December 2010

NClement's picture

When I look back at the CARTES & Identification show in Paris this month...

...I can say that one of the main takeaways was definitely that the smart card industry is picking up following several economically challenging years. According to the Brussels-based vendor trade group Eurosmart, more than 5.3 billion smart cards were shipped worldwide during 2010. And this figure is on the rise, with Eurosmart predicting a 13-percent increase in 2011.

This momentum was reflected in the show attendance reported by CARTES & IDentification 2010, where more than 430 exhibitors, almost 19,000 visitors, more than 1,250 congress delegates, and over 140 countries were present this year. But the numbers from the show tell only half the story; the buzz at this year’s conference surrounded Near Field Communication (NFC) technology, security of data and information exchange and trust.

As a key technology in enabling virtual credentials, NFC is redefining the market for major players in the industry, and HID Global is at the forefront of innovation in the field. NFC technology requires that we think differently about topics such as creation and management of secure identities, access control solutions, and the crucial role performed by individual components such as NFC-equipped mobile phones. And how HID Global is addressing this technology was one of the topics highlighted during a CARTES conference keynote session delivered by Daniel Bailin, director of program management and strategic innovation at HID Global.

During his keynote, Daniel discussed HID’s Trusted Identity Platform (TIP) strategy for migrating to virtual credentials and addressing these issues. Simply put, TIP is a central, secure vault that serves known endpoints, such as credentials, readers, laptops, and NFC-equipped mobile phones, in a bounded system, whereby all the attached devices are known and therefore trusted to exchange information securely. These endpoints, or identity nodes, can be securely provisioned anywhere, at any time.

 


Last week I highlighted a couple of important access control best practices to consider as the year comes to a close.

These focused on selecting the appropriate card and reader technology based on your desired level of security, along with the critical role that key management plays in maximizing the security of your access cards. There are a number of additional best practices that can help you in taking a well-rounded approach to assessing and optimizing your organization's security. Some of these include:

Protect the communications: The individual components of an access control system need to talk to each other to communicate card messages, audit data, cardholder privilege changes and much more. It is critical to protect both the communications medium, be it hard wired or wireless, and the actual data.

Use security screws: Always utilize security screws that require special tools to remove a reader and other security components. If the correct tool is not available, then it makes it nearly impossible for an intruder to remove the reader without causing damage to the screws. This noticeable damage may alert the administrator to an intrusion attempt.

Prevention using antipassback: Another best practice is to program the access control host software to refuse granting access to a cardholder that is already inside the facility, which will prevent a duplicate, fraudulent card from entering the facility.

Use additional factors of authentication: Multiple factors of authentication consisting of something you have (a card), something you know (a password), and something you are (a biometric) increase the probability that the card user is who they say they are. A relatively inexpensive second factor is a password that can be added using card readers with built-in keypads.

Mind the cards: A perpetrator may fraudulently obtain cards to access a building by using lost cards and/or purchasing cards through the gray market or even legitimate resellers. Using a proprietary card format offered by an OEM, or one that is exclusive to a particular facility, is an effective best practice.

Detection - the second line of defense: Purchase readers with a tamper detect mechanism that provides a signal when the reader has been removed from the wall. Almost every panel manufacturer provides the ability to monitor this alarm signal and report when a reader is tampered with.

I discuss these best practices and more in the recent Access Control - Best Practices whitepaper. Download it today for a comprehensive review of these guidelines and how they can help your organization effectively balance cost, convenience and security when deploying an access control system. I hope these tips help you in preparing for a safe and productive New Year!
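The antipassback rule described above, as an added example that is not part of the original post or of any vendor's host software: a minimal host-side state tracker replayed over constructed badge events. The class name, event format and the choice to allow (but flag) an exit with no recorded entry are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AntiPassbackHost:
    """Tracks which card IDs are inside and refuses a second entry."""
    inside: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def handle(self, card_id: str, direction: str) -> bool:
        """Return True to unlock the door, False to refuse."""
        if direction == "in":
            if card_id in self.inside:
                # Same credential presented at an entry reader twice:
                # either a passed-back card or a duplicate of it.
                self.alerts.append((card_id, "entry while already inside"))
                return False
            self.inside.add(card_id)
            return True
        if direction == "out":
            if card_id not in self.inside:
                # Assumption: egress is still allowed, but the missing
                # entry record is flagged for the administrator.
                self.alerts.append((card_id, "exit without recorded entry"))
            self.inside.discard(card_id)
            return True
        raise ValueError(f"unknown reader direction: {direction!r}")


def replay(events):
    """Run (card_id, direction) events through a fresh host."""
    host = AntiPassbackHost()
    decisions = [host.handle(card, direction) for card, direction in events]
    return decisions, host.alerts, host.inside


# Constructed sample events, not taken from any real system.
SAMPLE_EVENTS = [
    ("1001", "in"),   # normal entry
    ("1002", "in"),   # normal entry
    ("1001", "in"),   # second entry for 1001 while inside: refused
    ("1001", "out"),  # 1001 leaves
    ("1001", "in"),   # re-entry is fine after leaving
    ("1003", "out"),  # exit with no entry on record: flagged
]

if __name__ == "__main__":
    for row in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)[0]):
        print(row)
```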

With a new year approaching, I’d like to take a moment to remind security directors....

...that now is a great time to review your security policies and access control system installations to make sure they are meeting the current needs of your facility. In fact, conducting an annual access control system review is the first step in creating a systematic process for assessing the security of your organization…and it is the principal best practice that provides a framework for all the others.

Once a yearly review process is in place, a fundamental concept to embrace in adopting best practices is that an effective security system uses layered security. A good analogy of this concept would be one where a home protected by a burglar alarm might use both glass break detectors and motion sensors to detect when an intruder enters the house.

Then there are a handful of specific best practices to consider, with two of the most important guidelines being around 1) choices in reader and card technologies; and 2) key management.

Choosing the right reader and card technology

Since there are a wide variety of card and reader technologies being offered by today’s manufacturers, it is important to make sure that both the correct card and reader technology are chosen to match the desired level of security. For example, magstripe offers the least amount of security, whereas contactless smart cards, when properly deployed, provide the highest levels of security.

Key Management

Key management deals with the secure generation, distribution, storage, and life-cycle management of cryptographic keys. This important subject deserves an entire blog post itself, but here are a few of the basic key management rules of thumb.

Whenever there is a choice, choose a manufacturer that allows you to utilize your own cryptographic authentication key that is different than the manufacturer’s other customers. This is exactly the point of HID’s Elite Key program. Although it may be easier not to have the responsibility of managing and safeguarding your own keys, you will be immune from a key compromise that occurs in someone else’s readers from the same manufacturer.

Conversely, do not choose a manufacturer that stores the same key in all of its credentials. Extraction of the key from a single card compromises all of the cards in use. Select a manufacturer that uses ‘diversified’ keys, which means that each card uses a different key that is cryptographically derived from a master key. Ideally this diversification would use a publicly scrutinized algorithm such as DES or AES. For example, HID’s iCLASS key diversification is based on DES.

And these are just a few best practices to look for. Stay tuned for more guidelines on how an organization can effectively balance cost, convenience and security when deploying an access control system.
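The difference between a shared key and diversified keys, as an added example that is not part of the original post and is not HID's iCLASS algorithm: per-card keys are derived here with HMAC-SHA256 from the Python standard library as a stand-in for the DES or AES based diversification the post mentions. The function names, the card serial numbers and the master key are constructed for illustration.

```python
import hashlib
import hmac
import os


def diversify(master_key: bytes, card_uid: bytes) -> bytes:
    """Derive a per-card key from the master key and the card's serial number."""
    return hmac.new(master_key, b"card-auth|" + card_uid, hashlib.sha256).digest()


def card_response(card_key: bytes, challenge: bytes) -> bytes:
    """What a card returns: a MAC over the reader's random challenge."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


def reader_verify(master_key: bytes, claimed_uid: bytes,
                  challenge: bytes, response: bytes) -> bool:
    """Reader re-derives the key for the claimed serial and checks the MAC."""
    expected = card_response(diversify(master_key, claimed_uid), challenge)
    return hmac.compare_digest(expected, response)


def shared_key_verify(shared_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Weak design: every card holds the same key, so the serial is irrelevant."""
    return hmac.compare_digest(card_response(shared_key, challenge), response)


def demo() -> dict:
    master = bytes(range(32))                # constructed master key
    uid_a = bytes.fromhex("0102030405060708")  # constructed card serials
    uid_b = bytes.fromhex("1112131415161718")
    key_from_card_a = diversify(master, uid_a)  # assume card A's key leaked
    shared = bytes(16)                       # constructed key held by all cards
    challenge = os.urandom(16)
    resp_a = card_response(key_from_card_a, challenge)
    return {
        # Card A still authenticates as itself.
        "diversified_a_as_a": reader_verify(master, uid_a, challenge, resp_a),
        # Card A's key does not authenticate under card B's serial.
        "diversified_a_as_b": reader_verify(master, uid_b, challenge, resp_a),
        # With one shared key, a key from any card passes for every card.
        "shared_any_card": shared_key_verify(
            shared, challenge, card_response(shared, challenge)),
    }


if __name__ == "__main__":
    print(demo())
```

The master key never leaves the reader side in this sketch; protecting it is the key-management problem the post describes.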

scallinan's picture

Security, a term we are all familiar with, is defined by Wikipedia as ‘…the degree of protection against danger, damage, loss, and criminal activity’.

In the evaluation of Wikipedia’s definition of security, businesses should look comprehensively at information technology and the concept of intelligence within an organization’s business environment. Within any organization, there is a specific area where a business’ intelligence is often openly displayed, in a format easily discoverable and retainable in physical form. This area is a company’s print environment. Print information can contain incredible amounts of confidential information regarding finances, personal data, investor relations and other sensitive information that can put a company in a very vulnerable position. Add to this the increasing use of multi-function printers/devices (MFPs) and the security issue is compounded.

MFPs provide the ability to locally copy, scan, fax and email directly from the device to entities outside of a company’s network. Without ever “printing” from a workstation on the network, confidential information can easily be scanned or copied at the MFP and immediately emailed anywhere in the world. This breach of security is an issue in today’s business print environment.

Fortunately, technologies DO exist today to provide a more safe and secure print environment. Secure printing and device authentication require users to verify who they are prior to the release of their printed jobs. Once the user approaches the print device and authenticates, the job is released and printed. Authentication can be accomplished through a number of processes including the presentation of a proximity badge to an (installed) reader on the print device. Jobs not claimed for printing can be deleted within a company-defined period of time. Authentication also can control the MFP’s device-based functions of copying, scanning, faxing and emailing, and MFP device-based functions can also be accessible to only certain users and/or by device. It may be a corporate policy to authorize only certain users for the email function on an MFP, for example.

The benefits of a secure print environment actually exceed certain vertical regulatory compliance like HIPAA (HealthCare) and Sarbanes-Oxley (Finance). Corporate “Green” initiatives can also be met with a reduction in print by eliminating (i.e. managing) the print output of unclaimed jobs, reducing print-device consumable usage.

The starting place for evaluating any risk in your print environment begins with understanding your print environment. What devices exist? How are they currently used? What risk factors exist in our print environment and across our network?
The more you know, the better you can view the potential security risks that possibly exist within your organization. Then you can implement the action plans necessary to secure (and manage) your print operations.

jconnor's picture

Attention security professionals: the world of physical security technologies is officially turning some major corners.

The hockey stick of change is in full ascension and it is now time for all of our industry professionals to embrace some new ideas about the technologies and players of what will be at the core of the next generation of security solutions, the credential.

I recently had the opportunity to attend the HID Security Roundtable that brings together both consultants and integrators to have a real and raw dialog and debate about what is most important to the physical security industry. This is my third conference and it has given me some perspective from which to draw some conclusions.

The first of which is that not all change is gradual. In fact, change at this point will take a hockey stick turn upward and it may be accelerated at certain times in the lifecycle of an industry. This is most assuredly one of those times, as HID announces its intention to acquire ActivIdentity, a leader in logical security technologies. Clearly this is an indication that credentialing as the physical security industry has known it is about to change, and for the better.

Secondly, companies such as HID will need the assistance of the physical security consultants, integrators and practitioners to smoothly and rapidly move into providing converged solutions and blended solution technologies, as only these groups can provide accurate and performance based intelligence regarding the business rules, workflow, practical application and deployment of these products into the current ecosystems.

Thirdly, with or without the help of the current physical security industry leadership, HID will move their products and services strategically, and I believe successfully, into a leadership position in this new blue ocean opportunity, one that will redefine the traditional market boundaries. Our community has a real obligation to help redefine our markets for these emerging solutions or risk being marginalized.

In summary, I believe my perspectives to be true for some very simple reasons: HID and its management have a vision and seem to know who they are as a company. They are able to articulate a strategy and a tactical plan to execute on their vision. This is at the core of what this roundtable has been formed to address, both for them and for the deployment community.

As Holly Sacks, the SVP of Marketing and Strategy at HID, stated, “It’s not as much about what we are doing right, as it is what we are doing wrong that we want to hear and address.” As proof of this, we reviewed the key comments and issues brought to the table last year and were able to confirm that this is a company which is listening and acting. How refreshing.

I would like to thank the Executive Team hosts at HID, Paul Kluttz (VP, Installing Channel Team) and Rick Mohr (Director, National Accounts and Consultant Relations), and the entire supporting cast for letting us behind the curtain and for sharing your vision with us. This was far and away the most professionally run, informative and productive conference I have attended in 2010.