Melding physical and logical access tougher as devices proliferate
03 December, 2012
Convergence of physical and logical access credentials on to one card has often been compared to Bigfoot or unicorns. It’s talked about a lot but rarely seen.
This has started to change in recent years as U.S. government agencies and a number of large corporations launched converged solutions. But the need to enable mobile devices to access corporate resources has added complexity to convergence.
Bring your own device, or BYOD as it’s more commonly known, is disruptive to corporate IT departments. The problem is the level of work required to secure multiple devices with different operating systems. The alternative is allowing only organization-issued devices, but this can be expensive and risks employee backlash if employees don’t like the device chosen.
Using the mobile device as an identity credential and to access secure systems is a growing trend. The first draft of FIPS 201-2 didn’t have a solution for using PIV with mobile devices. The outcry caused major revisions and led to the proposal that derived credentials be used to secure mobile devices and their access to email and networks.
Mobile security is a concern for organizations and users. Employers want to secure access at the lowest possible cost. Employees want to be able to use the device of their choosing without having their employer look over their shoulder or restrict access.
The concern today is focused on use of the device to access secure information. But in the next five years the mobile may replace the plastic ID card as the employee credential, says Allen Storey, product director at Intercede. “Everything is going to migrate to the mobile device,” he says.
It’s likely that the first converged systems that use the mobile device will take advantage of the smart card and be a type of derived credential, such as those proposed in the FIPS 201-2 draft, Storey explains. In this type of system the smart card spawns a credential, typically a lower-assurance version, to a mobile device to sign and encrypt email or access networks.
There are a couple of ways this could be done. The easiest would be to use an NFC-enabled handset to read the contactless portion of the smart card credential to spawn the lesser credential. The other way is to use a mobile device manager that would take the request from a smart card that’s plugged into a computer and then load the lesser credential onto the mobile device over the air.
There are other possible solutions too. The future workplace may not have employees carrying laptops or ID credentials, says Dave Mahdi, a product manager at Entrust. Instead they’ll be carrying tablets with mobile phones. Activate an app on the mobile, tap it against the tablet, enter a PIN and gain access. Some executives or officials who require access to high-security data may still use smart cards, he says.
Using the mobile as an identity credential could reap cost savings for corporations. Enrollment stations, card printers and cards would no longer be necessary and the mobile could be provisioned over the air, says Mike Byrnes, also a product manager at Entrust. “These phones would be better security than other hardware options–far better than user name and passwords and hardware tokens,” he adds.
In the meantime many corporations are already placing digital certificates on devices using mobile device managers, says Mahdi. Some are also using one-time passcode applications and text message applications as an additional layer of security for access to virtual private networks or other systems. “They’re using those certificates to make sure information in transit is secure,” he adds.
Obstacles to mobile convergence
One barrier to using the mobile as a converged credential is the same one that has stood in the way of converged credentials for years, Byrnes says. Logical access and physical access are typically two different organizations and don’t play well together. “These are siloed groups that have different budgets and different goals,” he says. Another is the limited availability of NFC and the restrictions on accessing it. Derived credentials would be simple to use if an end user could tap their NFC-enabled handset on a contactless card to spawn the new credential. “NFC plays a crucial role and is central to this,” Storey says.
In the U.S., mobile operators and handset manufacturers control the secure element and thus the ability to access the NFC capability. Agreements need to be put in place so consumers and their chosen application providers can enable data to be stored on the secure element. Until these agreements are in place, using NFC in an enterprise environment will be severely restricted.
There are also concerns about viruses and malware when it comes to the mobile, Mahdi says. “A smart card has its own operating system and it’s not online so there’s no risk of something running in the background or your card becoming a zombie,” he explains.
The mobile device is another story. It’s online and more vulnerable to attack.
Policies need to be put in place to make sure the employee knows what may happen in case a mobile device is infected, says David Adams, senior director of product marketing at HID Global. If a phone was infected with malware or corrupted, an employee would have to allow the phone to be wiped.
There’s also the idea of containerization for mobile devices, Adams says. All work related applications would be stored in a secure encrypted area and personal applications in another. The two wouldn’t mingle.
BYOD and security convergence are coming. While policy and technical issues have to be figured out, these are not urban legends like unicorns or Bigfoot.