The Marriage of Physical and Logical Access: Unifying the Keys to the Kingdom

Contributed by: SSP Litronic

Access Control: Getting Past the Gatekeeper

There is a two-tiered approach to security that all businesses must consider in order to
fully protect their assets: physical security, which denotes real property
such as buildings and facilities; and information security, which encompasses
the data and intellectual property that resides on computer networks. It is
vital that any business take both into consideration when implementing an
overall security strategy. Whether you’re a small business or a large
enterprise, the consequences of a security breach can be drastic. Managing
access to resources is one of the most proactive ways to safeguard both
physical and intellectual property.

Access control is the mechanism by which a system grants or restricts the right to
access facilities (physical access) or computer networks and data (logical
access). Many large enterprises have already deployed technology for physical
security. Employees with the appropriate clearances or permissions are
provided with smart identification (ID) cards that verify their rights and
privileges. Once presented, scanned or inserted into readers, these
credentials permit access to secure areas of the workplace, which often
include parking garages, manufacturing facilities and research and development
laboratories.

Smart Cards: The Foundation for Stronger Authentication

Although businesses have long realized the necessity of smart card-based physical
access control, the adoption of smart card-based logical access control has
taken place at a slower rate. This trend is somewhat surprising, considering
how easy it is for intellectual property to be compromised. There is obvious
value in preventing unauthorized persons from entering restricted areas.
However, physical access control provides a very limited degree of protection
for computer resources, which can include networks, PCs, workstations and
laptops.

In today’s digital world, the vast majority of business assets are in
electronic form. The data that resides on computer networks is sensitive and
proprietary, including everything from financials to product plans. If this
data were to be compromised, it could easily result in a company losing its
competitive edge, and eventually, customers. Additionally, today’s workforce
is not as stable as it once was. A high turnover rate and increased use of
outsourcing means that more people than ever are accessing corporate data. For
global enterprises with thousands of employees, there is an exponentially
higher potential for information security breaches.

Unfortunately, many enterprises still tend to be very reactionary when it comes to network
security. The need for, and value of, network security becomes evident only
when there is an actual attempt to compromise information. But this viewpoint
is changing, considering recent legislation that is affecting business
processes for protecting, retaining and managing data. A worst case scenario
exists in heavily regulated industries such as financial services and
healthcare, which handle highly sensitive information and bear extra
responsibility for maintaining data integrity and privacy. Should information
be leaked, the potential liability is enormous.

Considering the ramifications of unauthorized access to data, it is concerning that most
enterprises are still only using user names and passwords for logical access
control. A specific user name and password is created for each user, and for
each application that he or she requires access to. This creates two major
problems. First, user names and passwords are the lowest form of
authentication that exists. They are easily compromised - often written down
and easy to share with others - and therefore do not provide the high level of
assurance necessary to protect critical data. Secondly, passwords are a
headache for both users and IT staff. Employees have so many passwords that
they invariably forget them and have to call the help desk to either remember
or reset them. This drains valuable IT time and resources, resulting in lost
productivity and higher support costs for the organization.

Increased security risks, combined with the weakness and inefficiency of the user name
and password model, are now driving the need for smart card-based logical
access control.

Defined at its highest level, a smart card is a credit-card sized plastic card that
includes an embedded computer chip. The chip can either be a microprocessor
with internal memory or a memory chip alone. There are two general categories
of smart cards: contact and contactless smart cards. A contact smart card
requires insertion into a smart card reader, while a contactless card requires
only close proximity to a reader. Smart cards store large amounts of data,
carry out on-card functions such as encryption and digital signatures, and
interact intelligently with a smart card reader.

Already widely implemented by government agencies, including the Department of
Defense, smart cards provide higher assurance via two-factor authentication,
which requires something the user knows (a password) and something the user
has (the smart card). Smart cards also provide stronger authentication by
virtue of being based on Public Key Infrastructure (PKI). PKI is an
architecture of trust that supports a certificate-based public key
cryptographic system. PKI uses a combination of
public and private keys to authenticate identity, and typically includes
digital certificates, a certificate issuance authority and a registration
authority.

Unifying the Keys to the Kingdom

With smart card-based physical access already in place at many enterprises, the next
logical step is to afford the same level of protection for information assets.
Physical access control provides a first line of defense, but a multi-layered
approach is required for truly proactive security. As such, there is a
compelling argument to implement smart cards for logical access. In fact,
businesses stand to realize the most benefits in cost savings, ease of use and
increased security by “marrying” physical and logical access control onto
one platform. Instead of adding technological and management complexities by
having separate access control systems for physical facilities and electronic
data, it makes the most sense to combine the two for higher assurance, cost
savings, efficiency and ease of use.

Since more than one access application can be carried on a single smart card, employees
can use one card to access physical and logical resources without carrying
multiple credentials. From the doorways to the desktops, one convenient
solution provides the secure identity management, strong authentication and
access control necessary to safeguard both physical and intellectual assets.
The Department of Defense has already realized the importance of this with its
Common Access Card (CAC) program. A smart card-based CAC is issued to all
military and civilian employees and contractors. These cards are used to
digitally sign and encrypt documents, in addition to providing secure access
to buildings and computer networks.

The marriage of physical and logical access builds an infrastructure of increased trust.
Deploying smart cards to employees, partners and other key individuals is a
proactive enterprise approach to higher assurance. User names and passwords
should be considered an unacceptable access control mechanism, as they are
easily forgotten or compromised. The multi-factor authentication and PKI
architecture offered by smart cards vastly decrease the likelihood that
unauthorized users will gain access to sensitive data.

When deploying new technology, companies must consider the long-term return on
investment. Smart cards provide significant ROI in terms of both cost savings
and increased security, especially for global enterprises that have thousands
of employees dispersed all over the world. Supporting system components can be
networked, allowing separate functional areas in an organization to exchange
and coordinate information automatically and in real time around the world.
Organizations that already have smart card-based physical access in place
can simply expand card use to protect network resources and benefit from
an easily scalable solution. Legacy systems, including physical access system
components, can be leveraged for investment protection while providing
increased security for logical access. Enterprises can also reduce their IT
support costs with the implementation of smart cards. Although the perceived
low cost of user names and passwords may have contributed to their popularity,
the real expense occurs on the back end with support and password management
costs.

Ease of use is another compelling argument for marrying physical and logical access on a
single platform. Users will not have to carry multiple credentials and they
will not have to remember multiple passwords or PINs to access applications
and data. Instead, they will have one smart card that they can use for
everything.

Smart card-based physical and logical access control provides a superior foundation
for secure identity management. By unifying the keys to the kingdom,
enterprises can protect their assets and employees’ personal information,
while addressing regulatory requirements and reducing potential liability. As
it stands today, smart cards are the most viable way to bring security out to
the edge of the enterprise.