Linux in Government: Federated Identity Management Business Drivers

In last week's article, we discussed federated identity management (FIM) to get you familiar with some of the concepts of how it worked. We also stressed the need for Linux practitioners to start preparing for the emergence of new products and services requiring FIM. In this week's discussion, we explain reasons why identity management has become required in many organizations.

Homeland Security Presidential Directive (HSPD) 12, dated August 27, 2004, established a policy for a common identification standard for federal employees and contractors. In the directive, the White House established these talking points:

In response to HSPD 12, the National Institutes of Standards and Technology (NIST) Computer Security Division initiated a new project for improving the identification and authentication of federal employees and contractors for access to federal facilities and information systems. Federal Information Processing Standard (FIPS) 201 started the clock for agencies to implement common smart card-based ID cards, among other identity management procedures.

FIPS 201 lays out the technical and operational requirements for the system and card. HSPD 12 requires agencies to have their access systems in place, "to the maximum extent practicable", by October 25, 2005.

Some people feel that meeting that deadline is likely to be a challenge. Although NIST is not responsible for implementing the standard, Jim Dray of NIST stated, "I don't think it's going to be possible for most agencies to continue doing business as usual and comply." People at the Office of Management and the Budget (OMB) remain optimistic.

The main commercial Linux vendors may wind up providing infrastructure and provisioning to the various agencies that must meet the standard of FIPS 201 and related documents. You could say that the President of the United States created a sense of urgency in the federated identity management sector by suggesting that wide variations in identification technology people use to gain access to secure facilities exist and need to be eliminated.

That's the essence of Red Hat's entry into this market. For more information on Red Hat's product, take a look at its product page.

The new FIPS 201 standard requires replacing the former Government Smart Card Interoperability Specification (GSCIS). The new standard requires DOD, for example, to re-deploy applications on 2.2 million computers and update 3.5 million Common Access cards. And, that's only one implementation.

With all of the scrambling to comply with the President's standard, many vendors find themselves scrambling to help agencies meet their deadlines. You can count on IBM and its partners Red Hat and SUSE to benefit from those efforts.

In addition to FIPS 201, other federal regulations have created a need for identity management. Again, with IBM having a significant lead in the market, Linux will see its share of business. Let's take a look at the primary drivers in the compliance area.

Healthcare Insurance Portability and Accountability Act (HIPAA)

HIPAA regulations provide for the protection of healthcare information. Control of access to information systems has become big business in the health care industry. Fines of up to $100,000 and prison terms of up to five years for noncompliance make HIPAA compliance a big concern.

HIPAA regulations affect business processes, information systems operations and information systems sharing. HIPAA-compliant privacy and security features require structured identity management solutions that we have seen in products such as IBM's Tivoli Access Manager, which runs on Linux and interoperates with a variety of other software platforms.

HIPAA regulations impose requirements to enforce formal security policies and procedures for granting different levels of access to patient information.

Gramm-Leach-Bliley

Gramm-Leach-Bliley regulations became effective on February 1, 2001. The US Treasury Department issued guidelines interpreting the privacy and security requirements contained in the GLB Act of 1999, also known as the Financial Modernization Act of 1999.

The GLB exists primarily to repeal restrictions on banks affiliated with securities firms. It requires financial institutions--including preparers of income tax returns, consumer credit reporting agencies, real estate transaction settlement services and debt collection agencies--to adopt privacy measures relating to customer data.

The legislation eliminated legal barriers to affiliations among banks and securities firms, insurance companies and other financial services companies. Such affiliations require legal and security safeguards. The Federal Deposit Insurance Corporation (FDIC), Federal Reserve System (FRS), Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC) and the Office of Thrift Supervision all regulate some area of Gramm-Leach-Bliley.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002 has created numerous logistical, operational and economic challenges for public companies. Sarbox requires CEOs and CFOs of public companies to swear under oath that the financial statements they publish are accurate and complete. This is supposed to protect investors by improving the reliability of corporate financial statements. It imposes stiff penalties for auditors, corporate officers, company directors and others who violate the Act. Every publicly traded company registered under the Exchange Act or that has a pending registration statement under the Securities Act of 1933 falls under the regulations.

If someone fails to comply with Sarbox, he or she can expect stiff penalties, including jail terms for executives. New processes and procedures to ensure compliance may improve efforts to implement identity management and automate many of those processes.

Identity management technology helps automate processes that enable Sarbox compliance. For example, it addresses security processes associated with establishing "adequate internal controls" around financial reporting. By mapping these processes as well as internal security policies to automated identity management, companies can utilize frameworks for improving security and ensuring compliance.