Lockwood.
To get through this, Lockwood says DHS is holding a series of demonstrations to show people what the opportunities are if you have a common credential.
“What are the misperceptions about how do you extend and revoke privileges? How do you make informed decisions to protect your data?” asks Lockwood. “As we walk through the demonstrations, we can show real practical value and utility of making informed decisions. And that’s really what we’ve been doing to address this challenge of cultural change.”
At DOD, Mary Dixon, Director of the Defense Manpower Data Center, faces two challenges, not the least of which is the sheer size of what DOD has to accomplish. “The first is that we are making some changes in our process for doing background checks. Because we have been pretty much a paper-based system, it does not help us in making sure we have a chain of trust.”
The other challenge begins with physical access – and the badge.
“Everybody thinks that the badge has to be the thing that tells what accesses and privileges you should have and to try to change that culture has been quite a challenge,” says Dixon.
“Wouldn’t it be great if we could extend HSPD-12 a little bit beyond the federal government because we want to try to issue cards to contractors,” says Dixon. “Think about the fact that some contractors work for DOD, some work for DHS; some of these contractors work across some of the agencies that have similar missions.”
“Why are we all trying to figure out who is going to issue their credential? Why don’t we figure out a way so that we can trust our industry partners to issue those credentials against our rules and then we can trust each other’s credentials,” asks Dixon. “It improves security because they know best about their people and when they are coming and going. It improves privacy because I don’t have to store all this privacy information about all these people at all these different systems, you keep it within your own home base if you will. So I think this is just the beginning of where we need to go.”
And it builds the trust relationship. “You do not have to know everything about me to trust me, but you have to know that the person who issued my credential, you have to trust that person to have followed the rules,” says Dixon. “And you can know just a small amount of information about me to grant me privileges as long as you have that trust somewhere in the system.”
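The trust model Dixon describes, as an added worked example that is not from the forum or any panelist: one agency issues a credential, a second agency checks only that the credential chains to an issuer it trusts and reads a single asserted role, and grants privileges from that role without holding any other data about the holder. The agency names, the "Incident Responder" and "Visitor" roles, the role-to-privilege policy and the opaque holder IDs are all hypothetical, and Ed25519 X.509 certificates are used here purely for compactness in place of the FIPS 201 PIV certificate profile.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer models one agency's credential authority (hypothetical stand-in for
// a PIV issuing CA). Its signing key never leaves the issuing agency.
type Issuer struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

var serial int64 // toy serial counter; a real CA uses unpredictable serials

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// NewIssuer creates a self-signed root for the named agency.
func NewIssuer(agency string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{Organization: []string{agency}, CommonName: agency + " Credential CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{Cert: cert, key: priv}, nil
}

// IssueCredential signs a credential carrying only an opaque holder ID and one
// role (in the OU field). Name, date of birth and the rest stay in the issuing
// agency's own HR records, which is the privacy point Dixon makes.
func (i *Issuer) IssueCredential(holderID, role string) (*x509.Certificate, error) {
	holderPub, _, err := ed25519.GenerateKey(rand.Reader) // private half would live on the card
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{Organization: i.Cert.Subject.Organization, OrganizationalUnit: []string{role}, CommonName: holderID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.Cert, holderPub, i.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RelyingParty is a second agency. It stores no holder data: only the issuer
// roots it trusts and its own role-to-privilege policy (hypothetical here).
type RelyingParty struct {
	roots      *x509.CertPool
	privileges map[string][]string
}

func NewRelyingParty(trusted []*Issuer, privileges map[string][]string) *RelyingParty {
	pool := x509.NewCertPool()
	for _, iss := range trusted {
		pool.AddCert(iss.Cert)
	}
	return &RelyingParty{roots: pool, privileges: privileges}
}

// Authorize chains the credential to a trusted issuer, then grants privileges
// from the asserted role alone. An untrusted issuer or an unknown role fails.
func (rp *RelyingParty) Authorize(cred *x509.Certificate) ([]string, error) {
	chains, err := cred.Verify(x509.VerifyOptions{Roots: rp.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return nil, fmt.Errorf("credential rejected: %w", err)
	}
	issuer := chains[0][len(chains[0])-1].Subject.CommonName
	if len(cred.Subject.OrganizationalUnit) != 1 {
		return nil, fmt.Errorf("credential from %s asserts no single role", issuer)
	}
	role := cred.Subject.OrganizationalUnit[0]
	privs, ok := rp.privileges[role]
	if !ok {
		return nil, fmt.Errorf("role %q from %s maps to no privilege here", role, issuer)
	}
	return privs, nil
}

func main() {
	dod, _ := NewIssuer("DOD")
	rogue, _ := NewIssuer("Unknown Issuer")
	rp := NewRelyingParty([]*Issuer{dod}, map[string][]string{"Incident Responder": {"enter-site", "read-ops-log"}})
	good, _ := dod.IssueCredential("holder-0001", "Incident Responder")
	bad, _ := rogue.IssueCredential("holder-0002", "Incident Responder")
	fmt.Println(rp.Authorize(good)) // privileges granted, nil error
	fmt.Println(rp.Authorize(bad))  // nil, "credential rejected: ..."
}
```

The relying party never sees the issuer's private key or the holder's HR record; it only has to trust that the issuing agency followed the issuance rules, and revocation or a change of role is the issuer's job to publish (a CRL or OCSP check would slot into Authorize before the role lookup).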
Getting that trust means that government has to meet its enormous change management challenges head-on.
“This is a new system being introduced that really touches every individual’s lives at the agencies,” says BearingPoint’s Gordon Hannah. “So we’ve really taken it upon ourselves to make sure that there is strong communication and change management tools in place because having the information in the right hands at the right time becomes very important.”
“I think policy and trust is going to become a big issue when we start looking across agencies,” adds Hannah. “I think FIPS 201 is a great framework, but the execution of it becomes up to the individual agencies over which credentials they will accept and how they will verify them, so we are working through those types of issues with a number of the agencies now.”
“Trust needs to start at the home actually, within your agency,” notes Unisys’ Phil Myers. “Some of the challenges that we are going to see moving forward are this mapping of physical and logical identities for a holistic approach to security.”
“If agencies aren’t utilizing a centralized provisioning system it’s going to be a lot more difficult. Both IT and physical security groups have lived in different worlds for quite some time so we are going to see some cultural changes taking place there and that goes back to that policy and trust between the different groups. Physical and IT security functions may not require explicit reorganization of the groups but there must be a strong cross collaboration of capabilities. And again it all boils back to that policy and trust.”
EDS’ David Troy agrees that the culture issues tend to be most important, but the technology aspects are there. “I think one of the interesting things from a technology perspective is the fact is that none of this technology is stagnant. We will see multiple generations of card technology, we’ll see multiple generations of access control technology, we are seeing the convergence of the physical and the logical and HR systems and that all needs to be managed without negatively impacting the mission of the agencies.”
###
Gazing Into The Future
Looking over the horizon, Forum panelists see a bright future ahead.
Jim Flyzik, FEF Moderator
When we think of identity management we shouldn’t just think of the card and the person. Identity management is about people, things, perhaps electronic bits. Think about cargo coming in and out of our country. We want to allow the good cargo in and keep the bad cargo out. Then think about bits coming in; we want to identify and let the good bits in and keep the bad bits out. Take it to another level of thinking and it just opens up a whole new world of opportunity.
Phil Myers, Unisys
If you start looking at the foundation that we now have this common credential called the PIV card, we start seeing a lot of different uses for that. The PIV card moves you right into the area of secure single sign-on and the authentication objectives. It’s very easy to move into a direction where you have a single-sign on that gets you into all of your applications and gets you in securely.
Everybody goes through an enrollment and they get provision for that enrollment. That would be a great opportunity to start looking at ways to deploy enterprise and digital rights management type activities where we are actually not only controlling application access, but we are also looking at access down at the application of the data level itself. Who has access to read, write and change documents in my organization and likewise who has the ability to send those documents out to other organizations?
We can also look a little bit down the road to possibly tying this PIV card to an asset tracking mechanism where when you walk out of the agency in the afternoon the laptop that you are carrying is also being tracked by that PIV card. So there are a lot of exciting things that could happen outside of what we know as the standard PIV card today.
Mary Dixon, DOD
On the eGovernment side, it allows us to work in a global organization, which the Department of Defense certainly is, that allows us to conduct business without having to move pieces of paper. So I can now move pieces of paper electronically; be assured that the people on the other end are the right people. I can use digital signatures to get rid of the wet signature if you will and I can do a lot of things to simplify my business processes and become more efficient.
But probably the biggest area that I see in the future is if you look back at 9/11, one of the biggest concerns that fell apart in 9/11 was information sharing. We couldn’t figure out how to share information because certain people shouldn’t see certain things but couldn’t see other things and it’s really about identity. If we could know who those people were and what roles they had and what attributes they had, then we would know which kinds of information we could share with people, so this is the beginning of our ability to really do a good job with information sharing, the right people seeing the right information at the right time.
David Troy, EDS
I think information sharing and the collaboration that is going to be opened up with this new sense of trust and this new focus on trust and the ability to rapidly bring together teams that are diverse from different organizations. To quickly be able to collaborate and resolve issues and deal with any kind of circumstance that is presented is a very, I think it’s going to be a new paradigm in a lot of respects.
And essentially it is something that has occurred before. If you think about it there was a convergence of identity management and a new approach to identity management prior to HSPD-12 but it was a slow moving train and I think with HSPD-12 and really the federal government’s efforts in this area, it’s been a catalyst that’s really accelerated that change in thought and the industry in general and I think that’s where you are going to see, if you look at it, not only will the federal government be advancing ecommerce and eGovernment significantly.
Tom Lockwood, DHS
Many of us have lived through the birth of the Internet, the real adoption of the Internet. We’ve seen the adoption of charge plates in a broad environment. The evolution of ATM machines and all of those have profoundly added to the quality of our life. Many of us have decided to become a doctor or a nurse, an engineer or a scientist or an administrator because they believe in that.
And somehow they’ve gotten distracted from their jobs by things like trying to do business expense reports and filling out HMO forms and many cases things that, had it been built in the trust model of the enterprise they could concentrate on the thing that they chose to do in their life’s profession. We see people going to school now remotely to take classes whether they are DOD people where ever they are assigned throughout the globe, people that are at home, people that are now being educated through the internet, you have the opportunity to fundamentally understand products and services in a distributive environment, the quality of life for our citizens and guests is going to be profoundly better.
Gordon Hannah, BearingPoint
I think this credential is going to enable what’s becoming a much more mobile workforce. Take for example the ability of the digital signature for example, to now sign paper that traditionally moved around from desk to desk, the hope is the business of government and of industry will become much more streamlined as individuals can be much more strongly authenticated and their transactions can be authenticated.
(You now have) the ability to reduce paperwork; the ability to do more telecommuting, work from home because now you have this stronger online identity that can conduct transactions and make decisions. So overall we think it’s really going to enable faster decision making. When we start to think about possibly adding financial applications capability to this credential you have a very powerful tool, one that you basically use throughout the day to get on the metro, to use bus services, to get in your building, to get on to your systems, to conduct transactions or to do all that from home as well. We think it’s going to make lives better and it’s going to make our security stronger.
Mike Butler, GSA
We have a slide that we do our presentation on and it gives the whole list of all the HSPD-12 directives, it talks about all sorts of identity management and identity related programs that have come into play really since 9/11. And when you put that slide up in front of people and then you ask them to step back, it’s almost breathtaking.
Someone, or we just got lucky, really thought about this over the last four or five years and we are really laying a foundation for identity in our country that not only allows HSPD-12 for government folks, but will end up addressing things like a new transit standard, which has been talked about, and I’ve had some exposure to overseas and Europe and also in Canada, and people all over the world are looking at this because we had the guts to do this.
It was a very bold move and I think that what we are seeing now is that the foundation is laid down. This is a new highway of a new industry and we are only at the 1% point and who knows what we are going to be able to do with this after we get over the dog work of putting the credentials out?
###
Progress Is Our Most Important Product
“There is a new thing that surprised me,” reflects Mike Butler, GSA’s Program Manager heading up GSA’s HSPD-12 programs.
“We do have some agencies that have signed on with the managed service and they have no requirement to do HSPD-12, they are not under the mandate,” explains Butler. “And when I talked to some of their senior leaders they told me ‘we are small and we’ve never really been treated like federal workers. I want my people to have a common credential that says that I work for the federal government and serve the people of the United States.’”
“I think that’s an interesting cultural thing,” says Butler. “To me we are starting to act like a federal government with a common credential, and why haven’t we always had that? Maybe five years from now people will say, ‘why was this so hard?’”
Having a common credential has benefits for both government and industry.
One of the biggest benefits will be easier and quicker access to federal facilities by both government employees and contractors.
“We call it on-boarding,” says BearingPoint’s Gordon Hannah, “but basically it’s getting into a position to do your job more quickly. We think that is going to be streamlined with this new HSPD 12 compliance.”
The result according to Hannah is more security. When it’s time to leave, accounts are deactivated and access is taken away. Then there is the convenience of not having to remember several user names and passwords for various applications to do your day to day job, so there will be more seamless work across the agencies.
EDS’ David Troy adds that the FIPS 201 standard has established a level of trust now that wasn’t there before, that is now present or can be present between agencies, which hopefully make government more interactive and be more efficient.
“It’s interesting we are actually seeing a fairly significant interest on the part of commercial entities as well as the state and local community to also adopt an HSPD-12 alliance solution so they can participate in that trust model,” says Troy.
Trust is a critical aspect because you are talking about agencies interacting internally and with other agencies; and they also interact with state and local governments, the contracting community and other entities like NGOs. A new infrastructure is being put in place that will allow a whole new world of creativity and probably new things that none of us have even thought of yet.
“It’s a very virtual world and having that trust model and that trusted identity is going to be critical to that,” adds Troy.
Phil Myers of Unisys believes the most important aspect of FIPS 201 is that interoperability comes to the forefront. “Integration of logical and physical access is no longer an option,” says Myers. “Product vendors will start moving away from proprietary technologies and begin embracing national and international standards.”
FIPS 201 will have many benefits to the agencies and there will be new opportunities for physical and logical security convergence says Myers.
“Employees gain a single unified access control mechanism; administrators can supplement traditional password-only systems with multiple forms of authentication and have a single repository for employee IDs and provide for the immediate and real time authorization and replication of all enterprise resources,” notes Myers. “Likewise, auditing and forensic groups will now have a single location to control investigations, and finally the legal department can show improvement in access control efforts which will help meet regulatory requirements.”
###