Government and critical infrastructure facilities face a threat landscape spanning physical and digital spheres. Securing this “phygital” space demands constant ingenuity to stay one step ahead. Protecting the personal information of U.S. citizens and government institutional data is critical to national security — a standard becoming increasingly difficult for federal facilities to meet.
A recent report from the Senate Homeland Security Committee found glaring gaps among federal agencies in properly protecting personally identifiable information (PII). These agencies, often underfunded and operating in a collaborative but decentralized model, have fewer resources to develop, fund, and implement mandatory cybersecurity standards.
One bright light in the report acknowledges the current budgeting model does not support compliance with cybersecurity mandates. Mandated, but not funded, makes it very difficult for government agencies to comply in any meaningful way. Federal Identity, Credential, and Access Management (FICAM) compliance is a perfect example of a mandated-but-not-funded challenge for government agencies.
The increasing vulnerability of connected devices and the discussion around how to keep the data they hold secure present other challenges. With the shift to the anywhere-operations model over the past year — a change most likely permanent for many — there is a greater importance on identity management and access control industry-wide, but within government and critical infrastructure, it is fundamental. The rise of connectivity and remote operations, long in the making but accelerated by the pandemic, forces the increased reliance on connected devices and puts organizations at a higher security risk.
Multilayered, authenticated access should be built into spaces, logistics, platforms, products, and services; this is non-negotiable in infrastructure and government development activity due to strict regulations within these sectors, combined with the increasingly connected environment. The goal here is to secure these sectors while also reducing risk without sacrificing operational performance. It is a fine line to walk.
Critical infrastructure and government facilities have unique requirements for managing the physical and logical access of people — employees, contractors, and the visiting public — into and throughout facilities with varying security levels. Considering government facilities include law enforcement, intelligence, judicial, research facilities, and more, physical access control and identity management systems must be flexible, reliable, connected, and secure at all times. While traditional security methods like visitor management and perimeter surveillance still apply, you must consider the complex challenges of regulatory requirements. Today’s modern technology is up to the challenge. There is technology today meeting all of the aforementioned parameters and offers secure visitor controls, access to cyber resources, asset tracking, and attack prevention. Government and critical infrastructure facilities are designed to be among the world’s most secure facilities and therefore, require high-grade access control and identity management solutions.
In a market saturated by solutions, how can these organizations identify the innovations to best meet their privacy, safety, and security needs?
Government and infrastructure organizations must remain vigilant in protecting their data and assets in today’s phygital world. As new technologies designed for the successful delivery of infrastructure assets and operations emerge, here are some of the latest (and best) access control and identity management options:
FIDO 2.0 -- Implementing strong authentication solutions adhering to modern security standards like FIDO 2.0 will help improve defenses preventing PII theft. Standards-based FIDO authentication ends the reliance on passwords, demonstrating the future in authentication technology.
Multi-Factor Authentication -- Federal agencies should consider including hardware security key-based multi-factor authentication (MFA) into all security strategies. Without two-factor authentication (2FA), they increase the vulnerability of their network and their organization. Mandating and earmarking funding for MFA in the U.S. federal government is important for addressing cybersecurity issues.
Smart Card Readers -- Smart card readers and identity devices protect login to PCs and networks, encrypt hard drives, and digitally sign and encipher email, leading to a wide variety of applications. Available as contact, contactless, or mobile options, these identity verification readers provide a high level of security to ensure data is protected.
Tokens -- Compact tokens enable secure mobility for mobile desktop applications and can autonomously act as contactless smart card tokens. They combine something familiar, like a password, to something new, the token, to enable 2FA.
Mobile Apps -- Advanced mobile apps support CAC, PIV, and derived credential multi-factor access to secure web browsers, deliver the ability to sign, encrypt, and decrypt emails, enable mobile PDF signing, and secure app development.
Password Protected Doors -- Many public spaces utilize password-protected doors. The door restricts access to only those with the correct password — an effective means of safeguarding a location that houses sensitive information.
Smart Cards -- Based on digital certificates, high-security smart cards offer flexibility in card application and can be programmed with multiple credentials. Meeting security criteria far beyond their legacy, proximity card counterparts, smart cards provide strong authentication, digital signatures, secure remote access, desktop login, and PII and data encryption.
Biometric Readers -- Currently, the spotlight is on biometrics playing an important part in identification measures. The associated security solutions will continue to capture greater market share and make physical access control systems more secure. Biometric readers do not require an additional physical device or use mobile devices either. The identity of a person is authenticated by the individual themself. Biometric technologies take the form of numerous applications: fingerprint and palm scanners are more typical variations, but facial recognition, eye scanners, and voice recognition are all cutting-edge technologies available on the market. Biometrics are extremely sophisticated and often more expensive than alternative access control credentials. Without the need for a device, and being impossible to imitate, they are some of the most convenient and secure access control methods.
As the physical and digital worlds continue their integration, physical access control and identity management solutions providing a secure flow of information across this new phygital ecosystem are imperative. Not only is physical access control critical, but security solutions must address the challenges of anywhere operations arising with the growing remote workforce. This intersection is important for any facility’s security plan. Security should be a part of an organization’s day-to-day operations and designed to drive results-oriented cooperation between previously disjointed security functions. The integration of physical security, logical security, information security, business continuity, risk management, loss prevention, and more should be part of a holistic security strategy for any facility. We are seeing more cross-functional involvement in physical and logical access decision-making as this phygital conflux becomes more prominent.
While critical infrastructure and government sectors have fully embraced the Internet of Things (IoT) in recent years, criminals and their attacks have become increasingly sophisticated, creating a never-ending fight for organizations to protect themselves. A multilayered, authentication security solution — composed of many of the above technologies — is the best answer to addressing and solving these challenges.