I just returned from speaking at the Financial Information Security Decisions conference (held by Techtarget.com - check it out) in New York with colleague Kelly Manthey from Solstice Consulting; the conference was great, and our presentation seemed to be well-received.As we were waiting at the airport for our horribly-delayed flight out of Newark, our conversation turned to airport security. Now, there are a few very good blogs out there, written by very smart people, discussing airport security, so I won't get into the Transportation Security Administration here. However, Kelly and I ran into an interesting subset that I thought might make for good discussion here.
Kelly was expressing how she found it somewhat frustrating how all airports apply security to protect the aircraft and its' passengers, but they all implement it in a very different manner. The screening process at Chicago's O'Hare airport, for example, is slightly different than at Newark. At O'Hare, you can use TSA-approved bags for your laptop so you don't have to take it out and display it while going through screening. O'Hare even has signs posted that explain how it's acceptable for you to use one of these laptop bags. The TSA even posts their policy on their website.
Yet at Newark, Kelly was asked to pull her laptop out of this TSA-approved bag and display it, "to ensure it wasn't tampered with."When we thought of it in the context of an IT problem, rather than a physical security problem, our viewpoints shifted slightly. Perhaps it's a problem of not having architectural standards. Perhaps the scanning equipment is different at each airport. The TSA doesn't regulate that all airports use the same scanning/xray equipment, right?
That had us thinking...and this is where the identity management part of this comes in. Think of an airport as a corporation, and the airplane as the highly-sensitive...database, I suppose. You need to be able to move people in and out of this highly-sensitive database, but there is a risk that a small percentage of this audience has malicious intent.
How do you determine which sources (in this case, people) are to be trusted and which are not? There are two answers: authentication, and authorization.
Travelers are authenticated through their driver's license or passports. However, all those documents do is tell you that person knows how to drive or can follow a process for international travel. It doesn't give you any of their history so you can determine intent or credibility. This is where some principles of identity management directly clash with privacy: IdM says to have one source of truth, and privacy says people should be able to choose what you know about them. If we applied an Identity Management concept to this scenario, the drivers' license you present to the check-in steward at the airport would contain a record of your employment, credit, incarceration history, aliases, previous addresses, clubs, organizations and affiliations, financials, and health records. That's pretty scary, yes?However, wouldn't it be helpful to have all of that information in one place to begin to determine the intent of an airline passenger, wouldn't it?
Ok, so maybe that's a bit too infringing to simply ensure airline safety. I can agree with that. I'm not quite ready to abandon the IdM mindset for this problem though. There is another concept that can be applied here: certification.
Depending on your industry, regulatory laws are starting to request companies perform regular audits of employee access. Asking a manager to review and authorize the access their team has is called "certification"; specifically, the manager "certifies" that the team has appropriate access.
How does that apply to people? When the U.S. Government is working on a top-secret project, they have to be very selective with who they trust to work on it. They have established a process to help determine that trust - security clearance. I won't go into the details in this post, but there's some digging into your history that occurs, some character references might be used, and you are given a clearance level.
The airport works in a very similar manner; pilots and co-pilots have certain clearance levels to permit them access to places that baggage-handling and custodial staff don't. Why not certify passengers?You can bet that frequent flyers would be interested in skipping the often-multiple-hour wait at security checkpoints, and I'm certain the TSA would appreciate the smaller amount of (uncertified) passengers they would have to screen.
Now, there are certainly some issues to address, such as cost. Could the cost savings of not having to continue to ramp-up scanning equipment, hire/maintain TSA employees, customer satisfaction, and managing people outweigh the certification process cost? One would think if we could certify people to handle our national secrets, we could certify people to ride on a plane.
Great blog! Very nicely written. I personally love and support the idea of certifying passengers. As an end-user of the airport security process, had I been told upfront that different x-ray machines have different requirements I might not be so annoyed at the process inconsistencies that appear to run rampant in the security process. It's all about setting expectations and change management:) Did TSA do a good job of change management and expectation setting when it comes to airport security procedures over the last 8 years?
ReplyDelete