High Assurance Credentialing

High Assurance Credentialing

Moving to higher ground within the commercial enterprise space.

Recent cyberattacks highlight the need to know who you are interacting with in email and online activities, and who you grant access to your networks and physical facilities. Technology exists and is validated with large scale deployments that can reduce risk of cyberattacks and unauthorized breaches. The use of biometrics in user authentication is becoming more common and enables the positive identification of individuals prior to giving access rights or conveying trust in communications.

Commercial organizations can leverage this technology, proven and supported by rigorous standards, to move beyond “flash passes” for building access or simple user names and passwords for network access.

The End of “User Name and Password” Identification

Data breaches can be detrimental – and extremely costly – to any enterprise organization. Such breaches commonly occur when the identity of an employee, executive or partner/vendor is compromised. Attackers may use phishing approaches to get an initial user’s credentials, at which point they have a foothold to begin working internally to breach their ultimate target – for example, databases, email accounts or cryptographic keys. Once an attacker has an in, they can plant malware on enterprise devices or even use the organization’s own admin tools against them to operate under the radar of IT’s cyber security solutions.

The rising prevalence of outsourcing, bring-your-own-device (BYOD) and remote access has made it even more difficult for enterprises to protect their networks. According to the 2016 “Data Risk in the Third-Party Ecosystem” survey conducted by the Ponemon Institute, 49 percent of organizations surveyed have experienced a data breach caused by a third party vendor that resulted in the misuse of sensitive or confidential information (an additional 16 percent were unsure if they have), and 34 percent have experienced a data breach caused by a cyberattack that resulted in the misuse of sensitive or confidential information (an additional 30 percent were unsure if they have). Only 41 percent of respondents felt their vendors’ data safeguards and security policies and procedures are sufficient to respond effectively to a data breach.

The standard “user name and password” approach to credentialing is no longer sufficient to protect against the threat of unauthorized access and, ultimately, damaging breaches. High assurance credentials incorporating multi-factor-authentication (MFA) methods are the best way to decrease risk and improve trust in an organization’s ability to secure critical infrastructure.

The Emergence of Biometric Modalities

Strong MFA solutions require verification of a combination of identifiers. For two-factor validation, a physical token (keycard, USB dongle) is typically combined with a PIN to allow access. A third factor can be added using biometric identifiers (facial recognition, fingerprints, etc.) to elevate the security level of assurance for even greater access control.

Commercial Identification Verification (CIV) can be provided at this level of security using smart cards that combine identifiers such as a photo ID with MFA for physical and logical access, secure digital signature recognition for non-repudiation, and a secure audit trail of enterprise activities. Secure document, transaction and data flow can be assured with session key encryption utilizing a CIV that meets FIPS201 and OMB11-11 specifications. Many vendors now support standardized products for new deployments and for transitioning legacy systems to support high assurance credential usage.

Capturing Biometric Data

Biometric live capture enrollment is an emerging technological approach used in both commercial and government settings to collect and analyze some of these types of identifiers and bind them to a specific user. But in order for biometrics systems to be beneficial, an organization’s IT team must be able to easily assimilate them into the organization's existing security infrastructure.

Biometric data capture, such as collection of fingerprints and photographs, can be performed automatically with the use of a self-service kiosk, or by a trained security agent or HR representative. A combination of the two can also be used to speed up the process. The interface and workflow of the kiosk are critical considerations for user adoption. The kiosk should be easy to identify, use and understand. It’s possible for the interface to adjust workflow in accordance with the user’s demographic. The speed of the question/answer workflow may be adjusted to meet the user’s anticipated needs, without the user even realizing it. The interactive technology will detect inconsistencies and adjust the workflow to allow correction or to automatically abort an attempt. Anti-fraud measures can also be built in and biometrics can be proofed with background adjudication.

The real benefit of a self-service ID kiosk occurs after the credentials have been issued – when they are checked at the point of entry to a network, area or building. Here, biometric data can be matched offline on the issued credential or online against a central database. Fingerprints can be quickly scanned and matched; a signature can be validated; or a photo can be used for a facial recognition (FR) comparison. Many of the security functions enabled by the technology can take place seamlessly without the user’s express step-by-step direction because they occur in the background. Once an individual’s background and identity are vetted through the appropriate authoritative agencies, it won’t have to be done repeatedly.

Considerations for Credentialing

In order to successfully implement an interoperable, high-assurance identity credential in a commercial enterprise, requirements must be business case-driven for the stakeholder. Business cases should be developed to leverage the identity management/credential process with other mandates specific to the industry. Factors including replacement of current flash pass technology, specific identity credentials with centralized lifecycle revocation management, improved certificates and the adoption of new use cases must be addressed in order to drive implementation.

While the thought of implementing a biometrics solution may sound intimidating, there are actually many existing standards that can be leveraged to avoid having to reinvent the wheel. With vetting and high-assurance credential issuance, many current functions requiring secure authentication (such as physical and logical access control, secure email with digital signatures, secure signing of documents for nonrepudiation, etc.) can be implemented with the high-assurance credential. Examples include the FIPS201 standard, which is already well established based on the federal government’s efforts to optimize ID management and credentialing processes. Commercial Identity Verification credentials or CIV is aligned with FIPS201, but provide flexibility to the commercial entity for policy management based on compatible technology.

The Role of Systems Integrators

Systems integrators must guide commercial organizations as they find their footing in the complex high- assurance credentialing ecosystem. Integrators can help enterprises to meet government mandates without reinventing the wheel or going too far afield, and to secure their facilities and operations.

Expertise in physical and logical access requirements are crucial responsibilities of the systems integrator. A successful integrator will understand and be able to educate customers about the requirements. They must also secure access management of corporate IT resources. To succeed, the integrator’s knowledge of new and proven technologies, control systems and use-case value propositions is essential.

There are different options for biometrics deployment models. Optimal systems integration will incorporate products that support nationwide implementation, meet appropriate mandates, and perform across the infrastructure. Standardization is required, so systems integrators should be involved in this process in order to make sure the standards are deployed, as well as to understand them and be able to incorporate them into the technology solutions.

Interoperability and consistency are essential, and the most effective integrators will be actively engaged in the establishment of a shared security infrastructure. They also need the ability to securely add workflow automation. To become a part of a holistic security solution throughout the critical infrastructure, integrators need to balance their business goals with commonalities shared across the industry and its stakeholders.

Access control and identification credentials can and should be developed to fit an organization’s individual security requirements – without compromising the interoperability that will allow true authentication and validation of an identity based on an organization’s identity management policy.

Installing a self-service biometric capture and enrollment kiosk on-site in a facility’s lobby or Human Resources office will save time and resources. Access credentials issued by this means will allow access management for entry at facility gates, doors and secure areas. Different levels of security clearances can be embedded in the credential to validate authorized entry to designated security zones. Kiosks can even be remotely deployed, for use at job fairs, other off-site venues for life cycle management of the identity credential. Self-service kiosks that can be connected to national databases are available for live biometric capture and identification proofing.

In addition, the value-added capability of biometrics solutions is enabled with the technology to protect and secure network data and to control who can access emails and IT infrastructure, which is essential to preventing damaging data breaches.

Featured

  • Survey: 54% of Organizations Cite Technical Debt as Top Hurdle to Identity System Modernization

    Modernizing identity systems is proving difficult for organizations due to two key challenges: decades of accumulated Identity and Access Management (IAM) technical debt and the complexity of managing access across multiple identity providers (IDPs). These findings come from the new Strata Identity-commissioned report, State of Multi-Cloud Identity: Insights and Trends for 2025. The report, based on survey data from the Cloud Security Alliance (CSA), highlights trends and challenges in securing cloud environments. The CSA is the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

  • Study: Nearly Half of Companies Exclude Cybersecurity Teams When Developing, Onboarding and Implementing AI Solutions

    Only 35 percent of cybersecurity professionals or teams are involved in the development of policy governing the use of AI technology in their enterprise, and nearly half (45 percent) report no involvement in the development, onboarding, or implementation of AI solutions, according to the recently released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology. Read Now

  • New Report Series Highlights E-Commerce Threats, Fraud Against Retailers

    Trustwave, a cybersecurity and managed security services provider, recently released a series of reports detailing the threats facing the retail sector, marking the second year of its ongoing research into these critical security issues. Read Now

  • Stay Secure in 2024: Updated Cybersecurity Tips for the Office and at Home

    Cyber criminals get more inventive every year. Cybersecurity threats continue to evolve and are a moving target for business owners in 2024. Companies large and small need to employ cybersecurity best practices throughout their organization. That includes security integrators, manufacturers, and end users. Read Now

Featured Cybersecurity

Webinars

New Products

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3