From “identity standard of the future” to a likely sad footnote for bygone smart card specifications, PIV-I has had quite a ride. Just three years ago experts predicted it would be deployed not only for government contractors but across enterprise markets as well.
By Zack Martin
Seven companies are cross-certified with the federal bridge to issue high-assurance PIV-I credentials on behalf of other organizations, but only a few of them are actually doing it.
“Costly and complex” is the universal answer when insiders are asked why PIV-I and its less-assured little brother CIV aren’t being used in smart card deployments.
The other issue is that despite the original promise, PIV-I credentials aren’t really authorized for use within the federal government. So while some government contractors might be using the specification, employees who are contracted at different agencies are still being issued separate PIV credentials for access to facilities and systems.
“There’s no mandate for PIV-I within the federal government,” says Steve Howard, vice president of credentials at CertiPath, a PIV-I issuer and one of the founders of the smart card specification.
The idea for PIV-I began around 2006 when the Federal PKI Policy Chair, the Federal PKI Management Authority and CertiPath saw a need for a credential that could be carried by contractors and used at federal agencies and within that contractor’s own physical and logical access systems. The spec was intended for government contractors working on a job for six months or less, as anything more than six months requires a background check and a PIV card.
Two years ago a group of contractors lobbied the White House Office of Management and Budget to change this rule so that contractors with PIV-I could use those credentials instead of having to receive a federally issued PIV.
The response was that agencies weren’t concerned, so there wasn’t a need to change the rule.
Because federal agencies aren’t accepting PIV-I, there has been little issuance in that space. At one point, however, there was a lot of buzz around enterprises not associated with the federal government issuing credentials via the specification. Since PIV-I was standardized, the assumption was that products would be readily available, security would be high and as many organizations began using it, costs would fall.
This belief gave rise to another acronym, CIV or Commercial Identity Verification. CIV leverages the PIV-I specifications, technology and data model, but it does not require cross certification to the Federal Bridge. Any enterprise can create, issue and use CIV credentials according to their own requirements. It’s basically PIV-I without the government-mandated identity assurance.
This mass deployment of PIV-I and CIV, however, hasn’t come to pass. A few financial services companies and health care institutions are considering deployment because the PKI security is attractive to them, Howard says. But that is about it.
Wells Fargo might be the largest to announce a PIV-I/CIV deployment, but the financial institution declined to provide an update on the project’s rollout. At the Smart Card Alliance’s Smart Cards in Government show in 2013, Brian Keltner, information security engineer for smart card access management at Wells Fargo, said that FIPS 201 and CIV were attractive because it’s a standards-based solution, interoperable, federates and increases levels of assurance to make policy requirements.
According to Keltner, the bank was issuing 5,000 credentials each month across the country. The IDs used PKI validation for both physical and logical access control. CIV Authentication Certificates were used for authentication to end points and network applications and for authentication at door readers. CIV was attractive because it was based on PIV and PIV-I standards but also enabled local policies to be added.
Unless you’re a large organization needing the highest levels of security there hasn’t been much of a call for the specifications.
“Going down the PIV-I route requires a significant commitment,” says Randy Vanderhoof, executive director at the Smart Card Alliance. “Cost is still a big barrier, as is complexity. Enterprises need to make tough business decisions on how much to invest and look at the alternatives out there.”
Outside of select government contractors, Gemalto isn’t seeing a lot of call for PIV-I or CIV, says Neville Pattinson, vice president of government affairs and business development at Gemalto North America.
“Gemalto is deploying smart cards for the corporate enterprise but they’re .Net cards that are easier to integrate,” Pattinson explains. “Corporations looking for top of the line security want smart cards and then augment those with mobile devices.”
Cost may be the largest barrier. “If you’re looking to cover a company’s basic needs in terms of logical access there are simpler and cheaper solutions on the market,” says Stefan Barbu, head of secure ID sales and marketing Americas at NXP Semiconductors.
PIV-I credentials can cost as much as $50 a year due to certificate management and other issues, says Terry Gold, founder of IDAnalyst. The cost is high for a lot of the components in a system because they all need to be certified and tested. The Certificate Authority alone can run $250,000 per year, and that doesn’t include startup costs, he says.
“There are ways now to reduce the cost but they don’t cater to small organizations, don’t scale for larger ones and aren’t full function,” Gold adds.
Part of the complexity of PIV-I and CIV solutions comes in putting together a complete system, Gold says. “Ultimately the most burdensome thing about it is there are no really good supported solutions out there that tie in the whole workflow – request, proofing, vetting, invoking records, issuance and lifecycle,” he explains. “The services are disjointed.”
For example, one company might have a great card management system but will it integrate with whoever is doing the proofing and vetting? “Likely it is going to be a manual workflow,” Gold says. “You have to source that service.”
Moreover, the corporate enterprise doesn’t have the policies and processes in place for everything that has to be done with a specification like PIV-I. “PIV is well thought out on paper but not in practice,” Gold says. “It is only something that government could come up with since they are never accountable for inefficiency or failure metrics.”
The corporate world doesn’t have this kind of latitude. Corporations also don’t have the time or money to change their processes to accommodate a credential. For a government contractor who had a lot of revenue coming in, it makes sense to make the change, but for others it’s simply not worth it, Gold says. “The contractors consider it part of doing business, customer retention, rather than truly a security project,” he adds.
Gold has worked with customers considering PIV-I that bailed because they wanted to make slight changes that would keep them from being completely compliant. “When you explain that there is no such thing as 98% compliant, they abort,” he says.
Logically, this should lead them to the CIV, but there are challenges there as well.
“It’s not well thought out, as it takes root in inefficiency and does not consider requirements outside of the federal government,” Gold says. “CIV was never vetted. Ultimately you are dealing with a data model and products that are tuned for inefficiency.”
Identiv CEO Jason Hart is blunt when it comes to CIV. “It doesn’t fill any business requirements,” he says. “CIV is fundamentally flawed to work in the commercial space; it’s too expensive for a company to stand up on their own.”
Smart cards as a form factor may be waning, Hart says. Many corporations will always require some type of visual identification – a badge – for employees, but there are other form factors that work just as well if not better than smart cards. “I have an ID card because my company hasn’t gone away from visual identification, but I use my phone to tap on a contactless reader and then maybe to an OAuth authentication or a one-time passcode,” he explains.
The future for PIV-I and CIV looks bleak.
Unless rules change to enable – or even require – contractors to use the credentials within the federal enterprise, uptake in that space is unlikely. And unless something is done to overcome the cost and complexity of these systems for the corporate enterprise, uptake there will be slow or non-existent.
It seems that cheaper, easier-to-use alternatives – though not based on government standards – are better able to serve enterprise needs. Thus, the death knell for these smart card specifications may ring far sooner than expected.
Source: http://www.secureidnews.com
CIV – Commercial Identity Verification
FIPS 201 – Federal Information Processing Standard 201
PIV-I – Personal Identity Verification-Interoperable
NIST – National Institute of Standards and Technology