Playing Your Cards Right
The convergence of physical and information security thwarts threats to corporate physical assets
REWIND the clock to the days before the Internet, and enterprise security was a much simpler proposition. Companies then, as now, devised and implemented systems and processes to protect a variety of physical assets against intrusion, theft and tampering. The most visible of these to the employee often started at the door -- the access control system.
But the explosive growth of e-business in the 1990s changed the security equation forever. Now, in addition to protecting against longstanding, well-understood threats to corporate physical assets, security officers found themselves faced with a new breed of cat -- the cyber-criminal. Using sophisticated methods, hackers and fraudsters both inside and out of organizations began using the tools of technology to their advantage. Raiding information from personal identity records or credit cards to intellectual property, cyber criminals exploit organizations' dependence on passwords and other security weaknesses.
One significant part of the solution to the IT security problem is to strengthen authentication using a second factor in addition to the password. Smart cards are rapidly gaining ground as the preferred technology for this application. Major U.S. corporations now using smart cards for IT security include Caterpillar, Procter & Gamble, Pfizer, Chevron, Boeing, SAIC, IBM, Microsoft, Hewlett-Packard and Sun Microsystems.
The use of smart cards for information security has led to a trend toward a single employee badge that can also be used for physical access control, a trend that IT and physical security practitioners call convergence.
Smart card-based authentication for IT security is leading the convergence trend. Smart cards are gaining traction and are improving security. Companies are converging physical and IT security on a single credential while maintaining compatibility with installed access control systems.
Smart Cards and Digital Security
While smart card technology may be relatively new to employee badges, it is already pervasive as a digital security technology for network-based applications. Today, smart card technology securely identifies an estimated 2.8 billion individual subscribers and payers worldwide in mobile phone, payment and DTV broadcasting networks, according to estimates delivered by Axalto CEO Olivier Piou in a keynote address at this year's CardTech/SecurTech conference and exhibition in San Francisco.
"Smart card technology is already in the big leagues for digital identity security," Piou said. "In a world of 4.5 billion people aged 14 years or older, about half of them use a microprocessor card today."
These smart cards provide a personal form of digital security that protects individuals' identities and access to services over these specialized networks.
Now U.S. organizations are leading the way towards the use of smart card technology for securing employee access to information systems and networks.
There are several drivers behind the growth in smart card adoption for stronger authentication. Many of the leaders that have already taken action did so because they recognized the importance of increasing the security for high-value corporate and customer intellectual property, and for personal information of individual consumers.
Where to go for more information
The Smart Card Alliance is an industry organization with many white papers and other resources found on its Web site, and has active councils for physical access and identity management
The Initiative for Open Authentication addresses the security challenges networked entities face today with standard, open technology that is available to all. OATH is taking an all-encompassing approach, delivering solutions that allow for strong authentication of all users on all devices across all networks.
Membership in the Liberty Alliance guarantees the ability to shape and impact the next phase of identity management and Web services.
The Open Security Exchange is focused on convergence and provides information and resources on its Web site. Of particular interest is the Convergence Council, a group of security practitioners that is open to members and non-members of the OSE.
In the United States, people are now getting more visibility into just how vulnerable personal information can be. One reason is the 2003 California Security Breach Information Act, which requires companies to disclose situations involving personal information loss. The Privacy Rights Clearinghouse reports that 54.8 million identity records have been compromised in the United States alone since it started tracking disclosures in 2005. This category of data loss is particularly sensitive because it touches identity theft, which again topped the Federal Trade Commission list of consumer fraud complaints in 2005, with 255,000 complaints, 37 percent of the total.
Public concern over personal information and other areas, like corporate governance and medical information, has prompted legislators and oversight organizations to create new laws and guidelines for information security. In many cases, these contribute to the growth of smart card-based security because it is seen as one of the elements important to compliance.
The government also has been at the forefront of the move to smart cards for information security. In the late 1990s, the Department of Defense decided to create a new, more secure ID credential called the Common Access Card. Important goals were to use the credential for online security and other applications such as recording the movement of troops during rapid military deployments.
DOD selected smart card technology as the best overall solution because it made identity credentials more secure, enabled online use and provided the capability for multiple applications. The program proved to be a watershed for the smart card industry because it drove the creation of new standards, identity management provisioning systems and compatible information systems security solutions. More than 7 million smart cards have been delivered to the DOD alone for the CAC program.
Then, after the tragic events of 9/11, President Bush issued Homeland Security Presidential Directive 12 (HSPD-12), mandating a common identity and IT access card for all federal employees and subcontractors.
Based upon this directive, the National Institute of Standards and Technology developed FIPS 201, which describes the minimum requirements for a federal personal identity verification system. HSPD-12 directs the implementation of a new standardized badging process, which is designed to enhance security, reduce identity fraud and protect the personal privacy of those issued government identification.
With the standard now solidified as of March, agencies and departments are required to start issuing PIV cards to 4.5 million federal employees by Oct. 27. The PIV card initiative solidly anchors microprocessor smart cards in the domain of IT infrastructure security for employees.
"With standards and definitions set, this will be a big deployment year," said Randy Vanderhoof, executive director of the Smart Card Alliance.
One important impact of these private and public sector initiatives has been to get major players in the computer industry to add smart card capabilities to their products. PC desktop and laptop makers like Dell, HP and Acer now have many models with built-in smart card readers. Sun Microsystems' thin-client architecture has used smart cards for years, and Microsoft announced that out-of-the-box smart card support will be pervasive in the new Vista operating system and the next generation of server software. Adobe, Oracle, VeriSign and other leading software companies now support smart cards. Finally, leading system integrators like Computer Associates, Unisys, SAIC, IBM and Northrop Grumman have all worked to incorporate smart cards into their systems.
In fact, not only does the U.S. computer industry today broadly support smart card technology, most of the leaders have adopted it for their own internal systems security use.
Why Smart Cards?
Microprocessor-based smart cards are really mini-computing devices that go far beyond magnetic stripe, Wiegand, proximity and other access control card technologies in terms of their capacity for security, authentication, privacy and personalization.
Typically, smart cards used for IT security have a contact -- the gold square you see on the left side -- and must be inserted into a reader that is built-in or connected to the PC. Power and data travel through the connection made between the card contact and the reader. Smart cards also are available as tokens with USB connectors that do not require readers.
Smart cards are optimized for security and have hundreds of built-in security features to protect them against attack. They use the microprocessor in the card to deliver powerful computer-to-computer security with advanced cryptographic techniques. Key generation, random challenge and response, security algorithm processing and communications encryption all take place right in the card's microprocessor, making its security independent of any device to which it is attached.
Using these techniques, the smart card provides strong, mutual authentication, meaning the card proves its identity to the system and the system proves its identity to the card, to achieve the highest levels of data security. It is invulnerable to keyboard logging or even "shoulder surfing" because, even if someone successfully steals your PIN, they cannot use it without the smart card. This eliminates the weaknesses associated with password-based authentication.
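The PIN-gated, two-way challenge-and-response exchange described above, as an added Python illustration that is not part of the original article. The card, host, HMAC-based proofs and the sample key and PIN are a simplified hypothetical model, not any vendor's actual card protocol; it shows why a stolen PIN alone, a rogue host without the key, or a replayed card response all fail.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: a per-card secret shared with the host's
# authentication server at enrollment, and the cardholder's PIN.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_PIN = "4921"


def _mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed proof over a direction label plus both challenges (hypothetical scheme)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class SmartCard:
    """Simulated card: the key and PIN never leave the card object."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key, self._pin, self._unlocked = key, pin, False

    def verify_pin(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._unlocked

    def respond(self, host_challenge: bytes) -> tuple[bytes, bytes]:
        """Prove possession of the key and issue the card's own challenge."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        card_challenge = secrets.token_bytes(16)
        proof = _mac(self._key, b"card", host_challenge, card_challenge)
        return card_challenge, proof

    def verify_host(self, host_challenge: bytes, card_challenge: bytes,
                    host_proof: bytes) -> bool:
        expected = _mac(self._key, b"host", card_challenge, host_challenge)
        return hmac.compare_digest(expected, host_proof)


def verify_card_proof(key: bytes, host_challenge: bytes,
                      card_challenge: bytes, proof: bytes) -> bool:
    """Host-side check; a proof recorded for one challenge fails for any other."""
    expected = _mac(key, b"card", host_challenge, card_challenge)
    return hmac.compare_digest(expected, proof)


def mutual_authenticate(card: SmartCard, pin: str, host_key: bytes) -> bool:
    """Host logic: the PIN unlocks the card, then each side proves the key."""
    if not card.verify_pin(pin):
        return False  # something you know: wrong PIN, card stays locked
    host_challenge = secrets.token_bytes(16)
    card_challenge, card_proof = card.respond(host_challenge)
    if not verify_card_proof(host_key, host_challenge, card_challenge, card_proof):
        return False  # something you have: card lacks the expected key
    host_proof = _mac(host_key, b"host", card_challenge, host_challenge)
    return card.verify_host(host_challenge, card_challenge, host_proof)
```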
Since strong IT security implies putting a smart card or other device in the hands of employees, it only made sense for organizations to set the goal of having the same employee badge work as an identity card, an access control card and an IT security credential. Thus, convergence was born.
Convergence for most companies today is about getting to a single credential for both IT security and physical access control.
However, once an organization starts down the path to convergence, picking a technology is not the first step, according to Adam Stanislaus, vice president of physical security for First Data Corp.
"You really have to converge your relationships first and get the CIOs, CSOs and other stakeholders to work together as partners," Stanislaus said. "Only after that happens can they provide a unified product to the organization that will secure all of their assets."
First Data has moved all the way through this phase, according to Stanislaus.
"Our physical policy is part of our Infosec policy in an ISO 17799 framework. When you look at First Data, you are looking at a unified set of policies and procedures," he said.
They are now entering the next phase and starting to look at provisioning and de-provisioning systems, and the implementation of solutions for physical and logical access control. According to Stanislaus, ultimately you want to get to one credential and one process; that's what convergence is all about.
For other organizations already using a converged ID today, the most common approach is to combine two technologies on one card -- contact smart card for IT security and other applications, and proximity technology for physical access control.
Often called a "hybrid card," this approach adds one very important, pragmatic advantage to the power of smart card technology, and that is compatibility with installed physical access control systems and the associated badging and enrollment stations. This eliminates concerns from security executives who fear that upgrading to smart cards entails a major infrastructure retrofit, including replacement of thousands of readers at access points and entirely new issuing equipment.
In addition to access, a converged ID card can be used to provide strong two-factor authentication for employees, even when accessing remotely or from an Internet cafe. It can be used to sign and encrypt digital documents or e-mail, along with many other applications.
Convergence is not something limited to large organizations either. Recently, Alternative Technologies, a top North American distributor for value added resellers in the network security market, began distributing a new two-factor authentication product suite from Axalto called Protiva and Cryptoflex .NET, a smart card powered by Microsoft's .NET® framework.
With smart card support available from Windows® update and a two-tier distribution channel, a converged smart card for IT security and access control is now within reach for any sized organization.
The Convergence Evolution
Over time, many see convergence evolving into a single chip card technology called contactless smart cards. This technology marries the convenience of short distance proximity reading with the advanced security features of microprocessor smart cards.
Contactless technology is used in the new electronic passports that the United States and other countries will start issuing later this year. It also is in the new generation of contactless payment products U.S. bank card issuers introduced last year from American Express, MasterCard and Visa.
Many people confuse contactless smart cards with RFID technology, but they are not the same. Contactless smart cards contain microprocessors and are capable of the same levels of security as contact smart cards. RFID technology does not include a microprocessor and has no internal processing or active security features.
In access control applications, contactless smart cards hold the promise of proximity reading with even higher levels of security than can be achieved in proximity cards. The PIV standard includes contactless technology, for example, as part of the government's long-term strategy for access control.
But using the new technology requires new readers and systems designed to work with the higher levels of security and advanced data communications methods. Pragmatically, most expect PIV implementations to include proximity technology for the near term.
"Understanding the extensive installed base of HID PROX within physical access systems located in many government facilities, HID and Axalto worked together to ensure these assets were not stranded," said Eric Widlitz, manager, government and technology applications for HID Global.
Achieving a common credential for access control and IT security is not the end of convergence, however. According to the Open Security Exchange, an industry organization focused on the topic, convergence of physical security and IT extends as far as making all of the different enterprise business and security systems interoperable. For example, when a personnel manager processes a new hire and sets up payroll and benefits, why can't that same personnel application do everything that is needed to provide the new employee with building entry and IT system access, issuing a credential on the spot that does both?
The short answer is because these different systems do not talk to each other today, at least not well enough for this kind of one-stop approach. The OSE aims to solve that problem. To get the ball rolling, the organization published a technical working document called Physbits 1.0, which is a vendor-neutral approach for enabling collaboration between diverse business application systems in the enterprise and those involved in physical and IT security.
In another initiative, the OSE is now working with a group of both physical and logical access executives on its Convergence Council to draft a convergence roadmap that will incorporate members' best practices and experiences, to the benefit of the entire security industry. Participation in the council is open to security practitioners for both members and non-members.
Members of the Smart Card Alliance also are active on topics related to convergence. The organization has published a number of very informative white papers and other documents on subjects relating to secure personal IDs and the use of smart card technology in physical access control and IT security. To provide special focus on the topics, the alliance created the Physical Access Council and the Identity Management Council, both actively working on projects related to convergence.
A third relevant organization is the Liberty Alliance. This global consortium is working on another important part of the equation -- the convergence of open federated identity standards and identity-based Web services.
"Successful identity management has become a critical factor in application development and the necessary foundation for deploying all Web services," said George Goodman, president of Liberty Alliance's management board and director of Intel's Visualization and Trust Lab.
Axalto and other members of the Liberty Alliance, working with OASIS and other global standards organizations, are developing specifications that provide a framework for interoperable, identity-based Web services.
"These specifications provide a blueprint for driving convergence between federated identity and Web services specifications, a necessary step to complete interoperability," Goodman said.
Getting involved in an industry organization like the Smart Card Alliance, the Liberty Alliance or the OSE is a good way to advance your company on the path to convergence, or just to find out more about it. It provides an opportunity to connect with peers and technology providers to help determine the best convergence course for your own organization.
"In talking to our Convergence Council members, we found they're not all starting at the same spot," said Laurie Aaron, an OSE co-chairwoman who oversees the council and is director of strategic sales for the Software House/American Dynamics division of Tyco Fire & Safety. "The common thread is they all realize it is necessary."