Beyond HIPAA and GLBA

Most firms are familiar with HIPAA, Gramm-Leach-Bliley (GLBA) and Sarbanes-Oxley (SOX), but newer regulations are pushing certain industry sectors to adopt strong authentication.

The Federal Financial Institutions Examination Council (FFIEC) in the US, which consists of five federal banking regulators, issued guidance last October that financial institutions must deploy security measures to reliably authenticate online banking customers. While the FFIEC guidance does not specify the type of authentication technology needed, it does say that single-factor authentication is insufficient in light of increasingly sophisticated malware and rising identity theft. Banks must conduct comprehensive assessments of the risks associated with online banking and adopt authentication methods that reduce those risks by January. This regulation came as a surprise to some, but could set a standard for the security industry, says Cydelity CEO Bob Ciccone. In other domains, such as e-commerce, sites can be attacked in the same way as online banking, he says, and the FFIEC guidance could spur projects and products.

At the same time, federal agencies are grappling with Homeland Security Presidential Directive 12 (HSPD 12), which was issued in August 2004 and requires them to have a single ID card for physical and IT access. The card must be strongly resistant to fraud and tampering and be rapidly verifiable electronically.

According to security experts, agencies are scrambling to meet HSPD 12's 27 October 2006 deadline for implementation. The National Institute of Standards and Technology (NIST) issued a standard for the directive, FIPS 201 PIV, in February, but products are still being mapped out, evaluated and certified against it. Complying with HSPD 12 will take time, and some question whether it will have a positive impact. According to a survey by RSA Security, 76% of government integrators polled said that none, or only a few, of the agencies they do business with view HSPD 12 as an opportunity to lay the foundation for longer-term identity and access management initiatives. But if the directive is successful, says David Troy, identity solutions delivery manager at EDS, HSPD 12 will drive interest in smart cards, which have had lacklustre acceptance in the commercial sector in the US.