Getting Involved
CIO and CSO see changes as information and facility security converge
- By Brandon Arcment
- Nov 01, 2015
Physical security administrators and IT departments have become much more involved in each other's system deployment decisions ever since video surveillance first began transitioning from analog to network cameras. This trend is accelerating now that ID cards and mobile phones are being used together for both physical and logical access.
The CSO and CIO must work together to clearly understand today's threats and how best to combat them, while coordinating system workflow and security enhancements. They must also collaborate on all aspects of designing, implementing and maintaining robust security capabilities, and understand and follow best practices that extend across physical and logical access control.
Best Practices for Convergence
Physical security professionals helped spur security convergence with the transition from analog to network security cameras. IT departments now play key roles in purchasing decisions and daily oversight in this area. Meanwhile, there has been a push to integrate video, access control, intrusion detection and other system components into Physical Security Information Management (PSIM) and other unified systems.
A capability called tap authentication provides an additional push toward unified solutions. Tap authentication enables the same card used to open a door to also be used for logical access control. It can be tapped to a laptop, tablet, phone or other Near Field Communication (NFC)-enabled device to access data, cloud apps and web-based services. Tap authentication replaces dedicated one-time password (OTP) solutions for permitting access to computers, data, applications and cloud-based services. The same smartphone or other mobile device that the user tapped the card on can also be employed as a trusted credential for unlocking doors and opening gates.
Realizing these capabilities requires an access control platform based on open standards that can support the move to mobile access control, converged solutions, and web-based credential provisioning. In the case of mobile access control, the best deployment route may be a gradual one in which upgraded readers are phased in over time. In other cases, it may make better economic sense to upgrade everything at once, without taking the time and expense to evaluate each reader and panel and make a case-by-case decision.
There are other questions to answer. Does everyone in the organization need mobile access on their smartphones for opening doors? Will the company be provisioning mobile access only to company-issued devices, or will it support a BYOD model? Many organizations have a mobile device management (MDM) platform in which corporate apps are published and run in a specific container on the user's mobile device. Making sure the mobile access solution is interoperable with this MDM platform can be important, especially if the platform is also used to control security settings.
In general, the access control platform should support as broad a range of smartphones, tablets and other mobile devices as possible. There shouldn't be any requirement for additional sleeves or other accessories to support various devices, and there should be an equally smooth experience regardless of mobile platform. Solutions that support various read ranges and gesture technology offer additional benefits. They enable phones to open doors by tapping them to a reader or twisting them from a distance as a user drives or walks up to it.
Organizations need to determine the types of doors that should be mobile-enabled, at which entry points, and what kinds of features to include. For instance, parking garages, main entrance doors and elevators can all benefit from the convenience of a longer read range. Conversely, a tap experience is better in areas where multiple readers are in close proximity to one another, because it minimizes the risk of a user opening the wrong door.
The same access control platform that offers these innovative mobile ID capabilities for facility security can also fulfill numerous logical access needs. This includes enabling tap authentication for accessing network resources, cloud apps and web-based services. Faster, more seamless and more convenient than dedicated OTP tokens, display cards or other physical devices, tap authentication reduces the need for complex passwords and diminishes password fatigue. In many enterprise environments, accessing data and services can require 20 or more logins each day. Tap authentication eliminates this situation, enabling users to authenticate to multiple apps and services on multiple endpoint devices without having to recall and re-type additional codes and passwords. Users can take advantage of a single smart card to seamlessly access data, log in to cloud resources and open doors.
Tap authentication is particularly attractive for mobile device users, giving them secure access to corporate cloud applications, data and services anywhere, at any time, from their preferred mobile device. It is also easy to deploy, through the simple process of installing authentication system software and device apps, synchronizing users with the authentication cloud service, and notifying them when they can begin using the system. Administrators can also give their customers the option of deploying conventional card reader accessories on logical access endpoints that do not have built-in mobile-ready readers.
Deploying Solutions
A key requirement for deployment is a robust mobile identity management system with proven processes for managing users and the entire life cycle of mobile identities. Outsourcing is an option, with offerings like HID Global's Secure Identity Services for managing the entire process of how an employee is on-boarded and issued a mobile identity.
As soon as a user's name is added, an invitation email is sent to the employee with instructions on how to install the mobile app. Once the app is installed and configured, the system provisions a mobile identity to the mobile device, and the security administrator is notified when the process is complete. Each mobile identity is unique, and automatically configured to match the specific attributes of the organization and the facilities where it will be used.
For organizations with global offices and multiple access control systems, an employee visiting another location can receive an additional mobile identity before leaving or upon arrival. Additionally, employees can connect with different mobile devices as needed, and when it is necessary to remove a digital key from a device, the mobile identity can be revoked over the air. To reduce security threats when a device is stolen, mobile identities can be configured to only engage with readers when the mobile device is unlocked. An unauthorized user would have to get past the device PIN or biometric authentication to use it for opening doors and accessing the building.
The same system platform can be used for logical access control. There is a simple, 3-step process for using ID cards and mobile devices to access data and cloud services with tap authentication solutions. The user first opens a browser on his or her NFC-enabled device and then types the URL for the desired application. After entering the corporate username and password, the user taps his or her access control card to the back of the NFC-enabled mobile device or tablet to provide the second authentication factor. Once the card has been tapped, the OTP it produced is consumed and cannot be used again. There are no passwords to remember or additional tokens to deploy, manage or carry, just the same card used to open doors.
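To make the server side of this 3-step flow concrete, here is an added example (not code from the article or from any HID product) that checks the username/password factor, then accepts the tapped card's one-time code exactly once, and refuses a card that has been revoked over the air as described earlier. The user directory, the card secret and the counter-based HMAC code scheme are all constructed assumptions for the demo.

```python
import hashlib
import hmac

# Added example for the tap-authentication flow in the text (not the
# article's or any vendor's code). Factor 1: corporate username/password.
# Factor 2: a one-time code the tapped card presents over NFC, accepted
# once. The HMAC-over-counter scheme is an assumption, not the article's.

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo directory: one user, one card. A real deployment keeps
# this in the mobile identity management system the article describes.
SALT = b"constructed-salt"
USERS = {"alice": {"pw": _pw_hash("correct horse", SALT),
                   "card_key": b"\x01" * 16,   # constructed card secret
                   "last_counter": 0,           # highest code counter accepted
                   "revoked": False}}

def card_tap_code(card_key: bytes, counter: int) -> str:
    """Six-digit code a card would present on tap (assumed HMAC-counter scheme)."""
    mac = hmac.new(card_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def revoke_card(user: str) -> None:
    """Over-the-air revocation: the credential stops working everywhere at once."""
    USERS[user]["revoked"] = True

def verify_login(user: str, password: str, code: str, counter: int) -> str:
    """Return 'ok' or the reason the login was refused. The reasons are for
    the audit log; a client-facing API should return a single generic denial."""
    rec = USERS.get(user)
    if rec is None:
        return "unknown user"
    if not hmac.compare_digest(_pw_hash(password, SALT), rec["pw"]):
        return "bad password"
    if rec["revoked"]:
        return "card revoked"
    # A counter at or below the last accepted one is a replay: the code
    # became unusable the moment it was first accepted.
    if counter <= rec["last_counter"]:
        return "code already used"
    if not hmac.compare_digest(card_tap_code(rec["card_key"], counter), code):
        return "bad code"
    rec["last_counter"] = counter
    return "ok"
```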
As physical and on-line access applications merge onto a combination of cards and phones, an organization's physical and information security teams will also need to jointly manage multiple ID numbers for multiple applications on multiple devices. They will need to determine how best to support a growing number of application identities and associated lifecycles, while also ensuring that various groups can each be responsible for their own application and identity lifecycle needs.
Creating unified access control solutions offers valuable opportunities to improve security and convenience. To fully realize these benefits, facility and information security teams will need tight coordination. This requires that CIOs and CSOs both embrace their changing roles and the benefits that come from a close working relationship.
This article originally appeared in the November 2015 issue of Security Today.