19 December, 2012
TREND #1: Users are seeking a more “frictionless” security experience, with solutions that are built on open standards to ensure interoperability, adaptability and credential portability to mobile devices.
The term “frictionless” describes security solutions that don’t slow users down. Rather than make users carry separate cards, keys and tokens, the coming generation of frictionless solutions will embed these and other credentials inside Near Field Communication (NFC)-enabled smart phones and other mobile devices. Strong authentication will remain a primary pillar of an organization’s security strategy, but the need for lower cost and greater convenience will drive solutions that don’t require users to carry a dedicated security token. Similarly, users will value being able to open doors with their smart phones rather than having to carry an ID card.
To support this trend, credentials will be embedded into NFC-enabled phones, and identity management will move to the cloud in a way that facilitates frictionless user login – often from personal devices using the Bring Your Own Device, or BYOD, deployment model – for both Software as a Service and various internal enterprise applications. Using BYOD smart phones for frictionless access control applications requires planning and a rigorous security assessment, along with an infrastructure that supports cloud-based provisioning of digital keys and credentials.
Cloud security becomes critical. Today, much of the discussion is focused on securing the platform, but as enterprises continue to move applications into the cloud and take advantage of the SaaS model, it will be critical to resolve challenges around provisioning and revoking user identities across multiple cloud-based applications, while also enabling secure, frictionless user login to those applications.
Frictionless access control solutions will also need to support open standards to foster the availability of interoperable products and future-proof the access control infrastructure, ensuring that investments in today’s technologies can be leveraged in the future.
TREND #2: Mobile access control adoption will accelerate and evolve to change the industry.
During 2012, the industry laid the foundation for mobile access control deployment on NFC-enabled mobile devices. To fuel broad adoption, the landscape must include widely available NFC-enabled handsets with secure elements, supporting all primary operating systems.
All keys and cryptographic operations must be protected inside the smart phone’s secure element – usually an embedded tamper-resistant integrated circuit, or a removable form such as the SIM – so that information moves over a secure channel, within a trusted boundary, between NFC-enabled phones, their secure elements, and other secure media and devices. The landscape must also include readers, locks and other hardware that can read digital keys carried on these handsets, as well as an ecosystem of mobile network operators, Trusted Service Managers (TSMs) and other providers who can deliver and manage mobile credentials.
The timing and development of this ecosystem will have an impact on how quickly NFC is adopted for any application, from mobile payment to transport ticketing to access control.
The simplest mobile access control model is card emulation, in which the phone merely behaves like the card it replaces. Moving forward, the smart phone’s on-board intelligence could take over most of the tasks now performed by the access control system, which has the potential to dramatically change the industry. Consider this: approximately 5% of all doors in a facility today have some sort of electronic access control; the remaining doors are either secured by a mechanical lock and key, or are unsecured.
If we let NFC-enabled smart phones serve both as the key and as the rules engine that makes the access control decision, we can secure far more doors electronically. We install “dumb” electronic locks that hold no access database and let the smart phone decide, according to policy, whether to grant or deny access. For each door that is electronically secured today, we could see more than five times that number secured in the future using this mobile access control model.
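The practitioner’s caveat with the phone-as-rules-engine model is that a “dumb” lock must still be able to check, cryptographically, that the decision presented to it was authorized for that door and that time window; a lock that simply trusts an “open” message from any phone is only as secure as the phone’s software. The sketch below is an added example written for this page, not code from the article or from any vendor’s product. It assumes a hypothetical cloud issuer that shares a per-lock key with each lock and hands the phone a policy record protected by a MAC under that key; the phone evaluates the policy locally (the rules engine), and the lock re-verifies the MAC, the door binding and the time window without needing any database of its own. Key material, door identifiers and field names are all constructed for illustration.

```python
"""Phone as key and rules engine, dumb lock as verifier (illustrative model).

Added example, not from the original article. A hypothetical cloud issuer
shares a per-lock key with each lock; the phone evaluates the policy and
the lock independently re-checks it. Keys and identifiers are constructed.
"""
import hashlib
import hmac
import json

# Constructed per-lock keys. In a deployment the lock's key would be injected
# at manufacture and the phone would hold its credential in the secure element.
LOCK_KEYS = {"door-17": b"constructed-key-for-door-17"}


def _canonical(policy: dict) -> bytes:
    """Stable serialisation so issuer and lock MAC exactly the same bytes."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(door_id: str, subject: str, not_before: int, not_after: int) -> dict:
    """Cloud issuer: a policy the phone will evaluate, MACed for the lock.
    Times are epoch seconds; the lock never learns the subject list."""
    policy = {"door": door_id, "sub": subject, "nbf": not_before, "naf": not_after}
    tag = hmac.new(LOCK_KEYS[door_id], _canonical(policy), hashlib.sha256).hexdigest()
    return {"policy": policy, "tag": tag}


def _in_window(policy: dict, now: int) -> bool:
    return policy["nbf"] <= now <= policy["naf"]


def phone_decide(credential: dict, door_id: str, now: int):
    """Rules engine on the phone: decide before talking to the lock.
    Returns the message to present to the lock, or None if policy denies."""
    policy = credential["policy"]
    if policy["door"] != door_id or not _in_window(policy, now):
        return None
    return credential


def lock_verify(message, lock_id: str, now: int) -> bool:
    """'Dumb' lock: no policy database, but it still verifies the MAC with its
    own key and re-checks door binding and time window. Trusting the phone's
    decision alone would let a modified app open any door at any time."""
    if message is None:
        return False
    key = LOCK_KEYS.get(lock_id)
    if key is None:
        return False
    policy = message["policy"]
    expected = hmac.new(key, _canonical(policy), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return False  # tampered or re-issued policy
    return policy["door"] == lock_id and _in_window(policy, now)


if __name__ == "__main__":
    cred = issue_credential("door-17", "alice", 1000, 2000)
    print("in window:", lock_verify(phone_decide(cred, "door-17", 1500), "door-17", 1500))
    # A phone app patched to extend its own window fails at the lock.
    tampered = {"policy": dict(cred["policy"], naf=9999), "tag": cred["tag"]}
    print("tampered:", lock_verify(phone_decide(tampered, "door-17", 2500), "door-17", 2500))
```

Two things this sketch deliberately leaves out, and a real design must add: a fresh challenge from the lock so a captured message cannot be replayed, and a revocation path (short validity windows or a lock-side deny list) so a lost phone does not keep opening doors until its policy expires.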
TREND #3: Mobile access control solutions will still co-exist with cards.
One of the greatest benefits of mobile access control is that all identity information the user requires for opening office doors and logging onto enterprise computers is safely embedded in a phone, rather than on a plastic card that can be copied or stolen and without requiring the user to remember passwords – or write them on Post-it notes attached to their computer screen. Despite these and other benefits, it is unlikely that NFC-enabled smart phones will completely replace physical smart cards in the coming years.
Instead, mobile access credentials inside NFC-enabled smart phones will co-exist with cards and badges so that organizations can implement a choice of smart cards, mobile devices or both within their physical access control system. Many organizations will still want their employees to carry traditional cards because they are used as a means of photo identification. It will be important for users to plan ahead to support both types of credentials in their PACS.
TREND #4: Access control continues to converge – both on cards and on NFC-enabled mobile devices.
Users increasingly want a single credential for entering the building, logging onto the network, accessing applications and other systems and gaining remote access to secure networks without needing a one-time password token or key fob. It’s more convenient and greatly improves security by enabling strong authentication throughout the IT infrastructure, rather than just at the perimeter.
It also reduces deployment and operational costs, by enabling organizations to leverage their existing credential investment to add logical access control for network logon and create an interoperable, multi-layered security solution across company networks, systems and facilities. Converged solutions also help organizations meet regulatory requirements, enforce consistent policies and drive consistent audit logs throughout the enterprise while cutting costs by consolidating tasks.
Mobile access control solutions are good convergence platforms. NFC adoption will increase interest in extending contactless card technology beyond building access to include authenticating identity in the IT domain. Physical and IT security teams will begin working together more closely.
Phone apps will generate one-time password (OTP) soft tokens or receive them via SMS, and a variety of other access control keys and credentials will be sent over the air to the phone using a cloud-based provisioning model that is designed to prevent credential copying and to make it easier to issue temporary credentials, cancel lost or stolen credentials, and monitor and modify security parameters when required.
This trend also improves the economic model for biometrics by turning the smart phone into a portable database for template storage, which simplifies system start-up, supports unlimited user populations spanning multiple sites and eliminates the redundant wiring that template management otherwise requires. But the trend will also drive the need for adequate cloud-based security so that smart phones can be used for network and application logon. The most effective approach for data moving to the cloud will likely be federated identity management, which lets users access multiple applications by authenticating once to a central identity provider.
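The OTP soft token mentioned above is normally the time-based algorithm of RFC 6238 (TOTP), built on the HMAC-based HOTP of RFC 4226. The block below is an added example, not code from the article, showing both the phone side (generating the code) and the server side (verifying it with a small tolerance for clock drift). It uses only the Python standard library; the seed is the published RFC test-vector secret, not a real one, and the `window` and `step` values are ordinary defaults chosen here for illustration.

```python
"""RFC 6238 TOTP soft token: phone-side generation and server-side check.

Added example, not from the original article. Standard library only. The
seed below is the RFC 4226 / RFC 6238 test-vector secret, not a real key.
"""
import hashlib
import hmac
import struct

RFC_SEED = b"12345678901234567890"  # published test-vector secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """What the phone app displays: HOTP with the counter derived from time."""
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1,
                step: int = 30, digits: int = 6):
    """Server side. Accepts the current step plus/minus `window` steps to
    tolerate clock drift and compares in constant time. Returns the counter
    that matched (so the caller can store it and refuse any reuse of the same
    or an earlier counter, which closes the replay hole a plain True/False
    check leaves open) or None on failure."""
    counter = int(at // step)
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B vector for SHA-1, 8 digits, T = 59 seconds.
    print(totp(RFC_SEED, 59, digits=8))   # 94287082
    print(verify_totp(RFC_SEED, totp(RFC_SEED, 59), 59))
```

The server must persist the counter returned by `verify_totp` per user and reject a code whose counter is not greater than the last accepted one; otherwise a code observed in transit remains valid for the whole tolerance window.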
TREND #5: Card technology will continue to migrate from magstripe and prox to smarter smart cards with additional, multi-layered security.
Card technology continues to evolve from magstripe and prox cards to smart cards. Today’s gold standard for access control applications is contactless smart cards that are based on open standards, featuring a universal card edge, also known as a card command interface, which improves interoperability with a broad ecosystem of products within a trusted boundary.
The latest cards improve security, privacy and portability to mobile credentials, and users are increasingly enhancing their cards and badges with more and more layers of additional visual and digital security. Visual elements include higher-resolution images, holographic card over-laminates and permanent and unalterable, laser-engraved personalization attributes.
Cards also increasingly incorporate expanded digital storage capacity so they can include biometric and other multi-factor authentication information to enhance identity validation. Printing technology also continues to advance in support of these trends, simplifying how cards are produced and distributed while making them more secure.
Additionally, smart cards are moving into new market segments. For instance, the U.S. is exploring solutions that implement the EMV global credit and debit payment standard based on chip card technology. Migrating to smart cards offers stronger security, and the benefit of combining multiple applications and both physical and logical access control into a single solution that, optionally, can reside on NFC-enabled smart phones.
Although migration does involve change, the combination of multi-technology cards and readers plus field-programmable cards and systems minimizes disruption to the day-to-day workflow. Employees and the organization can benefit from a more secure and user-friendly environment that provides the scalable foundation for future capabilities and applications.
TREND #6: Mobile access control is accelerating identity management’s move to the cloud, supported by new managed services.
Companies have already begun outsourcing their traditional badging projects to cloud-based service providers that have the scale and resources to handle large-volume orders with tight deadlines that would otherwise be difficult for an individual credential issuer or integrator to accommodate on its own. And now, with the advent of mobile access control, the scope of services is growing to include deploying and managing mobile credentials carried on users’ NFC-enabled smart phones.
Organizations will provision mobile access control credentials in one of two ways. The first is via the same type of Internet portal used to provision traditional plastic credentials – the mobile device will be connected to the network via a USB or Wi-Fi enabled link. The second approach is over-the-air via a mobile network operator, similar to how smart phone users download apps and songs.
Access control trusted service managers will interface with the mobile network operator and its TSM, and with the NFC smart phones that receive the encrypted keys and credentials for storage in the phone’s secure element, SIM or secure microSD. New applications will also be pushed to the phone, so that multi-factor authentication becomes a contextual, real-time managed service.
TREND #7: Secure issuance advancements are simplifying how cards are produced and distributed, while also making them more secure.
Printing technology will continue to evolve in support of today’s access control trends, simplifying how cards are produced and distributed while making them more secure. Advancements in issuance solutions including printers, card materials and software are making it easier to meet the highest security requirements by incorporating critical visual and logical technologies for multi-layered validation and by using multi-layered management procedures that further improve security while enhancing issuance system efficiency.
Additionally, businesses of all sizes will continue to have a range of printer/encoder cost and performance options to meet their specific needs. Small businesses will focus on a printer/encoder’s ease of use, since few of these organizations have extensive IT resources.
Mid-size organizations will typically need intuitive solutions that are not only easy to use but also scalable, so they can meet evolving requirements. And large organizations will focus on high card throughput to support growing requirements for staff, contractors and visitors, as well as the ability to deploy a wide variety of risk-appropriate solutions.
Regardless of company size, organizations will have a number of features to consider, depending on their application requirement and typical user profile. A growing range of options will be available, from monochrome direct-to-card solutions that combine quality, reliability and ease of use, to high definition print retransfer technology for contactless or contact smart cards, and on to high-throughput solutions that optimize performance and productivity.
TREND #8: Trusted NFC tags will change how we secure assets and protect consumers.
As the “Internet of Things” becomes more of a reality, new NFC-based tracking, auditing and origination services will emerge for conferring trust onto documents, protecting consumers from counterfeit goods and enabling other applications that involve interactions with things.
Holders of government certificates, legal agreements, warranties and other important documents have traditionally protected them from fraud by having them physically signed or notarized by a person acting in a trusted role. However, these documents, themselves, have been at risk of forgery and duplication. There also has been no easy way to authenticate the value or ownership of physical items including luxury products, or the warranty status of purchased equipment.
Now, authentication tags can be attached to a document, carrying an electronically signed, cryptographically secured digital certificate of authenticity from the owner or a trusted certification entity. Designed to resist cloning and duplication, these NFC tags can be embedded in a product or incorporated in tamper-evident stickers attached to products and equipment.
Identity certificates that have been electronically signed and cryptographically secured can be provisioned to the tags using a cloud-based service, and users can verify authenticity with complete confidence at any time in the product or document’s lifetime. With NFC-enabled smart phones, this authentication process can be performed anywhere, at any time, using a smart phone application.
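A point worth making explicit for the verification flow described above: a signed certificate of authenticity proves that the *record* is genuine, not that the tag presenting it is. Anything a phone can read from a tag, an attacker can read too and write onto another tag, so clone resistance comes from a secret that never leaves the tag and is exercised by a fresh challenge on every check. The block below is an added example written for this page, not code from the article or any tag vendor. It models a genuine tag, a clone that copied everything readable (including one previously observed challenge and response), and a phone-app verification that first checks the certificate and then demands a response to a new nonce. HMAC stands in for the digital signature and for the tag’s on-chip keyed operation; the issuer key, per-tag secret, tag UID and product data are all constructed.

```python
"""NFC authenticity tag: static certificate check versus challenge-response.

Added example, not from the original article. HMAC stands in for the digital
signature and for the tag's on-chip keyed operation. Keys, UIDs and product
data are constructed for illustration.
"""
import hashlib
import hmac
import json
import os

ISSUER_KEY = b"constructed-issuer-key"                      # signs certificates
TAG_SECRETS = {"04A1B2C3": b"constructed-per-tag-secret"}   # held by tag and verifier


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_certificate(tag_uid: str, product: str) -> dict:
    """Issuer binds the product data to the tag UID and signs the record."""
    rec = {"uid": tag_uid, "product": product}
    return {"rec": rec, "sig": _mac(ISSUER_KEY, json.dumps(rec, sort_keys=True).encode())}


def certificate_valid(cert: dict) -> bool:
    """Static check: is the record genuinely issued? Says nothing about the tag."""
    expected = _mac(ISSUER_KEY, json.dumps(cert["rec"], sort_keys=True).encode())
    return hmac.compare_digest(expected, cert["sig"])


class GenuineTag:
    def __init__(self, uid: str, cert: dict):
        self.uid, self.cert = uid, cert

    def read_certificate(self) -> dict:
        return self.cert

    def respond(self, nonce: bytes) -> str:
        # Computed inside the tag's chip; the secret itself is never readable.
        return _mac(TAG_SECRETS[self.uid], nonce)


class ClonedTag:
    """Attacker copied everything readable: the certificate plus one
    challenge/response pair sniffed earlier. The per-tag secret is not copied."""
    def __init__(self, genuine: GenuineTag, seen_nonce: bytes):
        self.cert = genuine.read_certificate()
        self.replay = (seen_nonce, genuine.respond(seen_nonce))

    def read_certificate(self) -> dict:
        return self.cert

    def respond(self, nonce: bytes) -> str:
        return self.replay[1]  # can only replay what it saw


def verify(tag, nonce: bytes = None) -> bool:
    """Phone-app flow: validate the certificate, then challenge the tag with a
    fresh nonce so only a tag holding the secret can answer."""
    cert = tag.read_certificate()
    if not certificate_valid(cert):
        return False
    secret = TAG_SECRETS.get(cert["rec"]["uid"])
    if secret is None:
        return False
    nonce = nonce or os.urandom(16)
    return hmac.compare_digest(_mac(secret, nonce), tag.respond(nonce))


if __name__ == "__main__":
    cert = issue_certificate("04A1B2C3", "Widget 9000")
    genuine = ClonedTag.__mro__ and GenuineTag("04A1B2C3", cert)
    clone = ClonedTag(genuine, b"old-nonce")
    print("genuine:", verify(genuine))                        # True
    print("clone, certificate only:", certificate_valid(clone.read_certificate()))  # True
    print("clone, fresh challenge:", verify(clone))            # False
```

The verifier here holds the per-tag secret, which in the article’s model would live in the cloud service the phone app talks to; a tag with an asymmetric key pair would let the phone verify offline against the tag’s public key instead, with the same fresh-nonce requirement.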
TREND #9: FIPS-201 technology is fueling robust personal identification security and moving beyond federal agencies and contractors to commercial applications.
In 2004, the Federal government issued a directive mandating the use of a standard credential by all federal employees and contractors who need to gain physical access to federally controlled facilities and logical access to federally controlled information systems. A major goal of Homeland Security Presidential Directive 12 was to achieve trusted interoperability throughout the federal government by, among other things, having a highly secure identity card that supported strong authentication mechanisms.
More details about the card were provided in 2005 when the National Institute of Standards and Technology released FIPS 201. During 2012, it became possible for organizations to achieve FIPS 201 compliance for their PACS by simply augmenting the existing door controller and panel functionality with modules that contain all the PKI validation functions executed at the time of access. It is expected that PKI at the door will become more common as FIPS 201 evolves and there are more and more products available on the market to support it.
The PIV card is already having a significant impact not only on federal agencies, but also on their contractors, and even on commercial businesses and state and municipal government organizations. Two additional credentials have been defined: the PIV-Interoperable (PIV-I) card for government contractors and other non-federal issuers, and the Commercial Identity Verification (CIV) card for commercial organizations.
The CIV credential is the commercial equivalent of PIV-I and enables non-government organizations to take advantage of the hundreds of millions of dollars that have been invested in the FIPS 201 program. CIV technology brings a proven strong authentication method while delivering cost savings and the flexibility to choose from a long list of compatible and interoperable products. There also will be significant opportunities to deploy PKI at the door at lower cost with CIV cards. The cards will be particularly attractive for airport security. Airport management will be able to create a single access control system that supports both airport employees using CIV cards and federal TSA employees using PIV cards.
TREND #10: Visitor management technology is increasingly being integrated with access control systems.
Visitor management systems add substantial value in improved security and operational efficiency while enhancing the professionalism of organizations that previously used paper-based solutions. Visitor management will increasingly be integrated with access control systems to provide complete security solutions that protect employees and temporary visitors from intruders and unwanted guests.
Integration of visitor management with access control systems enables lobby attendants to easily and safely provide temporary proximity credentials to guests through the visitor management system, rather than the access control system. The information entered into the visitor management system during check-in is seamlessly passed to the access control system so that a proximity card for the visitor can be activated.
When the visitor leaves and is checked out by the visitor lobby system, the card is automatically deactivated, and the expiration date and time are automatically passed to the access system, ensuring that a lost or stolen card can no longer be used. Integrating visitor management with access control also eliminates the problems of having a supply of live cards at the reception desk for those who have forgotten their employee badges. The visitor system also has a record of all visitors who have been provided an access card, so there is a complete audit trail, including information about the dates and times when cards were active.