ID management gets physical

Integrating physical access control with IT security may be the biggest challenge, but it will have the greatest payoff

Last November, a revised document from an interagency working group laid out the following scenario, illustrating one of the biggest technical challenges for agencies complying with Homeland Security Presidential Directive-12: A government employee receives a smart card that lets him into his building. Eventually, he's assigned to a project in another state and needs access to that facility using the same ID. Then his work takes him to a separate agency where, with proper authorization, his card should allow him through that door, too.

But today, that can't happen. And making it happen will be a significant undertaking, one that will require careful planning, wholesale infrastructure upgrades and changes in the way agencies manage security.

The Physical Access Interagency Interoperability Working Group has prepared Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems. The document should help agencies integrate what has commonly been the quintessential stovepipe system, building access security, with an overall personal identity verification architecture that bridges physical- and logical-access control within and among disparate agencies.

"PIV is going to do a lot for pushing [smart-card] technology forward and getting the physical-access guys to come on board," said Mike Butler, chief of smart-card programs in the Defense Department's Common Access Card Office.

Perhaps the first and most basic challenge facing agencies is that physical-access control systems are islands unto themselves. Physical security usually is handled by a different group (trained in "guns and badges," as experts describe it) from the people who handle information technology. Physical-access control systems will have to become network-based if they're to deliver on the promise of HSPD-12.

"More and more IT departments are getting involved with these systems," said Michael Regelski, vice president of engineering at Lenel Systems International Inc. of Rochester, N.Y. Lenel has worked on physical security for various agencies, including NASA, which Regelski says is furthest along in integrating physical- and logical-access control.

But if it comes down to a turf battle, the need to keep bad guys out of a building could trump smart-card access to network resources.

"Between the physical and the IT organizations, the ones who have the upper hand in many agencies are the physical, because they have the authority to issue badges today," said Jeremy Grant, vice president for enterprise solutions for Maximus Inc. of Reston, Va. "As a result, a lot of agencies are really looking at logical access only as an application that can be supported on the card."

Experts say physical-security staffs don't have a lot of experience with IT and are understandably nervous about putting their systems on a network. Once physical-access control systems ride on an IP network, they are exposed to the same attackers, malware and other risks as any other networked host.

Authsec Inc., a security consulting company in Columbia, Md., has run vulnerability scans on a variety of physical-access control systems, and every one had vulnerabilities.

"Vendors don't live in [the network] world and aren't used to worrying about vulnerabilities in their products," said senior vice president Dallas Bishoff. "It's not that the risk can't be controlled. The door control panels have operating systems and are susceptible to viruses and need to be patched.
But most PACS are not treated as IT procurements and are not subject to certification and accreditation."

In fact, access control cards from one vendor typically work only with that company's readers, which in turn typically work only with the same company's control panels. Moving to IP and the standards developed by the National Institute of Standards and Technology should change that and open physical-access control systems so they can talk to other parts of the security infrastructure, such as an identity management system.

"Four or five years from now, physical-security networks that run off the office network will be common," Butler said. "Then you can start doing things like make sure a person can't log onto a network unless you know they came through the door."

Making exceptions

There will always be situations where, for security reasons, a physical-access control system can't link to an IP network, but those will be exceptions to the rule.

Once an agency has a strategy for integrating its physical and IT security operations, there's the matter of actually getting its physical-access control systems to comply with NIST's Federal Information Processing Standard 201 (FIPS 201).
And because there are so many proprietary systems floating around, the job is big.

"A lot of the physical-access community hasn't woken up to what HSPD-12 really means and how obsolete a lot of their stuff is going to be," Grant said.

The crux of the problem, put simply, is that many of the card readers and control panels guarding agency doors can't read the information that will be contained in future PIV cards. Under HSPD-12 and FIPS 201, the main identifier on a PIV card will be the Federal Agency Smart Credential Number, or FASC-N. Its 32 decimal digits of agency, system, credential and person data, together with the sentinels, separators and check character of the binary-coded-decimal encoding FIPS 201 specifies, come to 200 bits, or 25 bytes, far more than the card-number field of most legacy panels was built to carry.

"You can't shove that much information through the control panels of a lot of legacy access systems," Grant said.

There has been talk of an interim solution under which systems accept truncated smart-credential data, but it's an imperfect solution that would effectively reduce the amount of unique identifying information a building actually checks. What's more, according to Regelski, while truncation might be a passable solution within a facility, it would make cross-facility interoperability harder because it could lead to duplication among shortened ID numbers.

Experts agree that virtually all card readers in operation today for physical security will have to be replaced.
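The sizing and truncation problem Grant and Regelski describe can be made concrete. The following is an added example written for this page; it is not code from the article, NIST, Lenel or Maximus. The field names and digit widths follow the FASC-N layout in FIPS 201 and the TIG-SCEPACS guidance; the sample card values, the 26-bit legacy panel field width (LEGACY_PANEL_BITS), the bit order within each character and the LRC computation are assumptions made for the demonstration.

```python
from dataclasses import dataclass

# FASC-N data fields in wire order with their decimal-digit widths (FIPS 201 / TIG-SCEPACS).
FASCN_FIELDS = (("agency_code", 4), ("system_code", 4), ("credential_number", 6),
                ("credential_series", 1), ("individual_credential_issue", 1),
                ("person_identifier", 10), ("organizational_category", 1),
                ("organizational_identifier", 4), ("poa_category", 1))
SS, FS, ES = 0b1011, 0b1101, 0b1111   # BCD start sentinel, field separator, end sentinel
LEGACY_PANEL_BITS = 26                # assumption: width of a legacy panel's card-number field


def _digits(s):
    return [int(ch) for ch in s]


@dataclass(frozen=True)
class FascN:
    agency_code: str
    system_code: str
    credential_number: str
    credential_series: str
    individual_credential_issue: str
    person_identifier: str
    organizational_category: str
    organizational_identifier: str
    poa_category: str

    def __post_init__(self):
        for name, width in FASCN_FIELDS:
            value = getattr(self, name)
            if len(value) != width or not value.isdigit():
                raise ValueError(f"{name} must be {width} digits, got {value!r}")

    def characters(self):
        """The 40 BCD characters: sentinels, separators, the 32 digits and an LRC."""
        chars = [SS] + _digits(self.agency_code) + [FS] + _digits(self.system_code) + [FS]
        chars += _digits(self.credential_number) + [FS, int(self.credential_series), FS]
        chars += [int(self.individual_credential_issue), FS] + _digits(self.person_identifier)
        chars += [int(self.organizational_category)] + _digits(self.organizational_identifier)
        chars += [int(self.poa_category), ES]
        lrc = 0
        for c in chars:   # assumption: LRC is the XOR of every preceding character
            lrc ^= c
        return chars + [lrc]


def encode(card):
    """200-bit (25-byte) wire form: per character, 4 data bits LSB first, then an odd-parity bit."""
    bits = []
    for c in card.characters():
        data = [(c >> i) & 1 for i in range(4)]
        bits += data + [1 - (sum(data) & 1)]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def decode_characters(wire):
    """Inverse of encode(); raises on a parity error."""
    bits = [(b >> (7 - i)) & 1 for b in wire for i in range(8)]
    chars = []
    for i in range(0, len(bits), 5):
        group = bits[i:i + 5]
        if sum(group) % 2 == 0:
            raise ValueError(f"parity error in character {i // 5}")
        chars.append(sum(bit << k for k, bit in enumerate(group[:4])))
    return chars


def bits_for_digits(n):
    """Bits needed to carry an n-digit decimal number in binary."""
    return (10 ** n - 1).bit_length()


def truncated_id(card, keep):
    """A legacy-style identifier: only the named FASC-N fields, concatenated."""
    return "".join(getattr(card, name) for name in keep)


def collisions(cards, keep):
    """Pairs of distinct cards that a panel keying on `keep` alone cannot tell apart."""
    first_seen, dupes = {}, []
    for card in cards:
        key = truncated_id(card, keep)
        if key in first_seen:
            dupes.append((first_seen[key], card))
        else:
            first_seen[key] = card
    return dupes


# Constructed sample cards: two agencies have each issued credential number 123456.
SAMPLE_CARDS = [
    FascN("0032", "0001", "123456", "1", "1", "0000000001", "1", "0000", "1"),
    FascN("9700", "0001", "123456", "1", "1", "0000000002", "1", "0000", "1"),
    FascN("0032", "0001", "654321", "1", "1", "0000000003", "1", "0000", "1"),
]

if __name__ == "__main__":
    wire = encode(SAMPLE_CARDS[0])
    print(f"full FASC-N: {len(wire) * 8} bits ({len(wire)} bytes); panel field: {LEGACY_PANEL_BITS} bits")
    for keep in (("credential_number",), ("agency_code", "system_code", "credential_number")):
        width = bits_for_digits(sum(w for n, w in FASCN_FIELDS if n in keep))
        print(f"keep {'+'.join(keep)}: {width} bits, fits={width <= LEGACY_PANEL_BITS}, "
              f"collisions={len(collisions(SAMPLE_CARDS, keep))}")
```

Run stand-alone, the script shows the trade-off in one screen: the full credential is 200 bits, the six-digit credential number alone fits a 26-bit field but makes the two agencies' cards indistinguishable, and the agency/system/credential combination that keeps them distinct needs 47 bits and so does not fit. That is the cross-facility duplication Regelski warns about, and why a panel that keys on a truncated number is only tolerable inside a single facility.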
Preserve the legacy?

Whether agencies will have to replace the control panels that handle those readers, and the back-end systems that operate the entire PACS, will depend on what's currently in place.

"You can replace existing readers to accommodate the new card," Regelski said, "and as long as the systems can interpret the output (and the majority of them can) you should be able to take the PIV credential and use it on your existing infrastructure." However, he cautioned, even some legacy back ends can't handle the data requirements of FIPS 201.

In addition, Bishoff warned, today's physical-access control systems weren't designed to handle cryptographic keys, nor have they been through FIPS 140-2 testing, which validates cryptographic modules for use in government.

Just as in a large-scale IT infrastructure upgrade or consolidation, the extent of a physical-access overhaul will hinge on an agency's ability to document all its components. Security systems are often procured site by site, or even building by building, making it difficult to get a handle on what's out there.

"Most agencies do not know how many systems they've got, because they were all locally acquired and there's no central inventory," Bishoff said. "The most bizarre case we saw was a building with five physical-access control systems. Three of them were within 30 feet of each other, and they were all three independent systems."

Triage needed

And because we're talking about large numbers of readers, and possibly control panels, at many different buildings, agencies will need a strategy for cutting over to a new system while still allowing unfettered access through the old.

"You can't replace all your existing readers in one shot," Regelski said. "You need a strategy. It could be multiple cards or new cards with old tokens embedded."

"We need to do triage here," Butler said.
"If we've got some place up in Maine out in the woods where 300 people work and they're using a magnetic stripe system today, and maybe they just upgraded it, why would we waste the taxpayers' money on someplace like that until it really makes sense, business case-wise, to replace a system like that?"

Butler said the Office of the Secretary of Defense just got a new security system that doesn't support the contactless smart card described in PIV specifications. But when the department gets its new contactless smart cards, it will still encode the contactless side, and employees will carry two cards in the same holder during the transition. DOD also plans to have thousands of employees using a PIV card starting in April.

The good news is that despite all the effort that must go into upgrading to meet HSPD-12 mandates, the move to an integrated security infrastructure could save agencies money. Authsec did an analysis for a large agency and found that if the agency had gone with a FIPS 201-type security strategy, it would have saved $32 million in 2005.

"FIPS 201 and HSPD-12 create the opportunity for dollar savings," Bishoff said, "but it's going to be real expensive to get there."

And it won't happen overnight. Said DOD's Butler, "We're going to be doing this six years from now."
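Butler's payoff case, refusing a network logon unless the PACS shows the person came through the door, is the kind of correlation a networked PACS makes possible. The following is an added example written for this page, not code from DOD or any vendor named in the article. The door-log and logon-log line formats, the IDMS lookup that maps a user account to the agency/system/credential portion of that user's FASC-N, and the building assignment of each workstation are all constructed for the demonstration, as is the 12-hour maximum age for an entry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DoorEvent:
    time: datetime
    building: str
    card: str        # assumption: agency+system+credential digits of the FASC-N as the PACS reports them
    direction: str   # "in" or "out"
    granted: bool


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    building: str    # assumption: where the workstation sits, from the asset inventory
    host: str
    user: str


def _fields(line):
    """Split '<iso timestamp> k=v k=v ...' into (datetime, dict)."""
    stamp, *pairs = line.split()
    return datetime.fromisoformat(stamp), dict(p.split("=", 1) for p in pairs)


def parse_door_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            t, kv = _fields(line)
            events.append(DoorEvent(t, kv["bldg"], kv["card"], kv["dir"], kv["result"] == "granted"))
    return sorted(events, key=lambda e: e.time)


def parse_logon_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            t, kv = _fields(line)
            events.append(LogonEvent(t, kv["bldg"], kv["host"], kv["user"]))
    return sorted(events, key=lambda e: e.time)


def last_granted_event(door_events, card, building, before):
    """Most recent granted door event for this card at this building at or before `before`."""
    hits = [e for e in door_events
            if e.card == card and e.building == building and e.granted and e.time <= before]
    return max(hits, key=lambda e: e.time, default=None)


def reason_to_deny(door_events, logon, idms, max_age):
    """None if the PACS shows the user inside the building at logon time; otherwise why not."""
    card = idms.get(logon.user)
    if card is None:
        return "no PIV card on record for user"
    last = last_granted_event(door_events, card, logon.building, logon.time)
    if last is None:
        return "no granted entry to this building before logon"
    if last.direction == "out":
        return f"card badged out at {last.time.isoformat()}"
    if logon.time - last.time > max_age:
        return f"last entry at {last.time.isoformat()} is older than {max_age}"
    return None


def logons_without_presence(door_log, logon_log, idms, max_age=timedelta(hours=12)):
    """Logons the door-before-logon rule would refuse, each paired with the reason."""
    doors = parse_door_log(door_log)
    flagged = []
    for logon in parse_logon_log(logon_log):
        why = reason_to_deny(doors, logon, idms, max_age)
        if why:
            flagged.append((logon, why))
    return flagged


# Constructed sample logs: one denied entry, one logon after badging out, one user never seen at a door.
PACS_LOG = """\
2005-03-14T07:58:02 bldg=HQ door=Lobby-1 card=00320001123456 dir=in result=granted
2005-03-14T08:03:40 bldg=HQ door=Lobby-1 card=00320001654321 dir=in result=denied
2005-03-14T12:10:05 bldg=HQ door=Lobby-1 card=00320001123456 dir=out result=granted
"""
LOGON_LOG = """\
2005-03-14T08:05:12 bldg=HQ host=WS-0417 user=jdoe
2005-03-14T08:06:30 bldg=HQ host=WS-0420 user=asmith
2005-03-14T09:00:00 bldg=HQ host=WS-0999 user=rjones
2005-03-14T12:15:00 bldg=HQ host=WS-0417 user=jdoe
"""
IDMS_CARDS = {"jdoe": "00320001123456", "asmith": "00320001654321", "rjones": "00320001777777"}

if __name__ == "__main__":
    for logon, why in logons_without_presence(PACS_LOG, LOGON_LOG, IDMS_CARDS):
        print(f"{logon.time.isoformat()} {logon.user}@{logon.host}: {why}")
```

Only jdoe's 08:05 logon passes; the other three are flagged for a denied entry, no entry at all, and a logon after badging out. The rule works only because the IDMS holds the link between the network account and the card identifier, which is why the article treats the IDMS as the bridge between the physical and logical sides; a PACS that is not on the network, or that reports a truncated card number that is not unique, cannot feed it.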

HSPD-12 systems and physical access

Physical access control systems integrate with a larger HSPD-12 infrastructure through the identity management system. The IDMS is the core component bridging all other parts of the personal identity verification system. The PIV II diagram accompanying this article shows the components required to build a FIPS 201-compliant system. The core components, as defined by GSA, handle card functions, including the IDMS, card management, card printing, registration and PKI certificate authority systems.
Source: General Services Administration

"Four or five years from now, physical security networks that run off the office network will be common."

Mike Butler, Defense Department

Ron Chapple