The need for better internal security - strong authentication, physical/logical access, mobile interoperability - is a challenge all verticals, markets and industries face.
For governments, where departments and agencies are searching for stronger internal identity-based security policy and solutions, an existing standards-based credentialing strategy and architecture is ready to help solve their challenges.
Based on a standard derived from the US Government (HSPD-12 and FIPS 201), the Personal Identity Verification (PIV) system supports a common smartcard-based platform for identity authentication and access to multiple types of physical and logical access environments. Smartcards carry the physical and digital components forming the user’s PIV credentials.
While the PIV system is specific to the US Government, a select group of trusted security vendors are able to provide similar architecture for any organisation. Under the name PIV-C - or sometimes PIV-compliant - enterprises, organisations and governments can deploy credentialing solutions that follow some of the security standards in use today by the US government.
What is PIV-C?
Although the definition may differ between vendors, PIV-C provides the basic framework for a physical and logical access credential in the form of a smartcard. PIV-C is based on similar standards of vetting and issuance developed by the US government - and managed by the US General Services Administration - for its employees, but it has been tailored for non-federal use. Of course, each organisation may customise the PIV-C requirements to meet the needs of their specific environment.
PIV-C credentials may offer vetted individuals many capabilities, including secure communication, as well as secure physical and logical access to the appropriate facilities, machines, portals or applications.
PIV-C cards are different from government PIV credentials in that the latter are issued directly under the control of the issuing federal agency. PIV-C is capable of meeting many of the technical specifications of the PIV credential and is issued internally by the specific organisation.
One smart credential
Organisations and governments should partner with a security vendor that provides the capability to capture and store sensitive biometric data on the smartcard via a secure, tamper-proof method.
With this approach, biometric data cannot be copied or modified without detection. Further, the sensitive information cannot be released unless the cardholder provides a PIN and the card is read by a trusted card reader.
This unique ability enables organisations to implement policy, if they choose, that requires the use of advanced biometric authentication (e.g. fingerprint scan to open a door). This technology can be extended to fight fraud in unlimited ways, including authenticating card holders before they vote, receive medical attention or even purchase prescription medication at pharmacies.
An integrated approach
Traditionally, physical access has provided authorised admission to buildings, while logical access provides access to networks. In a truly integrated system, a single platform should be deployed to solve one or both of these access control challenges.
Organisations or governments should seek a security vendor that provides a new standard for physical and logical access control for effective enterprise/government authentication. An integrated platform approach simplifies the issuance and management of smartcards and certificates, leveraging industry standards such as PIV, all from a single trusted vendor.
Smartcard platforms
During the selection of a security vendor, it’s smart to ask which smartcard platform they deploy. It’s best to use an open platform (e.g. Java Card) that’s designed to streamline changes to card applications and configurations - even after initial smartcard issuance.
With this open approach, organisations can also increase efficiency with backward compatibility and cross-platform, cross-vendor interoperability. Some vendors use proprietary, in-house smartcard operating systems, which makes it difficult to buy off-the-shelf applications from trusted third-party security vendors. This hinders advancement of the security environment and locks organisations into specific vendor hardware or software.
Better security through access convergence
It is critical to authenticate the identity of an individual or device that’s granted access to sensitive networks or facilities. With a versatile authentication platform, organisations can tailor authentication - whether for physical access, the online channel or through a mobile device - depending on the type of user, risk assessment and application.
While implementing techniques derived from the PIV standard helps organisations realise proven security, the core message is to deploy a comprehensive authentication platform that can evolve with new security needs or solve unknown challenges. The PIV framework is just one method to properly vet the identities enrolled into an enterprise or government infrastructure.

















