
Convergence of IT security and physical access control

Increasingly, organizations are adopting a model in which multiple use cases and identities are carried on a single card or smartphone.

by HID Global


Thanks to this convergence of use cases and identities, users no longer have to remember or carry separate cards or other devices to open doors, log in to computers, or access cloud applications. The same unification also makes it possible to add other high-value applications, among them cashless vending machines, time and attendance tracking, and secure print management.

There is a growing demand to carry the credentials of both the IT and the physical access control systems on a single card or smartphone, managed through a single set of processes. Beyond the convenience it provides, unifying credentials on a single card or device can greatly improve security and reduce recurring operating costs. It also centralizes identity and access management, consolidates functions, and enables organizations to quickly and efficiently deploy strong authentication across their infrastructure to protect access to their most important physical and computing resources.


The new integrated credential management model moves organizations in four important directions: from cards to smartphones, from readers to the convenience of "one-touch" access, from Public Key Infrastructure (PKI) technology to simplified solutions to achieve a higher level of security, and from existing PKI technology to truly unified access control with strong authentication.

This white paper examines the key driving forces, challenges, deployment options, and outcomes associated with a unified IT and physical access control solution. Additionally, it describes the added value of giving users an optimal experience when using cloud applications and services, accessing data, and opening doors. It also explains the benefits of unified enrollment processes and workflows that span different identities across multiple IT security applications and PACS.

Understand the factors driving the implementation of convergence
Historically, the main concern of organizations has been to create a high-security perimeter that protects access to their physical and computing resources. In the old access control models, users present an identification credential to enter a building and then, once inside, use static passwords to authenticate to computing resources. However, given the nature of today's advanced persistent threats (APTs) and the internal risks associated with adopting BYOD (bring your own device) policies, these methods of protecting access are insufficient.

As part of their multidimensional security strategy, organizations must have the ability to implement better access control and employ strong authentication across their infrastructure. Unfortunately, it has been difficult until now to choose a strong authentication solution that is effective in protecting enterprise data.

Most solutions available on the market are inadequate, either because of the security features they offer, because of the costs and complexity they introduce into the organization, or because of the experience they provide to users. Employees want the convenience of using a single card or mechanism to get quick and easy access to the resources they need to do their jobs.

To achieve this goal, organizations must implement a solution that can be used to protect access to all their corporate resources, from doors to computers, data, applications and the cloud. They must unify two domains that have traditionally been separate, physical security and IT, to coordinate identity management and user access.

The value of unified access control
Truly unified access control results from the conjunction of a security policy, a credential, and an audit trail. In some organizations, user management is already fully integrated, with a single corporate policy that defines acceptable criteria for accessing and using resources, a single user master repository, and a single logging tool to simplify reporting and auditing. This approach allows companies to:


*Provide convenience. The model replaces one-time password (OTP) tokens and key fobs, so users don't have to carry multiple devices or enter OTP codes to access all the physical and computing resources they need.

*Improve security. The model enables strong authentication across the entire IT infrastructure, in critical systems and applications (not just at the perimeter), and even at the door.

*Reduce costs. Thanks to this model, it is not necessary to invest in several access solutions, which centralizes management and consolidates tasks into a single set of administration and technical assistance processes, associated with the issuance, replacement and suspension of credentials.



Explore various deployment options
With a unified access control model, the credential can be delivered in a variety of formats, including a smart card (e.g., ID card) or even a smartphone. Depending on the needs of the company, as well as the existing infrastructure, there are several solution design options. The following are the three most common models:

Proximity on existing systems: This model extends an existing card-based physical access control system that uses technologies such as iCLASS®, iCLASS Seos®, MIFARE™ and MIFARE DESFire™ so that the same card can authenticate to networks and business applications. Software is installed on the end-user workstation, with a proximity reader connected to or built into it. The card is read without having to be physically inserted into the reader. This is practical for users, who can carry the same card they already use at the door reader and tap it on a desktop or laptop computer to log in to the computer and to corporate and cloud applications.

This alternative does not use a PKI, which links public keys to user identities through a certificate authority (CA). In the U.S. federal government, strong PKI authentication is a critical element of logical access and digital document signing for agencies and their contractors. A digital certificate, including the user's public key, is placed on a Personal Identity Verification (PIV) card, leveraging smart card technology and biometrics (a digitally signed fingerprint template), and also supporting multi-factor authentication methods.


Instead of using a shared secret key for authentication, a pair of linked public and private keys is used, so that information processed with one key can only be decoded or validated using the other key. The Federal Bridge is used to establish trust between the PKI infrastructures of cross-certified agencies (i.e., separate and independent infrastructures, each with its own root certification authority), enabling the secure exchange of digitally signed information and certificates among participating government organizations.

The proximity model on existing systems eliminates many of the major PKI management burdens, but supports a narrower range of use cases and does not offer the same level of security as PKI-based solutions. The PKI-free proximity model is being implemented in hospitals, schools and other settings where multiple users need to access the same workstation at short intervals. It is also being used as a transitional solution where requirements such as those of the Criminal Justice Information Services (CJIS) call for workstations and applications to be protected by strong authentication.

Dual-chip card: This combines on a single smart card a proximity chip for physical access and a contact chip for logical access control. Credentials such as PKI certificates and OTP keys can be managed on the contact chip using a credential management system (CMS).

The dual-chip card model is popular with medium and large companies that process intellectual property (IP) or sensitive customer data on their networks, as it provides a high level of security. It also allows companies to simplify the management of their IT security infrastructure and take advantage of their investments in physical access control, since in many cases the CMS can be integrated directly into the PACS management system (often referred to as the PACS head-end).

Dual-interface chip card: This uses a single PKI-enabled chip with both a contact interface and a contactless (proximity) interface to support both physical and logical access control. The card can be used with a contact card reader for logical access use cases (such as logging in to a computer or signing an email) and with PKI authentication for physical access.

The dual-interface card model is primarily applied in U.S. federal government organizations, where memorandum OMB M-11-11 requires that PIV credentials, specified in FIPS 201, be used for physical access. PKI operations over the contactless interface can be slow for physical access control. To resolve this issue, FIPS 201-2 is expected to enable the OPACITY (Open Protocol for Access Control Identification and Ticketing with privacY) suite of authentication and key agreement protocols, which is expected to quadruple the performance of essential transactions. It will also offer secure wireless communications, making it possible to use PINs and biometrics over the contactless interface. This will further strengthen authentication for both physical and logical access control.

Migrate strong authentication to the door
A major benefit of convergence is that it allows organizations to leverage their investment in existing credentials to create a multidimensional, fully interoperable security solution across all of the company's networks, systems, and doors. Strong authentication will increasingly be used not only for remote access, but also for the company's most important computers, applications, servers, cloud systems and facilities. This involves migrating strong authentication to the door.

One of the first places where this transition will occur is in the federal government, with users' existing PIV cards. To use a PIV card to enter a building, the digital certificates on the card are checked against a Certificate Revocation List (CRL) provided by the certificate authorities. PKI authentication is an extremely efficient and interoperable method, not only for logical access control, oriented to data protection, but also for physical access control, oriented to the protection of facilities. In the latter case the infrastructure is known as "PKI at the door".
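The PKI mechanics described above (a CA binding a public key to an identity, a key pair whose halves validate each other) and the CRL check at the door can be seen end to end in the following Go program. It is an added example, not code from the original article or from HID Global's products: a constructed toy agency CA issues a cardholder certificate, publishes a CRL, and a door reader verifies the certificate chain, the CRL and a signed nonce before deciding. All names (NewCA, IssueCard, PublishCRL, Admit, "Example Agency Root CA", the serial numbers) are assumptions, it uses only Go's standard library, and it uses ECDSA P-256 rather than any particular PIV key type.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key pair and a one-day certificate for it, signed with signer under parent
// (self-signed with the new key when signer is nil).
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA is the root of a hypothetical agency CA (constructed for this example), entitled to sign certificates and CRLs.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return newCert(tmpl, tmpl, nil)
}

// IssueCard binds a fresh public key to the holder's name under the CA's signature; the returned
// private key models the one that never leaves a PIV/CIV card.
func IssueCard(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, holder string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: holder},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return newCert(tmpl, ca, caKey)
}

// PublishCRL signs a CRL (DER), good for one hour, listing the given certificates as revoked.
func PublishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(time.Now().Unix()),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// Admit is the door reader's decision: nil only if the certificate chains to the trusted root inside its
// validity period, is absent from a fresh, root-signed CRL, and the card signed this reader's nonce.
func Admit(root *x509.Certificate, crlDER []byte, cert *x509.Certificate, nonce, sig []byte) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(root) // a CRL is only as trustworthy as its signature
	}
	if err != nil {
		return fmt.Errorf("CRL: %w", err)
	}
	if time.Now().After(crl.NextUpdate) { // fail closed rather than trust stale revocation data
		return errors.New("CRL is stale; refusing to decide")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is on the CRL")
		}
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return fmt.Errorf("challenge: %w", err)
	}
	return nil
}

func main() {
	ca, caKey, _ := NewCA("Example Agency Root CA")
	cert, cardKey, _ := IssueCard(ca, caKey, 101, "alice")
	crl, _ := PublishCRL(ca, caKey) // nothing revoked yet
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh per presentation, so a captured signature cannot be replayed
	digest := sha256.Sum256(nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, cardKey, digest[:]) // the card signs; its private key never leaves it
	fmt.Println("door decision:", Admit(ca, crl, cert, nonce, sig)) // <nil> means open
}
```

Two design points matter for a real deployment. First, the reader refuses to decide on a CRL it cannot validate or that is past its NextUpdate: revocation data that is missing or stale should deny access, not silently allow it. Second, the nonce is generated by the reader for each presentation, so the card has to prove possession of the private key live; a certificate alone, which is public, opens nothing.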

Agencies are taking a phased approach to implementing PKI at the door, progressing as budget becomes available. To make such an implementation possible, they are configuring their infrastructure so that it can be quickly and easily upgraded to strong PKI authentication for physical access control when they are ready to do so.

For example, they initially register all of their PIV cardholders in their head-end system and then simply deploy transition readers, as prescribed by the General Services Administration, which read the card's unique identifier and check it against the registered cardholder without employing any FIPS 201 authentication techniques. These transition readers can later be reconfigured in the field to require multi-factor authentication.

PKI authentication at the door is expected to be increasingly adopted as FIPS 201 evolves and more products compatible with it become available. In addition, Commercial Identity Verification (CIV) cards will allow PKI authentication to be implemented at doors at a lower cost. These cards are technically similar to PIV cards, but without the additional requirements imposed by the federal government. Unlike federal agencies, users of CIV cards will not have to purchase certificates from a trust anchor or pay annual maintenance fees, but can generate their own certificates.

Although the cards will cost slightly more, since additional memory is needed to store the certificate, this modest increase buys the valuable additional benefits of stronger authentication at the door. Take, for example, a municipal airport that will be able to use CIV cards alongside the PIV cards already carried by Transportation Security Administration (TSA) employees. Airport management will be able to create a single access control system that works for both airport employees and the federal agencies operating there, while ensuring a high level of security through strong authentication.

Extending strong authentication to the entire physical and logical access control infrastructure will also be important in the enterprise. Organizations must have different authentication methods and the flexibility to easily process different users and adequately protect different resources. By having easy-to-use solutions at their disposal, companies can protect access, from managed and unmanaged devices, to their resources. Without the need to design or maintain multiple authentication infrastructures, companies can employ a single solution to protect access to all their resources, from a facility door, or a photocopier, to a virtual private network (VPN), terminal service, or cloud application.



And what about mobile devices?
As is known, users increasingly use mobile devices and bring their own devices (BYOD) to the organization's environment, using smartphones, laptops and tablets to access the resources they need. According to ABI, by 2015 there will be 7 billion new wireless devices on the network, which means almost one mobile device for every person on the planet.

Organizations are trying to support all of this mobile access while at the same time evaluating ways to use their users' mobile devices as platforms that carry credentials for physical and logical access control. Pilot studies have already been carried out, such as the one at Arizona State University, which showed that it is feasible to use a mobile phone to carry a physical access credential.

The federal government is also looking at mobile access control. The FIPS 201-2 specifications are expected to cover expansions such as the concept of derived credentials, which can be carried in the phone's secure element (SE) using the same cryptographic services as the card.

Mobile access control forces us to rethink the way physical access credentials are managed, and involves allowing them to be carried on smartphones, so that organizations have the option to use smart cards, mobile devices, or both, within their PACS. To this end, HID Global has created a new data model for its iCLASS SE® platform, dubbed the Secure Identity Object (SIO®), which can represent many forms of identity information on any device that has been enabled to operate within the secure boundary and central identity management ecosystem of the company's Trusted Identity Platform (TIP).

TIP employs a secure communications channel to transfer identity information between validated phones, their secure elements, and other secure media and devices. The combination of TIP and SIO not only improves security, but also provides the flexibility to adapt to future requirements, such as adding new applications to an ID card. This solution is designed to provide a particularly robust type of protection and will be especially attractive in a BYOD environment.

In a mobile access control model, many kinds of data can be handled on a smartphone: access control credentials, cashless payments, biometrics, and PC login, among many other applications. The authentication credential will be stored in the SE of the mobile device, and a cloud identity provisioning model will eliminate the risk of credential copying, while facilitating the issuance of temporary credentials, the cancellation of lost or stolen credentials, and the monitoring and modification of security parameters when required.

Users will be able to carry a wide variety of access control credentials on their phone, as well as an OTP token for logging in to the computer. By simply tapping the phone on a tablet or personal computer they will be able to authenticate to a network. By combining mobile phone tokens with the single sign-on (SSO) features of cloud applications, it will be possible to unify classic two-factor authentication with simplified access to multiple cloud applications, all from one device that users rarely lose or forget. In addition, the same phone can be used to open doors and in many other applications.

Challenges will no doubt need to be faced, as phones and other mobile devices used in physical and logical access control applications usually do not belong to the organization. For example, when a student graduates from a university, they don't return their phone, as employees would with their cards when they stop working at a company. It will be critical to ensure the privacy of BYOD users, while protecting the integrity of business data and resources.

IT departments won't have the same degree of control over BYOD devices or any untrusted personal applications they may carry, and they're unlikely to be able to push a standard image with antivirus or other protection software onto them. We will have to find new ways to address these and other challenges. Despite the risks, the use of SE-equipped mobile phones, or other equivalent secure containers, opens the door to powerful new authentication models that leverage the phone as a secure and portable store for credentials, enabling use cases ranging from strong one-tap authentication of the device and access to remote data to entering a building or apartment.

Mobility is continually driving convergence as it forces physical and IT security departments to work together to find solutions. The result can be an alternative that allows the simple and economical handling of PACS credentials and IT access credentials from phones, while offering the same level of card security.

Reaping the benefits of true convergence
The ability to unify access control to physical and computing resources on a single device that can be used for many applications increases user convenience, while increasing security and reducing operational and deployment costs. Such a solution no longer requires separate processes for provisioning and registering IT and PACS identities.

Instead, it will be possible to apply a unified set of workflows to a single group of managed identities, achieving unification across the business. Companies will be able to easily protect access to physical facilities and computing resources, such as computers, networks, data and cloud applications. An effective solution will also scale to protect access to other resources as required, supporting a multidimensional, fully interoperable security strategy that can protect the organization's buildings, networks, systems, and applications, now and in the future.

Santiago Jaramillo
Editor
Social communicator and journalist with more than 15 years of experience in digital and print media specializing in Latin America. Currently Editor of the magazines Ventas de Seguridad and Gerencia de Edificios, and Academic Coordinator of the TecnoEdificios Congress.
