Preparing for integrated physical and logical access control: The common authenticator


Mark Diodati
09.18.2007


A common authenticator for both physical and logical (i.e., IT) authentication can provide a single credential that enables rights to corporate resources, timelier user life cycle management and improved physical access controls.

The benefits are compelling, but let's face facts: implementing a common authenticator requires much heavy lifting and can take several years. There are various dimensions to the problem, including:

  • Smart card personalization and distribution
  • Upgrade of physical access control systems
  • Emergency access procedures

Smart card personalization and distribution
The process of making the smart card ready for the user is called personalization. The procedure includes: printing the user's picture, installing applets and PKI (X.509) certificates, and binding the smart card to both the user and the physical access system.

In most cases, a smart card management system (CMS) is a deployment requirement. Important considerations when evaluating a CMS include:

  • Platform support. This is necessary for vendor physical access systems, smart card and printer products.
  • Remote applet distribution capabilities. Java card applets provide most smart card functionality, and the CMS can deliver new applets after the smart cards have been distributed to the users.
  • Key escrow and recovery capabilities. Such features can recreate the user's PKI credentials on a new smart card in the event that the previous card is destroyed or lost.
  • Provisioning system integration. Integration provides a single authoritative source of identity information and consistent access rights.
  • Administrative delegation and scoping capabilities. These components enable the secure management of smart cards across the organizational hierarchy.

It's easy to see why the distribution of smart cards to an organization's employees is considered "heavy lifting." The process can take months or even years, and the many important details require careful planning. The distribution of smart cards to "virtual" employees, those who rarely visit a campus, requires special attention.

Upgrade of physical access control systems
It's a toss-up as to which activity causes more organizational heartburn: the distribution of smart cards, or the upgrading of the physical access systems across an organization's campuses. Organizations may have a wide spectrum of physical access technologies across their environments, from keys to magnetic stripes to biometric authenticators to contactless tools. As part of the planning process, an organization should inventory its campus-wide physical access system and determine what upgrades are necessary for the implementation of a common authenticator.

While there is wide variability, the typical components of modern physical access systems include readers, controllers, security servers (hosts), and, of course, cards. Even if some of these components are present, the organization may still need to upgrade them. During the gradual migration to a common authenticator, multi-technology readers, or even controllers, may be required to enable the use of various card types. Controllers may also need to be upgraded to work over Ethernet instead of a serial protocol (e.g., RS-232 or RS-485). Such improvements can better support a more modern architecture and an organization's physical-logical convergence goals.

Emergency access procedures
It's a fact of life: users will forget their smart card at home. Without it, they cannot access applications, workstations, buildings, and maybe the parking lot or the bathroom. With proper emergency access measures, such an error should only be a temporary one. The organizational challenge is to implement emergency access procedures that give forgetful, card-less users timely access to resources. The access processes must also do so in a cost-effective manner. Some tricks of the trade include:

  • Self-service kiosks in the building entrance where employees can authenticate and get a temporary smart card.
  • IT software management tools that temporarily allow the user to authenticate with a password instead of a smart card. Examples include: Windows workstation policy management tools and Web access management products (e.g., CA's SiteMinder).
  • Physical access readers with PIN pads that enable the user to temporarily authenticate with an identification number.

Even in the face of the many details mentioned above, planning for a common authenticator appears more daunting than it really is. If the organization defines achievable milestones and exercises vigilance against the temptation of expanding and redefining the objective of the project, implementation is possible.

About the author:
Mark Diodati, CPA, CISA, CISSP, MCP, CISM, has served as vice president of worldwide IAM for CA, as well as senior product manager for RSA Security's smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous publications, and has been referenced as an authority on IAM in a number of academic and industry research publications.
