Multi-layered security

Enterprises have typically focused on securing the network perimeter and relied on static passwords to authenticate users inside the firewall. This is insufficient given today's Advanced Persistent Threats (APTs) and the internal risks that come with Bring Your Own Device (BYOD) adoption: a static password is a single reusable secret that can be phished, guessed or replayed, and once it is compromised the perimeter offers no further protection. In this article Julian Lovelock, Vice President of Product Marketing, Identity Assurance, HID Global, explains that enterprises would benefit from employing strong authentication not only for remote access but also for the desktop, key applications, servers and cloud-based systems, as part of a multi-layered security strategy.

Unfortunately, choosing an effective strong authentication solution for enterprise data protection has traditionally been difficult. Available solutions have been inadequate either in their security capabilities, in the user experience they deliver, or in the cost and complexity of deploying them. Now there is an opportunity to eliminate these problems using Near Field Communication (NFC)-enabled credentials that can reside on smart cards or smartphones and can be employed to secure access to everything from doors, to data, to the cloud. Versatile, NFC-based strong authentication solutions can:

  • Support converged secure logical access to the network and cloud-based services and resources, as well as physical access to buildings, offices and other areas;
  • Support mobile security tokens for the most convenient and secure access from smartphones or tablets; and 
  • Deliver multifactor authentication capabilities for the most effective threat protection, as part of a multi-layered security strategy.

The challenges of strong authentication

Multi-factor authentication, also known as strong authentication, combines something the user knows (such as a password or PIN) with something the user has (such as a smart card, or a mobile or web token), and can be extended to a third factor, something the user is, established through a biometric or behaviour-metric solution. The factors must come from different categories: two passwords, or a password plus a security question, are still a single factor, because both can be captured by the same phishing page or keylogger.

Users have grown weary of the inconvenience of hardware OTP tokens, display cards and other physical devices for two-factor authentication. Additionally, OTPs are useful only for a limited range of applications. The industry is now replacing hardware OTP tokens with software tokens held on user devices such as mobile phones, tablets and browser-based tokens. With software OTPs, organizations can replace a dedicated security token with the user's smartphone, which has helped two-factor authentication grow in popularity and convenience: a phone app generates the OTP, or the OTP is sent to the phone via SMS. However, software OTPs have weaknesses that have driven the need for a far more secure alternative. An OTP delivered by SMS can be intercepted by malware on the handset or by an attacker who has had the subscriber's number redirected (SIM swap), and any OTP typed into a web page can be phished and relayed to the real service within its validity window, because the code is bound neither to the session nor to the relying party. Smart cards based on Public Key Infrastructure (PKI), where the private key never leaves the card and the authentication is a signature over a server challenge, close these gaps. The downside of that approach is its cost and the complexity of deployment: a certificate authority, readers and middleware, and certificate lifecycle management.

Future mobile opportunities


The benefits of NFC technology are many as it becomes a standard feature of smartphones, tablets and laptops targeted at the enterprise market. Users can have a smart card or smartphone that grants access to resources by simply "tapping in", without the need to enter a password on a touch-screen device or to issue and manage additional devices. In addition, there is a steadily growing set of NFC-based tap-in use cases poised for strong adoption in the enterprise, including tap-in to facilities, VPNs, wireless networks, corporate intranets, cloud- and web-based applications, and SSO clients, among many other scenarios. These benefits and the wide range of potential applications, along with the fact that manufacturers are enabling more and more phones, tablets and laptops with NFC, are driving many companies to seriously consider incorporating secure NFC-based physical and logical access into their facilities and IT access strategies.

The mobile model will deliver particularly robust security and will be especially attractive in a BYOD environment. It will be implemented within a trusted boundary, using a secure communications channel to transfer identity information between validated phones, their secure elements (SEs), and other secure media and devices. The authentication credential will be stored in the mobile device's secure element, so that its key material cannot be read out and cloned by copying the phone's storage, and a cloud-based identity provisioning model will make it easier to issue temporary credentials, cancel lost or stolen credentials, and monitor and modify security parameters when required. It will also be possible to combine mobile tokens with cloud app single sign-on capabilities, blending classic two-factor authentication with streamlined access to multiple cloud apps on a single device that users rarely lose or forget.

The NFC tap-in strong authentication model will not only eliminate the problems of earlier solutions, it will also offer the opportunity to achieve true convergence through a single solution that can be used to access IT resources while also enabling many other applications. These include physical access control and related applications such as time and attendance, secure print management, cashless vending, building automation, and on-card biometric templates as an additional authentication factor, all delivered on the same smart card or NFC-enabled phone alongside OTPs, eliminating the need to carry additional tokens or devices. Historically, physical and logical access control were mutually exclusive functions within an organization, each managed by a different group. Now, however, the lines between these groups will begin to blur.


Additional considerations for the cloud

As identity management moves to the cloud and enterprises take advantage of the Software as a Service (SaaS) model, there are other critical elements to consider. For instance, it will be critical to resolve challenges around provisioning and revoking user identities across multiple cloud-based applications, while also enabling secure, hassle-free user login to those applications.

The most effective approach for addressing data moving to the cloud will likely be federated identity management, in which users authenticate once to a central identity provider that then asserts their identity to each application (for example via SAML or OpenID Connect), so that provisioning and revocation happen in one place rather than in every SaaS application. It also will be critical to ensure the personal privacy of BYOD users while protecting the integrity of enterprise data and resources. Several other security issues also emerge. IT departments won't have the same level of control over BYOD devices or the potentially untrustworthy personal apps they may carry, and aren't likely to be loading a standard image with anti-virus and other protective software onto them. Nor is it likely that organizations will be able to retrieve the devices when employees leave. New ways to address these and other challenges will be needed. Notwithstanding the risks, the use of mobile phones equipped with SEs, or equivalent protected containers, opens opportunities for powerful new authentication models that leverage the phone as a secure portable credential store, enabling use cases ranging from tap-in strong authentication for remote data access to entering a building or apartment.

Additionally, as BYOD continues to grow in popularity and many cloud-based applications are accessed from personal devices, enterprises will need to take a layered approach to security, recognizing that no single authentication method is going to address the multiple devices and multiple use cases required by today’s mobile enterprise.

A Layered security approach

In addition to multi-factor user authentication as the first layer of security, both inside the firewall and in the cloud, there are four other layers that should be implemented.

The second layer is device authentication. In other words, once it is determined that the user is who he or she claims to be, it is important to verify that the person is using a "known" device. For this step, endpoint device identification and profiling should be combined with signals such as proxy detection and geo-location, so that a valid credential presented from an unfamiliar device, through an anonymising proxy, or from a location the user could not plausibly have reached since the last login triggers step-up authentication rather than silent access.


The third layer is ensuring that the user's browser is part of a secure communication channel. Browser protection can be implemented through simple passive malware detection, but this does not result in the strongest possible endpoint security. It is more effective to use a proactive hardened browser that establishes a mutually authenticated TLS connection (mutual TLS, historically called mutual SSL) to the application: the server verifies a client certificate, so a browser or intercepting proxy that does not hold the client's key cannot complete the handshake.

The fourth layer is transaction authentication/pattern-based intelligence, which increases security for particularly sensitive transactions. A transaction authentication layer can include Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioural analysis. 

The final layer is application security, which protects applications on mobile devices that are used to deliver sensitive information. The application must be architecturally hardened and capable of mutual authentication with its back end. Adding this layer makes data theft much more complex and costly for attackers.

Effectively implementing these five security layers requires an integrated versatile authentication platform with real-time threat detection capabilities. Used in online banking and ecommerce for some time, threat detection technology is expected to cross over into the corporate sector as a way to provide an additional layer of security for remote access use cases such as VPNs or Virtual Desktops.
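The device-authentication and transaction-intelligence layers are easiest to understand as one decision function that consumes several signals. The block below is an added example (not the article's or HID's code) that combines a hashed device fingerprint, a proxy flag, a geo-velocity ("impossible travel") check and a transaction-value threshold into a single allow / step-up / deny outcome. The fingerprint format, the thresholds, the scoring weights and the sample locations are constructed for illustration; a real platform would tune them from its own data.

```python
"""Device authentication (layer 2) and pattern-based transaction
intelligence (layer 4) combined into one access decision.

Added example, not the article's or HID's code. Thresholds, weights, the
fingerprint format and the sample events are constructed for illustration.
"""
import hashlib
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_PLAUSIBLE_SPEED_KMH = 900.0     # constructed: faster than this is "impossible travel"
HIGH_VALUE_TRANSACTION = 10_000.0   # constructed: always require transaction signing


@dataclass
class Event:
    user: str
    device_fingerprint: str   # raw attributes collected by the endpoint agent
    via_proxy: bool           # output of proxy/anonymiser detection
    lat: float
    lon: float
    unix_time: int
    amount: float = 0.0       # transaction value; 0 for a plain login


@dataclass
class Profile:
    known_devices: set = field(default_factory=set)   # hashed fingerprints only
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_time: Optional[int] = None


def fingerprint_id(raw: str) -> str:
    """Store only a hash: the raw fingerprint can contain personal data."""
    return hashlib.sha256(raw.encode()).hexdigest()


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius * math.asin(math.sqrt(a))


def decide(profile: Profile, ev: Event) -> Tuple[str, List[str]]:
    """Return (decision, reasons): 'allow', 'step_up' (require out-of-band
    verification or transaction signing) or 'deny'."""
    score, reasons = 0, []
    if fingerprint_id(ev.device_fingerprint) not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if ev.via_proxy:
        score += 30
        reasons.append("proxy/anonymiser")
    if profile.last_time is not None and ev.unix_time >= profile.last_time:
        km = haversine_km(profile.last_lat, profile.last_lon, ev.lat, ev.lon)
        hours = max(ev.unix_time - profile.last_time, 1) / 3600
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")
    if ev.amount >= HIGH_VALUE_TRANSACTION:
        reasons.append("high-value transaction")
        score = max(score, 30)        # never below step-up: needs signing
    if score >= 70:
        return "deny", reasons
    if score >= 30:
        return "step_up", reasons
    return "allow", reasons


def record(profile: Profile, ev: Event, enrol_device: bool = False) -> None:
    """Update the profile after a successful (possibly stepped-up) login."""
    profile.last_lat, profile.last_lon, profile.last_time = ev.lat, ev.lon, ev.unix_time
    if enrol_device:
        profile.known_devices.add(fingerprint_id(ev.device_fingerprint))
```

The point of the structure is that the decision is made once, after the user factor has already passed: an unknown device alone is not grounds to deny, only to step up, while an unknown device behind a proxy from a location the user cannot have reached is, and a high-value transaction always requires the signing step regardless of how familiar everything else looks.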

Migrating to new capabilities

Migration to NFC-based strong authentication and true converged solutions requires an extensible and adaptable multi-technology smart card and reader platform. For optimal flexibility and interoperability, this platform should be based on an open architecture and enable legacy and new credential technologies to be combined on the same card while also supporting NFC-enabled mobile platforms. To meet security requirements, the platform should use contactless high-frequency (13.56 MHz) smart card technology that features mutual authentication and cryptographic protection mechanisms based on secret keys, and employs a secure messaging protocol delivered on a trust-based communication platform within a secure ecosystem of interoperable products. In practice that means the reader must prove knowledge of the key to the card as well as the other way round, the keys should be diversified per card so that extracting one card's key does not expose the whole population, and every command after authentication should be integrity-protected and sequence-numbered so that a captured exchange cannot be replayed at the reader.
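What "mutual authentication with secret keys" and "secure messaging" amount to on the wire is shown by the added example below. It is an illustrative protocol written for this page, not the protocol of any HID product: both sides hold a per-card key diversified from a site master key, each proves possession of it over the other's nonce, and a session key derived from both nonces then MACs and sequence-numbers every command. It also covers the revocation step described earlier for lost or stolen credentials, by having the reader consult a revocation list before it authenticates. HMAC-SHA256 stands in for the card's symmetric cipher, and the master key, card IDs and revocation list are constructed.

```python
"""Reader/card mutual authentication with a diversified secret key, followed
by MAC-protected, sequence-numbered secure messaging.

Added illustrative example for this page; not the protocol of any HID product.
HMAC-SHA256 stands in for the card's symmetric cipher. The master key, card
IDs and revocation list are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

MASTER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)  # constructed
REVOKED = {"card-0003"}                                               # constructed


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF over a length-prefixed concatenation of the parts."""
    msg = b"".join(struct.pack(">H", len(p)) + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def diversify(master: bytes, card_id: str) -> bytes:
    """Per-card key: extracting one card's key does not expose the master key."""
    return prf(master, b"diversify", card_id.encode())


class SecureChannel:
    """Session-keyed messages: 4-byte sequence number, payload, 32-byte MAC."""

    def __init__(self, session_key: bytes):
        self.key, self.send_seq, self.recv_seq = session_key, 0, 0

    def seal(self, payload: bytes) -> bytes:
        header = struct.pack(">I", self.send_seq)
        self.send_seq += 1
        return header + payload + prf(self.key, header, payload)

    def open(self, msg: bytes):
        """Payload, or None if the message is replayed, reordered or tampered."""
        if len(msg) < 36:
            return None
        header, payload, tag = msg[:4], msg[4:-32], msg[-32:]
        if struct.unpack(">I", header)[0] != self.recv_seq:
            return None                       # wrong sequence number: replay/reorder
        if not hmac.compare_digest(tag, prf(self.key, header, payload)):
            return None                       # MAC failure: tampered or wrong key
        self.recv_seq += 1
        return payload


class Card:
    def __init__(self, card_id: str, key: bytes):
        self.card_id, self.key, self.nonce, self.channel = card_id, key, None, None

    def challenge_response(self, reader_nonce: bytes):
        """Step 1: card answers the reader's nonce and adds its own."""
        self.nonce = os.urandom(16)
        return self.nonce, prf(self.key, b"card-proof", reader_nonce, self.nonce)

    def finish(self, reader_nonce: bytes, reader_proof: bytes) -> bool:
        """Step 2: card checks that the reader also knows the key."""
        expected = prf(self.key, b"reader-proof", reader_nonce, self.nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return False
        self.channel = SecureChannel(prf(self.key, b"session", reader_nonce, self.nonce))
        return True


class Reader:
    def __init__(self, master_key: bytes, revoked):
        self.master_key, self.revoked = master_key, set(revoked)

    def authenticate(self, card: Card):
        """Reader-side SecureChannel on success, None on any failure."""
        if card.card_id in self.revoked:
            return None                       # cancelled credential
        key = diversify(self.master_key, card.card_id)
        reader_nonce = os.urandom(16)
        card_nonce, card_proof = card.challenge_response(reader_nonce)
        if not hmac.compare_digest(card_proof, prf(key, b"card-proof", reader_nonce, card_nonce)):
            return None                       # card does not hold the key for its claimed ID
        reader_proof = prf(key, b"reader-proof", reader_nonce, card_nonce)
        if not card.finish(reader_nonce, reader_proof):
            return None
        return SecureChannel(prf(key, b"session", reader_nonce, card_nonce))


def issue_card(card_id: str) -> Card:
    """Personalisation: load the diversified key onto the card."""
    return Card(card_id, diversify(MASTER_KEY, card_id))


def demo() -> dict:
    """Genuine, replayed, tampered, revoked and cloned-ID cases side by side."""
    reader, card = Reader(MASTER_KEY, REVOKED), issue_card("card-0001")
    ch = reader.authenticate(card)
    cmd = ch.seal(b"READ_CREDENTIAL")
    out = {"genuine": ch is not None, "command": card.channel.open(cmd)}
    out["replay"] = card.channel.open(cmd)                 # same sequence number
    cmd2 = ch.seal(b"OPEN_DOOR")
    out["tampered"] = card.channel.open(cmd2[:4] + b"OPEN_DOOX" + cmd2[13:])
    out["after_tamper"] = card.channel.open(cmd2)          # untouched copy still valid
    out["reply"] = ch.open(card.channel.seal(b"OK"))
    out["revoked"] = reader.authenticate(issue_card("card-0003"))
    out["cloned_id"] = reader.authenticate(Card("card-0001", diversify(MASTER_KEY, "card-0002")))
    return out
```

Two design choices carry the security: the nonces from both sides enter every proof and the session key, so neither party can be replayed against the other with a recording, and the card's ID is part of the key derivation, so a card that copies another card's ID but not its key fails at the first check.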

With these capabilities, organizations can ensure the highest level of security, convenience, and interoperability on either cards or phones, along with the adaptability to meet tomorrow’s requirements including a combination of both strong authentication for protecting the data and applications in the cloud, and contactless high-frequency smart card capabilities for diverse physical access control applications. 

With proper planning, organizations can solve the strong authentication challenge while extending their solutions to protect everything from the cloud and desktop to the door. These converged solutions reduce deployment and operational costs by enabling organizations to leverage their existing physical access control credential investment to seamlessly add logical access control for network log-on. The result is a fully interoperable, multi-layered security solution across company networks, systems and facilities.


Author profile

Julian Lovelock Vice President, Strategic Innovation, HID Global
