Q&A: Securing the Door as Important as Securing the Data
Organizations regard the intersection of physical and electronic security—holistic security, if you will—as the end goal
Real-time authentication. It’s a familiar concept to security managers, who create elaborate electronic networks. More organizations, especially in the financial sector, are tasking their chief security officers with control of (and responsibility for) securing both the electronic and physical realms. The thinking: all the electronic countermeasures in the world won’t help if a criminal can easily walk into the server room and leave unnoticed with a few machines. Such high-profile (and embarrassing) incidents have recently occurred at Australian customs and British ministry offices.
To discuss the state of the physical and electronic security convergence, Security Strategies spoke with Phil Libin, president of validation and authorization technology company CoreStreet, which announced, with door-lock maker Assa Abloy, the first real-time, credentialed technology for door locks. Though it might seem mundane, wired door locks are almost always relatively static devices. The new versions, however, will allow for real-time authentication, revocation, and auditing, even in wireless environments.
What’s the impetus for having real-time door locks?
Our vision is that you need to be able to secure everything, whether it's a laptop or a door in an airport cockpit. We have the United States government using [our software] to validate electronic credentials, but a big part of this vision is that you have to secure the physical side as well.
Why isn’t this the norm today?
The problem is [today’s connected locks] work for small numbers, but for millions of users there's just no easy way to get all of [the locks] connected at once. So we have this whole notion of a self-validating proof, self-validating messages. It lets you do authentication without ever having to talk to a centralized server.
How does this new type of door lock differ from what’s already available?
There are normally two main types of door locks. One type is locks connected up to a central computer—you put in your card or key or whatever it is, then it asks a central computer if you're allowed to get in. They're pretty expensive; 70 or 80 percent of the cost can be that connectivity, just running the cables there and keeping it running. A worry is, if someone cuts through the cable, will I lose connectivity in [say] these two buildings?
What’s the other type of common lock?
The other kind is disconnected, those that just fit into a door—of course mechanical locks fit that category as well as some electromagnetic locks. But those doors only allow a certain number of keys [or codes]. The advantage is you can easily manage [what those keys are]. The disadvantage is they're hard to manage [in the sense that] if someone gets fired, you have to go around and change all of the locks.
How frequently do companies update codes on disconnected locks?
One of our employees used to work as a flight attendant for the airlines three years ago, and she can still get in to most of the locks in airports in the United States and Canada, because they have so many doors, thousands of employees; [hence] they’re changed infrequently.
How do your new locks differ?
Our whole technology is based around the concept of self-validating messages or proofs. One of these messages contains information about who can do what and when. So it says, Phil can go through purple locks today. That message is constructed in a way where there are no secrets there, so you can distribute it over any unprotected networks. And it’s small—20K or less. That's the main difference—in other [types of locks], you have to connect to a secure computer. With ours, you can get it from anywhere; it doesn’t have to be from an expensive, secure computer. Now that we've separated out the secure operations from the data, you have a bunch of different—as well as easier and more cost-effective—ways of managing physical security.
Can you give me an example of how the new types of locks work?
Let's say you have an airport, you can have the front and back doors, and they’re connected to an unsecured computer—that’s already better; you don't have to pay for an expensive network. So if I'm going in, it checks [for example] my card … and verifies I have access. But then it also takes the message proof and puts it back on my card, for a [delimited] time, and with that I can access other unconnected doors throughout the site. [Also] the whole way these messages are constructed is in a way that can't be spoofed. I can't make it up. Then there are a few enhancements as well, say, if someone gets fired, how do you lock them out as soon as possible.
So do all locks in the facility need connectivity?
No, only the ones at the perimeter. It will vary from installation to installation. Let's say this is an office building, the front door and back door might be connected, but then the 2000 locks inside might be unconnected. A very small number would be connected. You can also have wireless locks—a disconnected lock with a pager inside it. You can do that if you can't actually put wires to the connected ones. It's possible to do wireless with this technology, where it wasn't before, because the information that's being transmitted doesn't have to be protected.
How do unconnected locks know which security authentications to accept?
All the locks have a security policy that's put into them when installed, and you could change that security policy, but you'd have to go to all the locks to do so. The security policy basically says, I am a cockpit lock, and the only people allowed to go into the cockpit are pilots and cockpit inspectors. To authenticate, the perimeter requires biometrics [for example]; it says, okay, give me proof that you're a cockpit inspector or pilot.
At what stage is the technology?
All of our current customers are using the software to validate their electronic credentials. That's been deployed in the Department of Defense and federal government, and some large global 1000 companies, for things like computer log in [and] secure e-mail access. So it's the same technology that's being put into the locks. The locks will be installed in the first beta customers around the beginning of the year.
Will companies retrofit their installations to use the new locks?
At least initially, we're not going after the retrofit market; initially it's new construction with very high security requirements. Initially it will be in the military and government sphere.
Is retrofitting an option for security-conscious companies?
It's pretty simple, because it will work with your existing infrastructure. What you're doing is just putting the locks where you want them. [They don’t have to be everywhere.] So … you can do an upgrade to your connected ones, then you're just putting new locks in on the disconnected ones.
How, exactly, do the locks authenticate users?
Well, there is a difference between authentication and validation. We think that in order for any transaction to be secure, there are always two questions that have to be answered. One is, "Are you who you say you are?" You have to prove your identity. The second thing—this is the unique thing we focus on—is, "Okay, you've proven to me that you are who you say you are, but are you allowed to be doing what you say you’re supposed to be doing?" Is Private Phil Libin allowed to access the nuclear reactor this late at night? There, you have to prove your credentials—called authorization, validation, or access controls, depending upon which industry you're in.
What are the benefits to this kind of security over what’s already in place?
For the [end] user, the [benefit is that the overall] experience is easier. If security is going to be ubiquitous, then you can't train users on it. If you have to explain to an end user what the security is, then you've already failed; it's not ubiquitous. Then for the installer it's easy because you're not running wires everywhere.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.