WASHINGTON--The federal government is trying to find better ways to standardize and coordinate personal information about American citizens that is currently spread across thousands of databases, according to a White House official.
There are more than 3,000 programs or databases in the federal government that hold personal information--Social Security numbers, addresses, fingerprints, and so on--yet the government is only beginning to develop a plan for collecting, protecting, and using such information.
"You have a lot of duplication of data" among various agencies, said Duane Blackburn, a policy analyst in the White House's Office of Science and Technology Policy. Moreover, he said, privacy controls and security measures vary from agency to agency.
At a forum here Tuesday hosted by the Information Technology Association of America, representatives from the federal government and the tech industry discussed how the government conducts identity authentication--either for federal employees or regular citizens--and how it can improve.
Blackburn helped establish an Identity Management Task Force that examined the government's current identity management architecture and how to consolidate the personal information collected.
Chartered by the National Science and Technology Council's subcommittee on biometrics and identity management, the task force released a report (PDF) in September. The report offers a set of recommendations, including possibly creating a position within the executive branch that would be responsible for coordinating identification management across all agencies.
Blackburn said the report presents "a vision--it's not a policy."
The task force's report--the first of its kind--was produced after a six-month analysis of information management across all departments and agencies.
This image represents the vision of a federated 'network of networks' laid out in the Identity Management Task Force's recent report. (Credit: Office of Science and Technology Policy)
The government's current IT architecture consists of standalone repositories, many of which duplicate what is dubbed PII, or personally identifiable information.
"As such, differences exist in the ways the same PII and other information are retained, portrayed, weighted, and valued across the total data architecture," the report says. "Further, the existence of these duplicative and nonstandard data increases opportunity for data exploitation and unauthorized access."
To address those weaknesses, the task force presented the idea of a federated "network of networks," with cross-organizational and cross-domain interoperability. The task force breaks down PII into two categories: "basic information" and application-specific data. The architecture laid out by the task force would support the basic information, but not application-specific data.
An agency, such as the Defense Department, would retain application-specific data (such as a special clearance) itself and would not share it across the network. However, it could access basic information--now often duplicated across agencies--in the supported data stores using a predefined querying process.
There will always be privacy concerns when personally identifiable information is being collected, the task force acknowledges. The "basic information" about an individual would be supported by the network, conceivably accessible to any government agency.
Blackburn maintained, however, that such information would be more secure with standardized privacy stipulations and methods of access. He also reiterated that information required for specific applications would only be accessible to the relevant agencies.
"It cannot be emphasized enough that this centralized data store approach is NOT being recommended," the report says. "The applications supported by this architecture will be enormously diverse, as will the nature of the content-specific data they use and retain. At the same time, the scale of the object architecture will be global and massive, as needed to support the full range of federal government activities and enrolled participants."
To approach this vision, the task force recommends tackling a number of issues, such as standards and guidelines that would have to be in place to support a federated network, the appropriate technologies to use, and how to best coordinate interagency efforts.
Blackburn said the task force stayed away from policy prescriptions because "if you try to specify that now, you run the risk of someone trying to do it now when it's not fully thought through--you run the risk of these recommendations being politicized."
Government agencies will face a test in the development of coordinated authentication programs on October 27, when every federal employee and contractor is expected to have a government "smart card," as required by a presidential directive.
With no common authentication system within the federal government, employees currently may have four or five credentials to gain access to various buildings and may only be expected to flash those credentials at a security guard. By contrast, the smart cards will be equipped with microchips, will hold biometric data like fingerprints, and will eliminate the need for multiple credentials.
"If you don't use the cards to change the way you do business, we have all wasted a lot of effort and money to produce cards people stick in their desk," warned Mary Dixon, director of the defense manpower data center for the Defense Department.
WASHINGTON--Is the idea of widespread biometric data collection still too spooky to win over the American public?
At some level, it's already becoming commonplace: California and some other states demand fingerprints from driver's license holders. The Verified Identity Pass program includes iris scans, as does the U.K.'s border control system. And prisoners have their blood forcibly drawn for a DNA sample.
But more widespread use of biometrics, especially by the government, raises substantial privacy concerns that may alarm many Americans and prove difficult to resolve, panelists at a conference here said Tuesday.
"How would I transact business, if I knew someone was following me everywhere and watching me?" asked Scott Hastings, president of the IT consulting firm Deep Water Point, who previously worked in the federal government for 23 years. "We need to grab hold of that and decide how that's going to modify our behavior."
Hastings sat on a panel at a forum on identity management hosted by the Information Technology Association of America.
"Will there be underground transactions? Will it affect our economy?" he asked. "When people (become aware of) the electronic footprints they leave behind, there will be a reaction."
Homeland Security's US-VISIT program is moving from collecting two fingerprints to 10 at U.S. borders. (Credit: Stephanie Condon/CNET)
The increasing sophistication of identity management has had clear benefits, Hastings said. He noted how the rollout of the Department of Homeland Security's immigration and border management system--United States Visitor and Immigrant Status Indicator Technology--has virtually erased the once-prominent problem of document fraud at U.S. borders. The US-VISIT program, implemented in 2003, involves the collection of biometric data such as fingerprints to monitor for criminals and terrorists at the borders.
US-VISIT is the world's first large-scale biometrics program, according to director Robert Mocny. He said the program has stopped 2,400 criminals based on biometrics alone.
The program is currently transitioning from collecting two fingerprints to a 10-fingerprint standard. Mocny said US-VISIT is also pursuing other forms of biometric identification, such as iris-scanning technology.
"The biggest challenge since day 1 with any service has been the privacy and security aspect of it," said Chase Garwood, chief information officer of US-VISIT. He said the program extends to non-U.S. citizens many of the same protections afforded to citizens.
Protecting Americans' privacy at other borders presents an additional challenge, pointed out Mary Dixon, director of the defense manpower data center for the Defense Department.
Governments in Japan, Australia, the European Union, and other places have begun collecting biometric data at their respective borders as well. The United Arab Emirates has been utilizing iris scans for some time, Mocny said.
"As biometrics increases worldwide, consistent standards are essential," Mocny said. "We can transform the way the world travels."
He said that in order to make the collection of identifiable information palatable for consumers, it has to be noninvasive and familiar to people.
Some panelists suggested that younger generations are more accepting of handing over their personal information, but Dixon took issue with that point.
"They might share" their information online, she said, "but it's their decision whom they share with--they don't want the federal government collecting all of their information."
Conor White, chief technology officer of security systems vendor Daon, said consumers are growing more comfortable with the use of biometrics on an everyday basis, as evidenced by products like the Registered Travelers card, which identifies travelers who pose a minimal security risk.
"People are doing it because they recognize the security and convenience trade-off," he said.
CNET's Declan McCullagh contributed to this report.
CA on Tuesday announced it acquired identity management company IDFocus.
With the acquisition, CA plans to use IDFocus' Ace identity management technology to give employees multiple authorizations in their company's employee resource planning (ERP) system and automatically have those authorizations checked against the information they are seeking or the task they're trying to conduct.
Specifically, the CA Identity Manager aims to give employees various authorizations, then run a check against the segregation of duties (SOD) policies set up in the IDFocus software. If a policy has been violated, the CA Identity Manager is designed to kick in and prevent the employee from accessing the information or performing the attempted task.
"This acquisition strengthens CA's ability to continually enhance critical elements of CA's Identity and Access Management suite," Dave Hansen, CA Security Management general manager, said in a statement.
Terms of the sale were not disclosed.
In the 1990s and early 2000s, Oracle dabbled in the identity space with database access controls and a network directory. But it really wasn't considered a player in this space.
This changed in 2005 when Oracle acquired its way into identity management with the purchase of Oblix and Thor Technologies. Even with these acquisitions, many industry watchers never thought that Oracle could buy its way into the market and weave disparate products into an integrated suite.
Once again, common wisdom was completely wrong. While others struggle or abandon this space, Oracle has vaulted to a leadership position. In fact, my sources tell me they see Oracle in every large deal these days. The fact is that Oracle saw the identity management space as strategic and invested accordingly to become a market leader because:
Identity management is a business--not an IT--initiative. Back in the 1990s, identity management was all about technology tools to manage user provisioning and security. Now it's about mapping employees and outsiders to business processes, managing user roles, and meeting regulatory compliance mandates. When identity management evolved from a set of IT tools to a business application, deal sizes skyrocketed.
Identity management is middleware. Oracle wants to own identity middleware just like it wants to own application integration middleware. Identity is the glue between users, applications, and distributed systems.
Identity management projects can be huge. Identity management is like ERP in that it means years of process definition, role creation, custom development, and systems integration. This is right up Oracle's alley.
Oracle isn't alone in this space. IBM still kills it on product and services. Identity is one of CA's healthiest businesses. Novell has great technology, and Microsoft is a sleeping giant. These guys won't lie down, but Oracle went from nowhere to become a market leader in three years. That won't change in the future.