Integrating Physical and Logical Access Control
Two security approaches, working in tandem, provide superior enterprise protection.
By Jeff Nigriny, CEO, CertiPath
Insider threats, financially motivated and malicious attacks on networks and systems, accidental access, and lost or stolen hardware. These are just some of the nightmares that keep enterprise IT teams awake at night. They are also the motivation behind much of innovative solutions used to protect information assets -- from firewalls and anti-virus software to identity management solutions that rely on cryptography and biometrics to provide higher levels of assurance.
Although access to buildings is also often highly controlled, that's where the similarities end. In many cases, employees use a badge to enter the front door and then a different credential to access the systems on which they do their work. There's no connectivity between the two systems -- although both are designed and deployed to meet a common goal: protection from loss, damage, or theft through knowledge of who is doing what, when, and where.
That scenario is changing, albeit slowly. Savvy companies are recognizing that the integration of physical and online access control is a game-changing approach to enterprise-wide security. Whether the resources that need to be protected are in a sensitive room or are a sensitive piece of data in a corporate database, the requirement to identify the requestor is the same. Giving further credence to the case for bringing physical and online access control together are the similarities already present in how access rules are defined for physical and online systems.
What's behind this evolution? In many industries, the growing reliance on mobile workforces only increases risk and cost -- creating armies of employees who don't have a single site where they work and who "hotel" at various employer sites. Add dozens of consultants, contractors and visitors who may need access for days or for months to complete a project, and the business case for a more integrated approach to access becomes apparent.
Lower Costs and Higher Security
CISOs at many organizations struggle to justify the cost of high-assurance identity credentials for use in their IT systems. CSOs have struggled with this same cost vs. benefit problem for high-assurance physical access control system (PACS) capabilities, such as support for biometric readers.
Today, enterprises creating successful business cases look at physical and logical access as the same problem that can -- and should -- leverage the same solution. Convergence saves money and improves security, a rarity in this space.
Public Key Infrastructure (PKI), the de facto standard for high-assurance transactions in online or Logical Access Control Systems (LACS), is now the best-of-breed authentication mechanism for Physical Access Control Systems (PACS) -- ensuring that the weakest link in enterprise security is not the front door.
The resulting federated identity strategy and systems enabled by PKI offer significant benefits, including:
- The ability to identify and authenticate a user once and use that identity information across multiple systems, including external partner Web sites
- The means to improve privacy compliance by allowing the user to control what information is shared, or by limiting the amount of information shared
- Better end-user experience by eliminating the need for new-account registration through automatic "federated provisioning" or the need to redundantly log in through cross-domain single sign-on
- The lower cost of issuing multiple badges and reducing the risk caused by lost credentials
The Real Gain: Better Operational intelligence
More important, the common framework for identity-based access enables a higher level of sophistication in detecting potentially malicious behavior.
CISOs and CSOs have not traditionally talked to one another given the silo-like nature of these areas. What opportunities are missed as a result? If a user is logged in from home on their VPN and at the same time the same person displays a badge at the office to enter the building, it's very likely there's a problem.
Even PACS talking to PACS in the same organization is unusual. What if a user displays their badge at their main office in the morning and at a branch office across the country an hour later? Attackers are looking for blind spots and the "PACS/LACS barrier" represents tempting, low-hanging fruit.
When physical and logical access control systems are tied together, companies get greater situational awareness. It is possible to confirm that when a person enters the building they are accessing information from that location; if access occurs from two locations simultaneously, a red flag must be raised immediately.
Extending Access to Your EcoSystem: The Final Frontier
Once the benefits of identity federation have been realized within an organization, there's more to be found by looking outward.
Identity federation is commonly accepted as the most effective way to gain assurance of the identity of persons external to an organization. In other words, organizations can recognize and accept a partner's own corporate-issued credential for access into the organization's applications. The organization receives the most up-to-date identity information about the partner, verifies the person's employment status, and avoids provisioning and maintaining credentials for these external users.
Interoperable credentials and a trust framework that backs them allow any organization to leverage their partners' credentials for PACS and LACS simultaneously.
What are You Waiting For?
Today, the U.S. Federal Government is leading the way, with PIV (personal identification verification) and PIV-I (personal identification verification-interoperable) as the dominant high-assurance credentials intended to be used for both PACS and LACS. Everything from desktop login to e-mail already take advantage of PIV- or PIV-I-based credentials, and today PACS vendors are releasing systems compatible with these credentials, enabling PACS-LACS integration.
It's no surprise, then, that the aerospace and defense industry is quickly moving to deploy integrated platforms that manage both physical and logical access as a means to better support government customers, reduce costs and lower the risk of security breaches.
Unfettered by the mandates that are accelerating adoption in government and markets that serve the government, commercial industries will move more slowly. However, organizations that accelerate the adoption of these models will quickly find that the benefits far outweigh the costs -- from facilitating collaboration to overcoming fragmented, expensive, and vulnerable approaches to managing identity authentication and access control.
Jeff Nigriny is CEO of CertiPath, a company specializing in high-assurance identity management. He can be reached at firstname.lastname@example.org