Sharing Credentials

Sept. 6, 2016
Using the same smart identity card for logical and physical access control is opening opportunities for integrators

Today, many security systems integrators are providing Physical Access Control System (PACS) platforms with identity credentials that are based on smart card technology, providing high levels of security for physical access to buildings and doors.

At the same time, organizations’ IT security policies do not match these high security levels and, with the persistent threat of data breaches, organizations are looking for a solution that will increase both security and operational efficiency. This presents an opportunity for security systems integrators who want to expand their services and generate additional revenue: an ideal solution lies in extending the use of the smart card-based credential already used for PACS to secure IT system log-on.

Data Breaches Spur Need for IT Security

The onslaught of data breaches in recent years is leaving organizations searching for better IT security solutions. According to ABI Research, the number of reported data breaches grew from 3,332 in 2014 to 3,970 in 2015; a separate study from Gemalto estimated the number of records lost in data breaches was a staggering 707 million in 2015. Some breaches were well-publicized and affected well-known organizations, and the trend does not show any sign of reversing.

The common practice of using username and password authentication to log on to IT systems is a major factor in data breaches. According to the Verizon Data Breach report, 63 percent of all data breaches involve the use of stolen, lost or weak credentials. When usernames and passwords are used to log on, there is no verification of trusted origin and no detection that the password provided has been compromised. Relying on a password to log on to each role (or account) leaves it exposed to increasingly sophisticated attack methods, including data packet capture and replay, keystroke logging and brute force attacks.

Extending the use of smart card technology-based credentials for IT system log-on can mitigate these risks for organizations by moving beyond username and password authentication with strong, multi-factor authentication.

Extending the PACS Credential for Secure IT Access

Credentials based on smart card technology are not susceptible to the same attacks as username and password authentication. Two- and three-factor authentication processes are made possible with smart identity credentials that use both private cryptographic keys and a six- to eight-digit card PIN that is selected and known only by the authorized card holder. The PIN is stored in a secure, tamper-resistant part of the card.

In order to compromise the credential, a hacker must have physical possession of the card and know the PIN that is required to initiate the cryptographic active authentication process. Active authentication such as a challenge-response mitigates the threat of capture and replay attacks, and having the PIN stored in the card mitigates brute force attacks. The PIN mitigates the risk of an unauthorized person using a valid stolen card to authenticate and log on. In addition, a biometric match of the original card owner and the person presenting the card mitigates the threat of an authorized card owner allowing someone else to use a valid card.
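The challenge-response flow described above, simulated as an added illustration that is not code from the article or from the Smart Card Alliance: the card side holds the private key and checks the PIN on-card, the relying party issues a fresh random challenge and accepts each one only once. The ECDSA P-256 key, the 32-byte challenge and the three-try PIN lockout are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
)

// Card models the tamper-resistant part of a smart identity credential: the private
// key never leaves it and the PIN is checked on-card (three-try counter assumed).
type Card struct{ priv *ecdsa.PrivateKey; pin string; retries int }

func NewCard(pin string) *Card {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) } // system RNG failure; not recoverable here
	return &Card{priv: priv, pin: pin, retries: 3}
}

// Public is what the directory or PACS stores (normally inside an X.509 certificate).
func (c *Card) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }
// Sign answers a verifier-chosen 32-byte challenge, but only after the PIN checks
// out. A wrong PIN burns a retry; at zero the card is blocked, defeating brute force.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.retries == 0 { return nil, errors.New("card blocked") }
	if pin != c.pin {
		c.retries--
		return nil, errors.New("wrong PIN")
	}
	c.retries = 3 // a correct PIN resets the counter, as on real cards
	return ecdsa.SignASN1(rand.Reader, c.priv, challenge)
}

// Verifier is the relying party (AD log-on or the PACS operator console). It accepts
// a signature only over a challenge it issued, each at most once, so no replay.
type Verifier struct{ pending map[string]bool }

func NewVerifier() *Verifier { return &Verifier{pending: map[string]bool{}} }
func (v *Verifier) Challenge() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil { panic(err) }
	v.pending[string(b)] = true
	return b
}

func (v *Verifier) Check(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	if !v.pending[string(challenge)] { return false } // unknown or already used
	delete(v.pending, string(challenge))
	return ecdsa.VerifyASN1(pub, challenge, sig)
}
```

A captured (challenge, signature) pair fails the second Check because the challenge has been consumed, and a challenge the verifier never issued fails outright.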

A smart identity credential’s cryptographic processes can be used to authenticate both the credential and the credential holder to an Active Directory (AD) account. AD accounts are created according to corporate (or agency) policies, and log-on authentication can include multi-factor mechanisms.

Data security is further enhanced by using the smart credential’s cryptographic capabilities to achieve any one, or a combination, of the following goals: confidentiality, integrity and proof of trusted origin (non-repudiation).

  • Confidentiality of data means that the information is encrypted and only revealed to individuals who both are in possession of the proper key needed to decrypt the file and also are authorized to access the encrypted data. Both data at rest and data in transit can be encrypted.
  • Integrity means that the data is original and unaltered. This does not need to include confidentiality; integrity may be required in public transactions.
  • Non-repudiation means that there is proof that the data originated with the sender. Non-repudiation may be used without need for confidentiality.

Directories, folders and files can be structured and organized to allow various access control policies to be focused exactly as required in the organization’s role definitions. Role definitions are not limited to company networks, but may include websites and cloud access control as well.

Common applications, such as Microsoft Word, may be available to anyone with a simple log-on. Authorized individuals may be required to provide multi-factor authentication to access and decrypt specific files or applications. Certain files may be restricted so that they may only be viewed, but not copied, edited or downloaded. Confidentiality, integrity and proof of trusted origin are significant objectives that drive the use of smart identity credentials for network log-on.

Importantly, for security systems integrators talking to customers about extending the use of their smart credentials to IT access, migrating IT access away from username and password authentication not only provides more security; it has also been shown to offer more convenience and to reduce operational costs.

PACS Meets IT Access: Securing the PACS Back-end

Smart card technology-based credentials can be used to secure IT access to all systems, including corporate networks, the internet, web apps and email. Since PACS are increasingly considered part of the corporate IT infrastructure and are already required to perform one-, two- and three-factor authentication of cards and cardholders at the access control point before granting physical access to an area, the same authentication process can be leveraged when PACS operators log on to the system.

It is important to secure the back-end of PACS systems, where system administrators, operators and service engineers perform diverse functions as defined in their specific operator roles and system accounts. Just as with other IT systems, the practice of using username and password authentication to log on is a common attack vector used by hackers. PACS operator roles often include critical functions such as altering system configuration and physical access authorization parameters, so a compromised operator account presents a significant security risk to an organization.

In addition, PACS inherently contain a user database with personally identifiable information (PII) of executives, employees and contractors; the database itself is therefore often an attractive target for hackers.

Using a common credential that is based on smart card technology in this example has numerous benefits, as it allows the same level of assurance that is required to physically enter an area to govern how operator accounts and operator roles are defined, created and accessed.

A PACS database can be partitioned according to the different physical areas that are controlled by the system. The authentication factors required to access these various partitions should match the authentication mechanisms required to access the physical area that the corresponding portion of the PACS is designed to protect. For example, a person at an access control point leading into a limited area is required to present the smart card technology-based credential. The same credential can therefore be the minimum required for an operator to access and modify the PACS functions for that limited area.

Using a common credential is also very beneficial when an employee leaves the organization. A simple certificate revocation is sufficient to revoke both the physical access and the log-on privileges across the entire enterprise.

Cost Savings with Smart Cards

Using smart card technology-based credentials to log on to networks has many security benefits but also cost-savings benefits that many organizations are looking for in an IT security solution. Below are two examples from Department of Defense (DoD) and Department of State of first-year cost benefits after requiring all employees to use their smart identity credential to log on to unclassified networks.

Department of Defense:

  • Decreased the number of successful intrusions by 46 percent in the previous year, because of a requirement that all DoD personnel log on to unclassified networks using a Common Access Card (CAC) credential.
  • Eliminated the need to use passwords, the major problem in protecting DoD networks.
  • Decreased the number of successful socially engineered email attacks against DoD users.
  • Employees do not need to remember as many passwords that frequently change.

Department of State:

  • State Department annual password management costs approximately $12.5 million for 63,500 users, who make around 21 calls each to the IT help desk (of the 1,334,109 total calls, 30 percent, or 365,000 calls, are password reset requests).
  • Different password composition rules on multiple servers at the department level lead to inconsistent passwords across systems and increase the number and types of passwords employees maintain.
  • IT help desk service tickets related to password management: 365,000 calls, $31.00 each.
  • Percentage reduction in total help desk tickets related to password management: year one: 33 percent; year two: 22.4 percent; year three: 25.1 percent; year four: 22.7 percent.
  • Today, less than 5 percent of Department of State help desk calls are password related.

Opportunities Abound

Recent hacks, some well publicized, have forced commercial enterprises to re-evaluate their IT risk profile and security policies, opening up the door for security systems integrators to respond to current market changes.

Security consultants and system integrators have a new and emerging market to serve among large corporations. An increasing number of service companies are emerging to assist private enterprises with products and services that enable secure, multi-factor authentication for logging on to corporate networks and email accounts. Services range from policy creation and implementation assistance to fully hosted identity credentialing and CA services. Professional services opportunities may be expanded by offering consulting and engineering services, credential management services, and maintenance service contracts for both PACS and IT access systems.

The future does indeed look bright for our industry.

Lars R. Suneborn, CSCIP/P, CSEIP, is the Director of Training Programs for the Smart Card Alliance (www.smartcardalliance.org).