Multi-layered security

Enterprises have typically focused on securing the network perimeter and relied on static passwords to authenticate users inside the firewall. This is insufficient, given the nature of today’s Advanced Persistent Threats (APTs) and internal risks associated with Bring Your Own Device (BYOD) adoption. Static passwords can be a potential recipe for a security disaster. In this article Julian Lovelock, Vice President of Product Marketing, Identity Assurance, HID Global, explains that enterprises would benefit from not only employing strong authentication for remote access, but also extending its use to cover the desktop, key applications, servers, and cloud-based systems as part of a multi-layered security strategy.

Unfortunately, choosing an effective strong authentication solution for enterprise data protection has traditionally been difficult. Available solutions have been inadequate either in their security capabilities, the user experience they deliver, or in the cost and complexity to deploy them. Now, we have the opportunity to eliminate these problems using Near Field Communications (NFC)-enabled credentials that can reside on smart cards or smartphones, and can be employed to secure access to everything from doors, to data, to the cloud. Versatile, NFC-based strong authentication solutions can:

  • Support converged secure logical access to the network and cloud-based services and resources, as well as physical access to buildings, offices and other areas;
  • Support mobile security tokens for the most convenient and secure access from smartphones or tablets; and 
  • Deliver multifactor authentication capabilities for the most effective threat protection, as part of a multi-layered security strategy.

The challenges of strong authentication

Multi-factor authentication, also known as strong authentication, combines something the user knows (such as a password) with something the user has (such as mobile and web tokens), and can also be extended to include a third factor in the form of something the user is (which can be ascertained through a biometric or behaviour-metric solution).

Users have grown weary of the inconvenience of hardware OTPs, display cards and other physical devices for two-factor authentication. Additionally, OTPs are useful only for a limited range of applications. The industry is now replacing hardware OTPs with software tokens that can be held on user devices such as mobile phones and tablets, or as browser-based tokens. With software OTPs, organizations are able to replace a dedicated security token with the user’s smartphone, enabling two-factor authentication to grow in popularity and convenience. A phone app generates an OTP, or OTPs are sent to the phone via SMS. However, there are security vulnerabilities with software OTPs that have driven the need for a far more secure strong authentication alternative, such as smart cards based on a Public Key Infrastructure (PKI). The downside to this approach, however, is its high cost and level of complexity to deploy.

Future mobile opportunities


The benefits of NFC technology are many as it becomes a standard feature of smart phones, tablets and laptops targeted at the enterprise market. Users can have a smart card or smartphone that grants access to resources by simply “tapping in” – without the need to enter a password on touch-screen devices, or the need for additional devices to issue and manage. In addition, there are a number of steadily growing NFC-based tap-in use cases that are poised for strong adoption in the enterprise, including tap-in to facilities, VPNs, wireless networks, corporate intranets, cloud- and web-based applications, and SSO clients, among many other scenarios. These benefits and the wide range of potential applications – along with the fact that manufacturers are enabling more and more phones, tablets and laptops with NFC – are driving many companies to seriously consider incorporating secure NFC-based physical and logical access into their facilities and IT access strategies.

The mobile model will deliver particularly robust security, and will be especially attractive in a BYOD environment. It will be implemented within a trusted boundary, and use a secure communications channel for transferring identity information between validated phones, their secure elements (SEs), and other secure media and devices. The authentication credential will be stored on the mobile device’s secure element, and a cloud-based identity provisioning model will eliminate the risk of credential copying while making it easier to issue temporary credentials, cancel lost or stolen credentials, and monitor and modify security parameters when required. It will also be possible to combine mobile tokens with cloud app single-sign-on capabilities, blending classic two-factor authentication with streamlined access to multiple cloud apps on a single device that users rarely lose or forget.

The NFC tap-in strong authentication model will not only eliminate the problems of earlier solutions, it will also offer the opportunity to achieve true convergence through a single solution that can be used to access IT resources while also enabling many other applications. These include such physical access control applications as time-and-attendance, secure-print-management, cashless vending, building automation, and biometric templates for additional factors of authentication – all delivered on the same smart card or NFC-enabled phone alongside OTPs, eliminating the need to carry additional tokens or devices. Historically, physical and logical access control functions were mutually exclusive within an organization, and each was managed by different groups. Now, however, the lines between these groups will begin to blur.


Additional considerations for the cloud

As identity management moves to the cloud and enterprises take advantage of the Software as a Service (SaaS) model, there are other critical elements to consider. For instance, it will be critical to resolve challenges around provisioning and revoking user identities across multiple cloud-based applications, while also enabling secure, hassle-free user login to those applications.

The most effective approach for addressing data moving to the cloud will likely be federated identity management, which allows users to access multiple applications by authenticating to a central portal. It also will be critical to ensure the personal privacy of BYOD users, while protecting the integrity of enterprise data and resources. Several other security issues also emerge. IT departments won’t have the same level of control over BYODs or the potentially untrustworthy personal apps they may carry, and aren’t likely to be loading a standard image onto BYODs with anti-virus and other protective software. Nor is it likely that organizations will be able to retrieve devices when employees leave. We will need to find new and innovative ways to address these and other challenges. Notwithstanding the risks, the use of mobile phones equipped with SEs, or equivalent protected containers, opens opportunities for powerful new authentication models that leverage the phone as a secure portable credential store, enabling use cases ranging from tap-in strong authentication for remote data access, to entering a building or apartment.

Additionally, as BYOD continues to grow in popularity and many cloud-based applications are accessed from personal devices, enterprises will need to take a layered approach to security, recognizing that no single authentication method is going to address the multiple devices and multiple use cases required by today’s mobile enterprise.

A layered security approach

In addition to multi-factor user authentication as the first layer of security, both inside the firewall and in the cloud, there are four other layers that should be implemented.

The second layer is device authentication. In other words, once it is determined that users are who they say they are, it is important to verify that they are using a “known” device. For this step, it is important to combine endpoint device identification and profiling with such elements as proxy detection and geo-location.


The third layer is ensuring that the user’s browser is part of a secure communication channel. Browser protection can be implemented through simple passive malware detection, but this does not result in the strongest possible endpoint security. It is more effective to use a proactive hardened browser with a mutually authenticated Secure Sockets Layer (SSL/TLS) connection to the application.

The fourth layer is transaction authentication/pattern-based intelligence, which increases security for particularly sensitive transactions. A transaction authentication layer can include Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioural analysis. 

The final layer is application security, which protects applications on mobile devices that are used to deliver sensitive information. The application must be architecturally hardened and capable of executing mutual authentication. Adding this layer makes data theft much more complex and costly for hackers.

Effectively implementing these five security layers requires an integrated versatile authentication platform with real-time threat detection capabilities. Used in online banking and ecommerce for some time, threat detection technology is expected to cross over into the corporate sector as a way to provide an additional layer of security for remote access use cases such as VPNs or Virtual Desktops.
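The five layers above are described as a sequence of checks, so here is an added example (not code from the article or from HID Global) that evaluates them in order for one session and returns allow, step-up (out-of-band verification) or deny. The device-binding scheme (a per-device secret proved over a server nonce), the impossible-travel speed threshold, the high-value threshold and the transaction-bound code format are all constructed for illustration; the article names the layers but does not prescribe these mechanisms.

```python
"""Layered access decision covering the article's five layers.

Added example, not code from the article or from HID Global. Device secrets,
nonces, coordinates and thresholds below are constructed illustrations.
"""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

# --- Layer 2: device authentication -----------------------------------------
# A "known" device holds a secret bound to it at enrolment; the server keeps
# the same secret and challenges the device with a fresh nonce per login.
DEVICE_KEYS = {"laptop-7f3a": b"constructed-device-secret-1"}  # constructed


def issue_nonce() -> bytes:
    return secrets.token_bytes(16)


def device_proof(device_key: bytes, nonce: bytes) -> str:
    """Client side: prove possession of the enrolled device secret."""
    return hmac.new(device_key, nonce, hashlib.sha256).hexdigest()


def device_is_known(device_id: str, nonce: bytes, proof: str) -> bool:
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False
    return hmac.compare_digest(device_proof(key, nonce), proof)


def km_between(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance (haversine) in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(prev, cur, elapsed_s: float, max_kmh: float = 900.0) -> bool:
    """Geo-location check: implied speed between two logins above airliner
    speed means the 'same user' cannot plausibly be at both places."""
    if elapsed_s <= 0:
        return True
    return km_between(*prev, *cur) / (elapsed_s / 3600.0) > max_kmh


# --- Layer 4: transaction authentication -----------------------------------
def transaction_code(key: bytes, amount_cents: int, payee: str, nonce: str) -> str:
    """8-digit code bound to what the user was shown (amount, payee), so a code
    approved for one transaction is useless for a modified one. Constructed
    format: first 4 bytes of an HMAC-SHA256 reduced to 8 decimal digits."""
    msg = f"{amount_cents}|{payee}|{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


@dataclass
class Session:
    mfa_passed: bool                # layer 1: user factors satisfied
    device_id: str                  # layer 2
    nonce: bytes
    device_proof: str
    prev_login: tuple               # (lat, lon) of last accepted login
    cur_login: tuple
    elapsed_s: float
    via_anonymising_proxy: bool
    client_cert_verified: bool      # layer 3: mutual TLS from hardened client


def decide(s: Session, amount_cents: int = 0, high_value_cents: int = 100_000) -> str:
    """Evaluate the layers in order; the first failing layer sets the outcome."""
    if not s.mfa_passed:                                          # layer 1
        return "deny"
    if not device_is_known(s.device_id, s.nonce, s.device_proof):  # layer 2
        return "step-up"        # unknown device: verify out-of-band, then enrol
    if s.via_anonymising_proxy or impossible_travel(s.prev_login, s.cur_login, s.elapsed_s):
        return "step-up"
    if not s.client_cert_verified:                                # layer 3
        return "deny"
    if amount_cents >= high_value_cents:                          # layer 4
        return "step-up"        # sensitive transaction: require OOB verification
    return "allow"


def sample_session(**overrides) -> Session:
    """A constructed session from the enrolled laptop, same city as last time."""
    nonce = issue_nonce()
    base = dict(mfa_passed=True, device_id="laptop-7f3a", nonce=nonce,
                device_proof=device_proof(DEVICE_KEYS["laptop-7f3a"], nonce),
                prev_login=(51.50, -0.12), cur_login=(51.51, -0.10),
                elapsed_s=3600.0, via_anonymising_proxy=False,
                client_cert_verified=True)
    base.update(overrides)
    return Session(**base)
```

The ordering is the point the article makes: a correct password and OTP (layer 1) does not by itself reach "allow", because the device, channel and transaction layers each get a veto, and a step-up outcome routes the request to the out-of-band verification the fourth layer describes rather than silently failing. The fifth layer (application hardening) has no runtime check here; it is a property of how the client is built.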

Migrating to new capabilities

Migration to NFC-based strong authentication and true converged solutions requires an extensible and adaptable multi-technology smart card and reader platform. For optimal flexibility and interoperability, this platform should be based on open architecture, and enable both legacy credential and new credential technology to be combined on the same card while also supporting NFC-enabled mobile platforms. To meet security requirements, the platform should use contactless high frequency smart card technology that features mutual authentication and cryptographic protection mechanisms with secret keys, and employs a secure messaging protocol that is delivered on a trust-based communication platform within a secure ecosystem of interoperable products. 

With these capabilities, organizations can ensure the highest level of security, convenience, and interoperability on either cards or phones, along with the adaptability to meet tomorrow’s requirements including a combination of both strong authentication for protecting the data and applications in the cloud, and contactless high-frequency smart card capabilities for diverse physical access control applications. 

With proper planning, organizations can solve the strong authentication challenge while extending their solutions to protect everything from the cloud and desktop to the door. These converged solutions reduce deployment and operational costs by enabling organizations to leverage their existing physical access control credential investment to seamlessly add logical access control for network log-on. The result is a fully interoperable, multi-layered security solution across company networks, systems and facilities.


Author profile

Julian Lovelock, Vice President, Strategic Innovation, HID Global
