The logic behind physical-access controls
Unified security systems help manage threats, whether it's a hacker in China or a shady visitor at the front gate
- By David Essex
- Jul 23, 2007
In the real world, as opposed to Hollywood, terrorist acts are more often low-tech than high-tech. Terrorists use box cutters and car bombs more often than laser-guided missiles.
Likewise, organizations have become increasingly aware that malicious hackers dialing in from half a world away could actually be a lesser threat than the guy who sneaks through the ancient card-reader lock on the door of a remote outpost.
Recent thefts from government offices of laptop PCs containing sensitive data offer ample evidence that physical-access systems, long the domain of security specialists working with older technologies, are as important to information technology departments as network security measures. (See chart, Page 36.)
For several years, there has been a serious effort to merge the two. This convergence of physical and IT, or logical, security is the philosophy behind Homeland Security Presidential Directive 12, the federal government's effort to issue personal identity verification, or PIV, smart cards to every employee and contractor. The cards specified in Federal Information Processing Standard 201 will be required for access to both physical assets (typically, buildings) and IT assets.
Convergence of the physical and IT security realms brings unprecedented advantages, and proponents highlight likely scenarios. For example, with a secured network that ties IT network security to the physical-access devices on doorways, administrators can make sure that a terminated employee will no longer be able to enter buildings. Every door lock and guard desk will know not to accept their credential. 'When you take someone out of the system, you want to take them out of the system everywhere,' said Sal D'Agostino, executive vice president at CoreStreet, a Cambridge, Mass.-based company that makes smart-card authentication hardware linking the two domains.
Digital systems will also benefit from information captured at physical access points. For example, an employee using a badge to enter the main office can't possibly be logging in to the network 500 miles away. The two events together might mean a cyberintruder.
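The cross-domain check just described, as an added example that is not part of the original article: a badge read at one site and a login by the same user from a site too far away to reach in the elapsed time are paired up and flagged. The Event layout, site names, distances and the 70 mph threshold are all constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Event is a badge read from the door logs or a login from the network logs.
type Event struct {
	User string
	Kind string // "badge" or "login"
	Site string // where the badge was read, or where the login came from
	At   time.Time
}

// Constructed distance table; a real deployment would use facility records.
var milesBetween = map[[2]string]float64{
	{"HQ", "RemoteOffice"}: 500, {"RemoteOffice", "HQ"}: 500,
}

// ImpossibleColocation flags every badge read and login by the same user
// that would require travelling faster than maxMPH between the two sites:
// one person cannot be in both places, so a credential is being misused.
func ImpossibleColocation(events []Event, maxMPH float64) [][2]Event {
	var hits [][2]Event
	for _, b := range events {
		if b.Kind != "badge" {
			continue
		}
		for _, l := range events {
			miles := milesBetween[[2]string{b.Site, l.Site}] // 0 if same site or unknown
			if l.Kind != "login" || l.User != b.User || miles == 0 {
				continue
			}
			hours := math.Abs(l.At.Sub(b.At).Hours())
			if hours == 0 || miles/hours > maxMPH {
				hits = append(hits, [2]Event{b, l})
			}
		}
	}
	return hits
}

func main() {
	t0 := time.Date(2007, 7, 23, 9, 0, 0, 0, time.UTC) // constructed sample
	hits := ImpossibleColocation([]Event{{"jdoe", "badge", "HQ", t0},
		{"jdoe", "login", "RemoteOffice", t0.Add(20 * time.Minute)}}, 70)
	fmt.Println("impossible co-location pairs:", len(hits))
}
```

A pair is only evidence, not proof: the next step is to check which of the two credentials is the stolen one and lock both until that is known.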
Convergence also unites physical and IT security administration. That includes not only the employees but also the network directories, databases and monitoring tools for daily oversight. People charged with staffing or monitoring facilities (guards at federal buildings in Washington, for example) can have some decision-making taken off their shoulders, freeing them for other tasks and lowering the risk of security errors.
D'Agostino said CoreStreet's offerings help answer at least 95 percent of the questions likely to arise. One example: What local resources should be accessible to a person who shows a valid PIV card? 'We can pre-generate these responses,' he said. 'We don't need a secure connection to the database.'
What's more, a well-designed converged architecture provides performance improvements if it has the optimal division of centralized and distributed data processing. D'Agostino said centralizing too much on a single identity repository can burden the network and database with one-to-many hits, and distributing the intelligence allows more one-to-one transmissions. 'In some cases, you never need to touch the door with anything,' D'Agostino said. 'It just needs to see a valid message signed by a trusted source.' To achieve this, read/write PIV cards will carry a personal identification number, biometric and photo, and a digital signature signed by a trusted source, which will enable them to update remote systems.
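An added illustration of the signed-message pattern D'Agostino describes; this is example code, not CoreStreet's software or message format. A trusted source pre-generates a per-card, per-door authorization with a validity window and signs it; the door holds only the issuer's public key and decides with no database connection. The Authorization layout, the Ed25519 signature and the card and door IDs are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Authorization is the pre-generated, signed message a door checks. The
// field layout is an assumption for this example, not any vendor's format.
type Authorization struct {
	CardID, DoorID      string
	NotBefore, NotAfter time.Time
	Sig                 []byte
}

// payload binds card, door and validity window together under one signature,
// so none of them can be altered or re-used for another door.
func (a Authorization) payload() []byte {
	return []byte(fmt.Sprintf("%s\x00%s\x00%d\x00%d",
		a.CardID, a.DoorID, a.NotBefore.Unix(), a.NotAfter.Unix()))
}

// Issue runs at the trusted source, the only party holding the private key.
func Issue(priv ed25519.PrivateKey, card, door string, from time.Time, ttl time.Duration) Authorization {
	a := Authorization{CardID: card, DoorID: door, NotBefore: from, NotAfter: from.Add(ttl)}
	a.Sig = ed25519.Sign(priv, a.payload())
	return a
}

// DoorAccepts is all the controller evaluates, with no database or network:
// it holds only the issuer's public key and its own door ID.
func DoorAccepts(pub ed25519.PublicKey, doorID string, a Authorization, now time.Time) bool {
	if a.DoorID != doorID || now.Before(a.NotBefore) || now.After(a.NotAfter) {
		return false
	}
	return ed25519.Verify(pub, a.payload(), a.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	auth := Issue(priv, "card-0001", "door-17", now, time.Hour) // constructed IDs
	fmt.Println("door-17 opens:", DoorAccepts(pub, "door-17", auth, now))
	fmt.Println("door-18 opens:", DoorAccepts(pub, "door-18", auth, now))
}
```

The short validity window is what bounds the revocation lag: a terminated employee's card stops working once its last pre-generated authorization expires, so the window must be chosen against the site's tolerance for that delay.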
But centrally managed databases can be effective even in less-automated local setups. It's the approach FIPS-201-approved integrator BearingPoint used when it implemented the Transportation Worker Identification Credential program at 28 sites overseen by the Transportation Security Administration. Some sites have what's called swivel-chair integration, with guards at desks looking up authentication information on the central database, said Gordon Hannah, a BearingPoint managing director who worked on TWIC.
He added that local authorities will still handle visitor control and policy, for which they might be granted the power to issue credentials that work only at that location. In contrast, 12 deepwater ports in Florida have a single system that automates transmission of centrally issued credentials in addition to suspension and revocation, he said.
Card tricks
Vendors say the federal government relies primarily on proximity cards, many of them made by HID Global. But FIPS-201 requires faster-transmitting, larger-memory smart cards and readers that follow International Organization for Standardization specification 14443. It also requires backward compatibility with the proximity card specification. Thus, so-called dual-technology card readers are a promising technology.
'The question is, do you go for cards first, or readers first,' said Mark Diodati, an analyst at Burton Group. He also recommended that agencies strongly consider card management systems, which provide the workflow tools to handle the upfront vetting required by HSPD-12.
Physical-access control systems are the workhorses of physical security with command-and-control hubs for electronic door locks and readers, closet panels that accept the remote devices' usually proprietary relays, and a central server to manage them. The newer systems can handle other hardware, such as surveillance cameras and alarms.
But many physical-access control readers can't transmit enough bits to encode the new, 40-digit ID number required in federal specifications. 'You can make that new card work with the legacy systems, but there are risks,' Hannah said.
There is a push to upgrade some access-control hardware to IP in order to link it to logical systems, but the move is tricky. Card readers and panels must continue to operate during power outages, a weakness of IP networks. But Lenel Systems International, a maker of physical-access software, has focused much of its recent development on IP. One example: a new controller panel, the LNL-2200, an Ethernet card that can handle reader transmissions from two doors and be strung along in groups of 32.
Lenel product manager Erik Larsen said the closet is the best place to install IP. 'There is a big push right now for IP-based readers,' he said. 'We don't see much value in it. The reason is the reader is on the nonsecured side,' that is, outside the door.
Another issue is that physical-access control systems have no standards for cross-vendor interoperability. Most of the standardization problems are being tackled by the Physical Access Interagency Interoperability Working Group of the Government Smart Card Interagency Advisory Board.
Mike Butler, program manager of the General Services Administration's Managed Service Office and, until recently, chairman of the IAB, now works on GSA's HSPD-12 effort. He said another ISO standard, 24727, for multiapplication smart cards, holds promise for access control. But, he said, ISO standards aren't a panacea. 'You can call it an ISO standard, but it doesn't mean anyone has to follow it.' A GSA-approved test lab also aids standardization, but he said it only tests whether card data is in the proper format. 'It brings everybody up to a certain level. It still doesn't guarantee anything.'
Many manufacturers of IT network infrastructure are seeking convergence through partnering with physical-access vendors. Novell, for example, recently got together with Honeywell to link their identity-assurance and physical-access software.
Another promising standard, Service Provisioning Markup Language 2.0, ratified by the Organization for the Advancement of Structured Information Standards in April 2006, has as its goal to tie provisioning (setting employees up with the resources for their jobs and removing them when they leave), card-management and physical-access systems together in the proper hierarchy. 'Physical-access systems are just beginning to [become] more open and interoperable,' he said, adding that such systems would benefit from IT directory standards, such as Lightweight Directory Access Protocol.
One final option: shared-services providers such as the one EDS will build for GSA to handle HSPD-12 vetting and enrollment for agencies that don't want to do it themselves.
Physical-access systems
|Vendor ||Product ||Major Features |
| ||ActivID Card Management System ||CMS; customizable workflows, tamper-evident auditing, distributed batch or service-bureau issuance, PKI registration/credentialing, Java cards |
|AMAG Technology ||Symmetry Homeland ||PACS; alarm, optional video, monitoring, visitor management, badging, graphical maps, Windows single- or multiple-server configuration, unlimited clients/readers/cardholders |
|AMAG Technology ||Symmetry M2150 8DBC Controller ||Control panel; eight doors/16 readers/250,000 cardholders, serial, dialup and TCP/IP connections, 32 controllers per system, optional video monitoring |
| ||Card-Connected Access Control ||Wireless/card-connected access points; user rights and audit data propagated on card, wall-mounted readers, door locksets available from third-party partners |
| || ||Wireless/wired handheld card reader; offline operation, activity logs, multiple databases, CoreStreet server software, available with CoreStreet shared-service providers |
|Hirsch Electronics ||DIGI*TRAC Controllers ||Control panel; serial, TCP/IP and dialup, up to 64 outputs, ScramblePad or PC remote programming, alarm monitoring, modular, multisite scalability |
|Hirsch Electronics || ||Card reader/access control box; dual-technology personal identification number/bar code/biometric/smart-card entry, heavy-duty construction |
|Honeywell Integrated Security ||N-1000 Series Controllers ||Control panel; up to four doors, 31 controllers/25,000 cards per system, distributed database for optional offline operation, serial, dialup and TCP/IP connections |
|Honeywell Integrated Security ||Pro-Watch Security Management Software Suite ||PACS; central and remote Windows servers, replicated cardholder database, distributed card activation/deactivation and status updating, HR interface, video support |
| ||OneSign Physical/Logical ||Convergence appliance; consolidated authentication repository, failover, instant physical/logical user lockout, centralized monitoring/reporting, Lenel, S2 and Tyco integration |
|Lenel Systems International ||IdentityDefender Suite ||Identity management system; end-to-end PKI-based workflow, Web-based enrollment, card production and issuance, support for physical and logical security |
|Lenel Systems International ||Lenel Open Card Reader ||Multitechnology reader; 125KHz and 13.26MHz proximity, 13.26MHz vicinity, optional General Services Administration-approved PIV cards, modular keypad |
|S2 Security ||S2 Netbox Access Control ||Convergence appliance; dual reader/keypad, alarm, optional video, photo ID support, multiple card technologies, scheduled portal unlock, enrollment, access histories |
|SCM Microsystems ||Physical Access Control Terminals (PACT) ||Contact/contactless card reader; federal smart-card standards (PAIIWG, NIST, GSC-IS 2.1, etc.), 3DES authentication, optional PIN pad, biometric reader, indoor or outdoor use |
|Software House (Tyco Fire & Safety) ||C*Cure 9000 Event ||Client/server software for centrally monitoring security systems (alarms, video cameras, etc.); badging modules, graphical maps, push installation, .NET integration |
| ||AuthentX System ||Card issuance/authentication/revocation system; decentralized card enrollment/issuance, optional centralized card production, GSA spec, optional |
CMS = card management system
GSC-IS = Government Smart Card Interoperability Specification
OCSP = Online Certificate Status Protocol
PAIIWG = Physical Access Interagency Interoperability Working Group's Physical Access Control System - Smart Card Technical Guidance
PACS = physical-access control system
PKI = public-key infrastructure security technology for issuing digital certificates
David Essex is a freelance technology writer based in Antrim, N.H.
RFP Checklist
Experts in government and the information technology industry all sounded the same theme when asked what to put in a request for proposals for a physical-access system that can live in the brave new world of convergence with logical security: Plan well. That oft-repeated advice can sound trite and obvious with other IT projects, but it might be the most important step. Upgrading or replacing older physical systems risks wasting resources if you don't have a specific vision of the smart cards, readers, biometrics, back-end infrastructure and network security scheme (including digital certificates) that will be in place five years from now.
Any plan will be heavily location-conscious. Some buildings may take highest priority for the newest, two-factor access systems; others might safely continue with transitional legacy and converged bridge technology such as new card readers and control panels; and still others can stick with older proximity cards. Some wings within buildings may need no door devices at all.
But don't get too comfortable. Agencies must have all employees using Federal Information Processing Standard 201 PIV cards by October 2008.
Accordingly, consider the following approaches:
- If using a systems integrator (almost a necessity, given the complexity of the architecture), make sure it is on the FIPS-201 approved list.
- Don't be mesmerized by technology and think it alone will solve most problems. FIPS-201 is really about process. You'll do better asking a vendor or integrator how they envision the connection to the issuing authority and whether the lag time for getting status data will meet your security needs. High-value sites might require daily, rather than weekly, updates if card volume is high, and you can't risk a single loophole.
- Don't take card reader quality for granted. Look for International Organization for Standardization 9001 quality control and adequate mean time between failures, and make sure the ones planned for outdoor locations are sufficiently waterproof and ruggedized, especially those with biometric features.
- Examine maintenance guarantees and prices to ensure turnaround times meet your security requirements.
- If considering a card management system, make sure it interfaces with the card-provisioning system you plan to buy.