Information Systems Security

HSPD-12, Compliance and the Role of Automated User Provisioning in Converging Logical and Physical Government Environments

Bob Demson

Mandated by Homeland Security Presidential Directive 12 (HSPD-12), government agencies are required to converge physical and logical access control onto a single credential. Many in the identity and access management industry view HSPD-12 as a watershed issue - influencing U.S. government agencies to consider implementing automated provisioning solutions to ensure employees have timely, appropriate access - whether it be to federal buildings or computer systems, or both - based on their role in a particular agency, job requirements or security clearance. Provisioning's position as the glue that binds identity management infrastructure will be further tested in January 2007 in the face of massive mid-term turnover on Capitol Hill.

As a result of these strains on disparate and often outdated technology infrastructure, government agencies are under intense pressure to revisit their information security policies to keep up with internal and external audit requirements. Federal agencies need to establish frameworks and demonstrate sound processes and controls around how users get access, how access changes, and ultimately how access is removed once someone leaves an agency. Automated user provisioning is at the core of building a sustainable, consistent and enforceable solution to address these issues and support an integrated enterprise in which token-based credentials and single sign-on password capabilities are seamlessly intertwined.

Barriers to Compliance: Challenges Created by Mandates and Turnover

As government agencies have matured and expanded services to meet emerging political, security and public health demands, their technology infrastructure has become complex - especially given increasing efforts to merge physical and logical assets. Barriers to compliance include the large numbers of federal employees and partners with different operational and business "identities" who are accessing multiple databases, financial systems as well as custom applications, extranets and intranets. On top of that, many older physical access and building security systems don't "talk" with newer information technology assets, creating significant security and compliance risks.

According to Gartner, through 2010, organizational inhibitors and complexity of joining disparate provisioning workflows will prevent 75 percent of government agencies from joining personnel, physical security and IT provisioning holistically.1 Effective identity and access management solutions need to combine processes, technologies and policies to manage digital identities and create standards for granting user access to technology assets. By reducing complexity and automating processes associated with user provisioning - ensuring the right people have the right access to the right applications - government agencies can create new efficiencies, reduce costs and improve adherence to federal regulations.

The building blocks for an effective framework that supports automated provisioning and compliance include modular, easily deployable and repeatable approaches that simplify processes, eliminate infrastructure stovepipes and unify work across agencies and within the lines of business of the federal government. The framework must integrate with overall identity and access management architecture, while at the same time be flexible enough to support interoperability of functions, allow for collaboration, reduce costs of ownership and improve productivity.

State of the State: Technology Infrastructure Needs to Catch Up With Converged Environments

Compliance with mandates like HSPD-12 will be road tested in January 2007 when the new Congress is sworn in. Complying with HSPD-12 isn't just about credentials, but about building a unified system that will help make the merging of other security and authentication initiatives such as token-based and single sign-on passwords more manageable. When the Republicans took control in 1994, it wasn't just a pre-9/11 world; it was largely a pre-Internet world. A new password for every desktop was likely enough to feel confident about information security. Beyond the new faces in the Senate and House, there will be staff overhauls in nearly every committee office, new appointments and a market flooded with displaced Republican support staff.

To avoid a data lockdown until roles and rights can be established -- effectively handcuffing government in the information age -- or an information free-for-all that seems highly improbable in the "safety first" mood set by well-publicized data disasters, automated provisioning solutions will help ensure appropriate access for every new government employee - on day one. Equally as important as granting access, is taking it away. To meet compliance and audit requirements, federal agencies must demonstrate the ability to both provision and deprovision employees in a timely manner to avoid potential security breaches - accidental or malicious.

Another example demonstrating the need for automated provisioning is related to federal disaster planning. Consider the role of first responders. Based on a particular threat or event, first responders need to be given access to mobile emergency systems they may not otherwise have access to. By being able to automatically grant special access to applications and databases allows teams to mobilize quickly. A manual process could potentially put lives at risk.

Historically, logical resources and physical access control have been separate domains. Managing physical access through security tokens such as key FOBs traditionally fall to the corporate security department, while passwords and cyber security issues are typically the purview of the IT department. As a result, the architecture, technology assets and identity verification requirements are usually independent and oriented toward their own specific functional goals. Additionally, tasks such as provisioning authentication into a database were not only a heavy manual undertaking, but oftentimes overlooked or ignored. Today, automated provisioning is becoming a core component of infrastructure upgrades.

Provisioning Technology, Processes and Lessons from the Private Sector

From an enterprise standpoint, investing in the right technology is only about 20 percent of the issue. The larger challenge is determining how to implement a business process framework that aligns automated provisioning and compliance goals with the increasing convergence of physical access control and logical resources. Once an infrastructure to support mandates like HSPD-12 is in place, agencies need to focus on creating a delivery mechanism that links processes and systems to achieve goals such as streamlined password management, account management and efficient provisioning/deprovisioning.

There are important considerations to prepare agencies for granting seamless physical and logical access control. First, security administrators must look at existing processes for granting access. As manually assigning privileges would no doubt cripple federal IT departments, particularly in advance of January turnover, agencies must lean on automated processes, integrated databases and a single point of contact for administrators to ensure there are no conflicts between the systems an employee will have access to, and the building within which they are assigned to work.

Government department-level CIOs are the primary decision makers regarding identity management investments. Primary concerns around new technology investments include funding, potential political constraints and measurable benefits in terms of new efficiencies and reduced operating costs. Another trend in the government technology space to take into consideration is the move toward COTS (commercial off the shelf) and GOTS (government off the shelf) environments, and emphasis on modular approaches that can be implemented quickly, are repeatable and standards-based (XML, SPML, SAML). Agencies are quickly realizing the benefits of taking a more unified, streamlined approach to technology investments and learning from the private sector about associated cost, quality and productivity benefits.

One of the identity management challenges for government agencies is addressing how to strengthen identity and access management and achieve related security benefits, without impeding productivity or increasing operational costs. Based on constantly changing business environments, provisioning solutions have evolved over the years to where provisioning's foundation in workflow, roles and rules has become automated and dynamic - enabling government enterprises to accommodate changes with minimum cost, time and risk. Effective user provisioning software helps organizations deal with fundamental challenges associated with ensuring that access privileges are consistent with policy by automating hiring, firing, transferring and other agency processes - while reducing administrative costs and speeding delivery of access privileges.

With the continued build out of government enterprises' identity management infrastructure with directory, Web access management, enterprise access management, enterprise single sign-on and other components, it has become clear that provisioning is not a small element of each component, but rather the core around which the operations of the identity management infrastructure revolves. Organizations generally look to provisioning to accomplish three key tasks:

Provisioning crosses many diverse organizational, operational and technical boundaries. Even the most simple business actions spawn provisioning actions, such as hiring a single new employee - triggering a larger number of connected and disconnected provisioning actions. Coordinating these actions effectively hinges on accomplishing two key tasks. The first task is to ensure that the variety of provisioning actions (who can provision what for whom, and when) is consistent with business and security policy. The second task is to simplify the complexity of connecting people and resources in a way that was consistent with policy.

To summarize, like their private sector counterparts, government agencies are susceptible to diverse and constantly changing business processes, organizational structures and business and IT infrastructures. Under the new weight of audit and compliance issues and added complexity of merging physical and logical assets, federal agencies are increasingly motivated to streamline existing technology infrastructure and adopt processes that enable better identity and access management. Ideally, automated enterprise provisioning achieves transparent compliance with regulations and corporate policies; sustained efficiencies in IT operations; and improved business velocity by lowering operating costs, improving security and maximizing productivity. By automating provisioning through the creation of modular, repeatable processes and utilizing a "reduced sign on" environment, government agencies can benefit from:


1 Gregg Kreizman, "Solving Government Identity and Access Management Problems," Gartner IT Security Summit 2006, London, England.

About the Author
Bob Demson is the Director of Federal & Mid-Atlantic Region for Courion Corporation. His responsibilities include setting the direction and focus for the federal market and achieving the objectives for expanding the Courion presence in the region. With over 15 years of management experience in the identity technology sector focusing on video imaging, smart card credentialing, PKI and identity and access management solutions, Bob brings experience through involvement in government working groups and programs associated with the GSA and DoD Common Access Card (CAC), Federal Bridge Certificate Authority (FBCA), eAuthentication and HSPD-12 programs.

© Copyright 2007 Auerbach Publications