Convergence of computer security and physical access control systems – Access Control

Organizations are increasingly adopting a model in which multiple use cases and identities can be processed on a single card or smartphone. Thanks to this convergence of use cases and identities, users do not have to remember or carry separate cards or other devices to open doors, log in to computers, or access cloud applications.

Likewise, this unification makes it possible to add other high-value applications, such as cashless vending machines, time and attendance tracking, and secure print management.

There is a growing demand for incorporating physical and computer access control credentials into a single card or smartphone managed through a single set of processes. Beyond the convenience it provides, unifying credentials on a single card or device can greatly improve security and reduce recurring operating costs. It also centralizes identity and access management, consolidates tasks, and enables organizations to quickly and efficiently employ strong authentication across their entire infrastructure to protect access to their critical computing and physical resources.

The new integrated credential management model moves organizations forward in four important directions: from cards to smartphones, from readers to convenient “one-touch” access, from Public Key Infrastructure (PKI) technology to simplified solutions with a higher level of security, and from existing PKI technology to truly unified access control with strong authentication.

This white paper examines the main driving forces, challenges, implementation options, and outcomes associated with a unified physical and computing access control solution. It also describes the added value of giving users an optimal experience when they use cloud applications and services, access data, and open doors, and explains the benefits of unified enrollment processes and workflows that span the different identities used across PACS and IT security applications.

Historically, the main concern of organizations has been to create a high-security perimeter that protects access to their physical and computing resources. In older access control models, users present an identification credential to enter a building and then, once inside, use static passwords to authenticate to computing resources. However, given the nature of today’s advanced persistent threats (APTs) and the internal risks that come with adopting BYOD (bring your own device), these access protection methods are insufficient.

As part of their multi-layered security strategy, organizations should be able to implement better access control and employ strong authentication across their entire infrastructure. Unfortunately, until now it has been difficult to choose a strong authentication solution that is effective in protecting business data. Most of the solutions available on the market are inadequate, either because of the security features they offer, because of the cost and complexity they introduce into the organization, or because of the experience they provide to users. Employees want the convenience of using a single card or mechanism to gain quick and easy access to the resources they need to carry out their work. To achieve this goal, organizations must implement a solution that can protect access to all of their corporate resources, from doors to computers, data, applications, and the cloud. They must unify the traditionally separate domains of physical security and IT to coordinate identity management and user access.

Truly unified access control results from the combination of a security policy, a credential and an audit trail. In some organizations user management is already fully integrated: they have a single corporate policy that defines acceptable criteria for accessing and using resources, a single master user repository, and a single logging tool that simplifies reporting and auditing. Such an approach enables companies to:

· Provide convenience. The model replaces one-time password (OTP) tokens and key fobs, so users do not have to carry multiple devices or switch OTP keys to access all the physical and computing resources they need.

· Improve security. The model enables strong authentication across the entire IT infrastructure, in critical systems and applications (not just at the network edge), and even at the door.

· Reduce costs. With this model it is not necessary to invest in several separate access solutions; management is centralized, and the tasks associated with issuing, replacing and suspending credentials are consolidated into a single set of administration and help-desk processes.

With a unified access control model, the credential can be delivered in a variety of form factors, including a smart card (for example, an ID badge) or even a smartphone. Depending on the needs of the company and its existing infrastructure, there are several solution design options. The three most common models are the following:

Proximity in Existing Systems: Extends an existing card-based physical access control system that uses technologies such as iCLASS®, iCLASS Seos®, MIFARE™ and MIFARE DESFire™ so that the same card authenticates to business applications and networks. Software is installed on the end-user workstation, with a proximity reader connected to or built into it. The card is read without having to be physically inserted into the reader. This is convenient for users, who can take the same card they already use at the door reader and tap it against a desktop or laptop computer to access the computer and corporate and cloud applications.

This alternative does not use a PKI, which binds public keys to user identities through a certificate authority (CA). Used at the federal level, strong PKI authentication is a critical element of logical access and digital document signing for agencies and their contractors. A digital certificate, which includes the user’s public key, is placed on a Personal Identity Verification (PIV) card, which combines smart card technology with biometrics (a digitally signed fingerprint template) and also supports multi-factor authentication methods. Instead of a shared secret key, authentication uses a linked pair of public and private keys, such that information processed with one key can only be decoded or validated with the other. The Federal Bridge is used to establish trust between the PKI infrastructures of cross-certified agencies (that is, separate and independent infrastructures, each with its own root certificate authority), allowing the secure exchange of digital signatures and certificates among participating government organizations.

The proximity model for existing systems eliminates many of the main PKI management problems, but supports a narrower range of use cases and does not offer the same level of security as PKI-based solutions. The proximity model without PKI is being deployed in hospitals, schools and other environments where several users need to access the same workstation in quick succession. It is also used as a transition solution where requirements such as those of the Criminal Justice Information Services (CJIS) mandate that workstations and applications be protected by strong authentication.

Dual-chip card: Incorporates in a single smart card a proximity chip for physical access and a contact chip for logical access control. Credentials such as PKI certificates and OTP keys can be managed on the contact chip using a credential management system (CMS).

The dual-chip card model is popular with medium and large companies that process intellectual property (IP) or confidential customer data on their networks, as it provides a high level of security. It also allows companies to simplify the management of their IT security infrastructure and build on their investment in physical access control, since in many cases the CMS can be integrated directly into the PACS management system (often referred to as the PACS headend).

Dual-interface chip cards: Use a single PKI-enabled chip that has both a contact interface and a proximity interface to support physical and logical access control. The card can be used with a contact card reader for logical access use cases (such as logging on to a computer or signing an email) and with the proximity interface for PKI user authentication for physical access.

The dual-interface card model is primarily applied in US federal government organizations, where OMB-11-11 requires PIV credentials, specified in FIPS-201, to be used for physical access. PKI authentication over a proximity interface is inherently slow for physical access control. To solve this problem, FIPS 201-2 is expected to allow the authentication and key-agreement protocol suite of OPACITY (Open Protocol for Access Control Identification and Ticketing with privacY), which is expected to quadruple performance for essential transactions. It will also offer secure wireless communications, making it possible to use PINs and biometrics over the proximity interface. This will further strengthen authentication in both physical and logical access control.

An important benefit of convergence is that it enables organizations to leverage their investment in existing credentials to create a fully interoperable, multi-layered security solution across all company networks, systems and doors. Strong authentication will be increasingly used not only for remote access, but also on the company’s most important computers, applications, servers, cloud systems and facilities. This involves extending strong authentication to the door.

One of the first places where this transition will occur is at the federal level, with users’ existing PIV cards. To use a PIV card to enter a building, the digital certificates on the card are checked against a Certificate Revocation List (CRL) provided by the certification authorities. PKI authentication is a highly efficient and interoperable method not only for logical access control, aimed at protecting data, but also for physical access control, aimed at protecting facilities. In the latter case the infrastructure is known as “PKI at the door”.
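As an added example (not part of the white paper or any HID product), the following Go program shows the three checks a “PKI at the door” reader performs on a presented card, combining the key-pair authentication described above with the CRL check: the certificate must chain to a trusted root, must not appear on the CA-signed CRL, and the card must sign a fresh reader nonce with the private key matching its certificate. The CA, the two cards and the CRL are constructed in memory with ephemeral Ed25519 keys (chosen for brevity; real PIV credentials use RSA or ECDSA), and all names and serial numbers are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Admit is the door-side decision of a "PKI at the door" reader: admit only if the card chains to a
// trusted root, is absent from the cached CRL, and signed the reader's fresh nonce (card side:
// ed25519.Sign(cardKey, nonce)) with the private key that matches its certificate.
func Admit(roots *x509.CertPool, crl *x509.RevocationList, card *x509.Certificate, nonce, sig []byte) error {
	if _, err := card.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err // expired, forged, or issued by a CA the reader does not trust
	}
	for _, r := range crl.RevokedCertificates { // serial listed => card reported lost or stolen
		if r.SerialNumber.Cmp(card.SerialNumber) == 0 {
			return errors.New("certificate is on the CRL")
		}
	}
	if pub, ok := card.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("challenge signature invalid")
	}
	return nil
}

// issue creates a certificate signed by signer; ca selects the trust-anchor or card profile.
func issue(serial int64, cn string, ca bool, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca { // self-signed root that may sign certificates and CRLs
		t.KeyUsage, parent = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, t
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer) // fixture code: errors ignored
	c, _ := x509.ParseCertificate(der)
	return c
}

// Scenario is a constructed (hypothetical) deployment with ephemeral keys: one agency CA, card 0 (valid)
// and card 1 (reported lost, so revoked). Returns the trust-anchor pool, the CA-signed CRL, cards and keys.
func Scenario() (roots *x509.CertPool, crl *x509.RevocationList, cards [2]*x509.Certificate, keys [2]ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue(1, "Example Agency PIV CA", true, caPub, nil, caKey)
	for i, cn := range []string{"Alice (PIV)", "Bob (PIV, lost)"} {
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		cards[i], keys[i] = issue(int64(1001+i), cn, false, pub, ca, caKey), key
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(12 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: cards[1].SerialNumber, RevocationTime: time.Now()}}}, ca, caKey)
	if crl, err = x509.ParseRevocationList(der); err != nil || crl.CheckSignatureFrom(ca) != nil {
		panic("reader must not load a CRL the CA did not sign")
	}
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return
}
```

A deployed reader would also reject a CRL whose NextUpdate has passed and use OCSP or a cached status when the CRL cannot be refreshed; both are omitted here.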

Agencies are taking a phased approach to implementing PKI at the door, progressing as budget becomes available. To make such a deployment possible, they are configuring their infrastructure so that it can be quickly and easily upgraded with strong PKI authentication for physical access control when they are ready. For example, they initially register all their PIV cardholders in their headend system and then deploy the Transition Readers prescribed by the General Services Administration, which read the card’s unique identifier and check it against the registered cardholder without employing any FIPS 201 authentication mechanism.

It is expected that PKI authentication at the door will be increasingly adopted as FIPS 201 evolves and more products support it. Likewise, Commercial Identity Verification (CIV) cards will allow PKI authentication at the door to be implemented at a lower cost. These cards are technically similar to PIV cards but do not carry the additional requirements imposed by the federal government. Unlike federal agencies, CIV card users will not have to buy certificates from a trust anchor or pay annual maintenance fees; they can instead generate their own certificates. Although the cards will cost slightly more, since additional memory is needed to store the certificate, this modest increase will bring the valuable additional benefit of stronger authentication at the door. Take, for example, a municipal airport that can use CIV cards alongside the PIV cards already carried by Transportation Security Administration (TSA) employees. The airport administration will be able to create a single access control system that works for both airport employees and the federal agencies operating there, while guaranteeing a high level of security through strong authentication.

Extending strong authentication across the entire physical and logical access control infrastructure will also be important in the enterprise. Organizations need different authentication methods and the flexibility to easily handle different users and adequately protect different resources. With easy-to-use solutions available, companies can protect access to their resources from both managed and unmanaged devices. Without having to design or maintain multiple authentication infrastructures, companies can employ a single solution to protect access to all of their resources, from a facility door or copier to a virtual private network (VPN), a terminal service or a cloud application.

As is well known, users increasingly use mobile devices and bring their own devices (BYOD) into the organization’s environment, using smartphones, laptops and tablets to access the resources they need. According to ABI, by 2015 there will be 7 billion new wireless devices on the network, almost one mobile device for every person on the planet.

Organizations are trying to support all of this mobile access while evaluating ways to leverage their users’ mobile devices as platforms that carry credentials for physical and logical access control. Pilot studies have already been carried out, such as the one at Arizona State University, which showed that it is feasible to use a mobile phone to carry a physical access credential. The federal government is also looking at mobile access control. The FIPS 201-2 specifications are expected to cover extensions such as the concept of derived credentials that can be carried in the phone’s secure element (SE) using the same cryptographic services as the card.

Mobile access control requires rethinking the way physical access credentials are managed and allowing them to be carried on smartphones, so that organizations have the option of using smart cards, mobile devices, or both within their PACS. To this end, HID Global has created a new data model for its iCLASS SE® platform, called the Secure Identity Object® (SIO®), which can represent many forms of identity information on any device that has been enabled to operate within the secure boundary and core identity management ecosystem of the company’s Trusted Identity Platform (TIP). TIP uses a secure communication channel to transfer identity information between validated phones, their secure elements, and other protected media and devices. The combination of TIP and SIO not only improves security but also provides the flexibility to adapt to future requirements, such as adding new applications to an ID card. This solution is designed to provide a particularly robust type of protection and will be especially attractive in a BYOD environment.

In a mobile access control model, many kinds of data can be handled on a smartphone: access control data, cashless payments, biometrics and PC logon, among many other applications. The authentication credential will be stored in the mobile device’s SE, and a cloud-based identity provisioning model will eliminate the risk of credential copying while facilitating the issuance of temporary credentials, the cancellation of lost or stolen credentials, and the monitoring and modification of security parameters when required. Users will be able to carry a wide variety of access control credentials on their phone, as well as an OTP token for logging in to the computer. Just by tapping the phone against a tablet, they can authenticate to a network. By combining mobile phone tokens with cloud application single sign-on (SSO) features, it will be possible to unify classic two-factor authentication with simplified access to multiple cloud applications, all from one device that users rarely lose or forget. In addition, the same phone can be used to open doors and for many other applications.

There will undoubtedly be challenges, since the phones and other mobile devices used for physical and logical access control generally do not belong to the organization. For example, when a student graduates from a university, they do not return their phone, as employees do with their cards when they leave a company. Ensuring the privacy of BYOD users while protecting the integrity of business data and resources will be critical. IT departments will not have the same degree of control over BYOD devices or the untrusted personal applications they may carry, and they are unlikely to load a standard image with antivirus or other protection software onto BYOD devices. New ways will have to be found to meet these and other challenges. Despite the risks, the use of mobile phones equipped with an SE, or other equivalent protected containers, opens the door to powerful new authentication models that use the phone as a secure and portable credential store, enabling use cases that range from strong one-touch device authentication and remote data access to entering a building or apartment.

Mobility continually drives convergence, as it forces IT and physical security departments to work together to find solutions. The result can be a solution that allows PACS credentials and IT access credentials to be handled easily and inexpensively from phones while offering the same level of security as a card.

The ability to unify access control to physical and computing resources in a single device that can be used for many applications increases user convenience, while increasing security and reducing operational and deployment costs. Such a solution eliminates the need for separate processes for provisioning and registering IT and PACS identities. Instead, it will be possible to apply a unified set of workflows to a single group of managed identities, to achieve business unification. Companies will be able to easily protect access to physical buildings and computing resources, such as computers, networks, data, and cloud applications. An effective solution will also scale to protect access to other resources, as required,

Posted by techytanvir in Access Control