We’ve come a long way from a musician, John Wiegand, working for Echlin Mfg. Corp., an auto parts firm, and his twisted wire invention that still holds a big but diminishing influence in identity and physical security.
Nowadays, the emphasis is on identity and access management with government contractors, cybersecurity experts working for top multinational enterprises, computer service firms and smartphone makers all redefining secure access through doors, networks and mobile devices. Ironically, the forever balancing act between security and convenience may be tipping toward convenience with even more security.
Readers are evolving into multi-technology devices; cards are disappearing into a diversity of gear with more identity data on them or bridged through them. And, most importantly, the process of authenticating access is becoming more personal and more frequent and sometimes easier.
Obviously, the impact of September 11 continues to be felt, especially on the federal level but also seeping into state and local agencies, government contractors and many types of business enterprises. More than a decade after the tragic attack, the identity and access infrastructure continues to mature and expand.
PIV Card Expansion
One example is an integrated security system with emphasis on operational expansion of federal-mandated personal identity verification at the U.S. Department of Homeland Security Customs and Border Protection, including mission critical installations for managing and monitoring detention cells at Land Point of Entry (LPOE) along the U.S.-Canadian border.
Many LPOE facilities have detention cells to temporarily hold subjects for security purposes. As part of a recent access control system upgrade project, the General Services Administration, manager of all Federal government buildings, requested Vector Electric, Inc. (VEI) for a “guard tour” capability, utilizing existing Personal Identity Verification (PIV) cards that would provide an audit trail of guard visitations to each detention cell and document that detainees are being properly monitored, according to Duane Pittman, president of VEI.
Homeland Security Presidential Directive 12 (HSPD-12) led to FIPS 201 (whose second revision was recently in the approval stage), which mandates PIV cards and identity management for government workers and their contractors. The overall goal for the new, integrated system was for users to be able to use their HSPD-12 PIV cards seamlessly throughout the entire facility. The design “eliminated the need to carry several cards,” says Pittman, and the system, in addition to its core server functions, also serves as the backbone for the new duress system. Whenever a staff member presses a duress button, all other staff are made aware via sound and lights. The system pinpoints the location of the incident and records the event for any future reporting or investigation needs.
Together with a wireless provider, the project used the DHS-CBP Detroit-Windsor Tunnel as the “laboratory” for testing and perfecting new features and functionality, including secure FIPS 140-2 wireless network transmission and enhanced network security. Installing advanced wireless transmission capability at each facility is now virtually painless: each system is staged and tested prior to installation, and configuration and security checks are completed to ensure FIPS 140-2 wireless compliance.
One of the key aspects of the wireless capability is the high-level engineering and system-tuning so as to ensure signals do not bleed outside the designated buildings, creating another layer of security on top of the encryption used to achieve FIPS compliance, according to Bill Knapp of Capital Communications. “In the end, we have achieved a high-performing, highly secure network,” he says.
All video and access data is available through the combined interfaces, providing a full view of activity anywhere in the facility through both access control audit trails and video confirmation.
Virtualization is another way that security enterprises are moving beyond typical access control systems to higher tech identity management.
For example, the Georgia Tech Police Department (GTPD) is responsible for campus safety and building security 24/7 and manages access to more than 1,800 doors across multiple campuses, buildings and parking garages using the Georgia Tech BuzzCard access control system.
An existing software-based access system required building managers to assign access privileges from a specific workstation, with limited Web browser support. So the enterprise identified technology to leverage its virtual IT infrastructure, reduce system maintenance and simplify facility access management.
After an initial pilot deployment, GTPD then converted 60 doors in its Student Health Center and the Institute of Paper and Science Technology to the new platform, which synchronizes card access credentials with Georgia Tech’s centralized identity management system. IT administrators are now able to partition role-based access control privileges by building, course schedule or time of day and no longer need to maintain standalone application and database servers.
Among the benefits are:
- Manage facility access from any Web browser;
- Partition role-based access control privileges by building;
- Synchronize with campus-wide identity management systems;
- Eliminate the cost and complexity of legacy security systems; and
- Leverage investments in hardware virtualization.
In another virtualization design, the U.S. Coast Guard uses Stealth secure virtual terminals (SSVT) that allow mobile workers to securely access agency networks and data while traveling and between deployments.
The approach keeps a mobile user’s data secure and readily available only to those authorized to view the data. SSVT creates virtual “communities of interest,” which are groups that can share the same physical or virtual network without fear of another group accessing their data or workstations and servers. By assigning a cryptographic key to each community of interest, Stealth can “go dark” on the network and secure the endpoint so it cannot be detected by anyone other than those authorized as part of a community of interest.
The SSVT devices allow Coast Guard reservists, for example, to work remotely and keep up with their active-duty applications between their weekend and annual two-week reservist duties. SSVT can cut costs compared to the Coast Guard’s traditional use of virtual private networks combined with smart cards for remote access.
Biometrics also plays a role in emerging identity and access management solutions. While the perennial joke has been that biometrics will hit it big in 12 months only no one knows which 12 months, advances in the integration of fingerprint biometrics with smart telephones may be the tipping point.
Earlier this summer, a Fujitsu Android smartphone was launched in NTT DoCoMo stores all over Japan. The Disney-branded phone contains Fingerprint Cards’ swipe sensor technology. Finger sensors in smart devices have become an increasingly essential way to keep these devices secure while at the same time adding convenience for users.
Such developments complement an enterprise trend called BYOD or Bring Your Own Device. Security and IT executives are concerned that BYOD may threaten protection of corporate and government networks and data.
In January, at the Consumer Electronics Show, a Samsung Android phone with a fingerprint sensor beneath its screen was demonstrated. The sensor lets a user log into the Android-based smartphone with a single swipe of a finger.
As reported by BiometricUpdate.com, Apple is also incorporating biometric technologies into its devices. Apple entered into an agreement last year to purchase AuthenTec, which specializes in developing strong fingerprint-based security well suited to mobile devices.
The cloud also has an impact. Organizations are transitioning from traditional identity management to cloud ID management as the need for affordable, manageable identity management solutions and the popularity of cloud models both increase. Traditionally, most enterprises have run on-premise identity and access management solutions, but with growing trust in cloud-based services, the market for IAM in a hybrid model is expected to grow in the near future.
No doubt, the cloud provides significant problems and opportunities for identity and access management, according to global analyst firm Ovum. It is a disruptive technology that is challenging the status quo within the IAM sector.
According to Andrew Kellett, principal analyst for IT security solutions and author of the Ovum report, “The increasing use of cloud-based services is driving the need for better and more interactive single sign-on and federated identity management (FIM) facilities. For the foreseeable future, organizations will continue to make use of a mixed range of on-premise, hosted and cloud-based systems and services.”
Maybe the ultimate in identity and access management is facial recognition. The U.S. Department of Homeland Security tested a crowd-scanning project called the Biometric Optical Surveillance System – or BOSS – last fall. The automated matching of close-up photographs has improved greatly in recent years, and companies like Facebook have experimented with it using still pictures.
Still, even with advances in computing power, the technical hurdles remain far more challenging: crowd scanning is still too slow and unreliable.
PIV Cards Do More
- Compliance – The system provides an effective way to meet the requirements of CBP Directive 3340-030b.
- Unalterable Audit Trail – All activity is stored in a secure database that cannot be altered.
- Ease of Use – Officers use agency-issued PIV cards to log visits and other activity right at the cell.
- Customized Reports – CBP’s existing reports can be produced electronically at will using an intuitive interface.
- A Diversity of Devices – Monitor the system from a workstation or a handheld device over a FIPS 140-2 secure wireless network.
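The guard-tour audit trail above is described as unalterable. One way to make such a log tamper-evident is to chain each PIV check-in record to the hash of the record before it; this is an added example, not CBP's or VEI's code, and the PIV identifiers, cell names and timestamps are constructed.

```python
import hashlib
import hmac
import json

# Added example (not CBP's or VEI's code): a tamper-evident guard-tour log.
# Each cell-visit record is hashed together with the hash of the record
# before it, so editing, inserting or deleting a row breaks the chain and
# verification reports where the break occurs.

GENESIS = "0" * 64  # anchor hash for the first record in the chain

def _digest(prev_hash, record):
    """Hash of this record chained to the previous record's hash."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

class GuardTourLog:
    def __init__(self):
        self.entries = []  # list of (record, chained_hash)

    def log_visit(self, piv_id, cell, timestamp):
        """Record one PIV-card check-in at a detention cell."""
        record = {"piv": piv_id, "cell": cell, "ts": timestamp}
        prev = self.entries[-1][1] if self.entries else GENESIS
        chained = _digest(prev, record)
        self.entries.append((record, chained))
        return chained

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index)
        of the first record whose stored hash no longer matches."""
        prev = GENESIS
        for i, (record, stored) in enumerate(self.entries):
            if not hmac.compare_digest(_digest(prev, record), stored):
                return False, i
            prev = stored
        return True, None

def demo():
    """Constructed visits; then back-date the second one to show detection."""
    log = GuardTourLog()
    log.log_visit("PIV-0001", "cell-3", "2013-09-01T22:00:00Z")  # constructed IDs
    log.log_visit("PIV-0002", "cell-3", "2013-09-01T22:30:00Z")
    log.log_visit("PIV-0001", "cell-3", "2013-09-01T23:00:00Z")
    before = log.verify()
    log.entries[1][0]["ts"] = "2013-09-01T22:10:00Z"  # tamper with a timestamp
    after = log.verify()
    return before, after
```

A chain makes alteration detectable rather than impossible: the latest hash has to be copied somewhere the database writer cannot change, such as a separate log or a printed shift report, for the check to hold against someone with write access to the database.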
Single Sign-on Has a Role
Single sign-on (SSO) means that a user logs in once and gains access to all connected systems without being prompted to log in again at each of them; signing out likewise terminates access to all of those systems at once. Because different applications and resources support different authentication mechanisms, the SSO layer must internally translate the initial credential into, and store, the different credentials each of those systems expects. Benefits of using single sign-on include:
- Reducing password fatigue from different user name and password combinations;
- Reducing time spent re-entering passwords for the same identity; and
- Reducing IT costs due to lower number of IT help desk calls about passwords.
SSO relies on centralized authentication servers that all other applications and systems use for authentication, combined with techniques that ensure users do not have to actively enter their credentials more than once. As a result, SSO users do not need to remember so many passwords to log in to different systems or applications.
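The pattern just described, as an added example that is not from the article or any product it mentions: a minimal broker in which the user authenticates once, applications accept the broker's signed session token instead of re-prompting, the broker holds the per-application credentials it translates to, and one sign-out revokes access everywhere. The user, password and application credentials are constructed test data.

```python
import hashlib
import hmac
import secrets

# Added example (not from the article): a minimal SSO broker. Log in once,
# receive an HMAC-signed session token, present it to every application, and
# let one sign-out revoke access to all of them.
class SSOBroker:
    def __init__(self, users, app_creds):
        self._key = secrets.token_bytes(32)  # signing key for session tokens
        self._users = users                  # username -> password (constructed)
        self._app_creds = app_creds          # (username, app) -> backend credential
        self._sessions = set()               # tokens that have not been signed out

    def login(self, username, password):
        """Initial authentication, done once per session; token or None."""
        expected = self._users.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        body = f"{username}:{secrets.token_hex(16)}"  # assumes no ':' in names
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        token = f"{body}:{tag}"
        self._sessions.add(token)
        return token

    def _user_for(self, token):
        """Signature proves the broker issued it; the session set gives revocation."""
        body, _, tag = (token or "").rpartition(":")
        good = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, tag) or token not in self._sessions:
            return None
        return body.split(":")[0]

    def credential_for(self, token, app):
        """Stored backend credential for this user and application, or None."""
        user = self._user_for(token)
        return None if user is None else self._app_creds.get((user, app))

    def logout(self, token):  # terminates access to every application at once
        self._sessions.discard(token)

# Constructed test data: one user, two applications with different credentials.
USERS = {"jdoe": "correct-horse-battery"}
APP_CREDS = {("jdoe", "ticketing"): ("jdoe", "ticket-api-key-0001"),
             ("jdoe", "reports"): ("john.doe@example.org", "reports-pw-0002")}

def demo():
    sso = SSOBroker(USERS, APP_CREDS)
    token = sso.login("jdoe", "correct-horse-battery")
    creds = (sso.credential_for(token, "ticketing"), sso.credential_for(token, "reports"))
    sso.logout(token)
    return creds, sso.credential_for(token, "ticketing")
```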