One-Stop Converged Credentialing



With access credentials a natural physical/logical convergence point, several vendors at ISC West and RSA 2010 last month were emphasizing new or enhanced capabilities for managing converged credentials.

At ISC, Hirsch Electronics demonstrated how its Velocity security management software can be integrated with Active Directory and digital certificate authorities to enable one-stop issuing of a smart card for both physical and logical access control.

At RSA, Microsoft's introduction of Forefront Identity Manager 2010 highlighted that tool's support for certificate issuance and credential management systems.

Further, ActivIdentity, a leader in smart card technology, told Security Squared at ISC West that "one stop issuance" is gaining solid traction as a more efficient means of credential management. It's in conversations with leading access control system vendors interested in private labeling its credential management capabilities, said Jerome Becquart, vice president, products and services, for the Fremont, Calif.-based company.

Why One Stop

Credentials are a natural convergence point, with smart cards enabling a single credential to be used for access to a facility as well as to applications and data. A card swipe at a door reader can be a prerequisite for log-in, and a smart card can carry digital or public key infrastructure (PKI) certificates for stronger logical authentication in house or remotely.

Getting that physical/logical access data onto one card has not been easy because it usually resides in different systems run by separate organizations. Data about what applications a person may access are generally found in Microsoft's Active Directory, other Lightweight Directory Access Protocol-based directories, and/or identity management user provisioning tools, available from CA, IBM, Microsoft, Oracle and others. That information may include physical access policies, or those may live in an access control system database.

Meanwhile, human resource departments may be responsible for issuing the logical credentials, but physical security teams often handle the facilities access rights. This has led to enterprises maintaining various identity silos that are rarely synchronized, while end users sometimes carry several types of credentials for access.

It's expensive and inefficient. It's also not secure: it's difficult to ensure all credentials are deactivated when an employee's access rights change or are terminated.

Further, as enterprises turn to single sign-on to eliminate password management headaches, and as cloud computing grows, they want to strengthen authentication, which smart cards can provide by combining multiple authentication factors. Once they are considering an investment in that technology, enterprises then want more return on it by finding other uses for it.

Streamlining Issuance

Hirsch's one-stop credentialing approach in Velocity is to use the work IT does to provision users within any LDAP-based directory, including Active Directory, which dominates the enterprise directory market. At ISC West, John Guerrero, vice president of business solutions for Santa Ana, Calif.-based Hirsch, showed us how the groups, roles and logical access rights created by IT populate the tabbed menus in Velocity that human resources or physical security professionals can select to associate with a specific credential. These users can also add in the physical access rights.

Velocity also will be able to acquire certificates from a certificate authority; encode the smart card with the trusted certificate; associate the card to the user ID in Active Directory and push that binding data into the directory; and do real-time checks of the certificate's validity.

So from one system, the security management platform, a single converged credential is produced. Guerrero said the capabilities make sense for the SMB market, larger enterprises and any organization needing PIV-compliant credentials.
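The deactivation gap described under "Why One Stop" (a credential that stays live in the physical access database after its holder is disabled in the directory) and the card-to-user-to-certificate binding that the Velocity workflow above produces can both be checked by a small reconciliation audit across the two silos. The following is an added example written for this article, not code from Hirsch, Microsoft or any product mentioned; the directory export, card table, revocation list and audit date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data, not from any vendor product: a directory export (the IT
# identity silo), the access control system's card table and the CA's revocation list.
DIRECTORY = {
    "alice": {"enabled": True},
    "bob":   {"enabled": False},   # terminated on the directory side only
    "carol": {"enabled": True},
}
REVOKED_SERIALS = {"0A3"}          # certificate serials on the CA's revocation list
TODAY = date(2010, 4, 1)           # fixed "now" so the audit is reproducible


@dataclass
class Card:
    card_id: str
    user_id: str          # directory account the card was bound to at issuance
    cert_serial: str      # serial of the PKI certificate encoded on the card
    cert_not_after: date
    pacs_active: bool     # still enabled in the door-access database


CARDS = [
    Card("C-1001", "alice", "0A1", date(2012, 1, 1), True),
    Card("C-1002", "bob",   "0A2", date(2012, 1, 1), True),    # holder disabled
    Card("C-1003", "carol", "0A3", date(2012, 1, 1), True),    # cert revoked
    Card("C-1004", "dave",  "0A4", date(2009, 12, 31), True),  # unknown holder, expired
    Card("C-1005", "alice", "0A5", date(2012, 1, 1), False),   # already deactivated
]


def audit(cards, directory, revoked, today):
    """Return {card_id: [findings]} for active cards whose directory-side
    binding or certificate no longer justifies physical access."""
    findings = {}
    for card in cards:
        if not card.pacs_active:
            continue                      # nothing left to deactivate
        problems = []
        account = directory.get(card.user_id)
        if account is None:
            problems.append("holder-unknown")
        elif not account["enabled"]:
            problems.append("holder-disabled")
        if card.cert_serial in revoked:
            problems.append("cert-revoked")
        if card.cert_not_after < today:
            problems.append("cert-expired")
        if problems:
            findings[card.card_id] = problems
    return findings
```

Every card the audit returns is one the access control system should disable; running it on a schedule is the manual stand-in for the automatic propagation the vendors describe.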



From the Identity Side

At RSA, Microsoft emphasized features within its new Forefront Identity Manager product that streamline credential management and enable role-based access control. These include support for heterogeneous certificate management and third party certificate authorities; managing multiple types of credentials across an enterprise; and integrated provisioning of identities, credentials and resources.

The rights associated with a particular group of users, or an individual user, as defined by titles, job codes, departments or projects, can be assigned within Forefront. Forefront also manages the certificate assignment process and can push this information to a credentialing system.

Microsoft asserts that changes to a person's role and access rights, including termination, are automatically propagated by Forefront's Synchronization Service across the directories, applications and resources it controls, so in theory these alterations could be pushed to smart cards as well. New and revised rights could be written to the card in its reader; terminated cards would be denied access.

Further, Forefront enables users to manage at least some identity and access tasks themselves, from self-service password resets and contact data updates to requests to join various groups and distribution lists. Administrators control the security question levels required for password resets.


Identities from IT

Microsoft and Hirsch come at credential management streamlining from different directions, yet the starting point for each is identity data and associated roles and access rights created by IT and stored in its systems.

"If the mindset exists to have a total operations view of risk in your enterprise, why manage identities in multiple ways when IT obviously has a more mature way of accomplishing that?" queried Kevin Wine, vice president of marketing for PlaSec, Inc., in talking with us at ISC West. PlaSec's access control appliance is built on open source directory technology, and the company asserts it easily synchronizes with Active Directory and other directory tools.

Not everyone would agree with Wine: we've talked with physical access control and card vendors in the last few years who say their access databases sometimes have the most current data about who is physically going in and out of an enterprise, such as contractors and visitors.

There's also the issue that physical and logical access traditionally have been managed by different organizations that now need to create a single workflow.

"A strong leader or mandate is needed," said ActivIdentity's Becquart. Without a strong driver behind one stop credentialing, it can get bogged down in turf wars, he said.

Still, he said many enterprises are adopting single credentials and are increasingly interested in streamlining the issuance of them. It seems credential management is yet another converging area in which it makes sense for security professionals to partner rather than compete.

# # #

Please see the videos related to this story: A Case for Converging Identities and Strong Authentication Bulks Up at RSA
