HID's Dan DeBlasio on Identity Management


When researching identity management, it helps to look at it along a continuum, from IT-based logical access management at one end to an enterprise's physical entry points at the other. One realm may be entirely software driven and the other filled with hardware, but both are trying to ensure that identities have only the access to which they are entitled.

HID Global, one of the international leaders on the physical end of identity management (physical access control), has its own broad perspective on identity and access management. It offers logical access control through contactless (proximity) cards, as well as a wide range of card form factors and readers for physical access.

One key goal, says Dan DeBlasio, director of business development for identity and access management, Americas, for HID, is to help enterprises find "risk appropriate" methods of physical and logical authentication. Matching security methods to the risks involved will become increasingly important as logical and physical identities merge. Security Squared's Sharon J. Watson talked with DeBlasio about that issue and much more in late May.

The following is an edited, abridged version of our conversation.

Sharon Watson: What interest are you seeing from customers and prospects about more tightly linking their physical identities with logical identities in the HR and directory systems?

Dan DeBlasio: What we see as the driver is the capability to minimize risk first and foremost. Companies are saying how can we start to minimize that risk, and identity comes into that because you're saying, all right, people are getting in the door and what else can we do to link security on the physical side of the business [with] what we're doing on the IT side of the business, and understanding we have varied identities or double identities across the system.

SJW: Once that question is raised, what are the first steps toward addressing the issue?

DD: I tend to look at this in a segmented way, from small, medium, large enterprise or corporation. If you're talking about a large enterprise corporation, I think many of them already are realizing they have some challenges in that they have multiple identities for one individual across the corporation. So they're looking at ways to phase in--because there are not many companies who say they're going to do this in one project because it can be pretty all-encompassing--so let's number one ask where are we creating identities for our employees, contractors, temps, visitors, and at least ensure we have good documentation on where all those identities are created. Then they look at a phased approach of getting central identity management--either a system or location of creation.

I'm excluding the federal government because they've done a pretty good job with HSPD-12 and FIPS-201 credentialing in documenting how that process is done.

SJW: Once the companies embark on the process of cleaning up identities, managing them better at logical level, how often are they able to drive those new policies and rules down into a card management system?

DD: With card management systems (CMS)...the challenge you always have is you have these existing databases that those CMS now need to talk to. The Suns, IBMs, look to add value. CMS is one piece of that. They look to add value to pieces of that equation around provisioning.

Provisioning is probably the biggest challenge, and right behind that is de-provisioning.
What happens when you go to de-provision an individual? Here's where some of the risks are that keep the security officers both on the IT side and the physical access side up at night. [An extremely large global corporation] I worked with did a study. They found out it took them about two weeks to guarantee that an individual who had left the firm for whatever reason was no longer capable of getting in physically or logically into either the physical buildings or the data the company owned. Those are the challenges.

SJW: It's my understanding those kind of companies have acquired different physical access control systems as they've acquired facilities or other enterprises, and they've just not been able to merge them. So it's almost an individual process to ensure someone is out of each of those systems. Would you agree?

DD: Hopefully they've put boundaries to that and are not crossing individuals into both or multiple systems, that they've taken a deep breath before they've tried the integration effort and asked: Which system are we going to use that is the master repository for identity when we're crossing between companies in a merged environment?

In fact, one of the first things that occurs [when corporations do merge] is a new identity from a physical access badge is defined and gets reissued so they can purge some of these systems, at least on the physical access control side, and say we've got one graphical identity.

From an employee's perspective, we have a new badge because we have a new logo of the merged or acquired firm taking on the brand or identity of the firm that acquired them. First thing they're doing is giving them a new graphical badge so they're at least standardized around that, and you certainly hope with issuance of that physical security badge that it's going into one system or systems are tied together so there's a hierarchy of what's the master and how do the others fall underneath that so you can always understand, as you're moving forward, that you have one identity that you can trust.


SJW: My understanding is a lot of companies haven't taken those steps [to ensure a single trusted identity].

DD: That's an opportunity for many of our partners and of course it's a challenge for those companies. The best thing I can suggest is that they look to work with the appropriate partner, consultant, who would review and understand what their challenges are. That's the biggest step, identifying in very thorough fashion what the challenges are and then laying out a clear phased approach of how they would tackle that challenge. Because part of risk mitigation is identifying your risk. I say that a little tongue in cheek because that is a challenge. But it is the first step.

SJW: As logical and physical identities get more converged, there's that "keys to the kingdom" issue, you're giving more access rights, whether physical or logical, to that more converged identity. So there's talk of needing to make sure the person logging in is really physically who you think they are. I'd seen literature on your site about the need for two factor or multifactor authentication, and I wondered, Dan, if you could address some of the trends and best practices in that area?

DD: So the best-case scenario is if you had systems showing John badged into the building at 7:55 a.m. and at 8:10 a.m. he was accessing his PC via our internal network. Therefore that gives you a green flag to grant him access to the network--versus we show John badging in at 7:55 a.m. but he's trying to VPN in from outside--and that's a flag, I'm not going to allow that access without some form of validation. If our systems are out of sync, what occurred?

That's one piece of convergence which I look at as the backend, getting identities converged into one system or a minimum number of systems and then having a hierarchy of identities within those systems, i.e., what's the master record?

The second piece is for the backend systems in this convergence strategy to talk to one another to quickly minimize risk, especially on the de-provisioning side, so you know an employee, contractor, temp is out of all the systems they had been provisioned for.

Now we talk about the front-end convergence where we say, now, okay, I'm going to that one identity document, let's call it a badge, that gets me in the door and then use that for logical access.

There are some different thoughts in this area. Those different thoughts include: we issue everyone a contact smart card, [put a] chip on to that badge, so we're using PKI and digital certificates. So they'd have to have card with chip on it, they'd be using a PIN, so it's something you have as well as something you know, so it's true two-factor authentication, it's recognized by the industry as best practice strong authentication.

To take that even a level higher, you could add a biometric, where you use match on card, where the biometric template is kept on the card: you have the card, biometric access to the card, then you have the PIN, so that releases the digital certificate. That's pretty much the highest form of authentication. It's also probably the biggest challenge today in trying to implement that across a large organization. So most organizations say today, at our highest level of risk, we need to use biometrics along with a card, we'll do that for a very small subset.

There are also challenges around biometric with standards, but it's getting much, much better today than it was.

Then you step down and say I can use a badge with chip and digital certificate, PKI, and I have two-factor authentication. Again, because of some of the challenges of provisioning the card, managing the card, the infrastructure, companies have not adopted this as [widely] as maybe some of us in the industry would like. So there's been the infrastructure aspect and the cost aspect.


SJW: Step back and tell me what the infrastructure issue is.

DD: You have to have a certificate authority, card management system, the readers, etc. The readers that may or may not have come with the PC or laptop are barriers to entry. Today that's getting better. Most laptops have the option for, or come with, a contact smart card reader.

There's been huge adoption over the years of one-time passwords (OTP), which are just right below that two-factor authentication via PKI and digital certification. That OTP device is a secondary device. The [employees] have a badge and they have an OTP device for authentication to an application. Its strongest application is remote authentication.

Another is the USB token that can carry a digital certificate, do PKI authentication. But again, that means you're carrying at least two different tokens and that in itself presents a challenge to end users in ensuring adoption.

SJW: Something I need to make sure I understand: Where is the data ultimately coming from that populates the card?

DD: You're asking where that information would come from if the card is used for logical access; it typically would be from Active Directory. Or if it's not Active Directory, it's an LDAP directory.

SJW: Do you think more and more these cards [used for logical access] will pick up the logical policy data companies are creating and populating directories with, and will those policies include physical access rights and permissions? The reason that comes up for me is that as I talk to IT identity management specialists, and they talk about how important roles-based provisioning is becoming, it seems logical to associate physical access rights to those logical roles. And some IT vendors say they could handle those physical aspects.

DD: That's a true statement. The challenge goes to provisioning, and can one tool provision both sides of the house? I've not heard, at least today, of a provisioning system saying it can do both. That doesn't mean a week from now we won't see a press release that says one of them is doing it and has a reference account we can talk to.

There are just challenges to that. If you look at an organization, how many organizations have a CSO where the physical security officer and CISO report up to one person in the organization? So we have an organizational challenge, and even if we did have an actual solution set that could do it, the fact is the organization isn't even configured to allow it. That has been one of the traditional challenges....

We certainly see a trend where physical devices are moving onto the IP network. Video cameras, some of what [HID is] doing around Edge, the ability to have IP connections to the door reader that talks to the back end, physical access control. The challenge goes to the infrastructure, the costs associated with going to complete IP door readers, etc., across the network infrastructure where that provisioning system could manage all of those access locations. Because if you're going to provision them, how are you going to manage them? That's a huge challenge.

What I think [IT identity management solutions] can tackle is where the physical access control says to some metadirectory or IDM system, John has entered the building or John has exited the building. They can take that data from an audit perspective and look to grant rights for what John can or cannot access at that moment. But when you look at all the devices that a physical access system manages, and say, let's look to one system to do both [physical and logical], boy, that's a challenge.

SJW: What had you come prepared to discuss that we haven't?

DD: If you're not budgeted to do something large around identity management projects, what [you] can do today to help mitigate risk is just to look at risk appropriate authentication, especially on the IT side. Most companies feel pretty confident around physical security, and their data security as far as how they provision it, but if it's all based on username and password, is there a weak link at what I would call the door to the IT side? How can we strengthen that access at the IT side and do it in a convenient way, with minimum cost of entry and yet make it multi-application to minimize risk?
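Two of the checks DeBlasio describes, finding people who have left but still hold an active badge or directory account, and flagging a VPN logon from someone the physical access system shows as badged into a building, can be implemented as a simple reconciliation over the records the different systems hold. The following is an added example, not code from the interview, from HID or from any product mentioned; the HR roster, badge table, directory accounts and event logs are constructed sample data, and the record layouts are assumptions made for illustration.

```python
"""Added example (not from the interview or HID): reconciling physical
access control (PACS) records with logical identity data.

Two checks over constructed sample data:
  1. de-provisioning gaps: identities that are terminated in HR (or have
     no HR record at all) but still hold an enabled badge or directory
     account;
  2. location/logon consistency: a VPN logon by a user whom the PACS
     shows as currently badged into a building, which should be flagged
     for validation rather than silently allowed.
All identifiers, formats and timestamps below are constructed.
"""
from datetime import datetime

# Constructed HR system of record: employee id -> (username, status)
HR = {
    "e1001": ("john.doe", "active"),
    "e1002": ("jane.roe", "terminated"),
    "e1003": ("sam.lee", "active"),
}

# Constructed PACS badge table: badge id -> (employee id, enabled)
PACS_BADGES = {
    "B-7781": ("e1001", True),
    "B-7782": ("e1002", True),   # still enabled after the employee left
    "B-7783": ("e1003", True),
}

# Constructed directory accounts: username -> enabled
DIRECTORY = {
    "john.doe": True,
    "jane.roe": True,            # still enabled after the employee left
    "sam.lee": True,
    "svc.backup": True,          # no HR owner at all
}


def deprovisioning_gaps(hr, badges, directory):
    """Return (system, identifier, employee id, HR status) for every enabled
    badge or directory account whose owner is not an active employee."""
    findings = []
    username_to_emp = {name: emp for emp, (name, _) in hr.items()}
    for badge_id, (emp, enabled) in badges.items():
        status = hr[emp][1] if emp in hr else "unknown"
        if enabled and status != "active":
            findings.append(("pacs", badge_id, emp, status))
    for user, enabled in directory.items():
        emp = username_to_emp.get(user)
        status = hr[emp][1] if emp else "unknown"
        if enabled and status != "active":
            findings.append(("directory", user, emp, status))
    return sorted(findings)


# Constructed event logs: (timestamp, username, kind, detail)
#   badge kind is "in" or "out" and detail is the door;
#   logon kind is "lan" or "vpn" and detail is the source address.
BADGE_EVENTS = [
    ("2010-06-01 07:55:00", "john.doe", "in", "HQ-lobby"),
    ("2010-06-01 08:02:00", "sam.lee", "in", "HQ-lobby"),
    ("2010-06-01 17:00:00", "john.doe", "out", "HQ-lobby"),
]
LOGON_EVENTS = [
    ("2010-06-01 08:10:00", "john.doe", "lan", "10.0.12.34"),    # consistent
    ("2010-06-01 08:15:00", "sam.lee", "vpn", "203.0.113.9"),    # badged in, yet remote
    ("2010-06-01 19:30:00", "john.doe", "vpn", "198.51.100.7"),  # badged out first: fine
]

TS_FMT = "%Y-%m-%d %H:%M:%S"


def impossible_presence(badge_events, logon_events):
    """Merge both logs in time order, track who is badged in, and return
    (user, logon time, door, source) for each VPN logon made while the
    PACS still shows that user inside a building."""
    stream = [(datetime.strptime(ts, TS_FMT), "badge", u, k, d)
              for ts, u, k, d in badge_events]
    stream += [(datetime.strptime(ts, TS_FMT), "logon", u, k, d)
               for ts, u, k, d in logon_events]
    stream.sort(key=lambda e: e[0])   # stable sort keeps same-second order
    inside = {}   # user -> door, while badged in
    flags = []
    for t, source, user, kind, detail in stream:
        if source == "badge":
            if kind == "in":
                inside[user] = detail
            else:
                inside.pop(user, None)    # badge-out clears presence
        elif kind == "vpn" and user in inside:
            flags.append((user, t.strftime(TS_FMT), inside[user], detail))
    return flags


if __name__ == "__main__":
    for finding in deprovisioning_gaps(HR, PACS_BADGES, DIRECTORY):
        print("de-provisioning gap:", finding)
    for flag in impossible_presence(BADGE_EVENTS, LOGON_EVENTS):
        print("VPN logon while badged in:", flag)
```

The first check is the query the two-week de-provisioning study in the interview would have to run on a schedule: HR is treated as the master record and every other system is reconciled against it, so an unowned account such as the service account above surfaces alongside the terminated employee's lingering badge. The second check treats the badge-out event as the edge case that matters; without it, an employee who left the building and connected from home in the evening would be flagged along with the genuinely inconsistent logon.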
