It was perhaps serendipitous that the same week the brouhaha over The National Strategy for Trusted Identities in Cyberspace (NSTIC) broke (see the last issue of this newsletter) I had scheduled an interview with Jeff Nigriny. He's the CEO of CertiPath, a company intimately involved in real government identity cards.
CertiPath provides externally portable organization and individual identity assurance by certifying that your organization's credentials -- and those of your employees -- meet globally accepted standards. They do this for anyone, of course, but their concentration is in the aerospace and defense industries. Over the past few years they've been heavily involved in the U.S. government's rollout of (warning: acronym alert!) HSPD-12 requirements under FIPS 201 with a PIV-I implementation. That's Personal Identification Verification, for the uninitiated. If you really want to know how that works, read the government's PIV Test Procedure white paper.
Next up are what are called PIV-C, or PIV-compatible, cards. These are intended for non-government situations -- B2B, B2C, C2B, etc. CertiPath believes the market will define uses for PIV technology beyond the current vision of PIV and PIV-I smart card credentials, specifically by defining multiple variants of PIV-C, making PIV technology one of the most highly adopted technology standards for both logical and physical access applications. It's certainly an area many enterprises are interested in.
I did ask Jeff about any potential conflict or confluence of PIV cards and NSTIC. While he didn't really see them coming together, he also couldn't see any obstacle to both developing independently. He also mentioned HITRUST (the Health Information Trust Alliance), a collaboration of health care, business, technology and information security leaders, which has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.
Nigriny sees lots of activity looming in the online commerce world, and thinks that banks and other financial institutions would be good NSTIC custodians. But he warns that unless really good security is in place from the get-go, failure to adopt the solution might be its fate.
CertiPath, meanwhile, is chugging full speed ahead on converging logical and physical access, using multi-factor PIV cards, and investigating PIV-compatible devices (such as smartphones) to see where the company's expertise in secure transactions and verified identity can come into play.
We might hear more from CertiPath before the year's out.