High Assurance Credentialing

Moving to higher ground within the commercial enterprise space

• By Gerald Hubbard
• Sep 01, 2017

Recent cyberattacks highlight the need to know who you are interacting with in email and online activities, and who you grant access to your networks and physical facilities. Technology exists and is validated with large scale deployments that can reduce risk of cyberattacks and unauthorized breaches. The use of biometrics in user authentication is becoming more common and enables the positive identification of individuals prior to giving access rights or conveying trust in communications.

Commercial organizations can leverage this technology, proven and supported by rigorous standards, to move beyond “flash passes” for building access or simple user names and passwords for network access.

The End of “User Name and Password” Identification

Data breaches can be detrimental—and extremely costly—to any enterprise organization. Such breaches commonly occur when the identity of an employee, executive or partner/vendor is compromised. Attackers may use phishing approaches to get an initial user’s credentials, at which point they have a foothold to begin working internally to breach their ultimate target—for example, databases, email accounts or cryptographic keys. Once an attacker has an in, they can plant malware on enterprise devices or even use the organization’s own admin tools against them to operate under the radar of IT’s cyber security solutions.

The rising prevalence of outsourcing, bring-your-own-device (BYOD) and remote access has made it even more difficult for enterprises to protect their networks. According to the 2016 “Data Risk in the Third-Party Ecosystem” survey conducted by the Ponemon Institute1, 49 percent of organizations surveyed have experienced a data breach caused by a third party vendor that resulted in the misuse of sensitive or confidential information (an additional 16 percent were unsure if they have), and 34 percent have experienced a data breach caused by a cyberattack that resulted in the misuse of sensitive or confidential information (an additional 30 percent were unsure if they have). Only 41 percent of respondents felt their vendors’ data safeguards and security policies and procedures are sufficient to respond effectively to a data breach.

The standard “user name and password” approach to credentialing is no longer sufficient to protect against the threat of unauthorized access and, ultimately, damaging breaches. High assurance credentials incorporating multi-factor-authentication (MFA) methods are the best way to decrease risk and improve trust in an organization’s ability to secure critical infrastructure.

The Emergence of Biometric Modalities

Strong MFA solutions require verification of a combination of identifiers. For two-factor validation, a physical token (keycard, USB dongle) is typically combined with a PIN to allow access. A third factor can be added using biometric identifiers (facial recognition, fingerprints, etc.) to elevate the security level of assurance for even greater access control.

Commercial Identification Verification (CIV) can be provided at this level of security using smart cards that combine identifiers such as a photo ID with MFA for physical and logical access, secure digital signature recognition for non-repudiation, and a secure audit trail of enterprise activities. Secure document, transaction and data flow can be assured with session key encryption utilizing a CIV that meets FIPS201 and OMB11-11 specifications. Many vendors now support standardized products for new deployments and for transitioning legacy systems to support high assurance credential usage.

Capturing Biometric Data

Biometric live capture enrollment is an emerging technological approach used in both commercial and government settings to collect and analyze some of these types of identifiers and bind them to a specific user. But in order for biometrics systems to be beneficial, an organization’s IT team must be able to easily assimilate them into the organization’s existing security infrastructure.

Biometric data capture, such as collection of fingerprints and photographs, can be performed automatically with the use of a selfservice kiosk, or by a trained security agent or HR representative. A combination of the two can also be used to speed up the process. The interface and workflow of the kiosk are critical considerations for user adoption. The kiosk should be easy to identify, use and understand. It’s possible for the interface to adjust workflow in accordance with the user’s demographic. The speed of the question/ answer workflow may be adjusted to meet the user’s anticipated needs, without the user even realizing it. The interactive technology will detect inconsistencies and adjust the workflow to allow correction or to automatically abort an attempt. Anti-fraud measures can also be built in and biometrics can be proofed with background adjudication.

The real benefit of a self-service ID kiosk occurs after the credentials have been issued—when they are checked at the point of entry to a network, area or building. Here, biometric data can be matched offline on the issued credential or online against a central database. Fingerprints can be quickly scanned and matched; a signature can be validated; or a photo can be used for a facial recognition (FR) comparison. Many of the security functions enabled by the technology can take place seamlessly without the user’s express step-by-step direction because they occur in the background. Once an individual’s background and identity are vetted through the appropriate authoritative agencies, it won’t have to be done repeatedly.

Considerations for Credentialing

In order to successfully implement an interoperable, high-assurance identity credential in a commercial enterprise, requirements must be business case-driven for the stakeholder. Business cases should be developed to leverage the identity management/credential process with other mandates specific to the industry. Factors including replacement of current flash pass technology, specific identity credentials with centralized lifecycle revocation management, improved certificates and the adoption of new use cases must be addressed in order to drive implementation.

While the thought of implementing a biometrics solution may sound intimidating, there are actually many existing standards that can be leveraged to avoid having to reinvent the wheel. With vetting and high-assurance credential issuance, many current functions requiring secure authentication (such as physical and logical access control, secure email with digital signatures, secure signing of documents for nonrepudiation, etc.) can be implemented with the high-assurance credential. Examples include the FIPS201 standard, which is already well established based on the federal government’s efforts to optimize ID management and credentialing processes. Commercial Identity Verification credentials or CIV is aligned with FIPS201, but provide flexibility to the commercial entity for policy management based on compatible technology.

The Role of Systems Integrators

Systems integrators must guide commercial organizations as they find their footing in the complex high- assurance credentialing ecosystem. Integrators can help enterprises to meet government mandates without reinventing the wheel or going too far afield, and to secure their facilities and operations.

Expertise in physical and logical access requirements are crucial responsibilities of the systems integrator. A successful integrator will understand and be able to educate customers about the requirements. They must also secure access management of corporate IT resources. To succeed, the integrator’s knowledge of new and proven technologies, control systems and use-case value propositions is essential.

There are different options for biometrics deployment models. Optimal systems integration will incorporate products that support nationwide implementation, meet appropriate mandates, and perform across the infrastructure. Standardization is required, so systems integrators should be involved in this process in order to make sure the standards are deployed, as well as to understand them and be able to incorporate them into the technology solutions.

Interoperability and consistency are essential, and the most effective integrators will be actively engaged in the establishment of a shared security infrastructure. They also need the ability to securely add workflow automation. To become a part of a holistic security solution throughout the critical infrastructure, integrators need to balance their business goals with commonalities shared across the industry and its stakeholders.

Access control and identification credentials can and should be developed to fit an organization’s individual security requirements – without compromising the interoperability that will allow true authentication and validation of an identity based on an organization’s identity management policy.

Installing a self-service biometric capture and enrollment kiosk on-site in a facility’s lobby or Human Resources office will save time and resources. Access credentials issued by this means will allow access management for entry at facility gates, doors and secure areas. Different levels of security clearances can be embedded in the credential to validate authorized entry to designated security zones. Kiosks can even be remotely deployed, for use at job fairs, other off-site venues for life cycle management of the identity credential. Self-service kiosks that can be connected to national databases are available for live biometric capture and identification proofing.

In addition, the value-added capability of biometrics solutions is enabled with the technology to protect and secure network data and to control who can access emails and IT infrastructure, which is essential to preventing damaging data breaches.

This article originally appeared in the September 2017 issue of Security Today.