Beyond HIPAA and GLBA: New mandates push strong authentication

Most organizations are familiar with HIPAA, Gramm-Leach-Bliley (GLBA) and Sarbanes-Oxley (SOX), but newer regulations are pushing certain industry sectors to adopt strong authentication.

The Federal Financial Institutions Examination Council (FFIEC), which consists of five federal banking regulators, issued guidance last October that financial institutions must deploy security measures to reliably authenticate online banking customers. While the FFIEC guidance does not specify the type of authentication technology needed, it does say that single-factor authentication is insufficient in light of increasingly sophisticated malware and rising identity theft. Banks must conduct comprehensive assessments of the risks associated with online banking and adopt authentication methods to reduce the risks by January. This regulation came as a surprise to some, but could set a standard for the security industry, says Cydelity CEO Bob Ciccone. In other domains, like e-commerce, sites can be hacked the same way as with online banking, he says, and the FFIEC could spur projects and products.

At the same time, federal agencies are grappling with Homeland Security Presidential Directive 12 (HSPD 12), which was issued in August 2004 and requires them to have a single ID card for physical and IT access. The card must be strongly resistant to fraud and tampering and be rapidly verifiable electronically.

According to security experts, agencies are scrambling to meet HSPD 12's Oct. 27 deadline for implementation. The National Institute of Standards and Technology (NIST) issued a standard, called FIPS 201 PIV, for the directive in February, but products are still being mapped out, evaluated and certified to the standard. Complying with HSPD 12 will take time, and some question whether it will have a positive impact. According to a survey done by RSA Security, 76% of government integrators polled said none, or only a few, of the agencies they do business with view HSPD 12 as an opportunity to lay the foundation for longer-term identity and access management initiatives. But if the directive is successful, David Troy, identity solutions delivery manager at EDS, says HSPD 12 will drive interest in smart cards, which have had lackluster acceptance in the commercial sector in the U.S.

Kelley Damore is the editorial director of the TechTarget Security Media Group.
