By Stephen P. Howard, VP Operations, CertiPath LLC & Salvatore D’Agostino, CEO, ID Machines
It’s here: next generation physical access control. The key drivers of physical access control systems are interoperability, security, scale and convergence of the logical and physical–people and things. These features come when leveraging the benefits of smart card credentials. Moreover, the standards behind next generation PACS provide a basis and building blocks that enable cost-effective and secure solutions.
The next generation systems are a new class of enterprise identity application that promises tremendous value. However, one critical consideration to bear in mind: these solutions must support integration with enterprise identity infrastructure–in particular, the emerging Personal Identity Verification credentials (PIV) issued by federal agencies, and the new Personal Identity Verification-Interoperable credentials (PIV-I) from non-federal issuers.
Navigating the Threat Landscape
Today’s cyber environment is full of threats and security risks. A next-gen system gains resiliency from its use of strong authentication, ensuring it cannot be fooled by clones and copies. A resilient physical access control system must take advantage of public and enterprise IT infrastructure, providing the provisioning and integrity of the credential within the system.
Identity and financial fraud runs into the tens of billions per year. Physical access control cannot be the weak link in solving this problem. To combat fraud, the next generation system upgrades credentials and hardware. The traditional lifespan of most physical access control systems exceeds 10 years. In some cases, technology refresh can take decades. As an example, look at physical keys, keyways and locksets. More than 100 vendors recognize this, and have made substantial investment in next generation products and people.
PKI: The Next Step
Throughout industry and government, public key infrastructure is widely used to enable cloud infrastructure, platforms and applications. Standards developers claim that using PKI to bring strong authentication to physical access systems is the next logical step.
Next generation solutions are at the forefront of strong authentication technology that supports the ubiquitous use of identity credentials and devices. These physical access control systems leverage PKI and biometrics for contact and contactless solutions, as appropriate to users’ needs.
The type and number of authentication factors adapt to the resource being accessed:
- What you have: e.g., digital certificates with challenge response protocols
- What you know: Fortunately, this can be a single PIN
- What you are: Typically a fingerprint and facial image, although increasingly iris and vein patterns.
PKI use has always been driven by the scale and key management asymmetric cryptography can provide. However, its implementation at scale presents challenges. At the U.S. Department of Defense, PKI lumbered under the load of revocation list data required to handle millions of users and high credential turnover.
Today, distributed validation products have been specified and deployed to support the growing population of more than 5 million PIV and PIV-I credentials. The next generation PACS makes use of this identity infrastructure and follows its expansion into critical infrastructure and other enterprises.
The Rise of PIV and PIV-I
PIV and PIV-I break open traditionally proprietary systems. Complying with these standards enables end-users and system integrators to gain flexibility with the system components used. This occurs in credentials, readers, panels, servers, sensors, alarms, video and networking gear. Complete interoperability enabling mix-and-match service providers isn’t yet a reality, but standards have paved the way for customer options.
Physical access isn’t the only reason enterprises should use interoperable credentials that deliver strong authentication and interoperability. PIV and PIV-I provide the scope and flexibility to address enterprise information application needs with authentication, encryption, signing and multiple form factors–and are particularly well-adapted to mobile form factors. Replacing a dual interface smart card with a mobile phone using its SIM and/or wireless capabilities already exist in “version 0.1” demos.
PACS environments are ideal for deploying strong authentication of both users and devices. PACS devices and controllers will make use of mutual strong authentication and encryption in accordance with the National Institute of Standards and Technology guidance on information security. These standards include FIPS 140, 199, 187 and 201. In fact, next generation physical access control deployments leveraging these standards are a pre-cursor to its use by supervisory control and data acquisition systems for critical infrastructures, manufacturing and process control.
Protecting Against Attack
In this continuum physical access control systems are no longer isolated. Deployed systems often run on their own dedicated IT network–rather than just a dedicated subnet–and their own dedicated servers. This isolation leads to a false sense of security.
Systems isolated from the internet are not immune to cyber and direct attack, especially given the expanding use of internet protocol devices by vendors. IP cameras deployed in the last decade without strong authentication or encryption are everywhere. Case in point: the United States government drone cameras that were sending video in the clear.
Next generation systems, along with PIV and PIV-I credentials and devices use strong authentication to address these challenges in two ways:
- Via the enterprise databases that exchange data with the PACS
- At the door, to mitigate attacks against individuals and assets.
With these new operational models in place, physical access moves away from just something that opens doors to a system that is part of a building. It is now a key application that must be built on the same architecture as IT networks and other corporate assets–such as the identity management and credential issuance system (IdM-CIS), for issuance of PIV and PIV-I credentials. They participate in high-assurance provisioning of the credentials and applications with individual access roles, rules and attributes.
Increasing sensors and resolution, a need for security in depth, increased use of analytics–all create the need for more data assigned to and consumed by access control systems.
By their very nature these systems deal with personally identifiable information, and the next generation will necessarily have to deal with the security of data at rest and in motion. Access control systems may contain biometric identifiers, emergency contact information, name, address, and related personal information. To minimize this information, next generation systems will take advantage of the mutual registration capabilities of PIV and PIV-I credentials. The ability to write to the card and also to anonymize or encrypt these identifiers represents an easy way to address the overhead associated with using “real” personal information.
Compliance Best Practices
PACS distributed databases need to be protected like any other IT system on the network–such as HR, ADFS, or payroll records. Consequently, administration and management of the security of these systems must involve traditional controls. In the Federal enterprise, this is FISMA certification. For corporations, it is often industry-specific, with an alphabet soup of compliance mandates, including CFATS, HIPAA, PCI, and SOX.
Proper implementation of the four A’s of access is key to establishing and maintaining compliance:
Together, these form a best practice checklist to ensure next generation PACS align with compliance goals.
A Shifting Market
Who are the vendors in the next generation marketplace?
Interestingly, it is fairly dynamic. Over time, different companies become market leaders and then go to pasture. Consolidation among building controls companies–SCM/Hirsch, Honeywell, Tyco, United Technologies, Johnson Controls, Siemens and Schneider–continues while the technology shift presents opportunities for new and innovative solutions. All of IT, TCP/IP and smart cards bring new technologies and partnerships–as well as a healthy dose of technology infusion.
However, access control systems are delivered by installers and system integrators–the overwhelming percentage of which are small to medium-sized businesses. These installers have extensive experience providing service–access, life/safety, burglar and fire alarms–and growing recurring monthly revenue. An important step in the transition of next generation systems will involve partnership between these businesses, as well as adoption of by global integrators and, increasingly, by global services organizations.
Large IT product and services companies have a foot in the door. Examples include Cisco, Verizon, HP, Unisys, CSC, Booz Allen, and others. As physical access control systems become an enterprise application and funding overlaps with IT, these organizations will be forced into the arena–and will look to grow their businesses supporting early use cases. Some already have involvement in the issuance of the credential and the supporting infrastructure.
In this transition, the access control perspective offers an alternative viewpoint. Specifically, the integration of PIV and PIV-I into deployed PACS, as well as emerging architectures for PACS going forward. There must be a value proposition to vendors. How exactly do they make money as a result of these changes in the marketplace?
Good customer communications with regard to single sign-on and strong authentication should blaze the trail of discovery. Convergence, single sign-on and strong authentication are driving forces in corporate and agency IT strategies.
The Road Ahead
Certainly, questions remain. How does a physical access control vendor differentiate itself in the market if the credentials and issuance systems for those credentials are now standardized? How do these vendors deal with separate identity infrastructure and enterprise identity management solutions? How do access control vendors issue temporary or replacement credentials? Is it possible to do local PIV-I electronic personalization?
Consider the ease of badging with a traditional prox card versus issuance of a PIV-I credential. Next generation systems need capabilities to deploy, register, enroll, issue and activate PIV-I credentials approaching the same, easily personalized solutions of prox cards.
One way to differentiate is in the means of integration. “How” becomes more important than “what” particularly when standards-based components are involved. This is true whether it is green field deployment or upgrading deployed systems: The ability to offer services for migration and management of change will be critical to success.
When it comes to standardized credentials and their impact on the credentialing ecosystem, PIV-I will have a larger overall influence than PIV. Why? Consider the potential volumes. The government–Executive Branch only–represents the PIV community, supporting about 6 million credentials today, expected to grow to about 10 million.
PIV-I represents the supply chain into the federal agencies. The Defense Department alone has a supply chain that numbers in excess of 20 million. First responders, utility providers, telecommunications, state and local government, legislative and judicial branch, are all PIV-I communities. There is an opportunity for PIV-I to dwarf PIV, as it represents well over 150 million individuals with a relationship to the federal government.
With a footprint this large, it is not reasonable to be an ostrich and stick our heads in the sand. PIV-I will be a major force for physical access control.
The market has seen a dramatic shift away from physical access control as a building asset to seeing it as an IT asset. This helps breaks down the stovepipes separating the chief information officer, the chief information security officer and the chief security officer’s organizations.
Identity is a common tool that spans these organizations. Provisioning, and more importantly, de-provisioning, is critical to any cyber security and PACS strategy. Next generation access control leveraging PKI and PIV-I will become a hallmark of the successful enterprise.