It is clear that there has been a growing awareness of the importance of increasingly strong identity verification and credentialing. There are constant reminders of the threats to our institutions and the vulnerabilities that are raised when a strong program of identity management has not been implemented in the enterprise.
Security professionals, both on the physical security as well as the logical security side, have struggled to bring adequate technology solutions to the problem – engaging in an ever-escalating battle to meet the latest threat that thwarts the previous solution. To a very large extent, organizations have run out of solutions that can scale to meet the threats – how long and how complicated can IT managers make passwords before their users rebel?
On the physical security side, technology solutions suffer from a lack of strength. Often, single factor authentication is the rule even in modern systems. In addition, a lack of standardization continues to prevail, and organizations are locked into technologies that have failed to keep pace. Worst of all, there are too many instances of using organization credentials as flash passes for facility access.
Security professionals can rest assured that solutions are emerging to both physical and access security problems that use more sophisticated smart card-based credentials paired with a strong process of identity vetting and strict procedures for issuing the cards. The U.S. federal government credentials employees with a smart card that incorporates a standards-based approach, strong security and a technologically advanced card – called the Personal Identity Verification (PIV) card. The PIV card contains standard identity information, Public Key Infrastructure (PKI) credentials and biometrics that provide an infrastructure for the improvement of both logical and physical access. While deployment of the new credentials is not complete outside of the Department of Defense, taking advantage of this new infrastructure can be a “game changer” for access control and offers the possibility of the physical security brass ring – increasing the security of the access transaction while lowering costs.
Embracing existing standards
Many questions exist on access control standards. What technologies and which standards will help an organization achieve the promise? How do you construct a physical security access plan around these new credentials? How do you handle access for those who are not card holders?
The basic starting point for those tasked with handling physical access control may be one that is unfamiliar: Learn about and embrace existing and emerging standards and build your access system in a way that will allow a natural evolution of your program to meet new challenges. This is a best practice that has been effectively learned on the information technology side of the house and is just beginning to emerge on the physical access side. As these two domains converge, as they do with the introduction of smart credentials, best practices will aid in both controlling costs and ensuring success in the implementation. Standards help with future proofing the system, increasing competition, lowering costs, encouraging third-party certifications and bringing stable and tested technologies.
Taking advantage of a standards-based credential, such as the federal government's PIV card, jumpstarts the effort to increase security and lower costs. There are dozens of standards that are incorporated into the card, including the chip contact interface, the contactless interface, the card's layout and fingerprint template, the information contained on the card and many others. The next step is an effective plan that takes advantage of the card's standards and technologies. At the highest level, an effective physical access plan needs these essential components: effective privilege management, multifactor authentication, escalation procedures, and equally strong procedures for all populations seeking access.
Managing access privileges
Privilege management is at the heart of an access control system. It is more than a binary yes/no, and this aspect of access control will greatly increase in importance as the physical and logical security domains converge. Privilege management addresses who can access the facility; where in the facility he or she can go; when he or she can access the facility (what hours and days and under what security conditions); and what he or she can bring into the facility – cars, trucks, weapons, etc. Setting up the privilege system can be straightforward for a building or immensely complicated for a campus or a military base. Privilege management information must be brought into every access transaction and conditions the right to access. When physical and logical access domains converge, access privileges can get even more granular such as logical access denied for those without appropriate physical access transaction.
Multifactor authentication is readily enabled by standards-based credentials, but it is not automatic and has to be designed into the access control process. The level of authentication is also the best way to ratchet up the security of the access during times of higher threat. So if security was the only concern, using the current PIV card would allow you to do a contactless read and establish the cardholder ID and privilege, obtain a pin from the cardholder, examine the PKI certificates for authenticity and currency, pull down the photograph from the card and use facial recognition technology, and check fingerprints using a match on the card algorithm. The capabilities are impressive, and all could play a role in an effective system, depending on the security requirements and the length of the entry line with which you are willing to put up. Picking the right solution is key to achieving the increases in security as well as the opportunity to lower costs. Minimally, it requires at least two factor authentication. Simply doing an open contact or contactless read of the card is probably not secure enough for most applications.
Addressing dynamic threat levels
Dynamic response to changing threat levels is another essential component. This involves a thought out plan of who needs access during a period of heightened threat and how the authentication and access plan needs to change to raise the security of the access. Prior planning is key to building these components into the system and having the right technology available for implementing the plan.
Ensuring that there are no weak links in the security chain is the final essential ingredient. Strong identity management and authentication for employees, but weak processes for visitors or vendors, undercuts all that hard work. This can be the more difficult part of securing access, but there are both technology and business processes available to help.
Clearly visitors should be sponsored so the concept of a trust relationship exists with someone you already trust – the sponsoring employee. In addition, visitors have proofs of identity that can be authenticated; even a driver's license can provide some level of authentication. For example, many U.S. government visitors will have a secure identity issued by another federal agency that can be authenticated and a biometric can be checked. Federated solutions are available to address the issue of contractor personnel or vendors. Many federal contractors are looking to issue compatible credentials, embracing the same standards as the federal PIV card. These cards can be authenticated using a federated identity infrastructure.
Commercial solutions also exist that can credential vendors; these issue a strong standards-based credential and provide an authentication service. Finally, instant vetting of individuals is increasingly available. These services can confirm basic identity information as well as perform law enforcement-such as checks for outstanding wants and warrants.
Emerging technologies
With the essentials handled, what technologies are emerging to help raise security and control costs using this new credential infrastructure?
Often the highest concern for physical security managers is using the existing access control infrastructure while taking advantage of the new credentials. There has been a significant investment made both in the software and the access control hardware -- do these have to be scraped in order to take advantage of new credential realities?
There are a couple of technologies that can help interface new credentials to existing legacy systems, and this clearly needs to be thoroughly explored in order to minimize both costs and the impact on employees. New middleware options allow the interface of Identity Management Systems (IDMS) to legacy systems, allowing the organization to move toward physical/logical integration while continuing to use existing infrastructure. This option may entail swapping out the proprietary readers for more standards-tolerant ones.
A new generation of smart badge readers is emerging as well. These readers are essentially mobile smart card readers that have been paired with physical access Radio Frequency Identification (RFID) technology. These readers allow the employee as they approach the access control barriers to enter his Personal Identification Number (PIN) code, which opens the smart card credential. The successful PIN entry then activates the legacy RFID to provide the entry code for the legacy system. A number of helpful business processes are at work her e-- the employee must have his smart ID, he must enter the right PIN, and it must be registered in the access control system to gain entry. This approach provides for multi-factor authentication while keeping the existing infrastructure intact, but requires the agency to invest in the newest generation of smart badge readers.
Installing an IDMS may be needed in order to provide the organization with a management tool for the new credentials. While in the past we looked at a vertically integrated process that was agency or organization specific, credentialing now has a larger agency-wide or enterprise look. The credentials may be issued by a headquarters element or even a managed service that is providing credentials to a number of agencies.
The best way for an agency to register the credential and make it available for access decisions, both logical and physical, is the implementation of an IDMS. The IDMS then is linked to both the directory system for logical access and the legacy physical access system for access control. Most importantly, the IDMS is linked to the authoritative databases that provide dynamic updating of individuals' information as well as the database that contains information on access privileges. Real-time or close-to-real-time updates of access information are key for maintaining the system's security. This ensures no access for employees who have separated from the agency.
Other biometric technologies help to enable multi-factor authentication while controlling costs. These may include facial recognition that is done in conjunction with lightly guarded access controls. It could also include license plate recognition or RFID identification of vehicles, which speeds up the authentication process by pre-staging the authentication records and pulling up pictures or other biometrics.
The reality is that new approaches to access control are coming, and they are coming quickly. They offer the promise of increasing security while also increasing cost effectiveness. New credentials are more sophisticated, secure and standards-based. They offer more security alternatives and take the burden of credential issuance and management off of the access security manager – as well as the costs. Now is the time for security professionals to plan for these new enterprise-wide credentials and develop a security and access plan that will embrace the new technology and use it effectively.
Robert Brandewie is senior vice president, identity and security solutions, for Telos Corporation, Ashburn, Va., where he directs the company's efforts in assisting government organizations to effectively meet increased security challenges with innovative services and software solutions.
