Many benefits to strong authentication
04 February, 2015
category: Corporate, Government, Smart Cards
Steve Bell, Chief Technology Officer for Security, Gallagher
A 2014 global study of U.S. based companies by the Ponemon Institute and Hewlett-Packard found the average cost of cyber-crime climbed by more than 9% year on year, with recent high profile attacks on Target and Home Depot making prime-time news. While most attacks have targeted IT Networks and Servers, security weaknesses on access credentials and field communications protocols are also being exposed.
Legacy credentials such as 125 kHz proximity, magnetic stripe, and early contactless smart cards each have published security compromises. In some cases, they simply lack any form of authentication. In others, the cryptographic implementation has been flawed, and subsequently exposed. Toolkits exploiting these weaknesses can be easily sourced on the Internet for less than $100. With the reality and costs of these security threats growing, employees and consumers need to consider using security products and processes that enforce strong authentication and encryption standards to all layers of their security system.
In addition to addressing security concerns, open standards based authentication can also improve credential interoperability between sites, and future proof a consumer’s investment in their credentials and access control hardware. The first true attempt to address opens standards based authentication for physical access control occurred with the release of the FIPS 201 standard, introduced more than 10-years ago.
The FIPS 201 standard documented a process for Personal Identity Verification (PIV) credential issuance, enrollment, and strong authentication, which enables credentials to be interoperable between sites. Developed initially for the U.S. Federal Government Agencies, this standard has broadened to allow PIV-I credentials for Federal Agency contractors, and CIV/PIV-C credentials for general sites wishing to gain the security and interoperability benefits the standard provides. Organizations need to increasingly consider whether an open standards approach to authentication is supported by their Physical Access Control System (PACS).
While the benefits of strong authentication are clear, many organizations avoid implementing these measures.
The cost and time associated with replacing legacy systems is often cited as a reason why sites fail to implement improved authentication processes. Replacing access hardware and credentials and re-training staff can be expensive, and can also impact on operational continuity.
Additionally, current solutions for stronger authentication can reduce the convenience and speed employees expect from a PACS. For example, stronger credential authentication between an access card and card reader can require more data being transferred between the card, reader, and control panel, resulting in a lower card read range, slower door access times, and frustrated employees.
Further, despite the increased publicity of cyber-attacks and their costs, many security system consumers remain unaware and/or unconvinced of the risks and costs poor authentication measures could have on their organizations.
There are several measures the security industry can take to encourage uptake of better authentication measures by their customers:
Reducing the cost of legacy system replacement
The onus is on security manufacturers not only to implement improved authentication measures in their systems, but to also make migration to these new systems easy and cost effective. This can include measures such as providing database migration tools, utilizing existing IT authentication infrastructure, providing multi-technology credentials, and re-using existing hardware wiring to reduce the cost of wiring new hardware.
Increasing awareness to consumers of the real risk and costs of electronic attacks
The industry can improve on quantifying the risks and costs of electronic attacks. While physical access control system breaches are rarely publicized and thus difficult to quantify, taking consumers through hypothetical attack scenarios can help them gain a better appreciation of the potential costs from loss of assets, IP, business continuity, and insurance premiums that a breach might entail.
Improving the ease of use of physical access by implementing strong authentication
Security manufacturers need to be constantly improving the performance of all elements of their systems to deliver strong authentication without compromising the ease and convenience of existing access solutions. Most employees interact with the physical access control system only when badging through doors, so good credential read range and speed of access decision forms their lasting impression of the system. Typically this means ensuring that all elements of the system work together seamlessly to provide the best customer experience, while maintaining strong authentication measures.
Embracing open standard credential and authentication methods
The security industry has an important role to play by encouraging strong authentication uptake. The industry can do this primarily by working together to adopt open standards architectures for the credentials that are issued, and the authentication mechanisms that are used to validate the authenticity of those credentials. This is becoming increasingly important as credentials move into the mobile space, where new, proprietary credential formats and authentication methods threaten to lock in a new generation of customers to proprietary credential issuers. Open standards in this area will ensure strongly authenticated credentials can be issued by a multitude of suppliers without the risk of vendor lock-in, and work seamlessly across a wide range of physical access control systems.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the market to serve as Expert Panelists. Individuals are asked to share their unique insight into different aspects of the campus card market. During the months of December, January and February these panelist’s predictions are published at SecureIDNews.