How to apply the “Bring Your Own Device” model to access control

With mobile provisioning, there is no risk of cloning. It is also significantly easier to issue temporary credentials, revoke or cancel credentials at will, or when they are lost or stolen, and monitor and modify security parameters when a security area’s threat level increases. The systems administrator can either de-provision a digital key over-the-air or via a managed service portal, or remove access rights in the access control system database.

Organizations also can support variable security levels and use additional data elements. They can perform dynamic, context-based role-setting, such as invoking two-factor authentication during an elevated threat level. For instance, an application could be pushed to the phone that requires the user to enter a 4-digit pin or perform a gesture swipe before the phone can send the message to open the door.

There are many types of keys and credentials that can reside simultaneously on NFC-enabled smartphones. This includes credentials for purchasing items at the company cafeteria, and for using secure printing equipment. Smartphones can also generate One Time Password (OTP) soft tokens for securely logging on to another mobile device or desktop computers in order to access a network. With all these physical and logical access capabilities on BYOD smartphones, IT departments know they must develop solutions to protect their systems, data and facilities.


IT Security Concerns

First, to preserve personal privacy for BYOD users while protecting the enterprise from compromised personal apps, all applications and other ID credentials must be containerized between personal and enterprise use. Applications must be enabled for use with digital keys and cards, including applications that enable smartphones to support PIN entry to “unlock” key usage for authentication or signing. Also, middleware application programming interface (API) technology must be standardized so that ID credential functionality can be exposed to the application.

Smartphones used for access control may also need to support derived credentials and support Public Key Infrastructure (PKI), including personal identity verification (PIV) credentials, as used by U.S. federal workers. The combination of containerization and derived credentials will also create the need for hierarchical lifecycle management. This will enable organizations to, for instance, revoke all credentials when a phone is lost, or to only revoke “work” credentials in the case of phones carrying PIV credentials. This is a multi-dimensional mobile ID management challenge that the industry must address as the BYOD model proliferates.

There also must be adequate cloud storage security so that BYOD smartphones can be used for network and application logon. There are four possible approaches. While an open access model on the public internet is easy to implement using a software as a service (SaaS) provider that manages usernames and passwords, this approach offers the weakest data protection.

An alternative is a virtual private network (VPN), and have remote users first authenticate to the VPN before entering username and password. However, this does not scale well to BYOD since VPN clients must be installed on many different devices alongside personal applications, and doesn’t provide additional protection against internal threats. Another option is native strong authentication, but this is inconvenient since each application requires its own, specific security solution.

The best option is federated identity management, in which the user authenticates to a central portal to access multiple applications. Federated management supports different authentication methods and meets compliance requirements by providing a centralized audit record. It also is more convenient than alternatives because nothing must be installed on end-user devices, and it offers good protection against Advanced Persistent Threats (APTs), along with internal threats such as employee fraud.

Federated ID will also ensure that identity can be effectively managed on both plastic cards and smartphones. Plastic cards are not going away anytime soon, and the mobile access control infrastructure will augment what already exists. Many organizations will still want their employees to carry cards because they are used as a means of photo identification. Printer systems will also support both plastic and mobile credentials, as well.