The convergence of IT security and physical access control

Organisations are increasingly adopting a model in which multiple access control use cases and identities can be supported on one card or smartphone.

This convergence of use cases and identities eliminates the need for users to remember and carry separate cards or other devices for opening doors, logging onto computers, and accessing cloud-based applications.

It also enables the inclusion of other high-value applications including cashless vending, time and attendance, and secure print management.

There is growing demand for provisioning IT and physical access control system (PACS) credentials to a single card or smartphone, using a single set of processes. Beyond convenience, however, the convergence of credentials onto a single card or device can greatly improve security and reduce ongoing operational costs.

It also centralises identity and access management, consolidates tasks and enables organisations to quickly and effectively use strong authentication throughout their infrastructure to protect access to all key physical and IT resources.

Understanding the Drivers for Convergence

Choosing an effective authentication solution for enterprise data protection has traditionally been difficult. Most available solutions are inadequate either in their security capabilities, the costs and complexities they introduce for the organisation, or the user experience they deliver.

Employees want the convenience of being able to use a single card or mechanism to quickly and easily access the resources they need to conduct business. To accomplish this, organisations must deploy a solution that can be used to secure access to everything from the door to the corporate computers, data, applications and cloud. They must combine the traditionally separate domains of physical and IT security to coordinate the management of their users’ identities and access.

The Value of Converged Access Control

Truly converged access control consists of one security policy, one credential and one audit log. In some organisations, user management is already fully converged, with a single corporate policy that defines acceptable access and use of resources, a single master user repository, and a single logging tool for simplified reporting and auditing. This approach enables enterprises to:

• Deliver Convenience – replaces one-time password (OTP) tokens and key fobs, negating the need for users to carry multiple devices or re-key OTP to gain access to all the physical and IT resources they need.

• Improve Security – enables strong authentication throughout the IT infrastructure on key systems and applications (rather than just at the perimeter), and even at the door.

• Reduce Costs – eliminates the need to invest in multiple access solutions, centralising management and consolidating tasks into a single set of administration and helpdesk processes around issuance, replacement and revocation.
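The three elements above (one policy, one credential, one audit log) are easier to reason about in code. The following is an added illustration, not code from the article or from HID Global: a toy converged access controller with a single user-to-resource policy, a single credential store whose revocation step covers doors and IT at once, and a single audit log that records door events and IT logons side by side. Because both domains land in the same log, it can also flag an IT logon that was not preceded by a badge-in for the same credential, a check that is only possible once the logs are unified. All names, resources and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Credential:
    """One credential (card or phone) mapped to one managed identity."""
    credential_id: str
    user: str
    revoked: bool = False


@dataclass
class AuditEvent:
    """One entry in the unified audit log; resource is 'door:<name>' or 'it:<name>'."""
    ts: datetime
    credential_id: str
    resource: str
    granted: bool

    @property
    def domain(self):
        return self.resource.split(":", 1)[0]


class ConvergedAccess:
    """One policy (user -> allowed resources), one credential store, one audit log."""

    def __init__(self, policy):
        self.policy = {user: set(res) for user, res in policy.items()}
        self.credentials = {}  # credential_id -> Credential
        self.log = []          # shared by physical and IT access decisions

    def issue(self, credential_id, user):
        self.credentials[credential_id] = Credential(credential_id, user)

    def revoke(self, credential_id):
        # One helpdesk action: the credential stops working at doors and on IT systems.
        self.credentials[credential_id].revoked = True

    def request(self, ts, credential_id, resource):
        """Decide a door or IT access request against the single policy and log it."""
        cred = self.credentials.get(credential_id)
        granted = (cred is not None and not cred.revoked
                   and resource in self.policy.get(cred.user, set()))
        self.log.append(AuditEvent(ts, credential_id, resource, granted))
        return granted

    def logons_without_badge_in(self, window=timedelta(hours=12)):
        """Granted IT logons with no granted door event for the same credential within window."""
        flagged = []
        for ev in self.log:
            if ev.domain != "it" or not ev.granted:
                continue
            preceded = any(
                e.domain == "door" and e.granted
                and e.credential_id == ev.credential_id
                and ev.ts - window <= e.ts <= ev.ts
                for e in self.log)
            if not preceded:
                flagged.append(ev)
        return flagged


def run_demo():
    """Constructed scenario: two users, one lost card, one logon without a badge-in."""
    policy = {"alice": ["door:lobby", "it:workstation", "it:vpn"],
              "bob": ["door:lobby", "it:workstation"]}
    acs = ConvergedAccess(policy)
    acs.issue("C1", "alice")
    acs.issue("C2", "bob")
    t0 = datetime(2024, 1, 15, 8, 0)
    r = {}
    r["alice_door"] = acs.request(t0, "C1", "door:lobby")                              # granted
    r["alice_logon"] = acs.request(t0 + timedelta(minutes=5), "C1", "it:workstation")   # granted
    r["alice_server_room"] = acs.request(t0 + timedelta(minutes=10), "C1", "door:server_room")  # not in policy
    r["bob_logon"] = acs.request(t0 + timedelta(hours=1), "C2", "it:workstation")       # granted, but no badge-in
    acs.revoke("C2")  # bob reports his card lost; one revocation covers both domains
    r["bob_door_after_revoke"] = acs.request(t0 + timedelta(hours=2), "C2", "door:lobby")
    r["bob_logon_after_revoke"] = acs.request(t0 + timedelta(hours=2, minutes=1), "C2", "it:workstation")
    r["flagged"] = [(e.credential_id, e.resource) for e in acs.logons_without_badge_in()]
    r["log_len"] = len(acs.log)
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The correlation check is deliberately simple (a fixed look-back window, no handling of remote workers who legitimately log on without entering a building); in practice the policy would carry that context, but the point stands: the check cannot be written at all while door and IT logs live in separate systems.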

Exploring Multiple Deployment Options

With a converged access control model, the credential can be delivered in a variety of form factors, such as a smart card (e.g. ID badge) or even a smartphone. Depending on the enterprise’s requirements and existing infrastructure, there are several ways to architect the solution. The following are the three most common models:

• Legacy Contactless: Enables an existing card-based physical access system to be extended to authenticate enterprise networks and applications. Software is deployed on the end user’s workstation, with a contactless reader connected to or embedded in it. The card can be “read” without needing to be physically inserted into the reader device. This is convenient for users, who can take the same card they have been using with a door reader and tap it to a personal computer or laptop in order to gain access to their computer and to corporate and cloud applications.

• Dual Chip Card: Embeds a contactless chip for physical access control and a contact chip for logical access control on a single smart card. Credentials, such as PKI certificates and OTP keys, can be managed on the contact chip using a card management system (CMS).

• Dual Interface Chip Card: Leverages a single PKI-capable chip with both a contact and a contactless interface to support both physical and logical access control. The contact interface serves logical access use cases, such as logging into a computer or signing an email, while the contactless interface supports PKI authentication at the door.

Bringing Strong Authentication to the Door

Strong authentication will increasingly be employed not just for remote access, but also for desktops, key applications, servers, cloud-based systems and facilities. This requires bringing strong authentication to the door.

Organisations need a range of authentication methods and the flexibility to easily support different users and protect different resources appropriately. With simple-to-use solutions, enterprises can secure access to their resources from both managed and unmanaged devices. Without having to build or maintain multiple authentication infrastructures, enterprises can use a single solution to secure access to all their resources, from a facility door or copier to a VPN, terminal service or cloud-based application.

What About Mobile?

As we all know, users are increasingly mobile and bringing their own devices (BYOD) into the organisation’s environment using smartphones, laptops and tablets to access the resources they need.

Organisations are trying to support all this mobile access, while looking at ways to leverage their users’ mobile devices as platforms for carrying credentials for physical and logical access control.

Mobile access control requires rethinking how to manage physical access credentials, and to make them portable to smartphones so that organisations have the option to use smart cards, mobile devices or both within their PACS.

For example, HID Global’s Trusted Identity Platform (TIP) uses a secure communications channel for transferring identity information between validated phones, their secure elements (SEs), and other secure media and devices. The combination of TIP and Secure Identity Objects (SIOs) not only improves security, but delivers the flexibility to adapt to future requirements, such as adding new applications to an ID card.

With a mobile access control model, any piece of access control data can be supported on a smartphone, including data for access control, cashless payments, biometrics, PC logon and many other applications.

The authentication credential will be stored on the mobile device’s SE, and a cloud-based identity provisioning model will eliminate the risk of credential-copying while making it easier to issue temporary credentials, cancel lost or stolen credentials, and monitor and modify security parameters when required.

Users will be able to carry a variety of access control credentials as well as an OTP computer logon token on the phone that they can simply tap to a personal tablet for authenticating to a network.

By combining mobile tokens on the phone with cloud app single-sign-on capabilities, it will be possible to blend classic two-factor authentication with streamlined access to multiple cloud apps on a single device that users rarely lose or forget. Plus, the same phone can be used for opening doors and many other applications.

Mobility is driving ongoing convergence, as it forces physical and IT security teams to work together to come up with a solution. The result can be a solution for easily managing PACS credentials and IT access credentials on phones in a cost-effective way, while delivering the same level of security they were used to with cards.

The ability to combine access control for physical and IT resources on a single device that can be used for many applications improves user convenience while increasing security and reducing deployment and operational costs. It will eliminate the need for separate processes for provisioning and enrolling IT and PACS identities.

Instead, it will be possible to apply a unified set of workflows to a single set of managed identities for organisational convergence. Organisations will be able to seamlessly secure access to physical buildings and IT resources, such as computers, networks, data and cloud applications.

An effective solution will also scale to secure access to other resources, as needed, to support a fully interoperable, multi-layered security strategy that can protect the organisation’s buildings, networks, systems and applications, now and in the future.

Steve Katanas is Director of Sales for Australia and New Zealand at HID Global.
