Going beyond HSPD-12 – data protection with government identification
The phrase “Open Sesame” comes from the English translation of Ali Baba and the Forty Thieves. In that story, Ali Baba discovers that the thieves keep their treasure in a cave protected by a magical door. To open the door, one need only utter the phrase “Open Sesame”.
Ali Baba uses this knowledge to steal treasure from the cave, and so the story begins, with Ali Baba and the band of thieves plotting revenge on one another. Although the Forty Thieves didn’t realize it at the time, the real problem they faced was that their magic door had poor proof of identity: its security relied on a shared secret, so it freely let in anyone who learned the magic words.
It would have been far better and more secure if the door didn’t rely on a shared secret at all, and instead used a secret specific to each person, together with proof that the person presenting it had the right to use it. In 2004, the White House issued a set of executive guidelines to strengthen security in several areas.
Homeland Security Presidential Directive 12 (HSPD-12) addressed the problem of inconsistent forms of government identification being used to identify employees, both physically (in person) and logically (electronically), for access to federal buildings and resources. The standards work undertaken to support HSPD-12 produced FIPS 201, the specification that defines the Personal Identity Verification (PIV) card.
Under the standard, government agencies are now deploying a stronger form of identification: the photo ID identifies employees and contractors at the front gate, the proximity loop embedded in the plastic opens building doors, and the smart card chip provides logical access to computing resources.
After undertaking the effort to get these employee badges out, many organizations are asking, “What else could we do with it?” The answer is to take advantage of the card’s strong authentication capabilities and use the same card for logical access to workstations.
In parallel to the efforts to provide stronger identification, government agencies are also protecting against data loss through the use of encryption technologies. For example, there’s been a strong uptake in the use of disk encryption products such as PGP Whole Disk Encryption to protect data at rest.
Adding strong authentication with the PIV card to an encryption project makes a lot of sense. Using a PIV card to authenticate to a desktop extends the value of the cards already in employees’ hands, and it makes the disk encryption more resistant to attack by providing multi-factor authentication: the user must both know the passphrase and demonstrate possession of the card itself in order to unlock the computer. It gets more value out of the card employees already carry, and it avoids the weakness of single-factor authentication. It also saves money by leveraging the existing investment in PIV cards rather than requiring yet another authentication method to manage and support.
We’ve added support for strong authentication in other data protection products as well. In addition to using smart cards for pre-boot authentication in PGP Whole Disk Encryption, we support tokens for administrative access as well as smart cards for email encryption and digital signatures. Adding further layers of security to your data protection strategy in this way is a sound approach.
For those concerned with keeping data safe, none of us want to see unauthorized access granted by an “Open Sesame”. With strong authentication paired with encryption, we can make sure that it doesn’t happen.