In Depth

HSPD-12: United States of Access Control

A fast-approaching smart card deadline for federal agencies could be the seminal moment for bringing together physical and logical access control. But is the government trying to do too much too soon?

By Sarah D. Scalet


In the IT world, of course, standards were what always made things work. The physical vendor community is only now starting to accept this. "If you look at something like Wi-Fi on the IT side, everybody's Wi-Fi works the same," says Gary Klinefelter, chairman of the Open Security Exchange, which was created by physical and information security vendors to create interoperable security products. "I can take my computer to anybody's building or hotel, and it works. But that same kind of standardization doesn't exist on the physical security side today. One of the big things that the government mandate will do for us is create a set of cards and readers that are interoperable."

The technical hurdles are not insignificant. People like Visbal, from the Security Industry Association, could wax poetic for hours about the difference between, say, the 125 kilohertz proximity cards in wide use and the 13.56 megahertz smart cards specified in FIPS 201. Or about why one common protocol for proximity cards supports only 64,000 unique ID card numbers, not the millions required by FIPS 201. Or about how fire safety issues in the physical security world slow down the product development process. But the writing is on the wall. Standardization, and along with it access control convergence, is coming.

"They're making us go to TCP/IP, LAN, WAN deployable systems, not just for access control but also for digital systems," Visbal says of what the government is doing. "They're forcing our hand."

Reality in the Field

Back at federal agencies, though, the changes are no less daunting. Butler says it's only been within the past year that the Department of Defense has started to overcome the cultural challenges of bringing together the teams responsible for physical access control and logical access control. "When I used to go to my physical security meeting, I used to sit down with my physical security team members who'd say, 'Oh, the geek has showed up.'"

While the directive refers matter-of-factly to a combined card for physical access and logical access, the reality is that this kind of converged access control project has simply never been done on any broad scale. And one of the particular ironies is that the agencies that are perhaps in the best position to actually issue FIPS 201-compliant cards don't have to, at least not right away. That's because OMB decided that agencies that had already made significant investments in smart card deployments could issue "transitional" cards, rather than FIPS 201 cards. Both the Department of Defense and Veterans Affairs, along with a handful of other agencies, are getting what one vendor calls a "get out of jail free" card from OMB for the October deadline.
