Page 5 of 3
Finding Flexible Systems In The Age of Converged Security
While access control is an essential consideration for
any business, nowhere is it more necessary to maintain
real-time oversight of who is on-premise than
in a governmental facility — whether at the federal,
state or local level. Leveraging the proper technology to achieve this
goal helps create a space that is safe and secure, but also accessible
to authorized individuals. In areas with highly sensitive information,
having security measures in place that are cutting-edge, impenetrable,
and trusted are of the utmost importance.
Considering that government facilities range from basic office
space, often in shared buildings, to law enforcement, intelligence,
diplomatic, military, judicial, correctional, and research facilities,
physical access control and identity management systems must be
flexible, reliable, connected, and secure at all times. In particular,
there are a few key requirements to keep in mind when selecting a
government-grade access control solution.
Federal Identity, Credential,
and Access Management (FICAM)
Since its creation in the fall of 2008, the Identity, Credential, and Access
Management (ICAM) program has focused on addressing challenges,
pressing issues, and design requirements for digital identity,
credential, and access management.
It also focuses on defining and promoting consistency across approaches
for implementing ICAM programs as reflected in the FICAM
Roadmap & Implementation Guidance (FICAM Roadmap).
The FICAM Roadmap was developed to outline a common framework
for ICAM within the federal government and to provide supporting
implementation guidance for federal agencies as they plan
and execute a segment architecture for ICAM management programs.
FICAM compliance is mandatory in all government buildings, so it is
crucial to choose a solution that abides by these protocols.
Advanced FICAM solutions will address the typical pain points associated
with FICAM compliance through ease-of-use and by planning
for future upgrades to PIV reader capabilities as standards evolve. Endusers
should choose a technology partner that is established and has a
portfolio of products dedicated to FICAM compliance; however, they
should also select a provider that is well-positioned to develop new solutions
as the threat landscape continues to evolve.
Trustworthy technology partners will be able to provide a convenient
and compliant performance solution that is capable of leveraging existing
systems while also being future-proof as new security recommendations
are made down the road. Of all the considerations to take into account,
FICAM compliance is the most necessary, as it is a federal requirement.
One of the most significant needs for flexibility is a result of the ongoing
growth and changes an organization experiences. For example, if an enduser
reaches out and wants to add a new building with 38 doors that need
to be secured to the system, or if they decide to renovate a wing of an
existing facility with drastically increased access protocols, they will want
the ability to seamlessly add these functions on to their current platform.
Choosing an access control provider that has a mix of on-premises
and cloud-based solutions ensures users have the scalability they
need. In addition to the flexibility in the previous example, users can
also save money on hardware by virtualizing environments.
For example, if a government agency has 60 systems all running
on their own network, users can opt to centrally manage all of these
locations. This approach allows users to leverage existing systems while
simultaneously eliminating the need for 60 different systems, which is
costly to maintain. From licensing to administrative costs, partnering
with a provider that has the capability to converge the management of
multiple solutions into one is necessary when planning for the future.
Cloud-based access control is one way to accomplish this by granting organizations the ability to effortlessly make changes to their
systems when needed. Users can begin by defining their current demands
and leverage the cloud to meet such needs, instead of investing
in high-expense servers and technologies of traditional systems
that may become obsolete or need to be expanded in the future at
further expense to the organization. Agencies can work with cloudsmart
companies to continually redefine their needs and establish a
price that fits their specific use.
According to the 2019 Verizon Data Breach Report, almost 80 percent
of all network intrusions detailed in the survey were the result
of the exploitation of weak authentication systems (password hacks),
the same results of their 2013 study. It is no wonder Bill Gates himself
declared the password dead in 2004.
But old habits die hard — especially if they are cheap and easy.
When you consider that the average cost to U.S. companies of a data
breach is more than $8 million, clinging to these single-factor authentication
systems is anything but inexpensive.
Organizations, particularly government agencies, have woken
up to the fact that the current cybersecurity situation is broken and
are looking for better solutions. Many of those organizations rely on
physical security solution providers to deliver secure, reliable physical
access control solutions – and many are now turning to those
same providers to achieve the same level of security to the virtual
world. There are a few essential cybersecurity tools that all government
agencies should leverage, many of which are also FICAM requirements.
Multi-factor authentication is essential for government security
and is also a central component in achieving FICAM compliance.
Every major hacking incident in the past decade — from Target to
Ukraine’s power grid — has had one thing in common: the lack of
multi-factor authentication. Usernames and passwords, even the
most secure and frequently changed ones, are still susceptible to being
compromised. The very best passwords can, with the right equipment,
be cracked in a matter of weeks. With multi-factor authentication,
users add an additional element to the log-in process that makes
hacking nearly impossible.
Multi-factor authentication can include various elements, from
the inclusion of biometrics to the use of one-time passwords. The
most common form of multi-factor authentication is two-factor authentication.
Two-factor authentication requires something you have
and something you know. In 2004, President George W. Bush signed
HSPD-11, which began the U.S. government’s road toward mandated
From that directive, the government settled on using a smart card
with encrypted security certificates — something you have — and a
six to eight digit personal identification number (PIN) — something
you know — as a requirement for access to all government systems.
The smart card also offers a third factor authentication — something
you are — such as a biometric template (i.e., fingerprint).
Still, it is important to note that not all multi-factor authentication
protocols are created equal. Both native and third-party tools for
web access and email, the two most common needs of an employee
on their mobile device, are either completely absent or else lack the
features needed for an enterprise deployment.
Luckily, as manufacturers have specialized and become more acquainted
with the government space, they have developed a series of
applications that meet these challenges and conform to FICAM compliance.
For Identiv, that meant developing an entire suite of different
applications that provide users with the ability to use two-factor
authentication to access websites and to sign, encrypt, and decrypt
Physical and Logical Access Control Convergence
Working with a PACS provider to strengthen LACS security issues by
converging the two areas can provide several advantages, including
- Physical access control. PACS data can be encoded into a highfrequency
portion of the card for organizations, like government
agencies, demanding a more secure platform than proximity. This
high-frequency contactless interface protects the data exchange between
card and reader with a secure, standards-based encryption
technique, eliminating the chance of anyone “cloning” the card data.
- Two-factor logical access control. This protocol allows workers to
securely log onto desktops, laptops, VPNs, and mobile devices.
Some smart cards have a contact element that includes PKI public
and private encryption keys and certificates, providing a secure
means to log onto computers without having to remember complex
passwords, or more likely, write them down.
- Protect data in transit. Digitally sign and encrypt emails.
- Protect data at rest. Encrypt files and hard drives.
- Secure mobile devices. Generate One-time passwords (OTP) for
- Secure access to web apps. Access Office 365, Google Drive, Salesforce.
com, and more.
- Physical ID. Design and print badges as would be done with any
The convergence of PACS and LACS solutions can significantly
enhance the overall security of any organization. Applying advanced,
two-factor physical access control concepts and technologies to cyber
and network security can help overcome the inherent limitations of
single-factor password technology.
As organizations begin this convergence in earnest, these advantages
will undoubtedly result in reduced risk, improved risk management,
and operational efficiencies, and are considerations all users
should make when choosing an access control system.
Ask yourself: “Can my PACS provider also contribute to heightened
levels of cybersecurity?” If the answer is no, you should continue
your search elsewhere.
The Bottom Line
When choosing an access control system, it is vital to keep these tips
in mind to be sure a system meets all compliance regulations and has
room to grow as needs evolve.
When in doubt, partnering with a trusted technology provider
that has established itself as a government-grade supplier is one way
to be sure all of these points are considered. Federal security is unlike
security for other vertical markets and requires a specialized and
focused understanding of current trends and regulations.
This article originally appeared in the May/June 2020 issue of Security Today.
David Helbock is the senior sales engineer at Identiv.