By Tam Hulusi, Senior Vice President, Strategic Innovation and Intellectual Property, HID Global
Founded in 1991, HID Global is the supplier of choice for OEMs, system integrators, and application developers serving a variety of markets, including physical and logical access control, card personalization, eGovernment, cashless payment and industry. Headquartered in California, HID Global has a workforce of 2,000 employees worldwide.
Companies are increasingly allowing employees to choose to keep their mobile devices as they change employment. Known as Bring Your Own Device (BYOD), this phenomenon is growing in popularity as quickly as the capabilities of smartphones expand. We can use our phones not only to access computers, networks and associated information assets, but also to open doors and enter secured areas. Deploying these applications in a BYOD environment requires a security assessment, proper planning, and the right technology and provisioning infrastructure.
Mobile access control simply involves replacing the plastic card with card emulation software and replicating existing card-based access-control principles. The access decisions are made between the card reader and a central hardware panel (or server) that stores the access rules and is wired to a central access authority.
Today’s smartphones can generate a One Time Password (OTP) for secure access to another mobile device or desktop. Smartphones also carry credentials for purchasing items at, say, the company cafeteria, for secure printing equipment, etc. For mobile access control to coexist seamlessly and securely with existing access control systems and traditional plastic access cards, the credential data must be communicated from the smartphone to an access-control card reader.
First, this is accomplished with Near Field Communications (NFC)-enabled handsets and/or suitable NFC-enabled add-on devices such as a microSD card, which ensures that a non-NFC-enabled device can be securely upgraded.
Second, there must be an ecosystem of readers, and other hardware that can read digital keys and respond with the appropriate action.
Third parties are also creating NFC-enabled hardware solutions including biometric devices, attendance terminals, and electric vehicle charging stations, among others.
Finally, there must be a way to create and manage the digital keys and digital cards used on smartphones. This requires a new way to represent identity information, one that operates within a trusted boundary in the access control managed network.
The technology used to confer trust on a BYOD device requires the use of the phone’s secure element, which is usually an embedded circuit or a plug-in module, often called the subscriber identity module (SIM).
By creating an ecosystem of trusted endpoints, BYOD smartphones can be effectively managed in an access control system so that identity provisioning/de-provisioning and all other transactions. Combined with the proven reliability of smartphone technology, this framework creates an extremely secure mobile identity environment in which organizations can issue digital cards and keys to mobile devices no matter where they are located or connected. NFC-enabled smartphones need to communicate with a Trusted Service Manager (TSM), which then interfaces either directly with the mobile network operator (MNO) or with the MNO’s own TSM so that a key can be delivered to the smartphone’s SIM card.
Digital cards and keys can also be shared with authorized users via NFC "tap-n-give" provisioning, depending on the organization’s security policies.
The secure mobile provisioning model eliminates the traditional risk of plastic card copying and makes it easier to issue temporary credentials and to revoke or cancel credentials in case of theft.
As both physical and logical access control applications move to BYOD smartphones, there are several issues to address. First, to preserve personal privacy while protecting the enterprise, all applications and other ID credentials must be containerized between personal and enterprise use. Another challenge is how to enable other apps for use with digital keys and cards by enabling them to support PIN entry to “unlock” key usage for authentication or signing. Additionally, middleware APIs must be standardized so that ID credential functionality can be exposed to the application.
It may be necessary to support derived credentials, such as those derived from personal identity verification (PIV) cards for federal workers, for instance. The combination of containerization and derived credentials will also create the need for hierarchical lifecycle management whereby, for example, the loss of a mobile device revokes all credentials on it, while PIV card revocation automatically revokes only the “work” mobile ID credentials derived from it. Managing this aspect of mobile IDs is probably the most challenging element of the BYOD model.
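The containerization and hierarchical lifecycle rules described in the last two paragraphs can be made concrete as a small credential registry. The following Python is an added illustration written for this page, not HID Global code or any product's API; the container names, the credential fields, the event names and the sample inventory of credentials are all assumptions constructed for the example. It shows the two revocation paths side by side: a lost phone revokes everything on that phone, whereas revoking the parent PIV card revokes only the work credentials derived from it and leaves personal credentials untouched.

```python
"""Hierarchical credential lifecycle model for BYOD mobile IDs.

Added illustration, not HID Global code. Container names, credential
fields, event names and the sample inventory are assumptions made for
this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Container(Enum):
    """Assumed container labels: personal vs. enterprise (work) use."""
    PERSONAL = "personal"
    ENTERPRISE = "enterprise"


@dataclass
class Credential:
    cred_id: str
    device_id: str
    container: Container
    # Identifier of the source credential this one was derived from
    # (e.g. a PIV card), or None for a primary credential.
    derived_from: Optional[str] = None
    revoked: bool = False


@dataclass
class CredentialRegistry:
    creds: Dict[str, Credential] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def issue(self, cred: Credential) -> None:
        self.creds[cred.cred_id] = cred
        self.audit.append(f"issue {cred.cred_id} -> {cred.device_id}/{cred.container.value}")

    def _revoke(self, cred: Credential, reason: str) -> None:
        if not cred.revoked:
            cred.revoked = True
            self.audit.append(f"revoke {cred.cred_id}: {reason}")

    def device_lost(self, device_id: str) -> List[str]:
        """Lost phone: every credential on it, personal or work, is revoked."""
        hit = [c for c in self.creds.values() if c.device_id == device_id]
        for c in hit:
            self._revoke(c, f"device {device_id} reported lost")
        return sorted(c.cred_id for c in hit)

    def source_revoked(self, source_id: str) -> List[str]:
        """Parent credential (e.g. PIV card) revoked: only the work credentials
        derived from it are revoked, on every device; personal ones are untouched."""
        hit = [c for c in self.creds.values()
               if c.derived_from == source_id and c.container is Container.ENTERPRISE]
        for c in hit:
            self._revoke(c, f"source credential {source_id} revoked")
        return sorted(c.cred_id for c in hit)

    def usable(self, device_id: str, container: Container) -> List[str]:
        """Credentials an app in the given container on the given device may use.
        Containerization: an app only sees live credentials in its own container."""
        return sorted(c.cred_id for c in self.creds.values()
                      if c.device_id == device_id
                      and c.container is container
                      and not c.revoked)


def build_sample_registry() -> CredentialRegistry:
    """Constructed inventory: one employee, two phones, one PIV card."""
    reg = CredentialRegistry()
    reg.issue(Credential("door-work-1", "phone-A", Container.ENTERPRISE, derived_from="piv-0001"))
    reg.issue(Credential("vpn-work-1", "phone-A", Container.ENTERPRISE, derived_from="piv-0001"))
    reg.issue(Credential("gym-personal-1", "phone-A", Container.PERSONAL))
    reg.issue(Credential("door-work-2", "phone-B", Container.ENTERPRISE, derived_from="piv-0001"))
    reg.issue(Credential("transit-personal-2", "phone-B", Container.PERSONAL))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print("PIV revoked ->", reg.source_revoked("piv-0001"))
    print("phone-B personal still usable:", reg.usable("phone-B", Container.PERSONAL))
    print("phone-A lost ->", reg.device_lost("phone-A"))
    for line in reg.audit:
        print(line)
```

The audit list is the part a practitioner should keep: every issue and revoke event records which rule fired, so a later question of "why did this door credential stop working" can be answered from the registry rather than from the phone.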
The co-existence of physical and logical access control on a BYOD smartphone creates the need for adequate cloud storage security so that these devices can be used for network and application log-on.
There are four possible approaches. The first is to use an open access model on the public internet, in which the username and password are managed by software as a service (SaaS) providers; however, this offers the weakest data protection. The second is to use a VPN, and have remote users first authenticate to the VPN before entering their username and password.
The third option is native strong authentication, which is inconvenient because each application requires its own specific security solution. The fourth – and best – option is federated identity management, in which the user authenticates to a central portal to access multiple applications. This approach supports many different authentication methods, does not require anything to be installed on end-user devices, and supports compliance requirements by providing a centralized audit record of every application that was accessed.
This stands up well to Advanced Persistent Threats (APTs), both internal and external. Whatever approach is chosen, there will likely be other policy and adoption issues to iron out, whether on the part of corporations that want BYOD owners to relinquish certain rights in order to use their phones for physical and logical access, or on the part of owners who want to opt out of certain capabilities because of perceived privacy concerns.
BYOD offers tremendous advantages, especially as employees’ smartphones become vehicles for carrying a growing variety of a company’s physical and logical access keys, tokens and credentials. The coming generation of mobile access control solutions will deliver improved convenience and management flexibility while ensuring highly secure transactions between smartphones, computer and networking resources, the physical access control system, and new cloud-based and over-the-air identity delivery infrastructure.