Identity and Access Management, ASIS Style

Users and vendors talk enterprise directory, physical/logical integration

Physical access control has a new best friend: identity and access management (IAM). And IAM isn't coming to the party alone. It's bringing enterprise directory integration and single physical/logical credentials with it.

That seemed to be the case at the ASIS International Show in Anaheim, Calif., last week. Discussions and demos of cards, card readers and door panels are standard fare; the twist on many of them was how this equipment can now integrate with more sophisticated software deeper in the network and the resulting capabilities for enterprise security and business objectives.

At HID Global's ASIS strategy briefing, William Phillips, vice president and chief security and safety officer for CNA Insurance in Chicago, spoke about the company's new credentialing program, which spans 36 states, more than 1,000 readers and 65,000 transactions per day.

In addition to discussing the logistics of streamlining access control, Phillips also pointed out the importance of the solution's interface between Active Directory and the physical access control system. That integration will be critical to achieving another project goal, using a single credential for physical and logical authentication.

Similarly, Bhavesh Patel, senior director of global risk operations for the health care products firm Genzyme, talked about how both HR systems and employee directories feed data to the company's security system server. This integration also is necessary to support Patel's strategy of eliminating several physical credentials and moving to a single smart card to be used for everything from cashless pay systems to HIPAA-compliant logical and physical access at multiple sites.

The themes sounded by Patel and Phillips--directory integration, single logical/physical credentials, stronger physical and logical IAM--were echoed by at least a few vendors on the show floor. While we couldn't visit everyone displaying physical/logical IAM solutions, the following offerings did catch our attention:

*****
Hirsch Electronics was demonstrating its Physical Access Control-Network Access Control enterprise convergence solution, in conjunction with networking company Juniper Systems and Infoblox, a network services vendor.

In the demo, a card swipe or PIN entry at the door triggered a message from Hirsch's Velocity security management system to Infoblox's Network Services Appliance, a metadata server. In turn, this server notified the Juniper network access control (NAC) appliance of the entry into the building. The appliance then enforces pre-defined NAC policies.

The NAC policies essentially control a user's access to network resources at the network level. That is, if the physical authentication is denied, questionable or didn't occur because someone tailgated in behind a legitimate user, the NAC appliance prevents the person from logging in.

Similarly, in the Hirsch scenario, if the NAC device detects a network security issue, it can send an event message to Velocity, which can then enforce physical security policies, such as dispatching a guard, turning on video, or locking a door.

The network devices, all rack-mountable blade servers/appliances (see photo), are interconnected via the open Trusted Network Connect architecture and the IF-MAP open-standard protocol for metadata exchange endorsed by the Trusted Computing Group (TCG). According to the TCG, IF-MAP (Metadata Access Protocol) defines a shared, real-time network information service with a publish/subscribe/search mechanism for data about network devices, their status and their activities. IF-MAP automatically aggregates and correlates real-time information from many different sources.

In the Hirsch demonstration, the Infoblox IF-MAP-compliant appliance acts as a "metadata clearinghouse," said Scott Howell, director of worldwide marketing for Hirsch. "Any authenticated device publishing information in the IF-MAP standard can send it to the metadata clearinghouse, and any device subscribed to the clearinghouse can use it," he told Security Squared.

Velocity's data about who is physically present in a building can thus be shared with the NAC, enabling the enterprise to write and enforce security policies in which physical presence is a key component, Howell said. For instance, in addition to requiring a badge-in to access local network resources, badging out could shut down LAN access while enabling VPN or remote access upon remote re-authentication.
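To make the publish/subscribe flow in the Hirsch demo concrete, here is an added simulation (not Hirsch, Infoblox or Juniper code): a minimal metadata store stands in for the IF-MAP server, a PACS client publishes badge reads, and a NAC client gates LAN and VPN access on physical presence, including the tailgating and badge-out cases described above. The metadata field names, door names and identities are assumptions.

```python
"""Presence-aware NAC policy modelled on the Hirsch/Infoblox/Juniper demo.
Constructed simulation, not vendor code: a publish/subscribe store stands in
for the IF-MAP server, a PACS client publishes badge reads, and a NAC client
decides LAN vs. VPN access. Field names and demo identities are assumed."""


class MetadataServer:            # minimal IF-MAP-like clearinghouse
    def __init__(self):
        self._store, self._subscribers = {}, []   # identity -> metadata
    def publish(self, identity, **metadata):
        self._store.setdefault(identity, {}).update(metadata)
        for callback in self._subscribers:       # fan out to subscribers
            callback(identity, self.search(identity))
    def subscribe(self, callback):
        self._subscribers.append(callback)
    def search(self, identity):
        return dict(self._store.get(identity, {}))


class PhysicalAccessControl:     # stand-in for Velocity
    def __init__(self, server):
        self.server, self.locked_doors = server, set()
        server.subscribe(self.on_metadata)
    def badge(self, identity, door, direction, granted):
        # Only a granted read establishes presence; a denied read is still
        # published so the NAC can treat the identity as questionable.
        presence = {"in": "inside", "out": "outside"}[direction] if granted else "denied"
        self.server.publish(identity, presence=presence, last_door=door)
    def on_metadata(self, identity, metadata):
        # Network alert feeds physical policy: lock the door last used.
        if metadata.get("nac_alert") and metadata.get("last_door"):
            self.locked_doors.add(metadata["last_door"])


class NetworkAccessControl:      # stand-in for the NAC appliance
    def __init__(self, server):
        self.server, self.lan_sessions = server, set()
        server.subscribe(self.on_metadata)
    def on_metadata(self, identity, metadata):
        if metadata.get("presence") != "inside":  # badge-out ends LAN session
            self.lan_sessions.discard(identity)
    def decide(self, identity, access, remote_reauth=False):
        presence = self.server.search(identity).get("presence")  # None: no read
        if access == "lan" and presence == "inside":  # tailgaters have no read
            self.lan_sessions.add(identity)
            return "allow"
        if access == "vpn" and presence != "inside" and remote_reauth:
            return "allow"
        return "deny"
    def raise_alert(self, identity, reason):
        self.server.publish(identity, nac_alert=reason)


def demo():
    """Walk the article's scenarios; returns the decisions for checking."""
    server = MetadataServer()
    pacs, nac = PhysicalAccessControl(server), NetworkAccessControl(server)
    out = {"tailgater_lan": nac.decide("tailgater", "lan")}  # never badged in
    pacs.badge("alice", "lobby-1", "in", granted=True)
    out["alice_lan"] = nac.decide("alice", "lan")
    out["alice_vpn_inside"] = nac.decide("alice", "vpn", remote_reauth=True)
    pacs.badge("alice", "lobby-1", "out", granted=True)
    out["alice_session_after_out"] = "alice" in nac.lan_sessions
    out["alice_vpn_after_out"] = nac.decide("alice", "vpn", remote_reauth=True)
    pacs.badge("bob", "lab-2", "in", granted=False)
    out["bob_denied_lan"] = nac.decide("bob", "lan")
    nac.raise_alert("alice", "malware-beacon")
    out["lobby_locked"] = "lobby-1" in pacs.locked_doors
    return out
```

Running `demo()` shows the two directions the article describes: a missing or denied badge read blocks LAN login, badging out drops the LAN session but permits VPN after remote re-authentication, and a network-side alert flows back into a physical lock.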

******
(Note that NAC is also an area in which Cisco Systems offers solutions with an eye toward providing ever more precise location-based data. Similarly, 3Com, a Cisco rival in networking, is promoting security at the network element level as well, although its strategy doesn't seem to incorporate traditional security elements like video surveillance and physical access control.)

***

Meanwhile, PlaSec, Inc. was showing its PL-1000 physical access control platform that delivers physical/logical identity integration in a single appliance, according to Terry Neely, CEO.

The browser-based appliance is built on a Linux-based IP network appliance architecture and supports LDAP (Lightweight Directory Access Protocol), SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language).

Because the appliance matches up with the "object classes" typically used by directory vendors, the box synchronizes automatically with enterprise directory data, Neely told Security Squared. "What used to be an SDK exercise now just works," he said.

Examples of data that can be imported into the PL series include any physical roles or rules-based policies already present in the enterprise directory or related identity and access management system. So if an employee is terminated, or access rights change at the logical IAM level for a group of employees, these changes automatically propagate to the PlaSec appliance. Browser-based control of the appliance itself enables administrators to set up physical access rights based on employee groups, as defined by the enterprise directory.

The appliance also monitors alarms and offers onboard log management capabilities via Splunk. At ASIS, PlaSec also demonstrated integrating the PL-1000 with ArcSight's Enterprise Security Manager, a leading IT security information and event management (SIEM) platform. SIEM platforms typically gather log and event data from network hardware, databases, and applications. The PlaSec appliance and ArcSight's SIEM communicate via the Common Event Format (CEF), an open log management standard.
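As an added illustration of the CEF link between a door controller and a SIEM (example code, not PlaSec's or ArcSight's own), the block below renders a door decision as a CEF:0 record and parses it back, applying the format's escaping rules so that a badge name or door label containing `|`, `=` or a backslash cannot corrupt the record or smuggle in extra fields. The event class ids, event names, extension keys and the device version string are assumptions.

```python
"""CEF (Common Event Format) encoder and parser for a door event, in the style
of the PlaSec-to-ArcSight link described above. Constructed example, not vendor
code: the event class ids, event names, extension keys and the device version
string are assumptions."""
import re

# Extension: key=value pairs; a value runs until the next " key=" or the end.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)")


def _esc_header(value):
    # Header fields: escape backslash first, then the '|' delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # Extension values: escape backslash, '=', and line breaks.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)


def door_event_to_cef(identity, door, granted, severity):
    """Render one physical access decision as a CEF:0 record."""
    action = "granted" if granted else "denied"
    header = ("PlaSec", "PL-1000", "0.0-constructed",               # vendor|product|version
              f"door.{action}", f"Door {door} {action}", severity)  # id|name|severity
    extension = (("suser", identity), ("cs1", door), ("cs1Label", "door"), ("act", action))
    return ("CEF:0|" + "|".join(_esc_header(f) for f in header) + "|"
            + " ".join(f"{k}={_esc_ext(v)}" for k, v in extension))


def _split_header(line):
    """Split the seven '|'-delimited header fields, honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped char: keep it literally
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur, i = [], i + 1
            if len(fields) == 7:                  # remainder is the extension
                return fields, line[i:]
        else:
            cur.append(ch)
            i += 1
    return fields + ["".join(cur)], ""            # no extension present


def parse_cef(line):
    """Parse a CEF:0 record into header fields plus an extension dict."""
    fields, ext = _split_header(line)
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    keys = ("vendor", "product", "version", "signature", "name", "severity")
    event = dict(zip(keys, fields[1:]))
    event["extension"] = {k: _unescape(v) for k, v in _EXT_RE.findall(ext)}
    return event
```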

"We're trying to make access control part of the network fabric, to blend it in, and use IT best practices," said Neely.

PlaSec's smallest box, the PL500, can manage up to eight doors; the top-of-the-line PL-1000 handles up to 2,048 doors and 500,000 identities and can store 500 million transactions. All the boxes support HID Edge and Edge Plus, Isonas, Mercury Security and CoreStreet physical access control hardware.

****

At the Lenel booth, CoreStreet was showing aspects of its physical/logical identity validation solutions, which are designed to meet the complexities of the HSPD-12 and FIPS-201 identity verification standards; those standards essentially require vetting of an identity as well as at least two factors of authentication.

First, adding CoreStreet's FIPS-201 F5 module to a standard door panel brings it to FIPS-201 compliance by enabling the use of smart cards. At ASIS, CoreStreet showed its board deployed literally next to a standard Lenel board. That would enable any of the flavors of PIV-compliant cards to be used. By definition, these cards accommodate physical/logical access.

CoreStreet also was demonstrating its PIVMAN solution suite, essentially designed for authenticating identities and privileges in emergency situations. A core technology here is CoreStreet's Identity and Privilege List (IPL) Publisher. It draws data from the identity and privileges databases maintained by third parties, such as different federal, state and local agencies or private entities, like contractors. From these sources, it creates an IPL that it publishes to PIVMAN-enabled devices. CoreStreet can also generate mini-Credential Revocation Lists, compressed versions of sometimes-voluminous revocation files.

(See the PIVMAN system diagram.)

The IPLs and mini-CRLs are pushed to handheld PIVMAN readers so they are constantly up-to-date; there's no impact on underlying databases owned by the individual entities. The mobile devices store the data internally, so they can operate even when communications are down, validating credentials and associated data, such as a person's medical training. When communications are restored, the devices upload log data to a central management system, such as a physical access control system.

Most private entities that don't have federal contracts probably don't need the layers of security called for by FIPS-201. But some of the infrastructure and capabilities being honed to comply with HSPD-12 could make sense in other environments with complex identity management needs.

"You can implement this to different extremes," said Todd Freyman, general manager and vice president, products, physical access, for CoreStreet. "You would expect the private space to want a much thinner application of all these technologies, but still take advantage of the same level of security."

Think of health care, where one hospital system might want to give physicians access to three or four acute care facilities plus a network of clinics plus remote access, as well as verify credentials in an emergency or disaster response situation. Freyman said other private sector users have come from the finance and pharmaceutical sectors.

It will be interesting to see how much the FIPS-201 work finally influences private sector authentication as the federal government rolls it out and as state and local governments implement pieces of it. Freyman noted Colorado, Virginia and Pennsylvania are using IPL Publisher and mobile PIVMAN readers in conjunction with FEMA for authenticating first responders.

"They're taking the right steps toward an interoperable, nation-wide network," said Freyman. "So when there's a hurricane in Louisiana and someone from Pennsylvania shows up to help, they'll know he's a trained medic, not a random someone who wants to be a hero."

# # #



1 Comment

Unfortunately you present FIPS 201 as involving layers of complexity as opposed to best practices and an open standard for convergence. At its core FIPS 201 is based on the use of digital certificates for strong authentication and a policy for establishing identities that can be trusted across organizations. There is nothing complex about interoperable strong authentication. In fact IDmachines argue that this decreases complexity in almost any enterprise by simplifying authentication factors and the requirements for directories and databases.

The fact that the National Institute of Standards has produced very detailed specifications is because the standard is open and FIPS 201 does not require users to accept security by obscurity. It also allows for the evolution of the standard, for commercial-off-the-shelf solutions and for "deep" understanding for those that desire it.

In most cases the identity infrastructure required is available as a service. Very few commercial enterprises will stand up Public Key Infrastructure that is cross-certified to the United States Federal Government Bridge Certificate Authority. This removes much of the complexity in one fell swoop.

An analogy IDmachines often uses is that leveraging the interoperable FIPS 201 identity infrastructure is like electricity. You can make the statement that electricity has layers of complexity (power generation, distribution, local facility integration, device requirements, etc.) but in reality you just plug things in and they work.

Convergence really turns on being able to understand how to plug things in and make them work, not on each organization having to build and maintain its own infrastructure from cradle to grave. The end-users, system integrators and vendors that enable this will be the winners.
