Issue link: http://securitytechnologyexecutive.epubxp.com/i/571504
September/October 2015 • SECURITY TECHNOLOGY EXECUTIVE 19 www.SecurityInfoWatch.com

locations. Although the credential is designed for both logical and physical access control, this article is focused on PACS.

The Federal Personal Identity Verification (PIV) standard defines a set of common policies that, among other items, govern the procedural details of on-boarding, identity vetting, background investigation, adjudication, issuance, and life cycle management. In addition, PIV policies require that identity management and credentialing systems are configured and certified to enforce the processes mentioned above with separation of operator duties. Separation of duties mitigates the risk of a single operator being able to both produce and issue a PIV credential. The list of policy-driven procedures and details is long, and some items are quite complex.

A policy object identifier (OID) serves as proof that a credential's certificate was issued in compliance with the relevant policies. The PIV policy OID allows one agency to trust that an identity credential issued to employees of another agency was indeed created under the same PIV policies. Knowing that these procedures are consistent across all PIV-issuing agencies is intended to remove the distrust that sometimes existed between different agencies. Although some distrust still remains, the majority of agencies now allow visiting employees from other agencies to use their PIV credential for unescorted building access. PIV credentials may also be registered and provisioned in a local PACS, as per local agency policies.

In addition to policies, standards govern what information is collected during the on-boarding process and how it is stored, used, read and authenticated.
The traditional data model of legacy cards was often a short string of bits, such as the 26-bit Wiegand format, which used a three-digit number to represent a location and five digits to represent the unique sequential number of the specific card. Although longer identifier formats are available, the 26-bit Wiegand model is still common. The card data was simply read by the reader and sent to a PACS controller or, in some cases, a reader interface unit, using a one-way (simplex) data stream. A three-digit facility code determined whether the card belonged in the system at this location and, if so, the sequential number was processed for authorization.

Interoperability was in many cases deliberately limited. Each PACS operated in a site-centric, stove-piped environment; the legacy data model severely limited the system's capability to support large user populations. PIV interoperability, as described above, means that a Federal employee who holds a PIV credential can, regardless of issuing agency, use the card for access to both physical and logical resources at any Federal agency where the cardholder is authorized. This is quite contrary to legacy thinking and required significant system changes. Large user populations as represented in all

Figure 1. When using the card for access requests, one part of the process is that the PACS must authenticate the card's credential by comparing the hash values of the original with that of the presented card.
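To make the legacy data model concrete, here is an added example (not from the article) that decodes a 26-bit Wiegand frame the way a PACS controller would: check the two parity bits, split out the facility code and card number, and apply the facility-code check before looking up the card. The bit layout (8-bit facility code, 16-bit card number, one even and one odd parity bit) is the common 26-bit format and is assumed here; the article gives only the digit counts.

```python
"""Decode and authorize a 26-bit Wiegand frame (added example, assumed standard layout)."""

FRAME_BITS = 26
# Every possible (facility, card) pair the format can express: 256 * 65536.
ID_SPACE = (1 << 8) * (1 << 16)


def parse_wiegand26(bits: str) -> dict:
    """Split a 26-character '0'/'1' string into facility code and card number.

    Assumed layout (standard 26-bit format):
      bit 0       even parity over bits 1..12
      bits 1..8   facility code, 0..255 (the article's "three-digit" site number)
      bits 9..24  card number, 0..65535 (the "five-digit" sequential number)
      bit 25      odd parity over bits 13..24
    """
    if len(bits) != FRAME_BITS or set(bits) - {"0", "1"}:
        raise ValueError("expected a 26-character string of 0/1")
    b = [int(c) for c in bits]
    even_ok = sum(b[0:13]) % 2 == 0   # leading parity bit plus first 12 data bits
    odd_ok = sum(b[13:26]) % 2 == 1   # last 12 data bits plus trailing parity bit
    if not (even_ok and odd_ok):
        raise ValueError("parity error: frame corrupted or truncated")
    return {"facility_code": int(bits[1:9], 2), "card_number": int(bits[9:25], 2)}


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a frame from its two fields; used here to construct sample input."""
    if not (0 <= facility <= 255 and 0 <= card <= 65535):
        raise ValueError("field out of range for the 26-bit format")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)          # makes bit0 + first 12 bits even
    odd = str((data[12:].count("1") + 1) % 2)     # makes last 12 bits + bit25 odd
    return even + data + odd


def authorize(bits: str, site_facility_code: int, enrolled_cards: set) -> bool:
    """Mimic the legacy simplex flow: parity, facility-code check, then card lookup."""
    try:
        rec = parse_wiegand26(bits)
    except ValueError:
        return False                               # reject malformed frames outright
    if rec["facility_code"] != site_facility_code:
        return False                               # card belongs to another site
    return rec["card_number"] in enrolled_cards


# Constructed sample: facility 123, card 45678, enrolled at a site with code 123.
SAMPLE_FRAME = encode_wiegand26(123, 45678)
```

Note that nothing in this flow authenticates the card: the reader forwards whatever bits it saw, so the only checks available to the controller are parity and a lookup, which is the gap the PIV hash comparison in Figure 1 closes.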