Preparing for integrated physical and logical access control: The common authenticator


Mark Diodati
09.18.2007


A common authenticator for both physical and logical (i.e., IT) authentication can provide a single credential that enables rights to corporate resources, timelier user life cycle management and improved physical access controls.

The benefits are compelling, but let's face facts: implementing a common authenticator requires much heavy lifting and can take several years. There are various dimensions to the problem, including:

  • Smart card personalization and distribution
  • Upgrade of physical access control systems
  • Emergency access procedures

Smart card personalization and distribution
The process of making the smart card ready for the user is called personalization. The procedure includes: printing the user's picture, installing applets and PKI (X.509) certificates, and binding the smart card to both the user and the physical access system.

In most cases, a smart card management system (CMS) is a deployment requirement. Important considerations when evaluating a CMS include:

  • Platform support. The CMS needs to support the vendors' physical access systems, smart cards and printer products.
  • Remote applet distribution capabilities. Java card applets provide most smart card functionality, and the CMS can deliver new applets after the smart cards have been distributed to the users.
  • Key escrow and recovery capabilities. Such features can recreate the user's PKI credentials on a new smart card in the event that the previous card is destroyed or lost.
  • Provisioning system integration. Integration provides a single authoritative source of identity information and consistent access rights.
  • Administrative delegation and scoping capabilities. These components enable the secure management of smart cards across the organizational hierarchy.

It's easy to see why the distribution of smart cards to an organization's employees is considered "heavy lifting." The process can take months or even years, and the many important details require careful planning. The distribution of smart cards to "virtual" employees, those who rarely visit a campus, requires special attention.

Upgrade of physical access control systems
It's a toss-up as to which activity causes more organizational heartburn: the distribution of smart cards, or the upgrading of the physical access systems across an organization's campuses. Organizations may have a wide spectrum of physical access technologies across their environments, from keys to magnetic stripes to biometric authenticators to contactless tools. As part of the planning process, an organization should inventory its campus-wide physical access system and determine what upgrades are necessary for the implementation of a common authenticator.

While there is wide variability, the typical components of modern physical access systems include readers, controllers, security servers (hosts), and, of course, cards. Even if some of these components are present, the organization may still need to upgrade them. During the gradual migration to a common authenticator, multi-technology readers, or even controllers, may be required to enable the use of various card types. Controllers may also need to be upgraded to work over Ethernet instead of a serial protocol (e.g., RS-232 or RS-485). Such improvements can better support a more modern architecture and an organization's physical-logical convergence goals.

Emergency access procedures
It's a fact of life: users will forget their smart cards at home. Without them, they cannot access applications, workstations, buildings, and maybe the parking lot or the bathroom. With proper emergency access measures, such a lapse should be only a temporary problem. The organizational challenge is to implement emergency access procedures that give forgetful, card-less users timely access to resources, and to do so in a cost-effective manner. Some tricks of the trade include:

  • Self-service kiosks in the building entrance where employees can authenticate and get a temporary smart card.
  • IT software management tools that temporarily allow the user to authenticate with a password instead of a smart card. Examples include: Windows workstation policy management tools and Web access management products (e.g., CA's SiteMinder).
  • Physical access readers with PIN pads that enable the user to temporarily authenticate with an identification number.

Even in the face of the many details mentioned above, planning for a common authenticator appears more daunting than it really is. If the organization defines achievable milestones and exercises vigilance against the temptation of expanding and redefining the objective of the project, implementation is possible.

About the author:
Mark Diodati, CPA, CISA, CISSP, MCP, CISM, has served as vice president of worldwide IAM for CA, as well as senior product manager for RSA Security's smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous publications, and has been referenced as an authority on IAM in a number of academic and industry research publications.
