Lessons learned from early access pilots
The Bring Your Own Device (BYOD) movement, coupled with near field communication (NFC)-enabled smart phones, is on a course to change enterprise identity management. The latest pilots of mobile access control reinforce the need to support both of these trends with an infrastructure that delivers security and an optimized user experience. This will require over-the-air credential provisioning and management within an ecosystem of interoperable products and services.
HID Global explored these issues during pilots of NFC-enabled smart phones with Netflix and Good Technology. In both pilots, proximity readers used with cards, key fobs or tags were replaced with HID Global’s iCLASS SE access control platform, including iCLASS Seos credentials that are portable for use on NFC-enabled smart phones.
Both Netflix and Good Technology cited the convenience of the mobile access control model as a key benefit for the enterprise, especially in a BYOD environment. Today’s workers treat their mobile phones almost like an extension of their identity. They are authenticated by their financial institution using these devices so they know they can trust them. They also store their memories, photos and videos on them, so they literally are an extension of their identity. Furthermore, employees carry these devices wherever they go, and are far more likely to forget or misplace their badge than their phone.
In order for mobile access control to be successful, it must be extremely easy to use. In each pilot, participants uniformly felt that the mobile access control model was more convenient than what they were currently using.
Another observation that was shared after the pilots was that there is a critical need for everyone in the industry to be in lockstep, contributing to a shared vision for the deployment and use of mobile credentials. It is believed that, over time, users will organically migrate to the solutions that give them the device features, applications and credentials they want to use. It will also be very important that all solutions be hardware- and platform-independent and based on open standards so that investments in today’s solutions can be leveraged in the future.
Improved security was also important to both companies that participated in the pilots. One impetus for enterprise deployment is that it enables companies to treat physical access just like any other entitlement from an IT perspective and to tightly couple the two. In other words, the way in which access is granted to an IT system and a door reader should be similar. The mobile platform is also seen as an ideal convergence point for device, identity and access management, especially in highly regulated industries.
The security of the mobile access control model is ensured through a) the use of a new type of identity representation, b) the smart phone’s secure element, and c) a trusted boundary, so that the BYOD smart phone and its transactions can also be trusted within the access-control managed network. Smart phones that do not feature NFC technology can be securely upgraded to this capability by using an NFC-enabled add-on device such as a microSD card. Digital keys and credentials are provisioned either by connecting the mobile device to the Internet or over the air via a mobile network operator and a Trusted Service Manager.
The personal privacy of BYOD users within a mobile access control environment is also important. There is tension between employees who want to carry their own smart phone and IT teams that must enforce organizational requirements for strong authentication.
Containerization is a potential solution. It enables companies to secure organizational data residing on a private mobile device by first creating a remotely managed encrypted zone inside the device and then, according to policy, limiting interaction between this zone and the rest of the device. All applications and other ID credentials are separated between personal and enterprise use, and strong authentication is required to access the enterprise applications and data.
Security will be further optimized through new applications that can be used with digital keys and cards, for example, an application for pushing multi-factor authentication to a phone if the threat level rises.
In government applications requiring strong authentication, smart phones will need to support PIV credentials that are used by U.S. Federal workers, derived credentials and Public Key Infrastructure. In a BYOD environment, this combination of derived credentials with a containerization solution will also drive the requirement for hierarchical lifecycle management so there is a distinction between PIV and personal credentials when it comes to provisioning and de-provisioning smart phones.
Enterprise users will also likely use smart phones for network and application logon, as well as for opening doors. This puts a focus on cloud storage security. The best approach is federated identity management, which enables users to access multiple applications by authenticating to a central portal. This supports a variety of authentication methods without requiring any device changes. It also meets compliance requirements by providing a centralized audit record of any accessed applications, and it can support a hybrid environment of both plastic cards and smart phones.
A number of opportunities were identified during the Netflix and Good Technology pilots to improve the mobile access control experience as the industry moves closer to deployment. These include bringing more mobile network operators and handset manufacturers into the ecosystem so that users have more service and product choices. Additionally, participants cited the need for an “always on” access control experience, which requires that NFC handsets be able to open doors without having to start an app. It will also be essential that secure elements, whether embedded in the phone or in the subscriber identity module (SIM) card, are made available for over-the-air communications directly with service providers.
Pilot participants highlighted the need for solutions that do not excessively drain the battery, remain available even when the battery is dead, don’t interrupt other tasks and deliver an intuitive user interface.
The convergence of physical and logical access control on BYOD smart phones and other mobile devices promises many valuable benefits, including improved convenience, more flexible management and enhanced security. The foundation has already been laid for highly secure transactions between NFC-enabled smart phones, computer and networking resources, physical access control systems and a new cloud-based and over-the-air identity delivery infrastructure.