Organisations are increasingly adopting a model in which multiple access control use cases and identities can be supported on one card or smartphone.
This convergence of use cases and identities eliminates the need for users to remember and carry separate cards or other devices for opening doors, logging onto computers, and accessing cloud-based applications.
It also enables the inclusion of other high-value applications including cashless vending, time and attendance, and secure print management.
There is growing demand for provisioning IT and physical access control system (PACS) credentials to a single card or smartphone, using a single set of processes. Beyond convenience, however, the convergence of credentials onto a single card or device can greatly improve security and reduce ongoing operational costs.
It also centralises identity and access management, consolidates tasks and enables organisations to quickly and effectively use strong authentication throughout their infrastructure to protect access to all key physical and IT resources.
Understanding the Drivers for Convergence
Choosing an effective authentication solution for enterprise data protection has traditionally been difficult. Most available solutions are inadequate either in their security capabilities, the costs and complexities they introduce for the organisation, or the user experience they deliver.
Employees want the convenience of being able to use a single card or mechanism to quickly and easily access the resources they need to conduct business. To accomplish this, organisations must deploy a solution that can be used to secure access to everything from the door to the corporate computers, data, applications and cloud. They must combine the traditionally separate domains of physical and IT security to coordinate the management of their users’ identities and access.
The Value of Converged Access Control
Truly converged access control consists of one security policy, one credential and one audit log. In some organisations, user management is already fully converged, with a single corporate policy that defines acceptable access and use of resources, a single master user repository, and a single logging tool for simplified reporting and auditing. This approach enables enterprises to:
• Deliver Convenience – replaces one-time password (OTP) tokens and key fobs, negating the need for users to carry multiple devices or re-key OTP to gain access to all the physical and IT resources they need.
• Improve Security - enables strong authentication throughout the IT infrastructure on key systems and applications (rather than just at the perimeter), and even at the door.
• Reduce Costs – eliminates the need to invest in multiple access solutions, centralising management and consolidating tasks into a single set of administration and helpdesk processes around issuance, replacement and revocation.
Exploring Multiple Deployment Options
With a converged access control model, the credential can be delivered in a variety of form factors, such as a smart card (e.g. ID badge) or even a smartphone. Depending on the enterprise’s requirements and existing infrastructure, there are several ways to architect the solution. The following are the three most common models:
• Legacy Contactless: Enables an existing card-based physical access system to be extended to authenticate enterprise networks and applications. Software is deployed on the end user’s workstation, with a contactless reader connected to or embedded in it. The card can be “read” without needing to be physically inserted into the reader device. This is convenient for users, who can take the same card they have been using with a door reader and tap it to a personal computer or laptop in order to gain access to their computer and to corporate and cloud applications.
• Dual Chip Card: Embeds a contactless chip for physical access control and a contact chip for logical access control on a single smart card. Credentials, such as PKI certificates and OTP keys, can be managed on the contact chip using a card management system (CMS).
• Dual Interface Chip Cards: Leverages a single PKI-capable chip, with both a contact and contactless interface to support both physical and logical access control. The card can be used to support a contact card reader for logical access use cases, such as logging into a computer or signing an email, and PKI authentication for physical access.
Bringing Strong Authentication to the Door
Strong authentication will increasingly be employed not just for remote access, but also for desktops, key applications, servers, cloud-based systems and facilities. This requires bringing strong authentication to the door.
Organisations need a range of authentication methods and the flexibility to easily support different users and protect different resources appropriately. With simple-to-use solutions, enterprises can secure access to an enterprise’s resources from both managed and unmanaged devices. Without having to build or maintain multiple authentication infrastructures, enterprises can use a single solution to secure access to all their resources, from a facility door or copier to a VPN, terminal service or cloud-based application.
What About Mobile?
As we all know, users are increasingly mobile and bringing their own devices (BYOD) into the organisation’s environment using smartphones, laptops and tablets to access the resources they need.
Organisations are trying to support all this mobile access, while looking at ways to leverage their users’ mobile devices as platforms for carrying credentials for physical and logical access control.
Mobile access control requires rethinking how to manage physical access credentials, and to make them portable to smartphones so that organisations have the option to use smart cards, mobile devices or both within their PACS.
For example, HID Global’s Trusted Identity Platform (TIP) uses a secure communications channel for transferring identity information between validated phones, their SEs, and other secure media and devices. The combination of TIP and SIOs not only improves security, but delivers the flexibility to adapt to future requirements, such as adding new applications to an ID card.
With a mobile access control model, any piece of access control data can be supported on a smartphone, including data for access control, cashless payments, biometrics, PC logon and many other applications.
The authentication credential will be stored on the mobile device’s SE, and a cloud-based identity provisioning model will eliminate the risk of credential-copying while making it easier to issue temporary credentials, cancel lost or stolen credentials, and monitor and modify security parameters when required.
Users will be able to carry a variety of access control credentials as well as an OTP computer logon token on the phone that they can simply tap to a personal tablet for authenticating to a network.
By combining mobile tokens on the phone with cloud app single-sign-on capabilities, it will be possible to blend classic two-factor authentication with streamlined access to multiple cloud apps on a single device that users rarely lose or forget. Plus, the same phone can be used for opening doors and many other applications.
Mobility is driving ongoing convergence, as it forces physical and IT security teams to work together to come up with a solution. The result can be a solution for easily managing PACS credentials and IT access credentials on phones in a cost-effective way, while delivering the same level of security they were used to with cards.
The ability to combine access control for physical and IT resources on a single device that can be used for many applications improves user convenience while increasing security and reducing deployment and operational costs. It will eliminate the need for separate processes for provisioning and enrolling IT and PACS identities.
Instead, it will be possible to apply a unified set of workflows to a single set of managed identities for organisational convergence. Organisations will be able to seamlessly secure access to physical buildings and IT resources, such as computers, networks, data and cloud applications.
An effective solution will also scale to secure access to other resources, as needed, to support a fully interoperable, multi-layered security strategy that can protect the organisation’s buildings, networks, systems and applications, now and in the future.
Steve Katanas is Director of Sales for Australia and New Zealand at HID Global.