Redefining Convergence 'Systematics'

Feb. 10, 2012
Logical and physical access control convergence discussions refocus on digital identity and credentials

Over the last decade, many conversations and articles have discussed the convergence of logical and physical access control. These conversations, products and projects often focused on solutions based on the concept of convergence as defined by one card. The desire is to have one card (device or token) to get into buildings; to log into networks (and single sign-on); for remote access; and for access across global enterprises and applications. While this may be a convenient way to describe the outcome, it does not represent all the work, skills and opportunity that exist today.

Things are changing rapidly in the identity and access markets. In the very near future, one card goes the way of one smartphone. It is a matter of when—not if—the speed and breadth of the impact will occur. The solution required is not about the physical device or token type (though standards-based ones are an important consideration and there will be multiple tokens generated). It is about the creation and maintenance of a trusted, interoperable digital identity and its ability to authenticate us and our rights and privileges (e.g. roles) to do things across a wide range of circumstances, locations and contexts (“Personal Identity Verification (PIV) of Federal Employees and Contractors.” National Institute of Standards and Technology, June 23, 2006, http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf; and “Personal Identity Verification (PIV) of Federal Employees and Contractors DRAFT.” National Institute of Standards and Technology, March 2011, http://csrc.nist.gov/publications/drafts/fips201-2/Draft_NIST-FIPS-201-2.pdf).

This includes policy and procedures in addition to technology and the ability to maintain these controls. System integrators need to be able to add value across the board—and not just install the technology.

Convergence conversation changes

Convergence has not gone away. But the way it is discussed needs to change. Convergence is evolution. It is technology and Moore’s Law taking its course. It does not need to be created or engineered—it just happens. And while past conversations of convergence focused on the need to leverage public and private networks, at present there is a need to focus on the digital identity of people and things.

Additionally, while networks have always been a part of the access control solution, security networks have often not shared information over public systems. As information technology (IT) departments move more of their infrastructure, platforms and applications to the cloud, security and access control systems and their integrators will need to do the same.

Take, for example, smart devices. There are over five billion smartphone chips produced yearly, which results from the growing demand for commercial (retail) and enterprise use and continued capabilities growth (Eurosmart, 2012, http://www.eurosmart.com/index.php/publications/market-overview.html). What’s more, smart devices wag the dog because individuals ask to use security services at work and at home with the same device. This creates a disruptive demand for services accessed via smart devices across commercial and residential security. The vast number of devices—and again Moore’s Law (increased processing power and falling costs per calculation, memory unit or pixel)—provide expanding functionality, e.g. gigahertz processors, gigabytes of flash memory, better displays and connectivity, and application support, i.e. apps. Smartphones and tablets tilted IT departments toward individual use of personal devices at work, a move that access control systems and their integrators will also need to follow. The systems at home will meet or exceed the capabilities of the access control systems at work. In fact, home systems are already more sophisticated than work systems since the upgrade cycle is more frequent and uses more recent technology. As a result, there is a further impetus from the convergence of work and home.

Convergence is not a product category or service that is delivered. It is the result of the onward march of the connected world. And there exists a crucial set of security services that are required in this converged world related to identity registration; the privileges of individuals; binding these privileges to smart devices; managing the “identity” of the devices; and the services to support them.

Recognition prospects

The identity opportunity for individuals, organizations, products and services stems from a number of factors. One aspect is the rapid rise of the Internet and our need to be connected in our daily lives. The ratio of online to offline continues to shift toward a state of continuous connectivity and with this comes a shift toward the increased use of our digital identities over our physical ones.

A related factor is that cybercrime and fraud exceed physical (kinetic) theft. And it is not just theft but war: for example, the priorities in the Department of Defense budget continue to shift from kinetic war to cyber warfare. One trillion dollars a year of fraud (6 percent of the national debt) stems from an increase in electronic transactions. All of these factors increase the demand for strong trusted identities.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) in the United States eschews the idea of a government-issued national identity (“Identity Ecosystem.” The National Strategy for Trusted Identities in Cyberspace (NSTIC), 2012, http://www.nist.gov/nstic/about-nstic.html).

NSTIC looks to create a public/private but industry-led identity for citizens. Many other countries around the world have national identification credentials (“List of national identity card policies by country.” Wikipedia, January 8, 2012, http://en.wikipedia.org/wiki/List_of_national_identity_card_policies_by_country).

Thus, the United States is more of an outlier in its approach. Canada, in comparison, has a number of credential programs underway for its citizens.

Internet identities are many, but there are some standards evolving. The U.S. standard for personal identity verification (FIPS 201) used for government employees and contractors provides best practices for the creation of a digital identity (as opposed to the creation of the token to which it is bound). Those who wish to play in this market need to develop solutions that incorporate these best practices into their identity and credentialing process. Some of the keys to achieving this include:

  • Separation of roles in the digital identity creation process. Recognize that the strongest identity credentials are created when the applicant, sponsor, enrollment officer, adjudicator, issuance officer and system administrators all are distinct individuals with the requisite training and controls on their actions;
  • Create an enterprise registration authority as the “identity vault” where the personal data is kept, and access this on a need-to-use basis. Develop solutions and skills around this key requirement. This is much different than printing cards from a database;
  • Pay special attention to the individual’s binding to the access token, whether it is a smart card, key fob or smart phone. The strongest binding involves the use of secrets and biometrics unique to the identity/credential pair;
  • Use technology that is cryptographically sound and standards-based. Be very careful of claims about superior proprietary techniques;
  • Look across the enterprise at the existing applications (there are typically hundreds) that you need to support. Look to provide an identity token that meets these needs today and into the future. In this way you can create an identity, credential and access control solution that can be accessed as authentication and access services across the enterprise;
  • Look to develop analytics-based intelligence applied to the identity transactions supported by the enterprise identity services. The benefits in terms of governance, risk, compliance, productivity and privacy are much more powerful than consolidated graphics and reports.
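
The separation-of-roles point in the first bullet can be checked mechanically over issuance records. The sketch below is an added example, not part of the original article or of FIPS 201; the record layout, the `sod_violations` and `audit` names, and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# The six roles named in the first bullet above.
ROLES = ("applicant", "sponsor", "enrollment_officer",
         "adjudicator", "issuance_officer", "system_administrator")

def sod_violations(record):
    """Return sorted problems for one issuance record (role -> person id)."""
    problems = []
    holders = defaultdict(list)
    for role in ROLES:
        # Normalize so "C.Shah" and "c.shah " count as the same person.
        person = (record.get(role) or "").strip().lower()
        if not person:
            # An unfilled role means a control step was skipped entirely.
            problems.append(f"missing role: {role}")
            continue
        holders[person].append(role)
    for person, roles in holders.items():
        if len(roles) > 1:
            problems.append(f"{person} holds {' + '.join(roles)}")
    return sorted(problems)

def audit(records):
    """Map credential id -> violations, listing only records that fail."""
    failed = {}
    for cred_id, record in records.items():
        found = sod_violations(record)
        if found:
            failed[cred_id] = found
    return failed

# Constructed sample records; identifiers and names are invented.
SAMPLE = {
    "cred-001": {"applicant": "a.ng", "sponsor": "b.ortiz",
                 "enrollment_officer": "c.shah", "adjudicator": "d.kim",
                 "issuance_officer": "e.ross", "system_administrator": "f.wu"},
    "cred-002": {"applicant": "g.lee", "sponsor": "b.ortiz",
                 "enrollment_officer": "C.Shah", "adjudicator": "d.kim",
                 "issuance_officer": "c.shah ", "system_administrator": "f.wu"},
    "cred-003": {"applicant": "h.park", "sponsor": "h.park",
                 "enrollment_officer": "c.shah",
                 "issuance_officer": "e.ross", "system_administrator": "f.wu"},
}

if __name__ == "__main__":
    for cred_id, found in audit(SAMPLE).items():
        print(cred_id, found)
```

Run against an export from the registration authority, a check like this flags credentials where one person filled two roles or a step was never recorded.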

Providing identity, credentials, access control and security systems and services that take into account this evolving context will increase the relevance of security systems integrators. This positions them to deliver products and services that meet enterprise needs and places them at the front of the line for enterprise budgets as convergence happens.