The marriage of physical and logical access: unifying the keys to the kingdom.
Access control is the mechanism by which a system grants or restricts the right to access facilities (physical access) or computer networks and data (logical access). Many large enterprises have already deployed technology for physical security. Employees with the appropriate clearances or permissions are provided with smart identification (ID) cards that verify their rights and privileges. Once presented, scanned or inserted into readers, these credentials permit access to secure areas of the workplace, which often include parking garages, manufacturing facilities, and research and development laboratories.
Smart Cards: The Foundation for Stronger Authentication
Although businesses have long realized the necessity of smart card-based physical access control, the adoption of smart card-based logical access control is occurring at a slower rate. This lag is somewhat surprising, considering how much easier it is to compromise intellectual property than to breach a physical perimeter. There is obvious value in preventing unauthorized persons from entering restricted areas. However, physical access control provides a very limited degree of protection for computer resources, which can include networks, PCs, workstations and laptops.
In today's digital world, the majority of business assets are in electronic form. The data that resides on computer networks is sensitive and proprietary, and includes everything from financial information to product plans. If this data were to become compromised, a company could lose its competitive edge, and even its customers. Additionally, today's workforce is not as stable as it once was. A high turnover rate and increased use of outsourcing means that more people have access to corporate data. For global enterprises with thousands of employees, there is an exponentially higher potential for information security breaches.
Unfortunately, many enterprises still remain reactionary when it comes to network security. The need for, and value of, network security becomes evident only when there is an actual attempt to compromise information. But this viewpoint is changing, and recent legislation is affecting business processes for protecting, retaining and managing data. A worst-case scenario exists in heavily regulated industries such as financial services and healthcare, which handle highly sensitive information and bear extra responsibility for maintaining data integrity and privacy. Should information be leaked, the potential liability is enormous.
Considering the ramifications of unauthorized access to data, it is unsettling that many enterprises still use only user names and passwords for logical access control. A separate user name and password are created for each user, and for each application that he or she needs to access. This creates two major problems. First, user names and passwords are the lowest form of authentication that exists. They are easily compromised (often written down and easy to share with others) and therefore do not provide the high level of assurance necessary to protect critical data. Secondly, passwords are a headache for both users and IT staff. Employees often have so many passwords that they invariably forget them and have to call the help desk to either retrieve or reset them. This costs the IT department valuable time and resources, resulting in lower productivity and higher support costs for the organization.
Increased security risks, combined with the weakness and inefficiency of the user name and password model, are now driving the need for smart card-based logical access control. Defined at its highest level, a smart card is a credit-card sized plastic card that includes an embedded computer chip. The chip can either be a microprocessor with internal memory or a memory chip alone. There are two general categories of smart cards: contact and contact-less smart cards. A contact smart card requires insertion into a smart card reader, while a contact-less card requires only close proximity to a reader. Smart cards can store large amounts of data, carry out on-card functions such as encryption and digital signatures, and interact intelligently with a smart card reader.
Already widely implemented by both commercial organizations (such as top-tier financial institutions) and government agencies (such as the State Department and the Department of Defense), smart cards provide higher security via two-factor authentication. This requires something the user knows (a password) and something the user has (the smart card). Smart cards also provide stronger authentication since they are based on Public Key Infrastructure (PKI) technology. The evolution of enterprise credential management now dramatically reduces the heavy administrative burden often associated with the initial deployments of PKI, when registration authority models were more complicated. PKI is an architecture of trust that supports a certificate-based public key cryptographic system. PKI uses a combination of public and private keys to authenticate identity, and typically includes digital certificates, a certificate issuance authority and a registration capability.
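The two paragraphs above describe the mechanism in words: a private key held on the card (something the user has), released only by a PIN (something the user knows), and a certificate issued by the enterprise's certificate authority that lets the network verify the holder without storing any per-user secret. The following Go program is an added illustration of that exchange and is not code from the article or from SSP-Litronic; it simulates the card in software (a real card keeps the key in a secure element), and the employee name, PIN, CA name, hashed-PIN storage and three-try lockout are all constructed assumptions. It goes slightly beyond the text by also showing the two checks a logon service relies on: the certificate must chain to the enterprise CA, and the signature must cover a fresh random challenge so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must panics on error; key generation and certificate creation are not expected to fail here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SmartCard is a software stand-in for the card: the private key never leaves it, and it signs
// only after the holder proves the PIN. The hashed PIN and three-try lockout are assumptions.
type SmartCard struct {
	priv      *ecdsa.PrivateKey
	certDER   []byte // certificate issued to the holder by the enterprise CA
	pinHash   [32]byte
	triesLeft int
}

// Sign returns the holder's certificate and a signature over the challenge,
// but only after PIN verification; wrong PINs count down to a lockout.
func (c *SmartCard) Sign(pin string, challenge []byte) (certDER, sig []byte, err error) {
	if c.triesLeft == 0 {
		return nil, nil, errors.New("card locked")
	}
	if h := sha256.Sum256([]byte(pin)); subtle.ConstantTimeCompare(h[:], c.pinHash[:]) != 1 {
		c.triesLeft--
		return nil, nil, errors.New("wrong PIN")
	}
	c.triesLeft = 3
	digest := sha256.Sum256(challenge)
	sig, err = ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
	return c.certDER, sig, err
}

// Verifier is the logical-access side (a logon service): no per-user secrets, only trusted CA roots.
type Verifier struct{ roots *x509.CertPool }

// Authenticate checks the certificate chain and the signature over a fresh
// challenge, returning the authenticated subject name on success.
func (v *Verifier) Authenticate(challenge, certDER, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", errors.New("certificate not trusted: " + err.Error())
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not verify")
	}
	return cert.Subject.CommonName, nil
}

// IssueCredentials plays the CA and registration roles: it creates a self-signed enterprise CA,
// issues a client-authentication certificate to the employee, and returns the personalized card
// plus a verifier that trusts that CA.
func IssueCredentials(employee, pin string) (*SmartCard, *Verifier) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Enterprise CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	cardKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cardTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: employee},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	cardDER := must(x509.CreateCertificate(rand.Reader, cardTmpl, caCert, &cardKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	card := &SmartCard{priv: cardKey, certDER: cardDER, pinHash: sha256.Sum256([]byte(pin)), triesLeft: 3}
	return card, &Verifier{roots: roots}
}

// Logon runs one complete exchange: fresh random challenge from the service,
// PIN-gated signature from the card, chain and signature check by the service.
func Logon(card *SmartCard, v *Verifier, pin string) (string, error) {
	challenge := make([]byte, 32)
	must(rand.Read(challenge))
	certDER, sig, err := card.Sign(pin, challenge)
	if err != nil {
		return "", err
	}
	return v.Authenticate(challenge, certDER, sig)
}
```

The point to notice is where the secrets live: the service holds only the CA's public certificate, so a compromise of the logon server yields nothing that impersonates a user, which is the structural advantage over a password database; the PIN on its own is useless without the card, and the card on its own stops signing after a few wrong PINs.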
Unifying the Keys to the Kingdom
With smart card-based physical access already in place at many enterprises, the next logical step is to provide the same level of protection for digital assets. Physical access control provides a first line of defense, but a multi-layered approach is required for truly proactive security. As such, there is a compelling argument to implement smart cards for logical access. In fact, businesses are beginning to realize the benefits in cost savings, ease of use and increased security by "marrying" physical and logical access control onto a single platform. Instead of adding technological and management complexities by having separate access control systems for physical facilities and electronic data, it makes more sense to combine the two solutions and gain higher assurance, cost savings, efficiency and ease of use.
Since multiple access applications can be performed on a single smart card, employees can use one card to access both physical and logical resources without carrying multiple credentials. From the doorways to the desktops, one convenient solution provides the secure identity management, strong authentication and access control necessary to safeguard both physical and intellectual assets. The Department of Defense has already realized the importance of this with its Common Access Card (CAC) program. A smart card-based CAC is issued to all military and civilian employees and contractors. These cards are used to digitally sign and encrypt documents, in addition to providing secure access to buildings and computer networks.
The marriage of physical and logical access into a single solution builds an infrastructure of increased trust. Deploying smart cards to employees, partners and other key individuals is a proactive enterprise approach to higher assurance. Except for information that requires little or no protection, user names and passwords will one day be considered an unacceptable access control mechanism, as they are easily forgotten or compromised. The multi-factor authentication and PKI architecture offered by smart cards vastly decreases the likelihood that unauthorized users will gain access to sensitive data. Today's credential management solutions help manage heterogeneous environments that combine all of the usual access management models, such as passwords, software certificates and hard physical tokens, allowing migration by department or group from one model to another.
Contrary to common assumptions, smart cards provide significant ROI in terms of both cost savings and increased security, especially for global enterprises with thousands of employees dispersed worldwide. Supporting system components can be networked, allowing separate functional areas in an organization to exchange and coordinate information automatically and in real time around the world. Organizations that already have smart card-based physical access in place can simply expand card use to protect network resources and benefit from an easily scalable solution. Legacy systems, including physical access system components, can be leveraged for investment protection while providing increased security for logical access. Enterprises can also reduce their IT support costs with the implementation of smart cards. Although the perceived low cost of user names and passwords may have contributed to their popularity, the real expense occurs on the back end with support and password management costs.
Ease of use is another compelling argument for marrying physical and logical access onto a single platform. Users will not have to carry multiple credentials, nor will they need to remember multiple passwords or PINs to access applications and data. Instead, they will have one smart card that can be used for everything.
Many companies treat the integration of physical and logical security as a purely technical effort. They overlook the old computing adage that automating a broken process only produces problems faster. The same logic applies to integrating physical and logical security, because in nearly all companies the two functions exist as separate organizational and reporting structures, typically described as two silos, each reporting up through a different management chain. While this is not ideal, the organizational chasm can be bridged by having physical security participate in the integration along three important lines of activity:
* Conducting formal vulnerability and risk assessments
* Developing enforceable policies and helping to enforce them
* Providing oversight for change processes that are conducted by IT on the IT systems
The combination of integrating security organizationally and the use of smart cards will keep almost every company out of harm's way. The smart card will reduce the likelihood of your company experiencing a loss. It will also increase the likelihood that, if you do experience a loss, you will be able to trace and reconstruct the incident. Addressing physical and logical security integration and smart card implementation is also the foundation for avoiding legal liability.
In conclusion, smart card-based physical and logical access control provides a superior foundation for secure identity management. By unifying the keys to the kingdom, enterprises can protect their assets and employees' personal information, while addressing regulatory requirements and reducing potential liability. Today, smart cards are the most viable way to expand security to the edge of the enterprise.
Moses De Los Santos is vice president of Business Development, Commercial Sales Group, at SSP-Litronic (Irvine, CA)
Title Annotation: Disaster Recovery & Backup/Restore
Author: De Los Santos, Moses
Publication: Computer Technology Review
Date: Jun 1, 2004