Expanding information security requirements are prompting IT departments to implement stronger logical access control to critical systems and networks, especially for remote workers (such as those traveling or working from home). Independently, some corporate security departments are considering upgrading outdated legacy physical access control systems to current technology. Often this prompts questions, such as the one below, about using a single card for both physical and logical access, and as a corporate photo ID badge as well.
Q: We'd like to approach IT about using a single smart card for physical and logical access control. I have read that some companies like Boeing, Microsoft and Sun Microsystems have implemented a single card for physical and logical access. We know that the U.S. federal government has issued the FIPS 201 standard for government use for combined physical and logical access on a smart card. Are there any standards for private companies?
A: Many companies are now looking to upgrade the levels of assurance for their logical and physical access control. FIPS 201 is the U.S. Federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors. The set of FIPS 201-related standards has been expanded, and there are now two additional standards for cards issued by private-sector organizations: PIV-Interoperable (PIV-I for short) and PIV Compatible (PIV-C). The Smart Card Alliance (www.smartcardalliance.org) provides a wealth of information for private-sector application of PIV requirements that includes standards, case studies, technology announcements and notes on applications in specific business sectors. Detailed information can be found on its Web site. In particular, take a look at this page: http://tinyurl.com/smart-cards-for-enterprise-id. This page provides many document download links about the use of smart cards for physical and logical access in non-government settings.
The Key Factor Is Establishing Trust
Between people, high degrees of trust are established by successful interaction or performance over a period of time, and also by association - for example, someone we trust recommends or vouches for another person for a specific purpose and in a specific context. Thus, different situations require different levels of trust, and correspondingly different levels of assurance.
You would select a heart surgeon in the context of his or her surgical practice and an association with a particular hospital. You know that the hospital has performed a high level of background checking before allowing the surgeon to practice. You may do some reference checking on your own. This is not a 15-minute process, and could be longer than a 15-day process. You may select a house painter through a contractor referral service. That may be a 15-minute process or less. For this reason, FIPS 201 and related standards do address varying levels of assurance.
A Trusted Credential
For electronic access control - whether for computers and networks or for facilities and physical building areas - we use an electronic credential of one kind or another. This can be a photo badge, a name and password, or something more. We substitute recognizing the credential for recognizing the person, which means two important things. First, the process of issuing the credential must include verification of the person's identity through some trusted approach (such as birth certificates, driver's licenses, etc.). Second, the credential is bound to the person through one or more biometric associations. Typically, this has been through a printed name and photo on an access card or badge. With smart cards, this can include a biometric signature (scan of fingerprint, retina, hand geometry, vein pattern, etc.) that is stored on the card. Data on the card can be stored and retrieved using information security technology that guards against forgery, alteration and misuse of the card. With both of those in place, the credential can be used with a high level of identity assurance.
Are You Who You Say You Are?
If a highly trustworthy technology produces a card that is issued through a process with weak identity verification, what use is the advanced technology? The card could be issued to the wrong person. This is a situation that the FIPS 201 Personal Identity Verification (PIV) requirements address, and they do so by defining requirements (including roles and responsibilities) for three key processes:
- identity proofing and registration;
- card issuance and maintenance; and
- access control.
An excellent introduction to these processes and other aspects of PIV requirements is found in a white paper produced by CoreStreet, "Important FIPS 201 Deployment Considerations," which you can download from: http://tinyurl.com/FIPS-201-Key-Considerations. Note that card "personalization" (a term used in the white paper) refers to the process of printing the photo and other information on the smart card, and encoding electronic information specific to the cardholder.
If you are not familiar with the specifics of FIPS 201 and Personal Identity Verification, the white paper is a good place to start. Follow that up by identifying relevant information on the Smart Card Alliance Web site. This information can help get corporate security and IT security walking down the same path.
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 23 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).