Security Today: Finding Flexible Systems in the Age of Converged Security
June 18, 2020
Considerations for selecting government-grade security solutions
By David Helbock
via Security Today Magazine
While access control is an essential consideration for any business, nowhere is it more necessary to maintain real-time oversight of who is on-premise than in a governmental facility — whether at the federal, state or local level.
Leveraging the proper technology to achieve this goal helps create a space that is safe and secure, but also accessible to authorized individuals. In areas with highly sensitive information, having security measures in place that are cutting-edge, impenetrable, and trusted is of the utmost importance.
Considering that government facilities range from basic office space, often in shared buildings, to law enforcement, intelligence, diplomatic, military, judicial, correctional, and research facilities, physical access control and identity management systems must be flexible, reliable, connected, and secure at all times. In particular, there are a few key requirements to keep in mind when selecting a government-grade access control solution.
Federal Identity, Credential, and Access Management (FICAM)
Since its creation in the fall of 2008, the Identity, Credential, and Access Management (ICAM) program has focused on addressing challenges, pressing issues, and design requirements for digital identity, credential, and access management.
It also focuses on defining and promoting consistency across approaches for implementing ICAM programs as reflected in the FICAM Roadmap & Implementation Guidance (FICAM Roadmap). The FICAM Roadmap was developed to outline a common framework for ICAM within the federal government and to provide supporting implementation guidance for federal agencies as they plan and execute a segment architecture for ICAM management programs. FICAM compliance is mandatory in all government buildings, so it is crucial to choose a solution that abides by these protocols.
Advanced FICAM solutions will address the typical pain points associated with FICAM compliance through ease-of-use and by planning for future upgrades to PIV reader capabilities as standards evolve. End-users should choose a technology partner that is established and has a portfolio of products dedicated to FICAM compliance; however, they should also select a provider that is well-positioned to develop new solutions as the threat landscape continues to evolve.
Trustworthy technology partners will be able to provide a convenient, compliant solution that is capable of leveraging existing systems while also being future-proof as new security recommendations are made down the road. Of all the considerations to take into account, FICAM compliance is the most necessary, as it is a federal requirement.
One of the most significant needs for flexibility is a result of the ongoing growth and changes an organization experiences. For example, if an end-user reaches out and wants to add to the system a new building with 38 doors that need to be secured, or if they decide to renovate a wing of an existing facility with drastically increased access protocols, they will want the ability to seamlessly add these functions to their current platform.
Choosing an access control provider that has a mix of on-premises and cloud-based solutions ensures users have the scalability they need. In addition to the flexibility in the previous example, users can also save money on hardware by virtualizing environments.
For example, if a government agency has 60 systems all running on their own networks, users can opt to centrally manage all of these locations. This approach allows users to leverage existing systems while simultaneously eliminating the need for 60 separate systems, which are costly to maintain. From licensing to administrative costs, partnering with a provider that has the capability to converge the management of multiple solutions into one is necessary when planning for the future.
Cloud-based access control is one way to accomplish this by granting organizations the ability to effortlessly make changes to their systems when needed. Users can begin by defining their current demands and leverage the cloud to meet such needs, instead of investing in the high-expense servers and technologies of traditional systems that may become obsolete or need to be expanded in the future at further expense to the organization. Agencies can work with cloud-smart companies to continually redefine their needs and establish a price that fits their specific use.
According to the 2019 Verizon Data Breach Report, almost 80 percent of all network intrusions detailed in the survey were the result of the exploitation of weak authentication systems (password hacks), the same result as their 2013 study. It is no wonder Bill Gates himself declared the password dead in 2004.
But old habits die hard — especially if they are cheap and easy. When you consider that the average cost to U.S. companies of a data breach is more than $8 million, clinging to these single-factor authentication systems is anything but inexpensive.
Organizations, particularly government agencies, have woken up to the fact that the current cybersecurity situation is broken and are looking for better solutions. Many of those organizations rely on physical security solution providers to deliver secure, reliable physical access control solutions, and many are now turning to those same providers to bring the same level of security to the virtual world. There are a few essential cybersecurity tools that all government agencies should leverage, many of which are also FICAM requirements.
Implementing Multi-Factor Authentication Protocols
Multi-factor authentication is essential for government security and is also a central component in achieving FICAM compliance. Every major hacking incident in the past decade — from Target to Ukraine’s power grid — has had one thing in common: the lack of multi-factor authentication. Usernames and passwords, even the most secure and frequently changed ones, are still susceptible to being compromised. The very best passwords can, with the right equipment, be cracked in a matter of weeks. With multi-factor authentication, users add an additional element to the log-in process that makes hacking nearly impossible.
Multi-factor authentication can include various elements, from the inclusion of biometrics to the use of one-time passwords. The most common form of multi-factor authentication is two-factor authentication. Two-factor authentication requires something you have and something you know. In 2004, President George W. Bush signed HSPD-11, which began the U.S. government’s road toward mandated two-factor authentication.
From that directive, the government settled on using a smart card with encrypted security certificates — something you have — and a six- to eight-digit personal identification number (PIN) — something you know — as a requirement for access to all government systems. The smart card also offers a third authentication factor — something you are — such as a biometric template (e.g., a fingerprint).
Still, it is important to note that not all multi-factor authentication protocols are created equal. Both native and third-party tools for web access and email, the two most common needs of an employee on their mobile device, are either completely absent or else lack the features needed for an enterprise deployment.
Luckily, as manufacturers have specialized and become more acquainted with the government space, they have developed a series of applications that meet these challenges and conform to FICAM compliance.
For Identiv, that meant developing an entire suite of different applications that provide users with the ability to use two-factor authentication to access websites and to sign, encrypt, and decrypt email (S/MIME).
Physical and Logical Access Control Convergence
Working with a physical access control system (PACS) provider to address logical access control system (LACS) security issues by converging the two areas can provide several advantages, including the following:
- Physical access control. PACS data can be encoded into a high-frequency portion of the card for organizations, like government agencies, demanding a more secure platform than proximity. This high-frequency contactless interface protects the data exchange between card and reader with a secure, standards-based encryption technique, eliminating the chance of anyone “cloning” the card data.
- Two-factor logical access control. This protocol allows workers to securely log onto desktops, laptops, VPNs, and mobile devices. Some smart cards have a contact element that includes PKI public and private encryption keys and certificates, providing a secure means to log onto computers without having to remember complex passwords, or more likely, write them down.
- Protect data in transit. Digitally sign and encrypt emails.
- Protect data at rest. Encrypt files and hard drives.
- Secure mobile devices. Generate one-time passwords (OTPs) for secure login.
- Secure access to web apps. Access Office 365, Google Drive, Salesforce.com, and more.
- Physical ID. Design and print badges as would be done with any badging system.
The convergence of PACS and LACS solutions can significantly enhance the overall security of any organization. Applying advanced, two-factor physical access control concepts and technologies to cyber and network security can help overcome the inherent limitations of single-factor password technology.
As organizations begin this convergence in earnest, these advantages will undoubtedly result in reduced risk, improved risk management, and operational efficiencies, and are considerations all users should make when choosing an access control system.
Ask yourself: “Can my PACS provider also contribute to heightened levels of cybersecurity?” If the answer is no, you should continue your search elsewhere.
The Bottom Line
When choosing an access control system, it is vital to keep these tips in mind to be sure a system meets all compliance regulations and has room to grow as needs evolve.
When in doubt, partnering with a trusted technology provider that has established itself as a government-grade supplier is one way to be sure all of these points are considered. Federal security is unlike security for other vertical markets and requires a specialized and focused understanding of current trends and regulations.