For enterprises considering higher-level, more integrated physical and logical security, identity and access management solutions built on smart cards or more sophisticated credentialing, keep your head out of the technology razzle-dazzle.
That’s the shared view of chief security officers, consultants and experts, who instead emphasize focusing on business needs of the enterprise as well as the most threatening current and emerging risks. And there are plenty of trends and challenges – new and old – impacting the risk landscape. Among them:
- An ever-evolving knowledge-driven workforce must have access to assets, both physical and digital, but with limitations that make sense to the enterprise.
- More of that workforce consists of independent contractors, freelancers and people at other partnership organizations who access, share and collaborate over assets.
- Homeland security mandates as well as requirements and regulations emerging from specific types of organizations – healthcare, government and military, to name a few – demand enhanced security and identity processes.
- Mobility is today’s proverbial two-edged sword. Things are moving beyond enterprise-provided laptops, smartphones, flash drives and remote access capability. It’s called BYOD, as in Bring Your Own Device. More workers bring their own gear into facilities and use it to reach enterprise assets.
- As Personal Identity Verification (PIV) cards and log-ins, required for all U.S. Government employees and contractors to gain physical and logical access to government resources, mature and spread, a new kind of “card” – the Commercial Identity Verification (CIV) credential – is catching on with enterprises. The CIV leverages the PIV-I specifications, technology and data model without the requirement for cross-certification. Any enterprise can create, issue and use CIV credentials according to requirements established within that enterprise’s unique corporate environment.
- In-the-cloud continues its march inside enterprises. With the exploding adoption of “whatever”-as-a-service applications, security and enterprise IT are fundamentally changing. While on-demand services provide a certain level of return on investment, they also introduce new challenges that must be overcome to truly capitalize on their potential. Identity management problems, such as controlling who is granted access to which applications and data, and how to control that access using on-premises directories, have become increasingly important. Single Sign-On and user management solutions that are optimized for the cloud are necessary to help address these challenges.
- Public/Private Key Infrastructure (PKI)-based validation in logical access control and digital document signing is fairly commonplace. PKI authentication has proven to be a highly efficient and interoperable method for protecting data. But it can also be used for physical access control to protect facilities, which has come to be known as “PKI at the door.”
- The massive $6 billion money-laundering fraud enabled by a shadowy Liberty Reserve kind-of-bank and the shocking but continuing thefts of intellectual property from American government and military contractors, allegedly engineered from China, all put more pressure on security, identity and access management policies, procedures and application of technology solutions.
So it is not surprising that, with so much swimming around in such an increasingly complex enterprise environment, smart cards, higher-level identity and credentialing are increasingly attractive to security executives, who may not always be familiar with the new-age nooks and crannies.
What follows are fine-focused briefings on several of the issues addressed in the eight headaches highlighted above.
Executive Briefing: Size, Growth of Nontraditional Workforce
According to the U.S. Bureau of Labor Statistics (BLS), the nontraditional workforce includes “multiple job holders, contingent and part-time workers and freelancers as well as people in alternative work arrangements.” Nearly four out of five employers, in establishments of all sizes and industries, use some form of nontraditional staffing. People in “alternative work arrangements" include independent contractors, employees of contract companies, workers who are on call and temporary workers.
There are no official numbers on how many contingent workers are employed in the U.S., partly because there's almost constant disagreement over what that term means but also because the U.S. Department of Labor hasn't counted completely since a survey in 2006 when the figure stood at 42.6 million people, or roughly 30 percent of the American workforce, though that number included self-employed workers as well.
But BLS estimates that the number grew around 29 percent from 2009 to 2012, as the country was struggling back from a recession. And an independent study from software company Intuit suggests the proportion of the workforce could hit 40 percent by the end of the decade.
Executive Briefing: BYOD? Deploy a Mobile Device Management Strategy
A recent industry study showed that almost 60 percent of employees bring some type of mobile device into the workplace. Consultant Marcus LaFountain calls it User Introduces Unsecure Device onto My Network and Then Loses My Secure Data (UIUDOMNTLMSD).
Alright, so he made that last one up, but that is how many security and IT executives feel when the discussion turns to BYOD. An end user bringing a device to work is both a gift and a curse for a company of any size. We see an increase in productivity but also an increased threat of data being lost or stolen. Having a strong Mobile Device Management (MDM) strategy can help companies reap the benefits of BYOD while limiting the consequences.
There are many reasons to justify a BYOD policy:
Productivity – An employee who uses their personal device for both work and play is likely to work, on average, 240 more hours per year than one who does not. They can answer emails on the go, answer phone calls while on the road (using a hands-free device, of course!) and receive that last-minute meeting update. Most employees won’t want to bring a work laptop home just to check emails after dinner or during downtime at home. Letting them receive push emails may empower them to write a quick message back to a client in a different time zone rather than having to wait until the morning.
Cost – There is also a cost justification. Not having to provide every employee with a business-only device can save not only the cost of the device but the monthly service plan that goes along with it. The number of devices can be reduced as well. A mobile phone is a cheaper and sometimes more convenient alternative than a laptop with a 4G cell card. Employees can still stay connected when not physically at their desk.
User Experience – Tech-savvy employees tend to have strong preferences when it comes to the technology they choose to use. Giving employees the ability to choose their mobile operating system, screen size and other technical specs may make them more likely to use the device rather than it sitting in a desk drawer unused.
However, it isn’t all sunshine and rainbows in the world of BYOD, points out LaFountain. As the use of mobile devices in the workplace increases, so does the number of malicious attacks. According to the Ponemon Institute, six out of 10 security breaches were traced back to mobile devices. Businesses must have policies and security measures in place to protect their assets. In 2009, the U.S. Government enacted the Health Information Technology for Clinical Health Act (HITECH), which requires healthcare companies to notify patients if their health records have been compromised. Similar acts were also put in place in the financial industry.
So constructing a comprehensive Mobile Device Management (MDM) policy is imperative.
Security – A lost or stolen device is the most common type of security breach. A company must have measures in place to combat this. Among common features: Both Android and Apple offer AES 256-bit encryption as standard. Lock screens, passwords and certificates all play a role. Microsoft ActiveSync and other software also allow security and IT administrators to perform a remote wipe of a compromised device. This is a necessary requirement when employees have company data on their mobile phones. Samsung has developed an enterprise suite called SAFE that allows the user to partition company data from personal data. It also gives administrators the ability to perform a complete or selective wipe, to track the device and to enforce a local password. Apple and other mobile providers are starting to, or already have, incorporated these features as well. If your company is using application virtualization, you may need to define new rules for allowing mobile devices. Users will also need a way to get hold of someone 24/7 in the event of a lost or stolen device.
Support – This may be a slippery slope for some. Most security and IT policies only allow for support of company devices. So who supports a personal device that is used for business? Depending on the size of your enterprise, you may want to assign a dedicated resource to manage your MDM policy.
Executive Briefing: PKI Moves to the (Physical) Door
Until now, the primary application of Federal Information Processing Standard Publication 201 (FIPS 201) has been for Public/Private Key Infrastructure (PKI)-based validation in logical access control and digital document signing. PKI authentication has proven to be a highly efficient and interoperable method for protecting data. It can also be used for physical access control to protect facilities, which has come to be known as “PKI at the door.”
PKI does not depend on a shared, secret key for authentication. Instead, a pair of linked public and private keys is used. Information processed with one key can only be decoded or validated using the other key. Trust between cross-certified agencies’ PKIs is established using the Federal Bridge. These cross-certified agencies generally have separate and independent infrastructures, each with its own root certificate authority. With trust established, secure information can be exchanged, including digital signatures and certificates sent from and between the various other participating government organizations.
To implement PKI strong authentication, users are issued Personal Identity Verification (PIV) smart cards carrying a digital certificate that includes the user’s public key. These PIV cards also leverage biometric technology (a digitally signed fingerprint template) and support multifactor authentication methods. When PIV cards are used to enter a building, their digital certificates are checked against a Certificate Revocation List (CRL), which is provided by the certificate authorities.
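As an added example (not code from the article or from any product it mentions), here is the reader-side decision for PKI at the door in Go: the presented card certificate must chain to the trusted root and be within its validity period, must not appear on a CRL that the issuing CA actually signed, and the card must prove it holds the private key by signing the reader's fresh nonce. The CA, the card holder, the serial numbers and the use of Ed25519 (real PIV cards carry RSA or ECC P-256 keys) are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Admit is the reader's decision for a presented card: trusted chain and validity, CA-signed CRL lookup, then proof of key possession.
func Admit(root *x509.Certificate, crl *x509.RevocationList, card *x509.Certificate, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := card.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // untrusted issuer, bad signature or outside the validity period
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return err // a CRL the CA did not sign could be used to "un-revoke" a lost card
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(card.SerialNumber) == 0 {
			return errors.New("card certificate is revoked")
		}
	}
	return card.CheckSignature(x509.PureEd25519, nonce, sig) // challenge-response: the card signed our nonce
}

// Scenario (constructed): a CA issues a card with the given serial, its CRL already lists lost card 4242, the card signs a nonce, Admit decides. Setup errors are discarded.
func Scenario(serial int64) error {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agency Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey)
	root, _ := x509.ParseCertificate(caDER)
	cardPub, cardKey, _ := ed25519.GenerateKey(rand.Reader) // on a real PIV card this key never leaves the chip
	cardTpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "PIV Auth - Jane Doe"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	cardDER, _ := x509.CreateCertificate(rand.Reader, cardTpl, root, cardPub, caKey)
	card, _ := x509.ParseCertificate(cardDER)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(4242), RevocationTime: now}}}, root, caKey)
	crl, _ := x509.ParseRevocationList(crlDER)
	nonce := make([]byte, 32)
	rand.Read(nonce) // the reader's fresh challenge; never reuse it
	return Admit(root, crl, card, nonce, ed25519.Sign(cardKey, nonce))
}
```

Scenario(7) is admitted; Scenario(4242) is refused at the CRL step even though its certificate is otherwise valid and its signature over the nonce is good.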
Agencies are deploying PKI at the door in phases, as budget permits. To facilitate this phased approach, agencies are configuring their infrastructure so that, when they are ready, it can be quickly and easily upgraded to PKI strong authentication for physical access control. The first step is to enroll all of their PIV card holders into their head-end system. This enables them to simply deploy Transitional Readers as defined by the General Services Administration (GSA).
Transitional equipment reads the unique identifier from the card and matches it with the enrolled card holder, but doesn’t use any FIPS-201 authentication techniques. Later, however, the Transitional readers can be reconfigured in the field to support multifactor authentication. The other option is to start with Transparent Readers, but this precludes the ability to upgrade in the field to FIPS-201. GSA-approved Transparent Readers listed on the APL (Approved Products List) do not, by themselves, constitute an “Authentication System” as defined by the GSA, and therefore do not, in and of themselves, provide the required validation mechanisms.
The bottom line for such an authentication system: There is no need to replace the readers, or the existing door controller and panel functionality, in order to achieve this capability.
PKI-at-the-door solutions are expected to become more widely adopted as FIPS 201 evolves and there is broader product availability. The technology won’t be restricted to smart cards, either. In the future, PIV cards will move to NFC-enabled mobile phones, along with associated strong authentication capabilities for both logical and physical access control.
In support of these mobile platforms, a new set of specifications called FIPS 201-2 is expected to include extensions such as the concept of derived credentials. This will enable a credential derived from the PIV card to be carried in the phone’s secure element. This digital version of the credential will provide the same cryptographic services as the card.
Another expected feature of FIPS 201-2 is that it will allow the use of the Open Protocol for Access Control Identification and Ticketing with privacY (OPACITY) authentication and key agreement protocols. OPACITY will add roughly four times the performance for critical tasks. It will also deliver secure wireless communications, which will enable the use of PIN and biometrics on the contactless interface. This will further strengthen authentication for both physical and logical access control.
Executive Briefing: Knowledge Workers More Innovative and Potentially More Dangerous
Groups of innovative employees – enabled by new social models and behaviors, high-powered portable devices, and situation-aware applications – are starting to work differently, switching seamlessly between real-time and asynchronous modes of collaboration.
By harnessing their own resources and exploiting free or low-cost solutions, next-generation knowledge workers are applying their consumer personas to business tasks and activities, be it in the office or in the field. In doing so, they are changing the way the job gets done and the results that are achieved; but many of these behaviors and approaches are not proactively supported by today’s physical security and cybersecurity strategies. In considering how to proceed, security leaders should realize that the enterprise asset sharing and collaboration products and cloud worker solutions selected in the next 18 months or so will determine how enterprises operate as they head through an uncertain decade toward 2020.
Business success in the 21st century is increasingly governed by an organization’s ability to link, synchronize and execute on its business, risk management and IT strategies in a compliant, transparent and effective manner. Business leaders are constantly on the lookout for new and effective ways to increase the value, contribution and productivity of employees. This is set against a working environment that is becoming ever more complex as organizations adapt and reconfigure their business processes and systems to address new opportunities, challenges and threats.
Executive Briefing: It’s CIV, Not Sieve
The Personal Identity Verification (PIV) card is used by Federal agencies to assign controlled resource access privileges to Federal employees and to authorize the cardholder to access both physical and logical resources. Private enterprises can also take advantage of this technology. This white paper defines the Commercial Identity Verification (CIV) credential, which leverages the PIV-I specifications, technology and data model so commercial enterprises can create, issue and use CIV credentials.
Executive Briefing: Securing Virtual Terminals
The U.S. Coast Guard has gone Stealth, adopting what its partner calls the Stealth Solution for Secure Virtual Terminal (SSVT). The approach allows mobile workers to securely access agency networks and data while traveling and between deployments.
Users plug the unit into the USB ports of their laptops or mobile devices to securely boot up and establish network connections with an enterprise network. It creates virtual "communities of interest" – groups that can share the same physical or virtual network without fear of another group accessing their data or workstations and servers. By assigning a cryptographic key to each community of interest, the solution can "go dark" on the network and secure the endpoint so it cannot be detected by anyone other than those authorized as part of a community of interest.
Smart Cards, Credentialing Roll with Many Punches
1. Knowledge-Driven Workforce Pushes Security Envelope.
2. Nontraditional Workers Can Fall Between the Cracks.
3. There are Mandates, Requirements and Regulations that Ever-Change.
4. Mobility and Bring Your Own Device Trends Troubling.
5. The Personal Identity Verification Experience Sizes to Commercial and Enterprise Use.
6. In-the-Cloud Continues its March Impacting Enterprises.
7. Public/Private Key Infrastructure (PKI)-based Validation Moves to the Door.
8. Risks Get Trickier, More Costly.