Defogging Identity-Based Access Control

Oct. 27, 2008
A simple explanation of a complex new concept that’s changing physical access control.

Professionals in every industry have a specialized and acronym-laden jargon deftly wielded to communicate insider concepts and stymie casual observers. The security industry, historically no stranger to obtuse buzzwords, is currently in even worse linguistic shape than most. The problem is convergence.

Security is attempting to bring together identity management, video surveillance, access control and IT. These meetings are earnest and clumsy, promising and frustrating, and, perhaps most of all, confusing. Experts from five different industries are now slinging incompatible jargon at each other, and a lot of pretty straightforward ideas are being obscured in the crossfire.

For the next thousand or so words, let's get back to basics and look at the four big questions in the merger between identity management and access control: What? Why? When? and How?

What Is It?

The world is becoming identity based. Today, access to physical and logical resources tends to be managed by ad-hoc, single-purpose systems. A card gets you into a building, and a password logs you onto a computer. The card and password aren't linked to each other, and neither is strongly tied to your identity. Counting physical keys, prox cards, PINs, alarm codes and computer passwords, an average person has about a dozen identity representations. I have 8,398. The disadvantages are obvious.

An identity-based access control system tries to improve the situation by separating your identity from your privileges. Your identity is then linked to a credential (a smart card or passport or entry in a database), which is secured against physical or electronic forgery attempts. Once there's a good way to determine your identity, an identity-based system lets privilege providers specify what you are, or aren't, allowed to do. Your identity is then managed by a central authority (such as your employer, industry consortia, or government), while local privileges and access rights are managed by your building facilities supervisor, IT department, HR staff, or drill sergeant.

Why Do We Need It?

There's a ribald old joke that everyone seems to know; it asks why a dog licks a certain part of its own anatomy. The familiar punch line: “Because it can.” You don't need to look for more subtle reasons access control and identity management should come together. Their merger provides improvements to security, convenience and lower total cost of ownership by eliminating the redundancies and loopholes inherent in running separate and parallel systems. If it can be done, it should.

Physical and information security were already fully converged hundreds of years ago. Think of the man riding “shotgun” on a Wells Fargo stagecoach. It's only in the past few decades that the two practices have separated. Instead of “Why should convergence happen?” the question should be, “Why has it taken so long for modern-day convergence to really get under way?”

The answer is one part technical and two parts political. Until recently, technology just hasn't been flexible enough to accomplish the most obvious integrations. Physical and IT security systems may have started out as the same organism, but they have since evolved in response to pretty different environmental pressures. Traditional physical security and access control have always stressed reliability and predictability—think CCTV and Wiegand. IT and identity management systems have stressed innovation and interoperability—think TCP/IP and .NET.

The result is that access control became too primitive and identity management too unreliable. The ugliness of the user interface screens of most head-end security systems would make a modern IT developer cringe, and the intermittent failure rate of all but the best WiFi installations is woefully too high to be trusted with as simple a task as throwing a door strike. The good news is that technology usually improves quickly under the right market motivation, and that motivation is now arriving in spades.

What are the reasons behind the new motivation? At the risk of being simultaneously too-simple and crass, they are 9/11, Enron, and Katrina. In the past five years, we've had dramatic proof that our information-rich and interconnected systems are too vulnerable to intentional attack, financial obfuscation, and natural disasters. These three events represent larger trends and have focused our industry's attention. Of course, the benefits of using identity-based systems promise to be much more than an improved ability to prevent and deal with bad things, but also the ability to perform everyday tasks with more convenience, economy and control.

When Will It Happen?

How long will it take for identity management and access control to be neatly packaged? That depends on where you work and on your taste for experimentation.

The U.S. government is moving toward convergence with uncharacteristic speed and determination. In 2004, Homeland Security Presidential Directive number 12 (HSPD-12) kicked things off by declaring that all federal employees and contractors must use a single, secure credential for access to sensitive physical and IT resources. Momentum continued to build last year when the National Institute of Standards and Technology issued FIPS 201 and related documents outlining a fairly comprehensive roadmap toward convergence. The next major milestone is looming on October 27, when all federal agencies are supposed to start issuing interoperable identity cards to all employees.

FIPS 201 will likely become the world's largest identity management system: tens of millions of individual identities—all of them vetted, enrolled, mapped to local privileges, and squeezed into disparate access control systems.

Over in the commercial sector, the convergence schedule isn't as clearly defined, so progress is still a bit patchy. Some industries, such as contractors with strong, daily ties to the federal government, will have to move quickly, while others can take a more deliberate pace. Since a lot of the initial benefits of identity-based access control have to do with improved auditing and oversight, those industries most concerned with compliance are likely to act first.

There are already cross-enterprise identity management initiatives under way in both the financial services and pharmaceutical industries. These identity-based initiatives initially focus on securing IT communications, but they may soon play important roles in access control as well.

Convergence in other industries will likely wait until the technologies are more mature. Even though the tools are mostly in place for companies to integrate identity management and access control today, doing so still requires a bit of experimentation. Governments and compliance industries will be the guinea pigs in this wave of adoption. The rest of us will learn from their mistakes and follow along. If the idea of the U.S. government innovating and incubating an important field destined to revolutionize the mainstream seems a bit far-fetched to you, remember the last bit of technology that followed this path: the Internet.

The table below shows my prediction of the timelines for the merging of identity management and access control by industry sector.

Sector

The serious work begins

Mainstream adoption by

Government

2005

2008

Compliance Industries: Finance, pharmaceuticals, healthcare, government contracting

2006

2009

Mainstream Industries

2007

2009

How Can We Accomplish It?

The rough outlines of how this convergence will take place are clearly visible.

• Use open standards and protocols.

• New security vendors should focus on building a specific module really well—make the world's best anomalous behavior video detector or audit log reporting tool—and not on making the next end-to-end solution.

• Take the security algorithms seriously. The economics of hacking into a fully converged system are considerably more attractive to attackers than defeating a single-use system like a traditional prox card. Strong cryptography is now a necessity for everything.

• Make your information security and physical security staff talk to one another. To paraphrase an old help-desk expression, convergence begins between the keyboard and the chair.

The rest of the How question is left as an exercise to the reader.

Linking together identity management and access control will be important work for many of the readers of this publication, and I expect a meaningful body of best practices to emerge over the next few months.

In the meantime, if you'd like help navigating around the new buzzwords, my company has started a quick glossary on the topic of identity management and access control convergence at www.corestreet.com/glossary. It's very much a work in progress, so if you're one of the experts so unfairly maligned in the first paragraph of this article, please contribute by sending us additions and revisions. After all, I have to learn the jargon somehow.

Phil Libin is president of CoreStreet, which licenses secure identity-based technology to physical access control providers. Over the past 15 years Mr. Libin has developed secure Internet-enabled systems for a number of industries, including healthcare and travel. In 1995, he became senior engineer at Art Technology Group (ATG), where he participated in the creation of several Java technologies that would become Web and Internet software standards, such as application servers and dynamic Web pages.