Two Worlds Converge

May 12, 2009
A look at the role of smart cards and biometrics in today’s converging physical and logical access control systems

Physical and logical security has traditionally been viewed as two different domains with disparate technologies governing their practices and implementations. However, as the needs for network security and online identity authentication grow, these systems are becoming more sophisticated and driving an ever-increasing convergence of physical and logical access control.

Enterprises working toward convergence are looking to create a single identity credential and are increasingly turning to smart card technology. In many cases, plans also include an additional biometric element, says Greg Thornbury, vice president of SecureNet, a Dallas-based security systems integrator specializing in converged physical and logical access control implementations.

“We’re seeing more demand for converged solutions based on smart card technology, and about 20 percent of them want to add biometrics to the access control system,” Thornbury says.

SecureNet — a Gemalto VAR and a Microsoft Certified Partner — has been a part of the evolution of physical access control systems. From the early days of using magnetic stripe identity cards that carried little to no personal information, to the use of more sophisticated identity solutions, the pull for more advanced technologies has opened the door for SecureNet.

This technology has not developed in a vacuum; the demand for these systems comes from the market, with an increasing push towards sophisticated access control implementation, including the use of biometrics. Now, physical and logical worlds are converging, with a single identity credential used to gain access into a building and log onto a corporate network.

Biometrics

While there is growing market pull for biometrics in physical access control, it still remains a small subset in most facilities — limited to high security areas. “If you have 100 doors in a facility you might see biometric access on two, if at all,” Thornbury says.

Thornbury believes that biometric access control works well and that its costs have come down, though it is still too slow for a main entry point. Another deterrent in some environments is employee resistance. Hospital pharmacies are a prime example: the door has a high physical access security need, but it is also a place where people feel an extreme sensitivity to germ transfer on fingerprint access control readers. Overall, Thornbury says, in most cases security executives conclude it is just not worth the extra effort required to implement biometrics for physical access.

This changes when enterprises begin looking at convergence.

“There is better acceptance of biometrics for logical access control,” Thornbury says. “If your issue was germs, that goes away with your own computer. The throughput issue goes away, too. And there is a big plus — people don’t have to remember passwords or PIN codes anymore. People don’t forget their finger.”

Multi-Technology Cards

The typical model for converging physical and logical access control on a single employee badge is a multiple technology card, according to Randy Vanderhoof, executive director of the Smart Card Alliance, an industry organization with a large constituency in identity and security. Sometimes called a hybrid card, it combines contact smart card and legacy access control technology, either proximity or magnetic stripe (see graphic, right).

“Contact smart card technology, either in a card or a USB token, is the preferred approach for two-factor authentication,” Vanderhoof says. “You can put a digital identity certificate in the smart card instead of leaving it on the PC. Couple that with a PIN to unlock the smart card, and you have a great tool for accountability and non-repudiation — something that is really critical for regulatory compliance and legally valid digital signatures on electronic documents.”

The microprocessor inside the smart card provides strong security by first authenticating the server and then authenticating itself dynamically, without having the certificates leave the card. It can also provide session keys to encrypt communications, and it supports e-mail encryption, disk encryption and digital signatures.

If the card is also an employee’s access badge, there is another advantage: employees have to take it with them as they move around the facility. This builds in a natural means of enforcing the security policy that smart cards and their certificates are not to be left in the PC reader.

Government, Healthcare Lead the Way

Using smart cards for network security and identity management is a trend that has been building for years. In some industries, like defense and federal contractors, it is on the cusp of becoming pervasive.

“Now that every federal employee will soon have a smart card-based Personal Identity Verification (PIV) card, the government’s attention has turned to enabling systems to recognize those cards for strong authentication, encryption and digital signature,” Vanderhoof says. “And defense and government contractors are right behind them, lining up to issue PIV-interoperable cards with identities federated across the federal bridge.”

The federal government and its legion of contractors are not the only sector working collectively to set cross-industry guidelines for creating trust in online identities. Biopharmaceutical and healthcare industry leaders formed the SAFE-BioPharma Association to help the industry achieve a common goal of a fully electronic business environment by 2012. This organization focuses on defining digital identity and signature standards that are acceptable to government regulators and can work throughout the pharmaceutical and healthcare industry.

A strong case study for the universal benefits of digital identity standards comes from Pfizer, one of the industry leaders and a SAFE member. Pfizer implemented a converged physical and logical access control solution based on Gemalto smart card technology. As a regulated pharmaceutical company, Pfizer is required to conduct many studies to bring drugs to market, and its scientists must maintain signed and witnessed lab books. Until recently, those had to be paper notebooks that were passed around for review. With smart card-based digital signatures, Pfizer was able to convert those “wet” signatures to electronic ones, creating a significant return on investment (ROI) for Pfizer and increased trust in pharmaceutical practices from consumers.

Similarly, the healthcare industry is being driven by Health Insurance Portability and Accountability Act (HIPAA) guidelines to increase the security in hospitals and other healthcare providers.

“For years, it was common practice on shared workstations in hospitals that the first nurse would log in and everyone else used that identity for the rest of the shift — that does not provide any accountability,” Thornbury says. “With HIPAA, everyone must log in individually and log out when they are done. As you can imagine, that takes a lot of time, so a smart card-based authentication device can be a real time saver, especially if coupled with a roaming desktop concept.”

Another issue looming on the horizon for healthcare is a Drug Enforcement Administration (DEA) initiative to require strong authentication for e-prescriptions for controlled substances. Like HIPAA, this budding requirement lends itself to smart cards and biometrics.

Chemical, energy and other critical national infrastructure industries — dams, power plants and grids — are also moving into smart card-based logical access control. Driving factors include stronger security goals, strict auditing requirements and other regulations that dictate a two-factor solution. These applications are also prime candidates for biometrics, according to Thornbury.

Providing ROI

An advantage of convergence for both security practitioners and technology providers is that there is a good ROI case to be made for logical access control — something that has always been hard to come by in physical access control, Thornbury says. Typical ROI payback elements in logical access control include password resets and support costs, audit savings and productivity gains. Particularly in today’s business environment, a clear ROI is moving logical access control and convergence to the top of IT departments’ priorities.

Another factor that improves ROI is that many of the components for converged physical and logical access control are now off the shelf. This is especially true in a Microsoft environment. Microsoft has worked closely with its Gold Partner Gemalto and others to create a total solution, including Identity Lifecycle Manager (ILM) and Active Directory integration. Gemalto has created mini-drivers that are supported out of the box on Microsoft Vista and available as ready downloads for Windows XP, removing the client middleware requirement.

The ready availability of off-the-shelf strong authentication solutions has made it possible for organizations of any size to implement strong authentication. For example, Virchow Krause, the nation’s 13th largest accounting firm and a Microsoft shop, was able to implement smart card tokens from Gemalto that included one-time password (OTP) capabilities and Microsoft digital certificate authentication. Two years ago, this would have required custom development.

Biometrics for logical access control will also get a boost from out-of-the-box support. In April at RSA 2009, Microsoft and Gemalto are demonstrating a new solution that supports biometrics on smart cards in a Microsoft desktop.

“Smart cards are a natural fit with biometrics,” Vanderhoof says. “By storing the biometric template on the smart card, you can do a match-on-card verification of the cardholder’s identity. Like a certificate authentication, the fingerprint template never leaves the card, making the entire system more secure. In addition, the template goes with the badge holder, so you can do the authentication locally without a network connection to a central database for lookup.”

The Future

The U.S. federal government remains the leading user of smart cards combined with biometrics technology. The electronic passport, the PIV card and the Transportation Worker Identification Credential (TWIC) being issued by the Transportation Security Administration all combine smart cards and biometrics.

As we look to the future, the level of physical and logical convergence will only increase. Government regulation and an increased awareness of the need for better access controls continue to fuel the movement. Although the convergence of physical and logical access still faces challenges, the flexibility of smart cards lets them adapt rapidly to emerging requirements — like biometrics — as enterprises learn how to most efficiently use and manage these devices.

Furthermore, with mainstream IT infrastructure players such as Microsoft providing out-of-the-box solutions for the deployment and management of smart cards, the implementation and use of converged identity credential solutions will only get easier and more cost-effective.

Tom Flynn is Director of Marketing, Identity & Access Management, for Gemalto North America, where he leads the team that is responsible for defining Gemalto’s business strategy and technical solutions for enterprise network security and converged badge solutions. Visit Gemalto at www.gemalto.com.

The Smart Card Alliance has online resources available in smart cards, convergence, physical and logical access control and smart cards and biometrics at http://www.smartcardalliance.org/pages/smart-cards-applications-enterprise-id. The Alliance has active industry and technology councils in Identity and Physical Access, and encourages interested parties to learn more at www.smartcardalliance.org.