It all started in the aftermath of 9/11, in August 2004...
...when then President G.W. Bush signed the Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors. HSPD 12 was meant to eliminate the wide variations in the quality and security of identification used to gain access to secure facilities with the potential for terrorist attacks. The initiative intended to enhance security, increase government efficiency, reduce identity fraud and protect personal privacy by establishing a mandatory standard for secure and reliable forms of identification.
The National Institute for Standards and Technology (NIST) proceeded to develop the Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, released in March of 2006. The FIPS 201 standard specifies the architecture and technical requirements for the common ID card issued to federal employees and contractors. It describes the requirements for the system to verify personal identities, including personal identity proofing, registration and issuance, as well as the detailed specifications that will ensure interoperability among PIV systems of federal departments and agencies.
With the FIPS 201 standard in place, federal agencies started to issue PIV credentials to their employees. With millions of cards entering circulation, NIST issued Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. Issued in November 2008, SP 800-116 describes a strategy for agencies to enable their physical access control systems (PACS) to leverage PIV credentials and select appropriate authentication mechanisms to manage physical access to federal government facilities and assets.
The time soon came to consider how to apply PIV technology to federal government contractors. So in May 2009 the Federal CIO Council issued Personal Identity Verification Interoperability for Non-Federal Issuers. The CIO Council document describes how non-federal organizations can issue cards that are not only interoperable with the federal PIV systems, but are also issued in a manner that allows the federal government to trust the cards. These cards, which are intended for use by contractors to the federal government, are called PIV-I, which stands for PIV Interoperable.
HID Global is one of a few vendors who have been accredited to issue PIV-I credentials. The HID Global PIV-I Service issues certified PIV-I smart cards with printed cardholder information and certificates that comply with government security regulations. In accordance with government mandates and standards, the PIV-I Service requires that contractors, and their employees, complete a series of simple steps to register and obtain PIV-I credentials.
Finally, in 2011 the president's Cyberspace Policy Review again highlighted the importance of identity management in protecting the nation's infrastructure through OMB memorandum M-11-11, which instructs agencies to develop and issue an implementation policy, requiring the use of PIV credentials as the common means of identification for access to that agency's facilities, networks and information systems. The memorandum also includes the requirement that existing systems must be upgraded to use PIV credentials as of the beginning of FY2012.
We are definitely entering a new era in secure physical access to federal government facilities. Instead of simple flash cards which were easy to counterfeit, employees and contractors will now be able to obtain secure access by using their PIV or PIV-I credential at card readers which will electronically check and verify its validity!
We all hear that they are insecure...
...but we continue to use them nonetheless -- the good old password or static credential (compared to a dynamic changing credential such as a One-Time-Password or full PKI authentication).
I want to draw your attention though to the fact that previously we have spoken about the vulnerability of passwords, where we speculated and tried to convince people that they were insecure. Since then, the world has changed significantly in the following ways:
1. The highly publicized attack by the Anonymous group on HBGary. What is interesting in the analysis of the attack from Ars Technica is that, although the attack combined several techniques such as SQL injection, rainbow tables and social engineering, the main cause was the same old problem: simple passwords (each was just six lowercase letters and two numbers), and the same passwords used for different systems such as email, Twitter accounts and LinkedIn were also used for the administration of Google Apps email.
2. Through the increased exploitation of websites that protect their user accounts with passwords, and the publication of those passwords by groups such as Anonymous and LulzSec, it is finally possible to scientifically analyze how inept we are at using passwords effectively, especially different passwords for different sites. One such analysis, by Joseph Bonneau, of the HBGary rootkit.com and gawker.com passwords shows that nearly 30% of users with the same email address use the same password.
3. The continuous exploitation and the sheer number of leaked passwords mean that quantitative analysis of the passwords in use makes it proportionally easier for an attacker to make a progressively more educated ‘guess’ at the password of a random account to attack.
This really means that now, more than ever, one should move away from using passwords and static credentials and embrace the use of APT-resistant OTP tokens (see my blog entry ‘Not all OTP tokens are the same’) or adopt PKI-based authentication now that it can be implemented in an easily deployable appliance.
Brazilian soccer ("futebol" to the locals) is more than just a game;
it’s a national pastime. And with Brazil hosting the 2014 World Cup soccer championships, the country is investing in several infrastructure projects, including access control across various facilities, institutions and businesses that could be impacted by the games. So, as an HID employee with Banco do Nordeste do Brasil (BNB) as one of my accounts, I often have had the good fortune to be able to discuss two of my favorite interests, soccer and security.
Facing the fact that their older Proximity access control system was no longer meeting their needs, Banco do Nordeste do Brasil, a state financial entity, recently completed a project to upgrade their security. This upgrade was also fueled by the bank’s proximity to the World Cup games that will take place at Castelão Stadium in Fortaleza.
Following best practices, BNB implemented a layered security approach to address their needs: the bank installed HID iCLASS contactless smart readers at several dozen access points, and they installed HID biometric fingerprint readers at certain key access points. They also took advantage of HID’s Corporate 1000 Program in order to utilize a custom card format, thereby adding yet another layer of security to the overall system.
[Image: iCLASS reader and educational campaign to employees about the newly installed system]
To address the influx of visitors to the bank nearest the soccer stadium, access control for all entrance points will also be adapted to the new traffic conditions resulting from the games, and gates and automatic turnstiles will be installed for greater security.
I recently had the opportunity to be one of the speakers at ISC Brasil, along with Mr. Cláudio Luiz Freire Lima, Corporate Security Manager for Banco do Nordeste, and we have worked with the bank to create a case study to share more details with those interested in these types of deployments. My favorite quote from the case study comes from BNB's Mr. José Boileau, Executive Manager of Corporate Security, who commented, "There have been no installation or availability problems recorded and also we have not had problems with the performance of the products. It is a robust solution."
This statement sums up the success of the deployment and I am happy with the relationship of trust HID Global has built with Banco do Nordeste. I am also looking forward to continuing to support BNB as there are a number of interesting potential projects with the bank looking ahead. Possible future plans include a logical access solution for secure computer log-on and the implementation of a centralized access control system for 200 branch locations across 13 states and in the Federal District.
Goodbye for now, or as we say in Brazil, "Tchau."
Back in the 2000's, security professionals were told...
..."You better learn about IT networking, or you're going to be left behind." As it turns out, the warning was a good one. In the current market, companies without expertise in TCP/IP, domain controllers, SQL, XML, APIs, middleware and such, risk being bested by others that "get it."
Today, security professionals are facing another "learn it, or be left behind" choice. No longer can one get away with saying simply, "The reader reads the card and passes the card number to the controller." The technology, regulations, applications and security environment have evolved. We're reaching an inflection point where the most capable and effective security professionals need to be able to speak intelligently about topics such as encryption, PKI, mutual authentication, identity management, credential management, provisioning, digital certificates, certificate authorities, federated trust bridges, NFC and more.
So, many security professionals face a choice:
• To decide not to decide, in other words, to ignore the newer technologies, hoping they will go away (but then to struggle to see through murky waters in a few years);
• To make a conscious decision to remain the same and find and defend a niche. For instance, there were locksmiths in the 80's and 90's that chose not to learn about electronic systems, and some of them today continue to fill a market need; or,
• To choose to embrace the changes and commit to transform the skill set and business offering to address the shifting market needs. My guess is, if you're reading this blog post, you're in this latter group, and that you're already absorbing new knowledge from every conference, white paper and podcast you can find.
Personally, I find it absolutely fascinating to apply advanced technology in a never-ending battle against the bad guys. The challenges and pace of change have never been greater, and I consider myself fortunate to work at a company that has the resources to lead the charge in many areas.
And since this is my first blog post as an HID Global employee, I'll provide a bit of info on my background and a preview of topics about which I'll blog. Before joining HID recently, I worked in the market segment where physical access control systems intersect with network security products and credential & identity management systems. My background has given me the opportunity to see multiple market sectors from multiple perspectives. And it led to my fascination with the radical changes occurring in our industry. So, some of my blog posts will delve into technology, convergence and change management.
I'll also post on the topic of security marketing. One of the upcoming posts will be on the often-requested topic of how to use Twitter to market security products.
"Community" is what social tools like blogs are all about. So I encourage you to comment in the space below. Or click the "Share This" link to email this post or tweet a link to it, or click the orange icon to subscribe to this feed. You might also bookmark. Thanks for reading. I look forward to our dialog.
D. Scott Howell is Director, Marketing Communications - Americas for HID Global.