IT Identity Management Logical Fit for Physical Security



What does an apparently IT-centric topic like "identity management" have to do with physical security? That's the central question Security Squared addresses in this conversation with Sebastian Rohr, an identity management and convergence consultant based in Germany.

Rohr (pictured) knows identity, both its logical and physical aspects, from a range of positions that include stints as network security consultant for Siemens AG; head of the Lab for Mobile Security & Convergence at the Fraunhofer Institute for Applied Research on Information Security; solution strategist for eTrust Identity & Access Management at CA; chief security advisor for Microsoft; and, since 2007, as partner and senior analyst for Kuppinger Cole Ltd., the Dusseldorf, Germany-based identity and access management consultants.

In addition, Rohr is the founder and CTO of accessec, which offers convergence consulting. He's also the brain and architect behind a "convergence framework" called "ONEaccess" that combines physical access control, identity management, smart cards, biometrics and more. Originally conceived as a demonstration of physical-logical identity convergence possibilities, ONEaccess stirred enough interest in European physical and logical security professionals that it has been developed as a commercial offering by new|frontiers Software. (Rohr now consults on the ONEaccess architecture but does not sell or develop the product.)

Security Squared's Sharon J. Watson talked with Rohr via telephone last week, discussing why he thinks it's imperative--and natural--for physical security professionals to be conversant with identity management technology; the critical need to verify physical identity for truly secure cloud computing; the role of biometrics in identity convergence; and the vital step of thinking through and managing the intersection of humans and converged identity technologies.

The following is a transcription of our conversation, edited for length and clarity.
****

Sharon J. Watson: Let's talk about why a physical security professional should care about the realm of identity management, which seems so very IT oriented.

Sebastian Rohr: Yes, it is, definitely. First of all, from my contacts with the physical security realm, over the last decade the rather proprietary technology used in physical security more and more came to a situation where today the security solutions almost 100% are based on some sort of everyday IT technology....And all the guys who before had to hand out punch cards or keep track of people getting in and out of facilities and had to write in a manual keeping track of everything, now have to deal with electronics and IT systems that keep track of that.

Everybody has to work with badges, and those badges are not written by these guys, they are all produced and manufactured with the use of IT technology. So it is a must for the physical security guy to look into IT itself. And then the next big thing is looking into identity management within IT because what the security professionals have done in the physical realm for the last century is actually deal with identities in a way that nobody else besides HR has done. It's only extending their own area of competence of keeping track of how the identities themselves have shifted their shape from being more physical ones to being more virtual or IT-related identities. That's the main reason. Identities are moving from physical to virtual, and thus IT and the physical guys have to keep track of them.

SJW: It seems important to continue to associate some kind of physical component with the logical identity. With the growth of cloud computing and some of the cyber crime risks, you must know the physical person that logical identity represents is [the person] you think it is.

SR: That's exactly the big problem we're facing right now. Another one that's tightly attached to that is the authorization, the authentication of an individual. Actually making sure that individual who is claiming to be a person really is that person does pose significant risk to everything we are doing today. That's holding true for the internal applications as much as for the cloud technologies. The only [way] this can actually be overcome is if you have a multi-factor authentication process which includes a biometric system. Because the standard two-factor authentication, which might include a badge and a certificate stored on that, and a personal identification number to unlock that certificate, that just doesn't give us real proof.

You could steal away the badge from somebody, you could social engineer the personal identification number out of him, you could actually threaten the PIN out of him so you gain access. You really wouldn't be able to say, yes, that guy who just used his state-of-the-art smartcard with that 10-digit PIN, that is really Sebastian who just connected. You just can't tell unless you have something that actually is that person, a fingerprint, a retina scan, maybe a voice pattern. Something like that so we definitely have something that attaches to that physical person....You just need biometrics there. You cannot circumvent that.

SJW: Can biometrics-based factors of authentication solve the problem in which cyber criminals break into a fully authenticated session and take it away from you and then pretend to be you?

SR: That's definitely another threat--an absolutely different world, though. You always have to bear in mind that we are talking about still very separate realms, the physical reality one and the one that's digitized, the one on the network. You can only do so much with regard to authenticating somebody who is actually using a machine he's sitting right in front of in contrast to using a system that's somewhere in the clouds and only electrons and bits and bytes being transferred that represent that person who is actually remotely accessing that session. It's a totally different system, and you have got to be aware that somewhere there is a software and communications engineer who created the session technology and that's probably not the same guy who actually implemented the solution or application that you're using. So it boils down to trusting technology that you probably do not really know who has created it, how secure it actually is. You've got to trust the guys who create the standards like VPN, SSL, IPSec and 3DES, all the authentication schemes around it.

As one who really follows what's going on in the community, you always tend to find something is corrupted somewhere, and somebody broke into say, an SSL-authenticated session where a server can now be hijacked and the sessions can now be hijacked.  You will always find that. I think the IT security community is tackling one big problem with SSL server certificates right now and are in the midst of finding a solution for that. I like to quote Bruce Schneier on that: 'If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.' That will hold true for most of us for years to come.

SJW: Going back to the biometrics and smart cards and multi-factors of authentication: How do physical security professionals get involved in those kinds of discussions?

SR: It all boils down to the basic security principles of integrity, non-repudiation, the basic principles of protecting the data that you are trying to process or transfer from computer A to computer B. As we already discussed a few moments ago, it's more and more important for companies to actually be able to say, 'yes, this transaction actually has been submitted by Sebastian on that date and he actually was allowed to do that and we were able to authenticate him to this and that, and it was all okay.'

On the other hand, they have to say, 'yes, this and that transaction was submitted, but it didn't go through because the person who did it wasn't on-site, wasn't even in the country during that time, and that's why the transaction didn't go through. All the other systems just found out the guy was on vacation, and somebody must have gotten his credential.'

So the risk management technology needed to be tightly integrated and the only way to do that is by raising the barrier and implementing stronger methods of authentication. One that has been in the market for quite some time was smart cards, or tokens of any sort, and the idea of combining them with biometrics was just the next technical evolutionary step.  Because today you have technologies like match on card, which basically means you have the biometric information stored on the badge and not on the centralized system--which especially here in Germany is a very, very important thing to do because the labor unions always say that they don't want biometric information of the employees stored in a central system. They want you to carry your smartcard--you have your biometrics information with you--so you can actually compare the biometric pattern that is presented to the sensor to the information that's on the card.

So biometrics and smart cards used for authentication was just the next big thing to happen, and we're seeing adoption of that in high-security environments more and more.



SJW:  Typically are those adoptions driven by the information security professionals or by the physical security professionals? Are they working more together to bring those to the enterprise?

SR: That working together thing--I think we're repeating what other professionals have mentioned before--is something that is not yet happening on a very broad scale. It's really, really innovative and strong security managers and information security managers who go down that path, actually work together to get that dealt with. But most of the time it's really the information security guys.

Again, the European and German markets might be a little different there because the use of biometrics has always been discussed...here regarding physical access control. It has been widely adopted at production technology sites, logistics, vertical industries around that...because some very, very fast and convenient forms of biometric identification, like finger, hand geometry or even vein recognition on the back of your hand have been deployed at port authorities, airports, to give a fast and convenient way of access.

So it really depends on what vertical you look into. So if it's more high-tech, you'd see biometrics being adopted by IT information security guys or driving the adoption of that. In logistics, or more production-oriented verticals, physical security guys push [the adoption of biometrics] because they have so many trucks, so many truck drivers getting on and off the premises, that they want to have fast access to their facilities. So it really depends.

SJW: Even when you have biometrics in use and you have a smartcard so you have a strong means of authentication, I'm trying to understand how easily integrated that data is from using the card at the front door to get into the facility and then using it again at the personal computer or the laptop to get the network authentication.

SR: That is something that hasn't been very well integrated yet. Sharing biometric information between physical access control systems and let's say IT security systems is something that is uncommon, yet I'm pretty sure you can work something out and I'm pretty sure there are systems that can share the biometrics templates, the patterns, but that would possibly require the systems to have a centralized point where all the biometric information is stored. If you want to do match on card on the physical access and on the IT system itself, I don't say that's impossible, you can work it out, but it's rather complex.

Usually you roll out the card, which has access control and logical access combined, and then the enrollment of the biometrics features can be done by the employee himself at his desk. He's actually using smartcard with the PIN to authenticate the first time, and then the system sees that there is a biometric capability on the system and card available, and you can enroll your fingerprints with that scanner.

The physical access control systems tend to be the centralized ones where you have more the finger press than this swipe type [reader] that you have at your personal computer. So these sensors are a little bit different, while the manufacturer of these sensors possibly could be the same--maybe AuthenTec or Upek--they have been coming out with solutions that have APIs, so the physical guys can integrate those into their physical access control.

SJW: Let's say we're not necessarily sharing the biometrics patterns between the systems but that I would like my IT security system or my network security system to know that Sebastian is physically present in the building, he has badged in and authenticated. How easy are those data flows these days between physical access control and the network?

SR: It heavily depends on what technology brand, vendor you have deployed on the physical side. If I may quote one of your interview partners from a few months ago, [Dave Hansen] from CA said that identity management in the IT world is a completely different realm than the one done in the physical, and that the guys in the IT really wouldn't like to fuss around with all the physical identity. That's still the case. He also said he'd like other guys to implement that, and I definitely see that.

We have been in market analysis around that for quite some time, and only recently have there been products, and integration projects around connecting these two. So getting the physical access system hooked up to the identity management system in IT has been done for quite some time but always [as] individual integrations. Deploying some sort of standardized connector to do that is something that has only been in the market for, say, 18 months. And it always depends, because all the physical access control vendors really do stuff on their own. There are no standards, there's zero interoperability between the technologies, and that's giving the guys in the IT identity management a real big headache.

Because if the company has a Lenel system in their headquarters in New York but they have a branch office in California that [has] a Honeywell system, those different systems can't communicate with each other, and the guys who commute between New York and California probably need to have two badges. That's really a big, big issue. Only recently companies have been coming out with ideas on combining that and integrating those physical access control systems.

As indicated by some of your other interview partners, you have to have some sort of standardization or you have to have a company that comes up with all the connectors by themselves. In America, I think that Quantum Secure with their SAFE product is one of those players. In Europe, it would be the ONEaccess product, which targets a more European physical access control vendor community. But it's really a brand-new market. The need for such technology is definitely there but it hasn't been adopted quite that much yet.

SJW: Sebastian, are you familiar with the work of the Trusted Computing Group in this area--the IF-MAP standard? I'm curious about your reaction to that work and if you think it's got legs or traction.

SR: Trusted Computing is a very important contributor to information security overall. The idea of extending that architecture and that way of tackling the whole problem, we find there is definitely a plus. The only problem I see there is that the Trusted Computing Group has been around for quite a while now, and it hasn't been that far adopted by most companies. The technology is readily available. If you buy a standard enterprise grade laptop or computer today, it usually has a TPM chip inside and you could actually deploy that. If you have up-to-date Microsoft operating systems, there's lots of Trusted Computing technology inside there, but the IT industry took like 5 to 8 years to get that far with providing basic means of adopting the technology. Still, very, very few companies have taken the chance to deploy this technology and actually make use of it. So I think it's a good direction but it will take lots of time, at least two to three years to really get into the market and find some basic adoption.


SJW: The last thing I wanted to touch on, Sebastian, is the development that work I've been reading about with identity management systems being able to incorporate roles for the users and groups of rights and responsibilities being assigned to people. I'm fascinated by how much those rules might be able to govern a person's physical access. I wonder if you're seeing if the identity management systems will one day be the repository for all of the roles a person has or if you think perhaps there will be a separate repository for physical access roles.

SR: Actually it's been implemented. I'd call it one of the major achievements of the demonstrator of ONEaccess as presented last year. I have been working in the IT and the identity management area for quite some years as a technical/business consultant, and roles have always been one of the drivers or one of the key requirements to actually establish working identity management.

The guys in physical security always implemented sort of profiles, roles, every vendor calls it a different name but it actually boils down to being a sort of role, and it was only a natural step to integrate that. One of the basic ideas of the [ONEaccess] product was to take the roles profiles that are created inside the physical access control system and map them or reflect them inside the IT identity management system. So it would just become another sort of role being attached to your digital identity that is reflected in the identity management system.

You are getting the role of internal employee, a location role and you're getting the role of a manager so those would be your three IT-related roles. But first of all, both the manager role and the location role have an impact on what your physical role might be. So depending on the two roles--manager and location/New York--you're given physical access control roles. If you have a multi-location physical access control system that comes from the same vendor, it is quite easy: You just say, okay he gets access to all of the facilities in New York but he also is a manager so he gets access to management offices on the third story, and he also gets access to the meeting rooms. He also gets access to the branch locations in New Jersey. That's dependent on his manager role. You can extend that and say, okay he has the manager role in marketing and there are also marketing guys working out of California, he will get access to the California office because he has to supervise his team members there. So it's interconnected.

The fun thing now is when you have separate physical access control systems, you just abstract the rules derived from those, say it's Honeywell in New York and Lenel in California. You abstract those roles and give them to the identity management system. The identity management system really doesn't have to care that it's Honeywell or a Lenel system, it just says he's a manager so he needs access to these locations in New York, New Jersey and California, and it's deployed.

There are more and more IT technologies that will definitely influence that shifting of roles to the IT realm because role management might get separated from identity management itself. This is a trend we see in the IT security world. The next big thing might be that the access to resources will also be taken from all the applications, and that would include the physical access control system. That's the claims-based approach that has been postulated by Kim Cameron from Microsoft and a few of his fellow identity management gurus over the last two years. That's going to be a very, very exciting few years to see how this is going to be implemented.

SJW: I'll have to do more research, Sebastian. I do not think I have come across the claims-based terminology.

SR: We can do an off-line session on that because it's really, really exciting. It actually takes all of the identity repositories out of the applications, and you only define access rights and claims that you have to fulfill to access a certain resource. You just access that application and claim that you need to enter or change information on the subject "Sebastian." The application would say 'To do that, you must be an internal employee of that company, and you must have a role of data owner or data administrator.' The application would ask a centralized repository, 'the individual who just accessed - does he fill the claims of internal employee and [owner or administrator]?' If it comes back positive, you can make the changes, and if not, access is denied.

So there is no "Sharon" inside that application anymore, there's just a set of access rights and corresponding claims to it--so no more identity silos anywhere. This is something that definitely is a revolution rather than an evolution of identity management.

SJW: Sebastian, was there something you had come prepared to talk about, some point you wanted to emphasize we haven't gotten to yet?

SR: Yes, there's one big thing: Process.

We've been talking about integration and combined use of technology, technology, technology. But what we definitely need to talk about is processes. If you integrate so much technology, it probably gets out of hand, and it's like opening Pandora's box. I've come to several customers who implemented strong authentication and multifunctional smartcards, and all the employees had those cards. But when an employee arrived at the gate and just found out at [that moment] he lost his card or didn't have it with him, he said, 'John, dear entrance security guy, write in a day off for me because I forgot my badge, and it doesn't make sense for me to enter and go to my desk because a) I can't book my time being here; b) I can't access my computer; c) I can't read my encrypted e-mail'--and the list goes on and on.

The processes for replacing cards, for enabling people who have lost their credential or don't have access to their credential, need to be taken care of in a very, very good fashion. The processes around the creation and management lifecycle of tokens and identities are definitely a very, very big issue. Again, the workflow technologies you find inside the identity management systems do offer some insight to that and some cure for that, but you definitely have to have a very good process design before you implement any technology. You have to make up your mind about all the different problems that people might run into: forgotten cards, damaged cards, lost cards, stolen cards, whatever. And especially there's the sales guy who has the CEO appointment at one of his customers and the [technology] doesn't work because his card is broken. What does he do? He needs access to his computer, he needs to make the presentation, otherwise millions are lost.

You've got to have a process for that, you have got to have a solution that doesn't compromise security totally. So there needs to be some sort of out-of-band authentication, you've got to have some sort of access through a telephone hotline or an SMS token that's being sent to you.

Unless you have that implemented, I would definitely advise not to implement such a complex integration solution because it's all about the processes, it's all about usability. Because all of the security technology we deploy, it tends to make stuff harder and not easier, and you've got to compensate for that. You've got to have processes in place...to actually get user acceptance high and not have people trying to move in circles to get past the security system because it's such a hassle to get through all the loops.

# # #
