One Person, One Identity, One Credential: Converging Logical-Physical Identity and Access Management -- Part 3

Part 3: Physical, Meet Logical

This is the third in a four-part series on the convergence of physical and logical identity and access management (IAM). This article examines the role of the physical access control system (PACS) in identity convergence. In particular, it looks at the barriers to integrating some PACS with standards-based IT systems and how an emerging group of vendors are overcoming these issues.

IT-based identity management systems have the ability to manage physical identities and assets as well as virtual identities and assets. Yet given the complexity of the physical security ecosystem in many enterprises, most sources expect physical access control systems (PACS) to be a key to converged IAM.

PACS do bring strengths to the job. PACS architectures are built to authenticate many users in a short time, such as at a busy door. By contrast, "IT systems are built to support confidentiality first," said Guy Huntington, an identity management consultant.

In addition, PACS interact with many complex systems of their own, such as door and card readers, video surveillance systems and physical perimeter defenses.

Then there's the fact that many PACS wind up being the unofficial yet central identity management system for all the non-employees who visit the enterprise: cleaning crews, maintenance workers, repairpersons, temporary employees, contractors and visitors.


Yet PACS also pose challenges to converged identities. Many enterprises operate more than one PACS because they acquired another firm or bought a physical facility or space. Further, many PACS still operate on networks independent of the enterprise network. In addition, most are based on proprietary technologies, each with their own application programming interface (API).

Different PACS with different APIs mean the IT department or its identity management vendor must write separate interfaces to each PACS--some older versions of which may not even have APIs--to ensure logical-physical integration. And most don't want to do that.
 
"For us, we have a hard enough time managing all the potential types of things we have to provision and deprovision to," said Dave Hansen, corporate senior vice president and general manager, CA Security Management. "If we had to go to every very unique, rudimentary badging system, it doesn't scale. We don't want to be experts in HID cards and smart cards and all that. There are a lot of people who do that."

Enter the bridge-builders

Those "people" include vendors building businesses on their ability to connect disparate PACS and then integrate those with enterprise directory software and other enterprise applications. These include Alert Enterprise, Imprivata, and Quantum Secure.

Each of these companies brings a comprehensive library of PACS and identity management system interfaces to its installations. Imprivata boasts of an appliance-based approach that reduces integration to what amounts to a menu selection (see graphic below).

[Graphic: Imprivata PACS interface list]

When searching for vendors to streamline identity management at Toronto Pearson International Airport, Deloitte found Quantum Secure to have the widest array of off-the-shelf PACS interfaces, according to Andre Romanovskiy, senior manager, security and privacy services, for Deloitte, during a webinar hosted by Quantum Secure.

In the Toronto Pearson implementation, Quantum Secure's SAFE essentially acts as the authoritative identity source, sitting between the HR systems of dozens of airport tenants and three PACS. Automated workflows handle queries among these systems, reducing initial credentialing time from an average of 10-plus hours to 20 minutes (click on graphic for large version).
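The architecture just described, an authoritative source sitting in front of several PACS, also explains why the "bridge-builders" need one adapter per PACS. The following added example (not Quantum Secure's SAFE or any vendor's code) shows the pattern: each PACS export is normalised by a small adapter into one record shape, and a single reconciliation routine then finds credentials held by terminated people or by people the authoritative source does not know. The system names, export formats, person and card identifiers are all constructed for the example.

```python
"""Reconcile an authoritative identity source against several PACS.

Added example, not Quantum Secure's SAFE or any vendor's code. One
authoritative source (here, HR) sits in front of several physical access
control systems with different export formats; an adapter per PACS
normalises each into one record shape so the leaver/orphan logic is
written once. All names and identifiers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Cardholder:
    person_id: str   # identifier as used by the authoritative source
    card_id: str     # physical credential serial as the PACS knows it
    system: str      # which PACS holds this record


# Constructed stand-ins for an HR feed and three PACS exports
HR_ACTIVE: Set[str] = {"p001", "p002", "p003"}
HR_TERMINATED: Set[str] = {"p004"}

# PACS-A exports JSON-like records keyed by employee number
PACS_A_EXPORT = [
    {"emp_no": "p001", "badge": "A-1001"},
    {"emp_no": "p004", "badge": "A-1004"},  # terminated in HR, still active here
]
# PACS-B exports CSV rows "card,person"
PACS_B_EXPORT = "B-2002,p002\nB-2009,p009\n"  # p009 is unknown to HR
# PACS-C is a legacy system with no API: an operator pastes the card list,
# and card-to-person ownership comes from a separate card management system
PACS_C_CARDS = ["C-3003", "C-3004"]
CARD_OWNERS = {"C-3003": "p003", "C-3004": "p004"}


def adapt_pacs_a(export: Iterable[dict]) -> List[Cardholder]:
    return [Cardholder(r["emp_no"], r["badge"], "PACS-A") for r in export]


def adapt_pacs_b(export: str) -> List[Cardholder]:
    holders = []
    for line in export.strip().splitlines():
        card, person = line.split(",")
        holders.append(Cardholder(person, card, "PACS-B"))
    return holders


def adapt_pacs_c(cards: Iterable[str], owners: Dict[str, str]) -> List[Cardholder]:
    # Cards with no known owner are mapped to "UNKNOWN" so they surface as orphans
    return [Cardholder(owners.get(c, "UNKNOWN"), c, "PACS-C") for c in cards]


def reconcile(active: Set[str], terminated: Set[str],
              holders: Iterable[Cardholder]) -> Dict[str, List[Cardholder]]:
    """Group credentials that should not exist: held by terminated people,
    or by people the authoritative source does not know at all (orphans)."""
    findings: Dict[str, List[Cardholder]] = {"terminated": [], "orphan": []}
    for h in holders:
        if h.person_id in active:
            continue
        bucket = "terminated" if h.person_id in terminated else "orphan"
        findings[bucket].append(h)
    return findings


def all_cardholders() -> List[Cardholder]:
    return (adapt_pacs_a(PACS_A_EXPORT)
            + adapt_pacs_b(PACS_B_EXPORT)
            + adapt_pacs_c(PACS_C_CARDS, CARD_OWNERS))


if __name__ == "__main__":
    for reason, records in reconcile(HR_ACTIVE, HR_TERMINATED, all_cardholders()).items():
        for r in records:
            print(f"revoke {r.card_id} in {r.system}: {reason} ({r.person_id})")
```

The point of the adapters is that the legacy PACS without an API (PACS-C) still participates in the same review; its data simply arrives by a manual export, which is exactly the case the article says integrators must handle.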

[Graphic: Deloitte GTAA solution overview]

Some leading access control vendors also say they are prepared to integrate with other databases. OnGuard, from Lenel Systems International, can be integrated with LDAP-based enterprise directories, the reigning standard, said Erik Larsen, director of product management for the vendor. (AMAG/G4Tec and Software House claim integration capabilities in their marketing materials, but Security Squared's requests for interviews have yet to receive responses.)

Brivo Systems, which delivers video and access control solutions via software as a service (SaaS), bases its solutions on XML (extensible markup language), an open language that enables it to easily integrate with other systems and databases.

Streamlined identities and security

Integration of disparate PACS with each other makes it more likely a user will need to carry only one card to enter all the enterprise facilities to which he's entitled, even those that are geographically dispersed.


In turn, linking this streamlined physical credential with logical IAM means an individual can use a single credential for physical access as well as network and application access. Further, the two types of access can be correlated: a swipe at the door reader tells the network that Ima Person has entered the building and thus should be authenticated for network access, provided Ima's SSO goes smoothly. The correlated door swipe and SSO also alert the network that Ima apparently is still in the building when someone tries to access her accounts from an IP address outside the network. Did Ima slip out without swiping her badge, or is this a hack in progress?
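The correlation the paragraph describes can be run as a simple detection over PACS and SSO logs. The following added example (not code from any vendor named in this article) replays both event streams in time order, tracks who the PACS believes is inside, and raises the case the paragraph poses (a logon from an external address while the person is badged in). It also flags the inverse, a logon from inside the network by someone the PACS never saw enter, which follows from the same correlation. The log format, network ranges, user names and timestamps are constructed for the example.

```python
"""Correlate door-reader (PACS) events with SSO logons.

Added example, not vendor code. Replays PACS and SSO events in time order,
tracks building presence per user, and raises two alerts:
  - a successful logon from outside the corporate network while the PACS
    still shows the person inside the building;
  - a successful logon from inside the network by a person with no badge-in.
Log format, network ranges, users and timestamps are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed log lines from a PACS and an SSO system (one day, mixed order)
LOG_LINES = """
2024-03-01T08:02:00 PACS user=ima.person door=lobby dir=in
2024-03-01T08:05:00 SSO user=ima.person src=10.1.2.3 result=ok
2024-03-01T10:40:00 SSO user=ima.person src=203.0.113.7 result=ok
2024-03-01T09:00:00 SSO user=jo.doe src=10.1.2.9 result=ok
2024-03-01T17:30:00 PACS user=ima.person door=lobby dir=out
2024-03-01T18:10:00 SSO user=ima.person src=203.0.113.7 result=ok
""".strip()

Alert = Tuple[str, str, str]  # (timestamp, user, rule)


def parse(line: str) -> Dict[str, str]:
    """Split '<ts> <source> k=v k=v ...' into a dict."""
    ts, source, *fields = line.split()
    rec = {"ts": ts, "source": source}
    for f in fields:
        k, v = f.split("=", 1)
        rec[k] = v
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(lines: str) -> List[Alert]:
    """Replay events chronologically and compare each logon with PACS presence."""
    events = sorted((parse(l) for l in lines.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    present: Dict[str, bool] = {}  # user -> True after badge-in, False after badge-out
    alerts: List[Alert] = []
    for e in events:
        user = e["user"]
        if e["source"] == "PACS":
            present[user] = (e["dir"] == "in")
        elif e["source"] == "SSO" and e.get("result") == "ok":
            inside = present.get(user, False)
            if inside and not is_internal(e["src"]):
                alerts.append((e["ts"], user, "external-logon-while-badged-in"))
            elif not inside and is_internal(e["src"]):
                alerts.append((e["ts"], user, "internal-logon-without-badge-in"))
    return alerts


if __name__ == "__main__":
    for ts, user, rule in correlate(LOG_LINES):
        print(f"{ts} {user}: {rule}")
```

In practice both rules need exceptions the article does not go into: VPN users will legitimately log on from external addresses, a user who tailgated through a door has no badge-in record, and a site with several entrances must merge all its readers before presence is meaningful. Treat the output as a lead for an analyst rather than an automatic lockout.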

Authenticating the one identity

Once identities converge, it becomes critical to ensure the person holding that physical/logical credential is truly who you think they are. "At the point where customers have done enterprise single sign-on (SSO) and have created a single point of entry into ten different applications, they sometimes step back and say, 'I really need a second factor,' " said Joe Anthony, program director of identity and applications security management, IBM Tivoli, Austin, Texas.

"The big opportunity with the convergence is using the badge or physical access system as a multi-factor authentication device," said CA's Hansen.

These authentication factors can include one-time-password (OTP) tokens or cards; biometrics combined with cards; and smart cards with chips enabling use of Public Key Infrastructure (PKI) and digital certificates. It's possible video facial recognition applications might be added to this list.

[Graphic: multi-factor authentication options]

"We're seeing a lot of questions and more technologies popping up around risk-based authentication and authorization," said Daniel Raskin, chief identity strategist at Sun Microsystems. These solutions use algorithms to analyze keystrokes, location, devices and other variables to determine whether there's risk associated with someone logging into an application.

However, stronger authentication requires infrastructure investment, such as card management systems, certificate authority software and additional readers on devices.

The issue then is striking the right balance between authentication strength and its cost, said Dan DeBlasio, director of business development for identity and access management, Americas, at HID Global. "How can we strengthen that access at the IT side and do it in a convenient way, with minimum cost of entry and yet make it multi-application to minimize risk?"

HID's answer is a converged IAM strategy based on a proximity card that can be used as the primary physical credential, then act as a second factor alongside a user's PIN or password for the enterprise network in designated settings.

Specific industries will also shape their authentication methods. Health care has high security needs but also high data availability requirements, noted David Ting, CTO, Imprivata. He said many health care providers require a card read plus a password or PIN at the start of a shift for login. Then, as different caregivers use the same workstation throughout the day, sometimes just minutes apart, a card swipe alone is sufficient for data access.

"That gets even more secure," Ting added, "when you combine location to know the person who is swiping that badge is actually within a known location in the hospital."
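The shift-based policy Ting describes, with the location check he adds, can be written as a small state machine. The following added example (not Imprivata's product code) requires card plus PIN at the first login of a shift, accepts the card alone for later logins within the shift window, and on every attempt checks that the PACS last saw that badge in the same hospital zone as the workstation. The 12-hour window, the PIN storage scheme, and all zone, card and user names are assumptions made for the example.

```python
"""Shift-based card + PIN policy with location binding.

Added example, not Imprivata's code. First login of a shift requires card
plus PIN; later logins within SHIFT_WINDOW accept the card alone; every
login also checks that the PACS last saw the badge in the workstation's
zone. The window, PIN storage, zones, cards and users are assumptions.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SHIFT_WINDOW = timedelta(hours=12)   # assumed shift length
PBKDF2_ROUNDS = 100_000


def make_pin_record(pin: str) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2 digest rather than the PIN itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def pin_matches(record: Tuple[bytes, bytes], pin: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


class ShiftAuthPolicy:
    def __init__(self, pins: Dict[str, Tuple[bytes, bytes]],
                 card_owner: Dict[str, str], badge_zone: Dict[str, str]):
        self.pins = pins              # user -> PIN record
        self.card_owner = card_owner  # card serial -> user
        self.badge_zone = badge_zone  # user -> zone of last PACS badge-in (fed by the PACS)
        self.shift_start: Dict[str, datetime] = {}  # user -> last card+PIN login

    def authenticate(self, card: str, pin: Optional[str],
                     workstation_zone: str, now: datetime) -> Tuple[bool, str]:
        user = self.card_owner.get(card)
        if user is None:
            return False, "unknown card"
        # Location binding: the badge must have been read last in this zone
        if self.badge_zone.get(user) != workstation_zone:
            return False, "badge last seen in a different zone"
        start = self.shift_start.get(user)
        if start is not None and now - start <= SHIFT_WINDOW:
            return True, "card only (within shift)"
        # Outside a shift window the PIN is required to (re)start the shift
        if pin is None or not pin_matches(self.pins[user], pin):
            return False, "PIN required at start of shift"
        self.shift_start[user] = now
        return True, "card + PIN (shift started)"


# Constructed directory data: one nurse, one card, a PACS badge-in to ward-3
PINS = {"nurse.a": make_pin_record("2468")}
CARDS = {"CARD-42": "nurse.a"}
BADGE_ZONE = {"nurse.a": "ward-3"}


def demo() -> List[Tuple[bool, str]]:
    """Walk one shift through the policy; comments give the expected decision."""
    policy = ShiftAuthPolicy(PINS, CARDS, BADGE_ZONE)
    t0 = datetime(2024, 3, 1, 7, 0)
    return [
        policy.authenticate("CARD-42", None, "ward-3", t0),                          # deny: no PIN yet
        policy.authenticate("CARD-42", "2468", "ward-3", t0),                        # allow: shift starts
        policy.authenticate("CARD-42", None, "ward-3", t0 + timedelta(minutes=20)),  # allow: card only
        policy.authenticate("CARD-42", None, "ward-7", t0 + timedelta(minutes=25)),  # deny: wrong zone
        policy.authenticate("CARD-42", None, "ward-3", t0 + timedelta(hours=13)),    # deny: window expired
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("ALLOW" if ok else "DENY", reason)
```

The zone check is what turns a lost or borrowed badge from a full credential into a weaker one: a card that the PACS shows entering ward-3 cannot unlock a workstation in another part of the hospital, which is the property Ting is pointing at.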

Right now, enterprises may choose from many authentication devices, and several vendors mentioned expecting to see some industry consolidation around one or two methods as technologies and standards mature. "I think we'll see some nice evolutions in price points as well as types of technology people can leverage," said Anthony.

 
********

In discussing the technological challenges of converging identities, it's easy to think of the identities as abstractions. Yet the people carrying those identities are very real, and while the technical challenges of converging identities are considerable, people, processes and perspectives are also a huge component of successful identity projects. We'll look at that aspect of converged IAM in Part Four of our feature.
