The logic behind physical-access controls


New access-control systems take into account the increasing importance of combining physical and logical security.

Experts in government and the information technology industry all sounded the same theme when asked what to put in a request for proposals for a physical-access system that can live in the brave new world of convergence with logical security: Plan well. That oft-repeated advice can sound trite and obvious with other IT projects, but it might be the most important step. Upgrading or replacing older physical systems risks wasting resources if you don't have a specific vision of the smart cards, readers, biometrics, back-end infrastructure and network security scheme, including digital certificates, that will be in place five years from now.

Any plan will be heavily location-conscious. Some buildings may take highest priority for the newest, two-factor access systems; others might safely continue with transitional legacy and converged bridge technology such as new card readers and control panels; and still others can stick with older proximity cards. Some wings within buildings may need no door devices at all.

But don't get too comfortable. Agencies must have all employees using Federal Information Processing Standard 201 PIV cards by October 2008. Accordingly, consider the approaches in the checklist at the end of this article.

In the real world (as opposed to Hollywood) terrorist acts are more often low-tech than high-tech. Terrorists use box cutters and car bombs more often than laser-guided missiles.

Likewise, organizations have become increasingly aware that malicious hackers dialing in from half a world away could actually be a lesser threat than the guy who sneaks through the ancient card-reader lock on the door of a remote outpost.

Recent thefts from government offices of laptop PCs containing sensitive data offer ample evidence that physical-access systems, long the domain of security specialists working with older technologies, are as important to information technology departments as network security measures. (See the chart of physical-access systems below.)

For several years, there has been a serious effort to merge the two. This convergence of physical and IT, or logical, security is the philosophy behind Homeland Security Presidential Directive 12, the federal government's effort to issue personal identity verification, or PIV, smart cards to every employee and contractor. The cards specified in Federal Information Processing Standard 201 will be required for access to both physical assets (typically buildings) and IT assets.

Convergence of the physical and IT security realms brings unprecedented advantages, and proponents highlight likely scenarios. For example, with a secured network that ties IT network security to the physical-access devices on doorways, administrators can make sure that a terminated employee will no longer be able to enter buildings. Every door lock and guard desk will know not to accept their credential. 'When you take someone out of the system, you want to take them out of the system everywhere,' said Sal D'Agostino, executive vice president at CoreStreet, a Cambridge, Mass.-based company that makes smart-card authentication hardware linking the two domains.

Digital systems will also benefit from information captured at physical access points. For example, an employee using a badge to enter the main office can't possibly be logging in to the network 500 miles away. The two events together might mean a cyberintruder.
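The correlation described above can be run over the two logs directly. The following Go program is an added example, not code from the article or from any vendor named in it: it reads constructed badge-reader and VPN log lines, looks up an assumed coordinate for each badge site and each VPN geolocation, and flags any user whose badge event and network event are too far apart for the elapsed time (the site names, log format and 900 km/h threshold are all assumptions for the example).

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Event is one normalized record from either the badge system or the VPN log.
type Event struct {
	When   time.Time
	User   string
	Source string // "badge" or "vpn"
	Lat    float64
	Lon    float64
}

// Constructed lookup tables (assumed for this example): where each badge site is,
// and where the VPN concentrator's geolocation lookup places a source address.
var siteCoords = map[string][2]float64{"HQ-DC": {38.8977, -77.0365}, "FIELD-CO": {39.7392, -104.9903}}
var geoCoords = map[string][2]float64{"Washington": {38.8977, -77.0365}, "Denver": {39.7392, -104.9903}}

// MaxPlausibleKmh: faster than this between two events means one of them was not the badge holder.
const MaxPlausibleKmh = 900.0

// haversineKm is the great-circle distance between two points in kilometres.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const r = 6371.0
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := toRad(lat2-lat1), toRad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * r * math.Atan2(math.Sqrt(a), math.Sqrt(1-a))
}

// parseEvent reads one line of the form "<RFC3339 time> <badge|vpn> key=value ...".
// Malformed lines and unknown sites/geos are skipped rather than guessed at.
func parseEvent(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return Event{}, false
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil || (f[1] != "badge" && f[1] != "vpn") {
		return Event{}, false
	}
	ev, located := Event{When: when, Source: f[1]}, false
	for _, kv := range f[2:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch k {
		case "user":
			ev.User = v
		case "site":
			if c, ok := siteCoords[v]; ok {
				ev.Lat, ev.Lon, located = c[0], c[1], true
			}
		case "geo":
			if c, ok := geoCoords[v]; ok {
				ev.Lat, ev.Lon, located = c[0], c[1], true
			}
		}
	}
	return ev, ev.User != "" && located
}

// ImpossibleTravel returns one finding per badge/VPN pair for the same user that would
// require travelling faster than MaxPlausibleKmh. Findings are sorted for stable output.
func ImpossibleTravel(lines []string) []string {
	byUser := map[string][]Event{}
	for _, l := range lines {
		if ev, ok := parseEvent(l); ok {
			byUser[ev.User] = append(byUser[ev.User], ev)
		}
	}
	var findings []string
	for user, evs := range byUser {
		for i := 0; i < len(evs); i++ {
			for j := i + 1; j < len(evs); j++ {
				a, b := evs[i], evs[j]
				if a.Source == b.Source {
					continue // only cross-domain pairs: a physical event against a network event
				}
				km := haversineKm(a.Lat, a.Lon, b.Lat, b.Lon)
				hours := math.Max(math.Abs(b.When.Sub(a.When).Hours()), 1.0/3600) // near-simultaneous: one second
				if km/hours > MaxPlausibleKmh {
					findings = append(findings, fmt.Sprintf("%s: badge and vpn events %.0f km apart within %.0f min", user, km, hours*60))
				}
			}
		}
	}
	sort.Strings(findings)
	return findings
}

// SampleLog is a constructed excerpt (not real data) mixing both sources.
var SampleLog = []string{
	"2006-10-02T08:15:00Z badge user=jsmith site=HQ-DC",
	"2006-10-02T08:40:00Z vpn user=jsmith geo=Denver",
	"2006-10-02T09:05:00Z badge user=alee site=FIELD-CO",
	"2006-10-02T09:30:00Z vpn user=alee geo=Denver",
	"2006-10-02T12:00:00Z vpn user=bkim geo=Washington",
	"this line is not an event",
}

func main() {
	for _, f := range ImpossibleTravel(SampleLog) {
		fmt.Println(f)
	}
}
```

Only jsmith is flagged: a badge read in Washington and a VPN login from Denver 25 minutes later. The same pair ten hours apart is not flagged, which is the point of a speed threshold rather than a fixed time window.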

Convergence also unites physical and IT security administration. That includes not only the employees but also the network directories, databases and monitoring tools for daily oversight. People charged with staffing or monitoring facilities, guards at federal buildings in Washington, for example, can have some decision-making taken off their shoulders, freeing them for other tasks and lowering the risk of security errors.

D'Agostino said CoreStreet's offerings help answer at least 95 percent of the questions likely to arise. One example: What local resources should be accessible to a person who shows a valid PIV card? 'We can pre-generate these responses,' he said. 'We don't need a secure connection to the database.'

What's more, a well-designed converged architecture provides performance improvements if it has the optimal division of centralized and distributed data processing. D'Agostino said centralizing too much on a single identity repository can burden the network and database with one-to-many hits, and distributing the intelligence allows more one-to-one transmissions. 'In some cases, you never need to touch the door with anything,' D'Agostino said. 'It just needs to see a valid message signed by a trusted source.' To achieve this, read/write PIV cards will carry a personal identification number, biometric and photo, and a digital signature signed by a trusted source, which will enable them to update remote systems.
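The "valid message signed by a trusted source" model can be shown in a few dozen lines. The Go program below is an added example, not CoreStreet's product or code; the message layout (card ID, door ID, expiry, signature), the use of Ed25519 and the locally cached revocation list are all assumptions for the example. The issuer signs a short-lived grant centrally; the door controller decides with nothing but the issuer's public key, its own door ID, its clock and whatever revocation data last reached it, so no database connection is needed at the door. The expiry on each grant also bounds how long a stale revocation cache can keep a cancelled card working, which is the status-data lag the checklist at the end of the article asks vendors about.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
	"time"
)

// Assertion is the message a card would carry to the door: who, where, until when,
// and the issuer's signature over exactly those fields. Layout is assumed for this example.
type Assertion struct {
	CardID   string
	DoorID   string
	NotAfter time.Time
	Sig      []byte
}

// payload is the canonical byte string that is signed and later verified.
// Field values are assumed not to contain the "|" separator.
func (a Assertion) payload() []byte {
	return []byte(strings.Join([]string{a.CardID, a.DoorID, a.NotAfter.UTC().Format(time.RFC3339)}, "|"))
}

// Issue is what the trusted source does centrally: sign a grant for one card, one door, limited time.
func Issue(issuer ed25519.PrivateKey, card, door string, notAfter time.Time) Assertion {
	a := Assertion{CardID: card, DoorID: door, NotAfter: notAfter.UTC()}
	a.Sig = ed25519.Sign(issuer, a.payload())
	return a
}

// Decide is what the door controller does offline. Order matters: the signature is checked
// first so that nothing in an unsigned or altered message influences the later checks.
func Decide(issuerPub ed25519.PublicKey, a Assertion, thisDoor string, now time.Time, revoked map[string]bool) (bool, string) {
	if !ed25519.Verify(issuerPub, a.payload(), a.Sig) {
		return false, "signature invalid or not from the trusted issuer"
	}
	if a.DoorID != thisDoor {
		return false, "grant is for a different door"
	}
	if now.After(a.NotAfter) {
		return false, "grant expired"
	}
	if revoked[a.CardID] {
		return false, "card is on the cached revocation list"
	}
	return true, "ok"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2006, 10, 2, 8, 0, 0, 0, time.UTC) // constructed clock for the example
	grant := Issue(priv, "card-0001", "door-17", now.Add(24*time.Hour))

	fmt.Println(Decide(pub, grant, "door-17", now, nil))
	fmt.Println(Decide(pub, grant, "door-18", now, nil))
	fmt.Println(Decide(pub, grant, "door-17", now.Add(48*time.Hour), nil))
	fmt.Println(Decide(pub, grant, "door-17", now, map[string]bool{"card-0001": true}))

	tampered := grant
	tampered.CardID = "card-0002" // changing any signed field invalidates the signature
	fmt.Println(Decide(pub, tampered, "door-17", now, nil))
}
```

A door that only holds a public key cannot be used to mint grants if it is physically compromised, which is one reason to keep signing keys at the issuer and not in closet panels.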

But centrally managed databases can be effective even in less-automated local setups. It's the approach FIPS-201-approved integrator BearingPoint used when it implemented the Transportation Worker Identification Credential program at 28 sites overseen by the Transportation Security Administration. Some sites have what's called swivel-chair integration, with guards at desks looking up authentication information on the central database, said Gordon Hannah, a BearingPoint managing director who worked on TWIC.

He added that local authorities will still handle visitor control and policy, for which they might be granted the power to issue credentials that work only at that location. In contrast, 12 deepwater ports in Florida have a single system that automates transmission of centrally issued credentials in addition to suspension and revocation, he said.

Card tricks

Vendors say the federal government relies primarily on proximity cards, many of them made by HID Global. But FIPS-201 requires faster-transmitting, larger-memory smart cards and readers that follow International Organization for Standardization specification 14443. It also requires backward compatibility with the proximity card specification. Thus, so-called dual-technology card readers are a promising technology.

'The question is, do you go for cards first, or readers first,' said Mark Diodati, an analyst at Burton Group. He also recommended that agencies strongly consider card management systems, which provide the workflow tools to handle the upfront vetting required by HSPD-12.

Physical-access control systems are the workhorses of physical security with command-and-control hubs for electronic door locks and readers, closet panels that accept the remote devices' usually proprietary relays, and a central server to manage them. The newer systems can handle other hardware, such as surveillance cameras and alarms.

But many physical-access control readers can't transmit enough bits to encode the new, 40-digit ID number required in federal specifications. 'You can make that new card work with the legacy systems, but there are risks,' Hannah said.
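The bit-width problem can be made concrete. The Go program below is an added example, not code from the article or any vendor it names: it computes how many bits a reader must pass to carry every 40-digit identifier without loss, and shows what happens when a legacy reader or panel that can only pass a fixed number of bits (26 is assumed here as a typical legacy width) keeps the low-order bits of the full number and drops the rest: two distinct cards become indistinguishable at the panel. The identifier value is constructed.

```go
package main

import (
	"fmt"
	"math/big"
)

// BitsForDecimalDigits returns how many bits are needed to represent every n-digit decimal
// identifier without loss: the bit length of 10^n - 1, computed exactly with big integers.
func BitsForDecimalDigits(n int64) int {
	top := new(big.Int).Exp(big.NewInt(10), big.NewInt(n), nil)
	top.Sub(top, big.NewInt(1))
	return top.BitLen()
}

// LowBits models a reader/panel that can only pass `bits` bits: it keeps the low-order bits
// of the full number and drops the rest. Returns false for a non-decimal string or bits > 64.
func LowBits(id string, bits uint) (uint64, bool) {
	n, ok := new(big.Int).SetString(id, 10)
	if !ok || n.Sign() < 0 || bits > 64 {
		return 0, false
	}
	mask := new(big.Int).Lsh(big.NewInt(1), bits)
	mask.Sub(mask, big.NewInt(1))
	return new(big.Int).And(n, mask).Uint64(), true
}

// CollidingID returns a different decimal ID (id + 2^bits) that a bits-wide path cannot
// distinguish from id, because both truncate to the same low-order bits.
func CollidingID(id string, bits uint) (string, bool) {
	n, ok := new(big.Int).SetString(id, 10)
	if !ok {
		return "", false
	}
	n.Add(n, new(big.Int).Lsh(big.NewInt(1), bits))
	return n.String(), true
}

func main() {
	const id = "1234567890123456789012345678901234567890" // constructed 40-digit identifier
	const legacyWidth = 26                                 // assumed legacy reader/panel width
	fmt.Println("bits needed for 40 decimal digits:", BitsForDecimalDigits(40))
	other, _ := CollidingID(id, legacyWidth)
	a, _ := LowBits(id, legacyWidth)
	b, _ := LowBits(other, legacyWidth)
	fmt.Printf("%s and %s both arrive as %d on a %d-bit path (collision: %v)\n", id, other, a, legacyWidth, a == b)
}
```

Any scheme that maps the long identifier onto a short legacy field, whether by truncation or by a locally assigned short number, needs a collision check at enrollment time and a record of the mapping, which is the sort of risk Hannah alludes to.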

There is a push to upgrade some access-control hardware to IP to link them to logical systems, but the move is tricky. Card readers and panels must continue to operate during power outages, a weakness of IP networks. But Lenel Systems International, a maker of physical-access software, has focused much of its recent development on IP. One example: a new controller panel, the LNL-2200, an Ethernet card that can handle reader transmissions from two doors and be strung along in groups of 32.

Lenel product manager Erik Larsen said the closet is the best place to install IP. 'There is a big push right now for IP-based readers,' he said. 'We don't see much value in it. The reason is the reader is on the nonsecured side,' that is, outside the door.

Another issue is that physical-access control systems have no standards for cross-vendor interoperability. Most of the standardization problems are being tackled by the Physical Access Interagency Interoperability Working Group of the Government Smart Card Interagency Advisory Board.

Mike Butler, program manager of the General Services Administration's Managed Service Office and, until recently, chairman of IAB, who now works on GSA's HSPD-12 effort, said another ISO standard, 24727, for multiapplication smart cards, holds promise for access control. But, he said, ISO standards aren't a panacea. 'You can call it an ISO standard, but it doesn't mean anyone has to follow it.' A GSA-approved test lab also aids standardization, but he said it only tests if card data is in the proper format. 'It brings everybody up to a certain level. It still doesn't guarantee anything.'

Many manufacturers of IT network infrastructure are seeking convergence through partnering with physical-access vendors. Novell, for example, recently got together with Honeywell to link their identity-assurance and physical-access software.

Another promising standard, Service Provisioning Markup Language 2.0, ratified by the Organization for the Advancement of Structured Information Standards in April 2006, has as its goal to tie provisioning (setting employees up with the resources for their jobs and removing them when they leave), card-management and physical-access systems together in the proper hierarchy. 'Physical-access systems are just beginning to [become] more open and interoperable,' he said, adding that such systems would benefit from IT directory standards, such as Lightweight Directory Access Protocol.

One final option: shared-services providers such as the one EDS will build for GSA to handle HSPD-12 vetting and enrollment for agencies that don't want to do it themselves.


Physical-access systems

Vendor, product and major features:

ActivIdentity, (800) 529-9499, www.actividentity.com
  • ActivID Card Management System: CMS; customizable workflows, tamper-evident auditing, distributed batch of service-bureau issuance, PKI registration/credentialing, Java cards

AMAG Technology, (800) 889-9138, www.amag.com
  • Symmetry Homeland: PACS; alarm, opt. video, monitoring, visitor management, badging, graphical maps, Windows single- or multiple-server configuration, unlimited clients/readers/cardholders
  • Symmetry M2150 8DBC Controller: Control panel; eight doors/16 readers/250,000 cardholders, serial, dialup, and TCP/IP connections, 32 controllers per system, optional video monitoring

CoreStreet, (617) 661-3554, www.corestreet.com
  • Card-Connected Access Control: Wireless/card-connected access points; user rights and audit data propagated on card, wall-mounted readers, door locksets available from third-party partners
  • PIVMAN System: Wireless/wired handheld card reader; off-line operation, activity logs, multiple databases, CoreStreet server software, available with CoreStreet shared-service providers

Hirsch Electronics, (888) 809-8880, www.hirschelectronics.com
  • DIGI*TRAC Controllers: Control panel; serial, TCP/IP, and dialup, up to 64 outputs, ScramblePad or PC remote programming, alarm monitoring, modular, multisite scalability
  • ScrambleSmart: Card reader/access control box; dual-technology personal identification number/bar code/biometric/smart-card entry, heavy-duty construction

Honeywell Integrated Security, (414) 766-1700, www.honeywellintegrated.com
  • N-1000 Series Controllers: Control panel; up to four doors, 31 controllers/25,000 cards per system, distributed database for optional offline operation, serial, dialup, and TCP/IP connections
  • Pro-Watch Security Management Software Suite: PACS; central and remote Windows servers, replicated cardholder database, distributed card activation/deactivation and status updating, HR interface, video support

Imprivata, (877) 663-7446, www.imprivata.com
  • OneSign Physical/Logical: Convergence appliance; consolidated authentication repository, failover, instant physical/logical user lockout, centralized monitoring/reporting; Lenel, S2, Tyco integration

Lenel Systems International, (585) 248-9720, www.lenel.com
  • IdentityDefender Suite: Identity management system; end-to-end PKI-based workflow, Web-based enrollment, card production and issuance, support for physical and logical security
  • Lenel Open Card Reader: Multitechnology reader; 125KHz and 13.26MHz proximity, 13.26MHz vicinity, optional General Services Administration-approved PIV cards, modular keypad

S2 Security, (781) 237-0800, www.s2sys.com
  • S2 Netbox Access Control: Convergence appliance; dual reader/keypad, alarm, optional video, photo ID support, multiple card technologies, scheduled portal unlock, enrollment, access histories

SCM Microsystems, (510) 360-2300, www.scmmicro.com
  • Physical Access Control Terminals (PACT): Contact/contactless card reader; federal smart-card standards (PAIIWG, NIST, GSC-IS 2.1, etc.), 3DES authentication, optional PIN pad, biometric reader, indoor or outdoor use

Software House (Tyco Fire & Safety), (800) 507-6268, www.tycofireandsecurity.com
  • C*Cure 9000 Event Management System: Client/server software for centrally monitoring security systems (alarms, video cameras, etc.); badging modules, graphical maps, push installation, .NET integration

XTec, (305) 265-1565, www.xtec.com
  • AuthentX System: Card issuance/authentication/revocation system; decentralized card enrollment/issuance, optional centralized card production, GSA spec, optional biometric scanners

CMS = card management system

GSC-IS = Government Smart Card Interoperability Specification

OCSP = Online Certificate Status Protocol

PAIIWG = Physical Access Interagency Interoperability Working Group's Physical Access Control System, Smart Card Technical Guidance

PACS = physical-access control system

PKI = public-key infrastructure security technology for issuing digital certificates


David Essex is a freelance technology writer based in Antrim, N.H.

Planning checklist

  • If using a systems integrator (almost a necessity, given the complexity of the architecture), make sure it is on the FIPS-201 approved list.

  • Don't be mesmerized by technology and think it alone will solve most problems. FIPS-201 is really about process. You'll do better asking a vendor or integrator how they envision the connection to the issuing authority and whether the lag time for getting status data will meet your security needs. High-value sites might require daily, rather than weekly, updates if card volume is high, and you can't risk a single loophole.

  • Don't take card reader quality for granted. Look for International Organization for Standardization 9001 quality control and adequate mean time between failures, and make sure the ones planned for outdoor locations are sufficiently waterproof and ruggedized, especially those with biometric features.

  • Examine maintenance guarantees and prices to ensure turnaround times meet your security requirements.

  • If considering a card management system, make sure it interfaces with the card-provisioning system you plan to buy.
