Enterprise ID specs fail to catch on
09 March, 2015
category: Corporate, Digital ID, Government, Library, Smart Cards
Outside of select government contractors, Gemalto isn’t seeing a lot of call for PIV-I or CIV, says Neville Pattinson, vice president of government affairs and business development at Gemalto North America.
“Gemalto is deploying smart cards for the corporate enterprise but they’re .Net cards that are easier to integrate,” Pattinson explains. “Corporations looking for top of the line security want smart cards and then augment those with mobile devices.”
Cost may be the largest barrier. “If you’re looking to cover a company’s basic needs in terms of logical access there are simpler and cheaper solutions on the market,” says Stefan Barbu, head of secure ID sales and marketing Americas at NXP Semiconductors.
PIV-I credentials can cost as much as $50 a year due to certificate management and other issues, says Terry Gold, founder of IDAnalyst. The cost is high for a lot of the components in a system because they all need to be certified and tested. The Certificate Authority alone can run $250,000 per year, and that doesn’t include startup costs, he says.
“There are ways now to reduce the cost but they don’t cater to small organizations, don’t scale for larger ones and aren’t full function,” Gold adds.
Part of the complexity of PIV-I and CIV solutions comes in putting together a complete system, Gold says. “Ultimately the most burdensome thing about it is there are no really good supported solutions out there that tie in the whole workflow – request, proofing, vetting, invoking records, issuance and lifecycle,” he explains. “The services are disjointed.”
For example, one company might have a great card management system but will it integrate with whoever is doing the proofing and vetting? “Likely it is going to be a manual workflow,” Gold says. “You have to source that service.”
Moreover, the corporate enterprise doesn’t have the policies and processes in place for everything that has to be done with a specification like PIV-I. “PIV is well thought out on paper but not in practice,” Gold says. “It is only something that government could come up with since they are never accountable for inefficiency or failure metrics.”
The corporate world doesn’t have this kind of latitude. Corporations also don’t have the time or money to change their processes to accommodate a credential. For a government contractor who had a lot of revenue coming in, it makes sense to make the change, but for others it’s simply not worth it, Gold says. “The contractors consider it part of doing business, customer retention, rather than truly a security project,” he adds.
Gold has worked with customers considering PIV-I that bailed because they wanted to make slight changes that would keep them from being completely compliant. “When you explain that there is no such thing as 98% compliant, they abort,” he says.
Logically, this should lead them to the CIV, but there are challenges there as well. “It’s not well thought out, as it takes root in inefficiency and does not consider requirements outside of the federal government,” Gold says. “CIV was never vetted. Ultimately you are dealing with a data model and products that are tuned for inefficiency.”
Identiv CEO Jason Hart is blunt when it comes to CIV. “It doesn’t fill any business requirements,” he says. “CIV is fundamentally flawed to work in the commercial space; it’s too expensive for a company to stand up on their own.”
Smart cards as a form factor may be waning, Hart says. Many corporations will always require some type of visual identification – a badge – for employees, but there are other form factors that work just as well if not better than smart cards.
“I have an ID card because my company hasn’t gone away from visual identification, but I use my phone to tap on a contactless reader and then maybe to an OAuth authentication or a one-time passcode,” he explains.
The future for PIV-I and CIV looks bleak.
Unless rules change to enable – or even require – contractors to use the credentials within the federal enterprise, uptake in that space is unlikely. And unless something is done to overcome the cost and complexity of these systems for the corporate enterprise, uptake there will be slow or non-existent.
It seems that cheaper, easier-to-use alternatives – though not based on government standards – are better able to serve enterprise needs. Thus, the death knell for these smart card specifications may ring far sooner than expected.
National Cancer Institute uses a ‘bit’ of CIV
When the National Cancer Institute was building its new facility in Shady Grove, Maryland, the intention was to have the physical access control system be PIV compliant. This included making sure that all credentials – employee and visitor – were PIV-compliant, says Shane Hebert, facilities program manager for physical security at the National Cancer Institute.
The institute deployed HID Global’s pivCLASS readers for physical security and needed a card that would be issued with that technology. And since the facility requires employees and visitors to badge in and badge out, it needed a visitor badge that would also work with the PIV-enabled system, Hebert says.
Northrop Grumman was the prime contractor for the project and CertiPath was one of the team members. Hebert knew that CertiPath had a “CIV in a Box” product that could enable security to issue those cards to visitors or temporary workers. The institute rolled out 200 preprinted CIV cards that could be issued to visitors for temporary use.
Concurrently, the U.S. Department of Health and Human Services decided to start issuing another type of credential called the Restricted Local Access badge. The credential serves the same purpose as the PIV, providing both physical and logical access for short-term staff of less than six months.
“It’s a PIV alternative for when you don’t have the proper background check on someone or are waiting for another credential to be issued,” Hebert says.
The CIV credentials are still being issued for visitors and to employees while they wait for a Restricted Local Access badge, Hebert says. “It’s a one-off solution when we need to track people coming in and out of the building,” he adds.