Articles by Julian Lovelock
Organisations must address growing security threats using fewer resources in an increasingly challenging regulatory environment. They are looking to ensure data security while also protecting their facilities’ physical security. At the same time, their users are demanding more choices of smart cards, smartphones, wearables, and other mobile devices that can do much more than simply open doors in an increasingly connected world. Cobbling together disparate solutions creates vulnerability gaps and can be expensive and difficult to manage.

For these and other reasons, many organisations are moving to align their physical and digital security initiatives, especially in today’s more connected world tied to the Internet of Things (IoT). They are adopting new ways of thinking about trust in smart environments and evolving how they use trusted identities across their operations. In the process, they are discovering better ways to establish, create, use and manage secure credentials using hybrid on-premises and cloud solutions, both for access control and to tie people, assets and processes to the Internet of Trusted Things (IoTT).

Simpler and more efficient approaches

Cloud-based solutions such as Microsoft Azure are already widely used for IT access management, and there is now growing interest in harnessing the cloud to manage trusted identities used for physical access management as well. Today’s solutions span the full identity lifecycle, from badge printing or mobile credential issuance all the way through to the management and application of access rights.
These integrated solutions will be joined by new cloud models for delivering network-based, service-focused badge printing and encoding that eliminates the need for stand-alone card printers attached to dedicated PC workstations and delivers the security of end-to-end encryption. Such solutions will transform the operational management of ID badge printing, reduce costs, eliminate capex outlay, simplify system maintenance and improve security as compared to on-premises solutions.

Reducing vulnerabilities and simplifying compliance

In parallel with the move to the cloud, there is also a growing awareness of the interdependencies of technologies and platforms that are used to optimise business agility, manage costs and improve the user experience in today’s increasingly mobile environment, or to extend the reach, flexibility and security of digital commerce and relationship management. These interdependent technologies require an organisation-wide approach to identity management that connects multiple platforms, systems and devices for multi-factor authentication. This approach increases security, reduces vulnerabilities and simplifies compliance.

To achieve this vision, unified identity cloud-based physical and IT access management solutions can create a far more seamless experience for users while simplifying procurement, deployment and maintenance. These solutions tie everything together and automate other manual workflows to provide an end-to-end physical identity and access management solution that integrates with access control systems, logical identity and other applications, so organisations can manage all types of physical identities and their details.
Encompassing the identity management lifecycle

This approach incorporates trusted credential and other advanced security technologies and encompasses the entire identity management lifecycle. The result: organisations achieve a single, comprehensive security view and a more coordinated way to protect privacy, while also lowering total cost of ownership, extending strong authentication from the desktop to the door and supporting a multitude of advanced use cases.

This unified approach is especially effective for government agencies and other regulated industries such as banking, healthcare, and transportation. It improves the organisation’s overall security posture while consolidating physical and IT security into a single solution. The user experience is improved by having a single credential for opening doors and accessing IT systems, networks and data, and the organisation can more easily comply with federal security requirements while extending public key infrastructure (PKI) strong authentication throughout its operations.

This unified approach also enables using strong cryptographic credentials in a range of additional applications, including digitally signing emails or documents, decrypting emails or files, full disk encryption and boot protection to secure laptops, among others. This approach also makes it easier to monitor and manage users’ access rights as their roles change within an organisation, ensuring they only have access to what they need in their current role.

Incorporation of biometrics

In banking, unified platforms provide a holistic, mobile-relevant, multi-channel solution for managing customer identities across all channels, improving the user experience without increasing cost or complexity.
The incorporation of biometrics further improves the user experience with higher levels of trust and makes it easier to combat fraud while complying with “know your customer” and other regulatory mandates.

Unified platforms for healthcare enable administrators to consolidate identity and access management across the continuum from hospital to home, simplifying operations ranging from opening hospital doors and accessing healthcare records to e-prescribing, while simplifying compliance and improving how healthcare professionals interact with patients and log their activities. Institutions can leverage e-prescribing architectures for other valuable capabilities such as authenticating to VPNs and enabling remote access using credentials, key fobs, mobile smartphones and other smart devices, and one-time password (OTP) tokens.

Path to converged solutions

The move to unified platforms offers new ways to establish, create, manage and use trusted identities and combine on-premises systems and the cloud to simplify identity and access management using common, flexible and adaptable platforms. Organisations that adopt these platforms can more easily secure access to everything from the facility’s doors to its computers, data, applications, and cloud-based services, and can also tie their smart buildings to the IoT. As they deploy these unified platforms, they will be embarking on a path to truly converged solutions that will ultimately consist of a single security policy, one credential and one audit log, delivered through a fully interoperable, multi-layered security infrastructure. Between now and then, they will be able to preserve their investments while continuing to grow, evolve and continually improve their security capabilities in the face of ever-changing threats.
Enterprises have typically focused on securing the network perimeter and relied on static passwords to authenticate users inside the firewall. This is insufficient, given the nature of today’s Advanced Persistent Threats (APTs) and internal risks associated with Bring Your Own Device (BYOD) adoption. Static passwords can be a potential recipe for a security disaster. In this article Julian Lovelock, Vice President of Product Marketing, Identity Assurance, HID Global, explains that enterprises would benefit from not only employing strong authentication for remote access, but also extending its use to cover the desktop, key applications, servers, and cloud-based systems as part of a multi-layered security strategy.

Unfortunately, choosing an effective strong authentication solution for enterprise data protection has traditionally been difficult. Available solutions have been inadequate either in their security capabilities, the user experience they deliver, or in the cost and complexity to deploy them. Now, we have the opportunity to eliminate these problems using Near Field Communications (NFC)-enabled credentials that can reside on smart cards or smartphones, and can be employed to secure access to everything from doors, to data, to the cloud.

Versatile, NFC-based strong authentication solutions can:
- Support converged secure logical access to the network and cloud-based services and resources, as well as physical access to buildings, offices and other areas;
- Support mobile security tokens for the most convenient and secure access from smartphones or tablets; and
- Deliver multifactor authentication capabilities for the most effective threat protection, as part of a multi-layered security strategy.
The challenges of strong authentication

Multi-factor authentication, also known as strong authentication, combines something the user knows (such as a password) with something the user has (such as mobile and web tokens), and can also be extended to include a third factor in the form of something the user is (which can be ascertained through a biometric or behaviour-metric solution).

Users have grown weary of the inconvenience of hardware OTPs, display cards and other physical devices for two-factor authentication. Additionally, OTPs are useful only for a limited range of applications. The industry is now replacing hardware OTPs with software tokens that can be held on such user devices as mobile phones, tablets, and browser-based tokens. With software OTPs, organizations are able to replace a dedicated security token with the user’s smartphone, enabling two-factor authentication to grow in popularity and convenience. A phone app generates an OTP, or OTPs are sent to the phone via SMS. However, there are security vulnerabilities with software OTPs that have driven the need for a far more secure strong authentication alternative, such as smart cards based on the Public Key Infrastructure (PKI). The downside to this approach, however, is its high cost and level of complexity to deploy.

Future mobile opportunities

The benefits of NFC technology are many as it becomes a standard feature of smart phones, tablets and laptops targeted at the enterprise market. Users can have a smart card or smartphone that grants access to resources by simply “tapping in” – without the need to enter a password on touch-screen devices, or the need for additional devices to issue and manage.
In addition, there are a number of steadily growing NFC-based tap-in use cases that are poised for strong adoption in the enterprise, including tap-in to facilities, VPNs, wireless networks, corporate Intranets, cloud- and web-based applications, and SSO clients, among many other scenarios. These benefits and the wide range of potential applications – along with the fact that manufacturers are enabling more and more phones, tablets and laptops with NFC – are driving many companies to seriously consider incorporating secure NFC-based physical and logical access into their facilities and IT access strategies.

The mobile model will deliver particularly robust security, and will be especially attractive in a BYOD environment. It will be implemented within a trusted boundary, and use a secure communications channel for transferring identity information between validated phones, their secure elements (SEs), and other secure media and devices. The authentication credential will be stored on the mobile device’s secure element, and a cloud-based identity provisioning model will eliminate the risk of credential copying while making it easier to issue temporary credentials, cancel lost or stolen credentials, and monitor and modify security parameters when required. It will also be possible to combine mobile tokens with cloud app single-sign-on capabilities, blending classic two-factor authentication with streamlined access to multiple cloud apps on a single device that users rarely lose or forget.

The NFC tap-in strong authentication model will not only eliminate the problems of earlier solutions, it will also offer the opportunity to achieve true convergence through a single solution that can be used to access IT resources while also enabling many other applications.
These include such physical access control applications as time-and-attendance, secure print management, cashless vending, building automation, and biometric templates for additional factors of authentication – all delivered on the same smart card or NFC-enabled phone alongside OTPs, eliminating the need to carry additional tokens or devices. Historically, physical and logical access control functions were mutually exclusive within an organization, and each was managed by different groups. Now, however, the lines between these groups will begin to blur.

Additional considerations for the cloud

As identity management moves to the cloud and enterprises take advantage of the Software as a Service (SaaS) model, there are other critical elements to consider. For instance, it will be critical to resolve challenges around provisioning and revoking user identities across multiple cloud-based applications, while also enabling secure, hassle-free user login to those applications. The most effective approach for addressing data moving to the cloud will likely be federated identity management, which allows users to access multiple applications by authenticating to a central portal. It also will be critical to ensure the personal privacy of BYOD users, while protecting the integrity of enterprise data and resources.

Several other security issues also emerge. IT departments won’t have the same level of control over BYODs or the potentially untrustworthy personal apps they may carry, and aren’t likely to be loading a standard image onto BYODs with anti-virus and other protective software. Nor is it likely that organizations will be able to retrieve devices when employees leave. We will need to find new and innovative ways to address these and other challenges.
Notwithstanding the risks, the use of mobile phones equipped with SEs, or equivalent protected containers, opens opportunities for powerful new authentication models that leverage the phone as a secure portable credential store, enabling use cases ranging from tap-in strong authentication for remote data access, to entering a building or apartment. Additionally, as BYOD continues to grow in popularity and many cloud-based applications are accessed from personal devices, enterprises will need to take a layered approach to security, recognizing that no single authentication method is going to address the multiple devices and multiple use cases required by today’s mobile enterprise.

A layered security approach

In addition to multi-factor user authentication as the first layer of security, both inside the firewall and in the cloud, there are four other layers that should be implemented.

The second layer is device authentication. In other words, once it is determined that the user is who he or she claims to be, it is important to verify that the person is using a “known” device. For this step, it is important to combine endpoint device identification and profiling with such elements as proxy detection and geo-location.

The third layer is ensuring that the user’s browser is part of a secure communication channel. Browser protection can be implemented through simple passive malware detection, but this does not result in the strongest possible endpoint security. It is more effective to use a proactive hardened browser with a mutual Secure Sockets Layer (SSL) connection to the application.

The fourth layer is transaction authentication/pattern-based intelligence, which increases security for particularly sensitive transactions.
A transaction authentication layer can include Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioural analysis.

The final layer is application security, which protects applications on mobile devices that are used to deliver sensitive information. The application must be architecturally hardened and capable of executing mutual authentication. Adding this layer makes data theft much more complex and costly for hackers.

Effectively implementing these five security layers requires an integrated, versatile authentication platform with real-time threat detection capabilities. Used in online banking and ecommerce for some time, threat detection technology is expected to cross over into the corporate sector as a way to provide an additional layer of security for remote access use cases such as VPNs or Virtual Desktops.

Migrating to new capabilities

Migration to NFC-based strong authentication and true converged solutions requires an extensible and adaptable multi-technology smart card and reader platform. For optimal flexibility and interoperability, this platform should be based on open architecture, and enable both legacy credential and new credential technology to be combined on the same card while also supporting NFC-enabled mobile platforms. To meet security requirements, the platform should use contactless high frequency smart card technology that features mutual authentication and cryptographic protection mechanisms with secret keys, and employs a secure messaging protocol that is delivered on a trust-based communication platform within a secure ecosystem of interoperable products.
With these capabilities, organizations can ensure the highest level of security, convenience, and interoperability on either cards or phones, along with the adaptability to meet tomorrow’s requirements including a combination of both strong authentication for protecting the data and applications in the cloud, and contactless high-frequency smart card capabilities for diverse physical access control applications. With proper planning, organizations can solve the strong authentication challenge while extending their solutions to protect everything from the cloud and desktop to the door. These converged solutions reduce deployment and operational costs by enabling organizations to leverage their existing physical access control credential investment to seamlessly add logical access control for network log-on. The result is a fully interoperable, multi-layered security solution across company networks, systems and facilities.
HID Global, a provider of trusted identity solutions, introduces Quantum Secure SAFE Enterprise, an off-the-shelf addition to its SAFE Physical Identity and Access Management (PIAM) offering that brings together everything organisations need to streamline and centralise management of the entire lifecycle for employee, contractor and visitor identities.

“SAFE Enterprise transforms the security function, enabling collaboration across different departments and teams to address identity management and compliance challenges through a single, centralised platform,” said Julian Lovelock, Vice President of Quantum Secure - Identity & Access Management Solutions (IAMS) with HID Global. “It bundles our core products into the industry’s most comprehensive PIAM solution, while also giving organisations the flexibility to meet identity management needs today and in the future.”

Consistent identity management

SAFE Enterprise enables organisations to manage all of their identity types at a lower cost and without having to purchase separate, stand-alone products. As a centralised platform, it facilitates identity management across the entire lifecycle through on-boarding, badging, access rights management and off-boarding, while also providing compliance and actionable intelligence. The policy-driven software ensures that consistent identity management processes are applied throughout the enterprise regardless of existing infrastructure and new acquisitions. All identities can be properly vetted and authorised based on role, location and other organisational policies, so people have the right access to the right areas and for the right length of time to reduce risks.

Special configuration packages

The new solution consists of four modules and add-ins. Each delivers compliance reporting and auditing functionality and is available in special configuration packages for applications in healthcare, aviation, finance, government, and sports and events.
The modules include:
- Badge Manager: Provides a platform to use external identity sources to pre-load identity information, capture badging prerequisites and print badges for employees and contractors.
- Advanced Access Manager: Streamlines central management of the physical access lifecycle for an organisation’s employees and contractors.
- Visitor Manager: Securely and quickly manages the entire visitor lifecycle, from easy pre-registration and welcoming visitor invitations through rapid check-in and check-out.
- Security Reporter and Operations Analytics: Enables organisations to understand and coordinate all on-boarding, badging, and access and visitor management activities.

The first of many planned add-ins to be offered for SAFE Enterprise is predictive analytics, which transforms security data into critical knowledge and actionable insights called Indicators of Compromise (IOCs) that help organisations take preventive actions against possible threats.
Amid rising concerns about security threats at stadiums and arenas where sports and entertainment events take place, HID Global, a global provider of trusted identity solutions, announced that its Quantum Secure SAFE Sports and Events Access Manager has earned the National Center for Spectator Sports Safety and Security (NCS4) ‘Lab Tested’ designation, awarded to products that undergo the rigours of operational testing in a sports environment.

Reducing risks by tracking visitors and contractors

The NCS4 designation gives event security managers greater confidence that the product has been validated as effective, helping to increase safety and security at events with large crowds. The SAFE Sports and Events Access Manager solution from HID Global tracks visitors and contractors to reduce risk, accelerate investigations and give better transparency of who is coming and going from a venue.

“The National Center for Spectator Sports Safety and Security assembled a team of subject matter experts from the sports security domain to evaluate the SAFE Sports and Events Access Manager,” said Daniel Ward, Director of Training and Integrated Systems, National Center for Spectator Sports Safety and Security (NCS4) at the University of Southern Mississippi. “The team evaluated the technology based on stated capabilities, as well as its ability to integrate and operate in sporting venues. The SAFE Sports and Events Access Manager solution performed at or above the levels considered by the evaluators to fully meet each requirement.”

Addressing threats and safety risks

Established in 2006, the National Center for Spectator Sports Safety and Security has become a recognised academic leader in addressing potential threats and risks to the safety and security at sporting events.
NCS4 works with recognised and respected safety and security experts from professional sports leagues, marathons, high schools and universities. “Event venues are increasingly looking for solutions to their physical access management challenges,” said Julian Lovelock, Vice President of the Quantum Secure segment within HID Global’s IAM Solutions business. “By meeting industry standards for securing stadiums and arenas with trusted identity solutions such as SAFE Software, we are expanding the options for protecting people at events.”
Related downloads:
- Reducing the cost of video surveillance system deployment and operation
- RFID and smartphone readers in physical access control
- Access control & intelligent vehicle screening