Regarding ID Summer 2016


46 A SURVEY OF ID TECHNOLOGY - SUMMER 2016 - ISSUE 46

REDEFINING LOGICAL ACCESS


“ I’m starting a new job, finishing my degree and I have a true passion for the arts. I’m proud of my work and the cards in my wallet represent my life.”

— Robert H. Marketing Director Corporate Technologies

Every person in your program has multiple identities, and securing and protecting those identities is no small task. Datacard® ID solutions empower enterprises to protect what’s most important to them in an increasingly connected world with trusted, long-lasting, secure ID cards.

Visit Datacard.com/ReID to learn more by downloading your free ID Solutions Guide.

© 2015 Entrust Datacard Corporation. All rights reserved.

DATACARD GROUP IS NOW ENTRUST DATACARD


ANCHORING YOUR CUSTOMERS AGAINST THE CREDENTIAL TIDES.

DON’T LET YOUR CUSTOMERS DRIFT AWAY

SecureKey empowers consumers to access online services they want and need using their familiar and trusted online banking user ID and password. For online services, SecureKey is convenient for consumers and alleviates risk by eliminating the use of passwords and personal information to log in. The average consumer has more than 130 user IDs and passwords … don’t be one of them.

Learn more at www.securekey.com


Securing people in today’s digital world begins with protecting their identities and personal data. Gemalto contributes to more than 100 government programs worldwide including 30 ePassport and 25 national eID initiatives.

GEMALTO.COM

IN AN INCREASINGLY CONNECTED SOCIETY GEMALTO IS THE LEADER IN MAKING DIGITAL INTERACTIONS SECURE AND EASY. LEARN MORE AT GEMALTO.COM

© Gemalto 2016. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries. May 2016 - CC

Securing the identity and bringing trust to millions of citizens worldwide


CONTENTS

18 Cover Story: Redefining logical access for the modern enterprise. In the good ole’ days, logical access was simple. An employee logged on to a PC first thing in the morning to gain access to the device and the local network. It is not so simple anymore. Our working definition of logical access – perhaps even the term itself – must change with the times. Today, it defines a complex provisioning process that manages access to both on-premise and cloud-based apps and data. Is your definition of logical access up to date?

34 In new construction, opportunities abound for physical access control. Constructing a new building enables many opportunities, particularly when it comes to physical access control systems. Instead of relying on old school keys, locks and legacy PACS, new construction presents a proverbial clean slate, opening the door to wireless entry, biometric access points and cloud-based security.

48 Goodbye FIPS 201 product testing, hello system certification. Testing and certification can be touchy subjects to those providing physical access control systems to U.S. agencies. While often time consuming and expensive, these steps are also necessary to force products to adhere to government-issued specs. For its Approved Products List, the GSA has abandoned individual component testing, instead ensuring components work together as part of a larger system.

11 ‘Shark Tank’ winner focuses on mobile keys for physical security

30 Projects aim to protect the globe’s most vulnerable citizens via digital ID

53 Federated identity knocks down siloes in clinical drug research


ABOUT

EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com
EDITOR Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR Andrew Hudson, andrew@AVISIAN.com
CONTRIBUTING EDITORS Liset Cruz, Autumn Cafiero Giusti, Gina Jordan
ART DIRECTOR Ryan Kline
ADVERTISING SALES Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com

SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2016 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.

EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com

IDENTITY AT A CROSSROADS

ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

OLD AND NEW SCHOOLS MUST CONVERGE

A decade ago many thought individuals would be walking around with smart cards that they would insert into their computers to authenticate for access to networks and secure all manner of transactions. How quaint. When you think about it, even the term we used to describe it – logical access – has become quaint.

A decade ago, logical access was how organizations defined getting employees onto secure networks and email. This was first done by typing a user name and password to access the machine and later extended to email and internal networks. Later, one-time passcode tokens were issued and in some instances smart cards.

Everything has changed. Today, we are embarking on a tokenless world where consumers make purchases, citizens obtain government services and employees authenticate to secure networks with the touch of a finger on their mobile device. The online identity world – for both consumers and the enterprise – is changing, and both the old and new schools need to work together to build a system that is secure and easy to use.

There are two distinct camps in these discussions:

The old school says tokens are awesome and can enable access to facilities and computers.

The new school says tokens are fine, but it’s more than just letting people in the front door; there needs to be continuous authentication of multiple attributes to control where they can go and what they can do.

Logical access has expanded exponentially, but the old school still views it as opening the front door – both physically and virtually. This antiquated definition of logical access is now just the first mile in a marathon. If we only secure the virtual front door, the machine or the corporate network, we are suggesting that the corporation’s key resources are only held within. But the most valuable data is often stored in the cloud, so access needs to be enabled and provisioned there. The new school still cares how an employee gets in the front door, but it goes well beyond.

Still, lessons learned from the old school would be valuable to those trying to control access once within a network or application. The new school can also teach the old that there is more to look at than a single token and that there are a variety of attributes that can be used to determine secure access. In a perfect world there would be a blending of the two worlds to create the ultimate access solution. Let us see.


CONTENTS

4 Identity at a crossroads: Old and new schools must converge
6 ID Shorts: News and posts from the web
18 Redefining logical access: Knowing employees, authenticating users and provisioning access across networks and in the cloud
20 Redefining authentication in the enterprise
21 Feds redefining logical access for contractors
22 Single sign-on delivers both convenience and security: SSO manages 100s of username and password combos in one secure login process
24 Canada explores trusted online identities
26 ‘Significant update’ on deck for NIST’s digital auth rules: Revisions to the ‘levels of assurance’ to take place on GitHub
30 Legal identity for all: Projects aim to protect the globe’s most vulnerable citizens via digital ID
34 Physical access control in new construction: Starting from scratch opens doors for cloud-based access, wireless locksets and more
36 SIA standardizes architectural symbols for PACS in new construction
38 EMV infrastructure could ID patients for health care services: New report outlines scenarios for converging payments and identity
40 Feds scrap Connect.Gov: GSA to build central identity hub as 18F takes over project
42 Security Industry Association takes on health care security space
44 Axing PVC from high-security documents: Issuers finding advanced card materials worth the added investment
46 Your user ID and password has been stolen... In the meantime...
48 GSA changes FIPS 201 approved products list: Focus moves from component testing to system interoperability
49 Will GSA’s new approval process push PIV-I in the enterprise?
51 Pentagon getting rid of Common Access Card?
52 FIDO makes pitch for Government adoption: U.S. and UK already taking steps toward incorporating the specs
53 Federated identity knocks down siloes in clinical drug research
54 Alabama tackling income tax fraud with electronic IDs


ID SHORTS

HIGHLIGHTS FROM SECUREIDNEWS.COM

SMART CARDS COULD CUT MEDICARE FRAUD BY 20%

The use of smart cards for patient identification could curb more than 20% of Medicare fraud cases, according to a report from the Government Accountability Office. The GAO reviewed 739 health care fraud cases that were resolved in 2010 to find out how these schemes were conducted and whether smart cards would have prevented the fraud. Analysis found that the use of smart cards could have stopped 165 of the cases, or about 22%. These cases included schemes that involved the lack of verification of the beneficiary or provider at the point of care. Smart card use would not have affected the majority of cases because either beneficiaries or providers were complicit in the schemes. For example, the use of cards would not have affected cases in which the provider misrepresented the service – as in billing for services not medically necessary.

The Secure ID Coalition has been pushing for a smart card to replace the paper card used by Medicare recipients and still says it can help stop the bleeding. A 2015 GAO report found that of the $125 billion in improper payments distributed across the government in 2014, nearly half – $60 billion – came from one federal program: Medicare. “If we follow the data, it becomes clear that something has to change in terms of how we authenticate Medicare transactions, protect beneficiary information and safeguard taxpayer dollars,” says Kelli Emerick, executive director at the Secure ID Coalition.

Also, since the GAO only looked at information from cases that were prosecuted in 2010, it may not be a representative sample. “Since most Medicare fraud occurs entirely under the government’s radar, the data reviewed represent only a fraction of the thousands upon thousands of cases of Medicare fraud that occur annually,” Emerick says. “Therefore, while the report is an important step forward in acknowledging the pervasiveness of fraud in the Medicare system, it almost certainly dramatically understates the impact of a smart card in reducing Medicare fraud.”

A Medicare smart card would stop fraud in a wide variety of cases. The GAO report lists six different types of fraud schemes that would be prevented by smart card authentication at the point of care:

Billing for services that were never actually provided
Misusing a provider’s identification information to bill fraudulently
Misusing a beneficiary’s identification information to bill fraudulently
Billing more than once for the same service (known as duplicate billing) by altering a small portion of the claim
Providing services to ineligible individuals
Falsifying a substantial part of the records to indicate that beneficiaries or providers were present at the point of care

Bills have, in the past, been submitted in the U.S. House of Representatives and U.S. Senate proposing a smart card pilot program for Medicare recipients.

CALENDAR 2016

SEPTEMBER
ASIS International, September 12 – 15, Orange County Convention Center, Orlando, Fla.
Global Identity Summit, September 19 – 21, Tampa Convention Center, Tampa, Fla.

OCTOBER
Security of Things Conference, October 18 – 19, Hilton Rosemont Chicago O’Hare Hotel, Chicago, Ill.
Securing New Ground, October 19 – 20, The Grand Hyatt, New York City

NOVEMBER
ISC East, November 16 – 17, Javits Center North, New York City
TRUSTECH (formerly Cartes), November 29 – December 1, Palais des Festivals, French Riviera, Cannes, France
Gartner Identity & Access Management Summit, November 29 – December 1, Caesars Palace, Las Vegas, Nev.

SECUGEN, XTEC PARTNER

SecuGen and XTec have partnered to offer a fingerprint scanner and smart card reader for PIV and PIV-I systems. The Hamster Pro Duo/SC is SecuGen’s smallest fingerprint and card reader combination to date. In combination with XTec AuthentXware Full Lifecycle Management, it supports all post-issuance activities on PIV and PIV-I credentials. XTec AuthentXware enables PIV and PIV-I post-issuance and lifecycle maintenance activities such as card unlock, PIN change, certificate updates and card activation, all from the desktop. By reducing the footprint of the hardware with the Hamster Pro Duo/SC, agencies can offer the ability to update expiring certificates on their identity cards enterprise-wide, reducing the risk of unnecessary card printing and improving business operations and efficiency. The first rollout of the smaller footprint for full card lifecycle management includes over 500 units for the Department of Homeland Security.

WEB CONSORTIUM USING FIDO APIS FOR AUTHENTICATION

The World Wide Web Consortium (W3C) is launching a new Web Authentication standards effort to offer a more secure and flexible alternative to password-based logins on the Web. For many, passwords are annoying and offer weak protection for their interactions. Even strong passwords can be lost in data breaches or targeted for replay in phishing attacks. W3C’s new Web Authentication work, based upon the member submission of FIDO 2.0 Web APIs from the FIDO Alliance, will enable the use of strong cryptographic operations in place of password exchange.

The Web Authentication effort will complement prior W3C work on a Web Cryptography API, currently in Candidate Recommendation status, and on-going work on Web Application Security specifications. The WebCrypto API provides a JavaScript API to a standard suite of cryptographic operations across browsers. Work in WebAppSec includes improvements to the HTTPS experience and updates to Content Security Policy (CSP), enabling application authors to set policy for what active content is permitted to run on their sites, protecting them against injection of unwanted or malicious code.


KANTARA CHANGING ENTITY TYPE

The Kantara Initiative announced that it has changed its entity type by filing Articles of Conversion. As of January 2016, Kantara Initiative is now an autonomous entity seeking IRS non-profit 501(c)(6) recognition. The organization, founded in 2009, was formerly a program of IEEE Industry Standards and Technology Organization (IEEE-ISTO). Kantara Initiative leadership decided to become an independent corporation because of the size and activity levels the organization has reached, the industry recognition it has attained and its need to have more operational flexibility. Its programs and activities will continue to operate as before under the new framework.

GOOGLE RELEASES STUDY ON SECURITY KEYS

One of the biggest obstacles when it comes to securing identities online is ease of use. When it comes to deploying multifactor authentication solutions, making sure people keep using the technology is a challenge. Google released a two-year study on the use of FIDO U2F-based Security Keys manufactured by Yubico. The devices were rolled out to 50,000 Google employees to harden security, improve user satisfaction, and cut support costs. The study compares other two-factor authentication schemes tested by Google and showed the Security Key has been easy to implement, deploy and use. It also preserves privacy and secures against attackers.

Highlights from the report include:

Quicker to authenticate: Users reduced the time to authenticate with a Security Key by two-thirds, as opposed to an OTP via SMS.
No authentication failures: In Google’s rollout, authentication failures fell to zero, meaning thousands of hours saved in help desk costs for password recovery.
Privacy enhancing: The Security Keys met Google’s requirements that mandated no user tracking, no identifiable user information on the token as well as protection against password reuse, phishing and man-in-the-middle attacks.

Other technologies reviewed in the Google research include OTPs, mobile phones, smart cards, TLS client certificates and national ID cards.


ADDING BEHAVIORAL BIOMETRICS TO ADAPTIVE AUTHENTICATION

There’s a vision of a future where employees and customers don’t even have to enter a password, or if they do it can be a simple one like “password123.” Using adaptive authentication, systems take multiple attributes – IP address, geolocation of mobile device, time of accessing data, etc. – and then make a decision on whether or not to enable access. Adding a layer that would measure an individual’s keystrokes or mouse movements can make adaptive authentication even more powerful, says Stephen Cox, chief security architect at SecureAuth. These behavioral biometrics can also address the problem of ensuring that the authorized individual is still the one accessing information post login.

SecureAuth added behavioral biometrics to its flagship access control system, giving customers another tool to make sure only those authorized can access information, Cox says. The keystroke and gesture biometrics record a user’s behavior in the background, and then can be used to determine access and also be checked at various points during a session to validate an identity. “Then if something looks fishy we can ask to step up the authentication or kill the session,” Cox adds. Step-up authentication options include text message, phone call or use of a mobile app.

Enrollment in the system happens in the background during 10 login sessions, but it can also be set up to do continuous learning, Cox says. After that the system has enough information to create a profile and make decisions. For keystrokes the system measures the timing of the pressing and releasing of keys as well as flight time between keys. Gesture biometrics with the mouse measures acceleration and deceleration of the movement as well as whether you click right on a button or circle it first.

The system also works on mobile devices using the accelerometer and gyroscope on the mobile devices as well as the keyboard and other movements, Cox explains. “We have 98% accuracy even with four digit PINs,” he adds. Financial services companies have been using these types of gesture biometrics for customers but SecureAuth is looking to bring it to the enterprise for employee access, Cox says. Along with using behavioral biometric technology to determine risk, SecureAuth IdP also uses device recognition, IP reputation, directory lookup, geo-location and geo-velocity.
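As an added illustration (not SecureAuth’s code), the following Python builds a keystroke profile from the two features the article names, dwell time and flight time, over the 10 enrollment logins it describes, then scores later sessions so a policy can allow, step up or kill them; the thresholds, timings and synthetic typing data are constructed assumptions.

```python
"""Keystroke-dynamics profile and in-session check (added example).

Not SecureAuth's code: a self-contained illustration of the two keystroke
features the article names, dwell time (key press to release) and flight
time (release of one key to press of the next), built into a profile over
the 10 enrollment logins the article describes and then used to decide
whether a later session should be allowed, stepped up or killed.
Thresholds, timings and the typing data are constructed for the example.
"""
import random
from statistics import mean, pstdev

ENROLL_SESSIONS = 10            # article: profile is built over 10 login sessions
STEP_UP_AT, KILL_AT = 2.0, 8.0  # assumed policy thresholds on the deviation score


def features(events):
    """events: list of (key, down_ms, up_ms) in typing order.
    Returns (dwell_times, flight_times) in milliseconds."""
    dwell = [up - down for _key, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight


def build_profile(sessions):
    """Mean and spread of dwell and flight over all enrollment sessions.
    Returns None until enough sessions have been observed."""
    if len(sessions) < ENROLL_SESSIONS:
        return None
    dwell, flight = [], []
    for events in sessions:
        d, f = features(events)
        dwell.extend(d)
        flight.extend(f)
    # a zero spread would make scoring divide by zero, so floor it at 1 ms
    return {"dwell": (mean(dwell), pstdev(dwell) or 1.0),
            "flight": (mean(flight), pstdev(flight) or 1.0)}


def deviation(profile, events):
    """Mean absolute z-score of a session's features against the profile:
    roughly how many 'typical spreads' away this typing rhythm is."""
    d, f = features(events)
    md, sd = profile["dwell"]
    mf, sf = profile["flight"]
    zs = [abs(x - md) / sd for x in d] + [abs(x - mf) / sf for x in f]
    return mean(zs)


def decide(profile, events):
    """Policy step the adaptive layer would take for this session."""
    score = deviation(profile, events)
    if score >= KILL_AT:
        return "kill_session"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def synth_session(text, dwell_ms, flight_ms, seed, jitter=(10, 15)):
    """Constructed key-down/key-up timeline for one typist (test data only)."""
    rng = random.Random(seed)
    events, t = [], 0
    for ch in text:
        down = t
        up = down + dwell_ms + rng.uniform(-jitter[0], jitter[0])
        events.append((ch, down, up))
        t = up + flight_ms + rng.uniform(-jitter[1], jitter[1])
    return events


# Constructed enrollment: the same user typing the article's "password123"
# ten times with a ~90 ms dwell and ~120 ms flight rhythm.
ENROLLMENT = [synth_session("password123", 90, 120, seed=s)
              for s in range(ENROLL_SESSIONS)]
PROFILE = build_profile(ENROLLMENT)

# Three later sessions: the enrolled user, a noticeably different rhythm
# (worth a step-up challenge) and a very different one (kill the session).
GENUINE = synth_session("password123", 90, 120, seed=99)
DRIFTED = synth_session("password123", 120, 160, seed=7)
IMPOSTOR = synth_session("password123", 200, 300, seed=3)

if __name__ == "__main__":
    for name, ev in (("genuine", GENUINE), ("drifted", DRIFTED),
                     ("impostor", IMPOSTOR)):
        print(f"{name:9s} deviation={deviation(PROFILE, ev):6.2f} "
              f"-> {decide(PROFILE, ev)}")
```

A real deployment would keep per-key and per-digraph statistics rather than one pooled mean, but the decision flow (profile, score, step up or terminate) is the same.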


‘SHARK TANK’ WINNER LAUNCHES MOBILE KEYS FOR RESIDENTIAL DOOR ACCESS

Before starting UniKey in 2010, Phil Dumas had thought a lot about mobile access control. The idea to use the handset as a key came to him in the mid-2000s when he was hacking GSM SIM chips into cars for access and working on fingerprint-enabled door locks. But 10 years ago fingerprint readers weren’t what they are now. They could be difficult to use and often didn’t work well, Dumas says. Individuals also had to be present for enrollment, so registering someone remotely wasn’t really possible. “I thought about moving the biometric identifier into the phone,” he explains. This was 2005. Smart phones didn’t exist and the iPhone was still a couple years away.

Dumas kept thinking about the idea and was working in another field when he got wind that Apple would add support for Bluetooth Low Energy to the iPhone. This was the technology needed to create the entry experience he was looking for, and he founded UniKey in early 2010. To get funding for the company, Dumas appeared on ABC’s television show, “Shark Tank,” in 2012 to pitch investors. He received offers from all five “sharks” – a rare feat on the popular program – and ended up netting $500,000 for a 40% stake from investors Mark Cuban and Kevin O’Leary.

The idea around UniKey was to make the user experience as easy as possible while using the mobile device as the access token, Dumas says. “If you have to pull out your phone, open an app or enter a password it’s not easier than the traditional key, thus it’s a poor user experience,” he adds. The general idea is to make opening a locked door easier than pulling out a key, he explains. The UniKey system enables a user to have the app running on their phone using Bluetooth Low Energy. When they get in range of the door it recognizes the user and opens when they either touch a button on the door lock or the doorknob. Keys can also be sent and provisioned to other users. UniKey is not the only system out there to use Bluetooth for physical access, but other systems require the user to pull out their phone and launch an app.

Instead of manufacturing locksets, UniKey is working with manufacturers and startups alike by licensing its technology. Dumas is working with Kwikset, Weiser and ERA and looking to work with others. “We have solved the really difficult smart lock problems with Bluetooth LE, mobile, cloud and the user experience,” he explains. “With our system lock companies can leapfrog years of development and provide a system that has already been proven, scaled and secure.” Thus far the company has been focused on the residential market and has had success globally. Next it will focus on the commercial market, specifically hospitality and small and medium sized businesses. “We want to provide a great user experience for building access control in a cost effective platform,” Dumas says. “We’re bringing a disruptive cost profile and easy implementation where enterprise systems are highly complex and highly expensive.”


GEMALTO TAPPED FOR JORDAN NATIONAL ID

Gemalto was selected by Jordan’s Ministry of Information, Communication and Technology for the country’s new citizen ID program. Gemalto will supply the Ministry of Interior – through OFFTEC – with its Sealys polycarbonate contactless eID cards along with a comprehensive suite of Coesys enrollment, card personalization and issuance solutions. Gemalto will deliver the eID cards as well as an automatic fingerprint identification system that is designed to reinforce national security, strengthen immigration controls and minimize the risk of fraud in the August 2016 election. The enrollment system will be deployed in 100 civil status and passport offices, enabling Ministry of Interior staff to capture the personal and biometric data of citizens for duplication-free entry onto the National Registry.

Gemalto systems will also be employed to personalize and issue smart cards at 25 dedicated centers. The citizen’s details are both laser engraved in the card and stored within its embedded microprocessor to enable officials to verify beyond doubt the identity of the holder. The new eIDs combine state-of-the-art digital and graphical security features and offer the Jordanian government the ability to add new card use cases after issuance. As a result, it can leverage its initial investment and develop new secure eGov services and applications that improve service standards and reduce administrative costs.

CENTRIFY ADVOCATES ‘MFA EVERYWHERE’

Centrify announced Multi-Factor Authentication Everywhere, a new initiative aimed at securing enterprise identities against the most prevalent source of cyber attacks – compromised credentials. Centrify’s solution is designed to support all types of enterprise users – employees, contractors, outsourced IT, partners and customers – across a range of enterprise resources, including cloud and on-premises apps, VPNs, network devices, and cloud and on-premises servers. With the prevalence of breaches based on stolen or brute-forced passwords, many businesses have implemented multi-factor authentication to provide an extra layer of security. The Centrify Identity Platform is designed to provide flexible options for authentication factors. Whether it’s system administrators executing privileged commands on servers or end users accessing cloud, mobile, or on-premises apps, Centrify can bolster security with additional factors including push notification, voice call, text message, soft token OTP, mobile biometrics, OATH-compliant tokens and smart cards.


UK-BASED TIMPSON LAUNCHES BRICK AND MORTAR IDENTITY STORE

In the UK, High Street is where the pharmacy, dry cleaner and shoe repair shops are located, the U.S. equivalent of Main Street. A staple on High Streets across the country is Timpson, a shoe repair chain that also does watch repairs, dry cleaning and key cutting. The services Timpson offers cannot take place in the virtual world; people need to come in, drop off their shoes or laundry and then come back and pick them up. It’s the very opposite of an online business, but that isn’t stopping Timpson from making an online play.

Timpson has launched ArkHive, a brick and mortar store that one day will offer online identities. For now, consumers can come into the ArkHive store and open an account to store scanned and verified versions of their driver licenses, passports and other documents. From the account and app the consumer can choose to share that information with others. The ArkHive account is free, including storage of verified documents. Eventually, the company hopes that consumers will be able to use the ArkHive account to carry out other transactions online, such as proving your identity to open a new bank account.

ArkHive is offering employee screening services, passport application assistance and assistance with database checks. The shop also enables individuals to have photos taken for other credentials such as passports. For businesses, ArkHive is offering landlord tenant background checks, anti-money laundering checks and employment pre-screening. While some of these services might seem rudimentary, ArkHive knows that changes are coming to digital identity in the UK with the Verify project and they are preparing for it, according to the website Internet of Me.

“Verify is a fantastic idea, but not everybody is going to be able to get through that process online, so we started thinking about where those individuals might go,” says Will Lankston, ArkHive’s head of retail. “If they can’t be verified online because they’re ‘thin file’ or haven’t got digital skills, they can’t just fall out of the system. They still need to be able to access these services. So we thought, why don’t we verify these people in person? Allow them to come into a place on the High Street and have their identity verified and be sent home with a new digital ID or be supported in store to access those services online.” Last November the first ArkHive shop opened in Henley-on-Thames, next door to a branch of Timpson. If there is enough interest, the plan is to open more shops or offer ArkHive facilities within the Group’s other stores.


ID SHORTS

GEMALTO UNVEILS ID VERIFICATION FOR BANKS, MOBILE OPERATORS

YOUR EAR MAY BE THE NEXT BIG THING IN BIOMETRICS The shape and size of the outside of individual ears is unique and been posited as a biometric identifier before, but in the future the ear canal might also serve as a means of identification and authentication. NEC Corporation has developed a biometric technology that relies on the unique shape of human ear cavities. “Since the shape and size of all ears are unique and different, NEC found that the acoustic features of the ear can be highly effective in identifying individuals,” says Shigeki Yamagata, general manager of Information and Media Processing Laboratories at NEC. The technology – which doesn’t have a name yet – uses an earbud to measure individually unique acoustic characteristics. NEC says the process takes one second. “An earphone with a built-in microphone is used to generate a few hundred milliseconds of acoustic signals from the earphone speaker and to receive the signals transmitted within the ear through the microphone,” Yamagata says. “A synchronous addition method – which

16

Summer 2016

adds and obtains the average of the waveforms of the multiple signals received – is used to eliminate noise from the received signals. It then calculates how the sound resonates within the ear.” NEC says the accuracy rate for recognizing an individual is greater than 99%. “One of the primary areas we are seeking to contribute to is public safety,” Yamagata says. “For example, this could help to ensure the security of large scale events as well as the maintenance and management of important infrastructure…by ensuring that only authorized personnel can use communications equipment.” Yamagata says this means of biometric authentication places only a slight burden on users who are already likely to be comfortable with using earbuds. “NEC’s new earphone technologies can be easily implemented with mobile devices, including smartphones and transceivers,” he says. “And authorization can be continuously confirmed while users are on the move without being confined to the range of a camera.” The company is tweaking the technology with plans to get it to market in 2018.

Gemalto is offering private sector enterprises, such as banks and mobile operators, a new ID verification solution. This suite of tools and services enables verification of customer credentials when opening new accounts and subscriptions in-branch or online, reducing financial losses and the negative impact on brand reputation caused by identity fraud. Gemalto’s ID Verification also helps financial Institutions enhance their Know Your Customer procedures, in line with the latest regulations, such as Anti-Money Laundering Directive. The enrollment process encompasses verification of documents such as ID cards and passports for forgeries and other discrepancies, biometric and/or visual customer authentication, and immediate background and risk assessment checks against relevant databases and watch lists. Branch staff using a standard scanner or tablet can perform the checks quickly and easily. Online customers are required to photograph their ID credentials and submit for automatic verification. ID Verification is designed to protect enterprises against the threat of fraudsters opening bank accounts or acquiring subsidized mobile phones, for example, and provides a firm foundation from which to launch innovative new services. It can be integrated easily with existing infrastructures and is available as a platform or in Software as a Service mode.

ID SHORTS

EBAY DEPLOYS FIDO eBay announced its membership in the FIDO Alliance and its FIDO Certified open source authentication server based on the FIDO UAF protocol. eBay is the first e-commerce company to directly achieve FIDO certification and the first to open source a FIDO UAF authentication server. eBay is extending the multifactor authentication dialogue by making contributions from its e-commerce platform perspective. Through its membership in the FIDO Alliance and open sourcing its FIDO UAF Server and Android client, eBay is championing the effort for open authentication standards in commerce. The company hopes to further the adoption of this technology and welcomes contributors from across the Alliance to help build the community. There is a growing expectation that users should be able to easily access online commerce sites from multiple and varying devices. As a result, companies need to ensure that authentication methods remain secure, private and frictionless in order to effectively mitigate

PKI SECURES INTERNATIONAL SPACE STATION RESEARCH Researchers on the International Space Station are using PKI and digital certificates to secure research with earthbound scientists. Airbus Defence and Space is providing a PKI solution from Safelayer to enable this interplanetary security. The laboratory on board the ESA Columbus Module of the International Space Station offers scientific research capabilities. Earth-based researchers, together with the station crew, conduct thousands of experiments, and the results of those projects can be highly sensitive and need to be protected. For this purpose, PKI technology was deployed for digital signature in specific business processes. A key evaluation point was the ability to support Airbus requirements for the PKI registration workflow. In particular, it was important to find a solution with a user-friendly enrollment process where end-users could request and install certificates in just a few easy steps. The solution also had to support multiple end user client platforms – Windows, Mac, Linux and mobile devices.


CLEAR PARTNERS WITH DELTA Delta Air Lines and CLEAR are partnering to bring CLEAR’s expedited security experience to more major airports across the country, reducing the time spent by customers in security lines. Delta will provide CLEAR’s biometric service to its U.S. Diamond Medallion members free of charge, and all U.S. Delta SkyMiles members will have access to preferential pricing. CLEAR is a biometric identity platform that utilizes fingerprint and iris identification technology at airports and sports stadiums across the U.S. This year, Delta and CLEAR plan to expand airport security line access points to Delta’s U.S. hub airports allowing registered customers to expedite the document check process at security screening checkpoints.

SURVEY: ONLINE IDENTITY VETTING AN OBSTACLE FOR CONSUMERS Banks want to make it easy for consumers to open new accounts online, but they have to comply with Know Your Customer and anti-money laundering regulations, making online identity vetting crucial. These requirements are at odds, as a European consumer survey revealed that 40% abandoned banking applications because they were too time consuming and required too much personal information. It found that there was also an issue with customers having to drive to a bank branch to show government-issued identification. The survey shows that 97% of consumers had access to a driver license, passport or utility bill that could form the basis of a digital identity, yet still had to go to a branch. Being able to complete the entire application online would go a long way in fixing the process. Some 55% of all respondents would be more likely to apply if the applications could be completed online. 93% of all respondents felt either neutral or positive about completing the entire identity vetting process online. This points to a desire to move to entirely digital processes, and this is reflected in customers’ experiences of in-branch interaction. A perfect situation would be a universal digital identity scheme, enabling any consumer to prove their identity online. A better solution is for banks to gain access to digital forms of existing identity – for example passports, driving licenses, utility bills or government identities. This would work around the requirement for consumers to produce paper-based identity and would be relatively simple to implement across multiple geographies. If validated, existing ID is used and no further checks are necessary to determine identity. The survey of 2,000 consumers was conducted by Signicat, a Norway-based identity assurance provider.

150 FIDO-CERTIFIED PRODUCTS ON THE MARKET There are now more than 150 FIDO Certified products, up 50% in just one quarter. This latest round of certifications comes after the FIDO Alliance hosted its first Korea-based interoperability-testing event, which garnered the largest number of FIDO-implementing companies ever at a single event. Organizations attending these events are able to test and validate their FIDO implementations to prove that their certified products truly interoperate with each other – a necessity for achieving the FIDO Alliance’s vision for universal and interoperable strong authentication. Organizations with new FIDO Certified products include BTWorks Inc., Crosscert, CrucialTec, Dayside, Inc., eWBM Co., Ltd., FacialNetwork Inc., GOTrust Technology Inc. (GO-Trust), HANCOM Secure Inc., INITECH Co., Ltd., International Systems Research Co., KICA Inc. (Korea Information Certificate Authority), KT, Open Security Research, Inc., SECUVE, SGA Solutions, SK Planet, SK Telecom Co., Ltd.

ENTRUST DATACARD RELEASES VIRTUAL APPLIANCE FOR CYBERSECURITY Entrust Datacard released its IdentityGuard Virtual Appliance, which enables organizations to defend against enterprise level cyber attacks. The new, two-factor authentication solution offers organizations the ability to provide users with secure access to an array of services and applications. The virtual appliance provides enterprises with a solution that includes Entrust IdentityGuard authentication software, a hardened operating system, a database and installation wizards. This packaged solution eliminates the need for IT departments to design and configure their own system and aims for a simplified deployment experience for IT management and the enterprise. In addition, the solution includes a self-service capability that enables users to manage authenticators at any time without the assistance of a help desk.



REDEFINING LOGICAL ACCESS

KNOWING EMPLOYEES, AUTHENTICATING USERS AND PROVISIONING ACCESS ACROSS NETWORKS AND IN THE CLOUD

ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS


In the olden days, logical access control was a reference to accessing computers, email and networks. An employee would sit down at their computer in the morning, enter a username and password and unlock Microsoft Windows to access the device. The term “logical access” originated as a counter to physical access – the control of interactions with buildings and physical facilities. For years the security and smart card industries sought the convergence of physical and logical access – a single smart card or credential that could be used for both access to physical facilities and logical resources. Outside of federal agencies and large government contractors, however, convergence has been something of a unicorn – often discussed but rarely seen. Back in the day, gaining access to Windows was the first step. As systems evolved, employees would use that same process and have access to email and secure network drives through Active Directory. As systems grew more advanced and the need for greater security arose, one-time passcode tokens would be issued for access to specific applications or web sites. Smart cards and readers would also be deployed for access to devices and sites and for controlling digital signatures. But logical access is much more than inserting a smart card into a reader, using a token to generate a passcode or authenticating with a mobile device. It extends well beyond opening the front door for access to a system. It also governs what the employee can access once inside the front door. Clearly a lot has progressed since the days when logical access was limited to initial operating system login. But the term still persists and today encompasses a broad approach to enabling access to enterprise IT resources. Integrating initial and ongoing access to a growing list of devices – mobile, tablet, laptop, PC – is only the beginning. Granting access to email, network resources, data stores and an array of cloud-based applications often comes next.

Certainly, the cloud has further complicated matters, forcing enterprises to figure out how to enable access to applications and data that reside outside their normal realm of control. But even that does not complete the picture. Generic access isn’t enough as modern logical access control also involves the assignment of roles and privileges – provisioning what an individual can do within a network or application.

KNOWING YOUR EMPLOYEES In both physical and logical access environments, enterprises have realized that vetting the individual is key. Before issuing a credential, enterprises – no matter the market – want to know the person receiving it, says Abrar Ahmed, CIO and senior vice president of technical services at SureID. “You have to know that identity and have it proofed before attaching it to a multi-factor credential,” he explains. The federal government has been doing identity proofing for a long time and has well-established practices. Agencies have also been issuing smart cards for a long time and using them for a variety of logical access applications. It started with identifying employees through a rigorous vetting process, issuing them a smart card for authentication and enabling access, says Vishvas Patel, vice president and chief architect at IdenTrust. But in the last five years this has changed. It’s still about authenticating and enabling access, but it’s also about provisioning access within an application, Patel says. Instead of inserting the smart card, entering a PIN and having access to everything, federal enterprises are fine-tuning that access. Enterprises have more applications that employees need to access and they want to control what can be accessed within those apps. “Organizations are moving away from a one-size-fits-all approach,” says Patel. “Users are only provided access to what they need.” This makes logical access control complicated and time consuming. When onboarding a new employee who needs access to 25 different applications, it can take time to enable the access to start and then fine-tune what they can do, Patel says. Also, access to the system or application is done separately from provisioning access to data within that application. For example, Joe from IT might give access to an ordering application, but it’s the department director Steve who will provision specific access within the ordering app.



Another trend that has emerged is altering the requirements for authentication depending on the application and the risk involved, Patel says. For example, authorizing payments for contracts might require authentication factors beyond the smart card and PIN. “Additional challenges will be presented depending on the risk involved,” he explains. Layering different authentication methods and making them variable is another new technique. Instead of asking for a fingerprint every time, for example, an authentication system can use the fingerprint once, a one-time passcode the next time and a voice biometric after that. Since a hacker doesn’t know which authenticator will be requested, the system is more secure, says Pam Dingle, principal technical architect at Ping Identity. “It used to be about using a smart card or biometric before access, but now you can layer things and make them more complex and variable,” she explains. “It’s harder to hack things if you don’t know which authentication factor will be requested.” Then there are techniques that don’t even require the user to actively participate – provide a biometric, passcode or other interaction – in the authentication at all. Adaptive authentication, sometimes referred to as passive authentication, is an oft-discussed topic when it comes to securing logical resources, Dingle says.

Redefining authentication in the enterprise

In order to control logical access one must authenticate, and the evolution of the various authentication factors is interesting, says Pam Dingle, principal technical architect at Ping Identity. The “what you know” area has plummeted in value, Dingle says. Hardly a day goes by when the phrase “kill the password” isn’t seen somewhere. But “what you know” also includes knowledge-based authentication, or KBA. There are two common approaches to KBA – static and dynamic. Static KBA consists of something a user preselects and, in essence, enrolls as their answer to a specific question – such as mother’s maiden name, high school mascot or favorite movie. It is commonly used for password-reset types of applications. Understandably, static KBA can be fooled with some limited social engineering. The other approach, dynamic KBA, consists of quizzes that ask various biographical questions to which the user alone should have the answer – for instance, what bank carries your mortgage or how much is your monthly car payment. These authentication systems obtain the true answers to the questions from data sources like credit bureaus and public records. “A lot of people use (static) KBA for password recovery, but social engineering has turfed that as a standalone method,” Dingle says. Even dynamic KBA has proven vulnerable in a number of highly publicized attacks. “Unfortunately, what you know, everyone else knows, and now this factor receives a failing grade.” At the head of the class is “what you have,” Dingle says. Using a mobile device for multifactor authentication is no longer just the discussion of technicians in server rooms. Its importance is now reaching consumers. One-time passcodes delivered via text messages, however, are no longer considered sufficient, Dingle says. Usernames can be phished and then OTPs can be intercepted in transit or hacked in other ways, she explains. Mobile apps, such as Google Authenticator, have changed the game by removing the opportunity for the OTP to be intercepted in delivery. Fortunately, authentication factors continue to evolve. Push notification via a mobile app – where the user is prompted to swipe or take action based on a message generated on screen by the app or service – will become the standard, says Dingle. “The approach is much more secure and also far easier to use,” she says.

Adaptive systems require no input from a user, but instead look at a variety of other factors – IP address, time of login, device being used, etc. – to determine risk associated with the login attempt. If something is out of the ordinary the system asks for additional authentication factors before enabling access, but if all is well work can proceed without further interaction. Modern systems are being configured for continuous authentication that occurs in the background, says Ryan Zlockie, vice president of authentication at Entrust Datacard. “We’re taking the intelligence we use for the initial authentication and also using it to make sure nothing happens during that session,” he explains. “We’re making sure someone doesn’t do something inappropriate during that session, and if something weird happens they can be asked to step up their authentication.”

THE CLOUD DISRUPTS As more enterprises move applications to the cloud, access has become more complicated, says Patel. “The cloud has complicated the management of logical access specifically when part of the app is in the enterprise’s control and parts are in the cloud,” he explains. Enterprises have to administer two different domains, the cloud and the network, which can be difficult. “The concept of traditional perimeters and firewalls is out the window as employees need access to all types of cloud-based applications,” says Zlockie. Before the emergence of cloud-based applications, the corporate enterprise owned and managed applications. Controlling access was easy and done through traditional directories. As access to more and more applications and data was necessary, single sign-on came onto the scene to ease the burden of having to remember so many different usernames and passwords. Then there’s the cloud. It is not owned by the enterprise, but the enterprise still must manage access to its resources. Standards exist to enable use of existing systems for access to cloud apps, but the process can be complicated and take time to create.

THE EVOLUTION OF LOGICAL ACCESS STANDARDS Standards have helped ease some of the complexity surrounding logical access to the cloud at the enterprise level. Prior to the introduction of the iPhone, most applications were delivered via web browsers using SAML. “SAML was the right technology, delivered at the right time, to secure web sessions across domains,” says Ping Identity’s Dingle. But, she explains, two things happened to alter this landscape. First, there was an explosion of smart phones and mobile devices. Second, the application programming interfaces (APIs) changed to meet the need for multi-tenant cloud platforms to interact with many clients simultaneously. Soon after, the market shifted to native applications running on smartphones. “There was no browser involved, so SAML was no longer appropriate,” Dingle explains. The initial solution that developers came up with was far from ideal because the credentials were passed through multiple services, Dingle says. “The opportunities for abuse were terrible with that scheme, because the credentials were passed all over the place. The native application sees them, the API sees them, and if the transport layer isn’t secured, interception is a risk too,” she explains. Enter the OAuth protocol family, which solved the problem of storing user credentials and passing them to APIs by replacing the actual credential with temporary “access tokens,” Dingle explains. Users would authenticate once, preferably at their home authentication service, and then the application would receive an access token that could be stored and used to call APIs on behalf of the user, without storing their password. Identity professionals now have a comprehensive set of standards and supporting tools with which to work, Dingle explains. These tools can work under most circumstances to keep a user’s credential the secret that it should be, while giving IT departments tools to reduce risk.

Feds redefining logical access for contractors

In the past, federal contractors who worked with multiple agencies needed different logical access credentials for each project. Even though the credentials used for access were the same, agencies weren’t able to provision them into their system. This created a cumbersome and expensive situation. This has changed, says Vishvas Patel, vice president and chief architect at IdenTrust. Now contractors can be vetted once, receive a credential and then have it provisioned appropriately wherever necessary. “Contractors interacting with civilian federal agencies are able to use a single authenticator across different agencies, be it a one-time passcode or PKI-based smart card,” Patel explains. “This makes their lives easier as they’re dealing with fewer – or even just one – authenticator.” Many of these contractors are using PIV-I smart cards, Patel says. Enabling them to work on agency networks requires additional middleware, but after that, deployment is a straightforward process, Patel says.
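The shift Dingle describes, from forwarding the user's credential to every hop to exchanging it once for a short-lived, scoped access token that the API validates on its own, as an added example that is not the article's or any vendor's code. It assumes a simple HMAC-signed token format, a constructed single-user store and an "orders:read" scope; a real deployment would use an OAuth 2.0 authorization server and standard token formats rather than this sketch.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed user store: the authorization server keeps salted hashes, never
# the password itself. Salt and account are illustration values.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
# Token signing key, held only by the authorization server (generated per run).
_SIGNING_KEY = secrets.token_bytes(32)


def check_password(user, password):
    """Authorization-server step: the only component that ever sees the password."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(_USERS.get(user, ""), digest)


def issue_token(user, password, scope, ttl_seconds=300, now=None):
    """Authenticate once and return a short-lived, scoped, HMAC-signed token.

    The native app stores this token instead of the password. Returns None when
    the credential is wrong, so the caller never learns which part failed.
    """
    if not check_password(user, password):
        return None
    now = time.time() if now is None else now
    claims = {"sub": user, "scope": scope, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(_SIGNING_KEY, body, hashlib.sha256).digest()
    return body.decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token, required_scope, now=None):
    """Resource-API step: accept a token on signature, expiry and scope alone.

    The API never handles a password, so a compromised API or transport exposes
    only a token that expires in minutes and is limited to the granted scope.
    Returns the subject on success, None on any failure.
    """
    try:
        body_b64, sig_b64 = token.split(".")
        body = body_b64.encode()
        expected = hmac.new(_SIGNING_KEY, body, hashlib.sha256).digest()
        # Signature first, so tampered claims are rejected before being parsed.
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig_b64), expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError, AttributeError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    if required_scope not in claims["scope"].split():
        return None
    return claims["sub"]


if __name__ == "__main__":
    # Native-app flow: exchange the password once, then call the API with the token.
    token = issue_token("alice", "correct horse", "orders:read")
    print("API accepts token for:", verify_token(token, "orders:read"))
    print("Write scope rejected:", verify_token(token, "orders:write") is None)
```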

NEXT STEPS FOR LOGICAL ACCESS CONTROL “We need a single trusted identity that can be used to access all the requisite digital resources,” he adds. “Logical access will not hold true in the future, we’re talking about digital rights management in a digital world.”



SINGLE SIGN-ON DELIVERS BOTH CONVENIENCE AND SECURITY

SSO MANAGES 100s OF USERNAME AND PASSWORD COMBOS IN ONE SECURE LOGIN PROCESS

AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

Trying to keep track of 100 different usernames and passwords can be like trying to store 100 keys on a single key ring. To simplify this process, enterprises are increasingly deploying an authentication system known as single sign-on to grant users access to multiple applications using just one set of login credentials. SSO enables users to access applications both on-premise and in the cloud. “Research shows the weakest point in the enterprise right now is users and their credentials, specifically compromised credentials. It’s the number one vector of attacks for cyber attacks,” says Corey Williams, senior director of products and marketing for Centrify, an identity management firm that offers single sign-on as a service. SSO enables enterprises to provide just the resources or applications that a specific user should have access to, based on that user’s roles and responsibilities, explains Teresa Law, senior product marketing manager for cyber security firm Symantec. “When done properly, a single sign-on solution enables enterprises to easily provide a consistent level of authentication across many resources and applications,” Law says. Convenience and security are the two primary advantages of single sign-on. The fact that SSO is both more secure and more convenient is unusual in the security world, says Pam Dingle, principal technical architect for Ping Identity, a provider of single sign-on and identity management services. “Usually in security, if you’re going to add more, it means you’re making your user’s life harder,” she says. “But in this case, we can make the user’s life easier and also increase security.” From a security angle, single sign-on works much like a passport. When a traveler hands over a passport to a border control guard, the traveler’s country is essentially vouching for that person – ensuring he or she is a valid, current citizen. The same thing happens when a company sets up a single sign-on system. A user can start off in any application, but the system redirects that person back to their home organization for authentication.

CONSOLIDATING 100 LOGINS INTO ONE Single sign-on authentication came about to address a pain point that many companies were experiencing: their users needed to sign into numerous applications separately, each with a different username and password. “All of these little pools of passwords didn’t seem like such a bad thing when we were thinking about one app or two apps. But when there were 1,000 apps, it became a management disaster trying to understand who had what accounts in what applications using what passports,” Dingle says. This issue came to a head with the emergence of the cloud. Until then, security wasn’t as much of a problem because employee login information was kept inside the organization’s network perimeter. In the early days, if a company fired an employee and took away that person’s building key, it didn’t matter if the person still had active accounts. Later, revoking network access served a similar function as all applications were managed within corporate network walls. As the cloud became more prevalent, however, applications started moving outside the control of company IT departments. “You still had to access 100 applications and you still had to type in 100 passwords, but now you were typing them into websites on the open Internet,” Dingle explains. As a result, disabling a user became much more complicated than simply taking away a building key. “Having the control to understand which users are using which applications under what circumstances is a very big deal, especially for companies that have compliance and regulatory requirements,” Dingle says. Individuals and enterprises alike are becoming more familiar with SSO, with giants such as Google and Microsoft using single sign-on to enable user access to all of their products. In the past year, Google has been making a bigger play to gain ground in the SSO space. Google’s SSO tool allows users to leverage their Google Apps credential to sign in to enterprise cloud applications via single sign-on. Google wants business users and other administrators to use Google as an identity provider to access other online services. In March, Google extended its single sign-on support to include Microsoft Office 365, Facebook at Work, Slack and several other products.

PRODUCTIVITY, SECURITY GAINS SSO enables users to be much more productive, and they tend to adopt applications more quickly, says Centrify’s Williams. When employees have access to numerous applications, they tend to avoid using the ones that are hard to access. As a result, they’ll rely on antiquated – and more time-consuming – ways to accomplish certain tasks. For example, instead of using a new collaboration app, the employee might compose an email or make a phone call. “That doesn’t help to improve employee productivity,” Williams says. “All these new applications are frustrating to use if you can’t remember your username and password.” SSO can also reduce help desk calls, which Williams says are password-related as often as 40% of the time. An SSO system not only centralizes the authentication of applications, it often replaces usernames and passwords with temporary tokens generated via established digital identity standards. “These actually provide a better experience for the end user because there’s no password being transmitted across the wire, and it’s more secure for IT because these tokens are short lived and don’t represent the ongoing access of the password,” Williams says. This allows enterprises to maintain a vault of individual or shared passwords for each user’s accounts, and allows users to log on automatically without prompting them to type in the password itself. “It reduces errors that lead to users locking their accounts, and it encourages best practices around password complexity and uniqueness for better security,” Williams says. SSO puts all authentication requests for an application through a centralized platform, where a company can look at the user’s behavior and decide whether or not that person should be getting access to an application. For instance, there’s no need to challenge or deny access to someone trying to sign on to their e-mail during work hours and within their company’s corporate network. “But if they’re accessing a system that they haven’t accessed in three months from China after hours, then maybe I want to deny access or prompt them for additional factors of authentication,” Williams says.
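The risk-based decision that Dingle describes under adaptive authentication and that Williams illustrates with the three-months-dormant, after-hours login from abroad, as an added example rather than anything from the article or the vendors it names: a small policy that scores a login on the signals the article lists (device, country resolved from the IP, time of day, network, and how long since the application was last used) and allows, steps up to another factor, or denies. The weights, thresholds, work hours and 90-day dormancy window are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy parameters. All are assumptions for the example, not values from the
# article or any product: a weight per anomalous signal and two thresholds.
WEIGHTS = {"device": 1, "country": 2, "hours": 1, "network": 1, "dormant": 1}
STEP_UP_AT = 2                       # prompt for an additional factor
DENY_AT = 5                          # refuse outright
WORK_HOURS = range(8, 18)            # 08:00-17:59, local time of the enterprise
DORMANT_AFTER = timedelta(days=90)   # "three months" in Williams's example


@dataclass
class UserHistory:
    known_devices: set
    home_country: str
    last_access: dict = field(default_factory=dict)  # app name -> last login time


@dataclass
class LoginAttempt:
    user: str
    app: str
    device_id: str
    country: str          # assumed to come from a GeoIP lookup on the source IP
    at: datetime
    on_corp_network: bool


def score_attempt(attempt, history):
    """Return (score, reasons): each anomalous signal adds its weight."""
    reasons = []
    if attempt.device_id not in history.known_devices:
        reasons.append("device")
    if attempt.country != history.home_country:
        reasons.append("country")
    if attempt.at.hour not in WORK_HOURS:
        reasons.append("hours")
    if not attempt.on_corp_network:
        reasons.append("network")
    last = history.last_access.get(attempt.app)
    if last is None or attempt.at - last > DORMANT_AFTER:
        reasons.append("dormant")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(attempt, history):
    """Allow silently, step up to another factor, or deny, as the article describes."""
    score, reasons = score_attempt(attempt, history)
    if score >= DENY_AT:
        return "deny", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons


def record_success(attempt, history):
    """After a completed login (including a passed step-up), learn from it."""
    history.known_devices.add(attempt.device_id)
    history.last_access[attempt.app] = attempt.at


def sample_history():
    # Constructed history for one user: one laptop, US-based, recent mail use,
    # finance application last touched in February.
    return UserHistory(
        known_devices={"laptop-1"},
        home_country="US",
        last_access={"mail": datetime(2016, 6, 1, 9), "finance": datetime(2016, 2, 15, 9)},
    )


def run_samples():
    """Evaluate constructed login attempts; returns {scenario: decision}."""
    history = sample_history()
    normal = LoginAttempt("alice", "mail", "laptop-1", "US", datetime(2016, 6, 2, 10), True)
    new_phone = LoginAttempt("alice", "mail", "phone-9", "US", datetime(2016, 6, 2, 10), False)
    # Williams's scenario: a system untouched for three months, from abroad, after hours.
    suspicious = LoginAttempt("alice", "finance", "laptop-1", "CN", datetime(2016, 6, 2, 22), False)
    results = {
        "normal": decide(normal, history)[0],
        "new_phone": decide(new_phone, history)[0],
        "dormant_foreign_after_hours": decide(suspicious, history)[0],
    }
    # The phone passed its step-up challenge; once enrolled it no longer triggers one.
    record_success(new_phone, history)
    results["new_phone_after_enrolment"] = decide(new_phone, history)[0]
    return results


if __name__ == "__main__":
    for scenario, decision in run_samples().items():
        print(f"{scenario}: {decision}")
```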

A CASE STUDY IN SSO EVOLUTION Cetera Financial Group, a national network of independent broker-dealer firms, has relied on single sign-on to streamline workstation access for its advisers for seven years. About 20,000 independent financial advisers are direct members of the firm and need to access the company’s network and the 17 different service applications. “We had this whole ecosystem of providers and internal applications that had their own identity stores. We had to figure out how to make all that into one experience for our advisers,” says Matt Lehman, chief information security officer at Cetera. Cetera’s adviser workstation portal gives advisers a place to log in and access client and transaction information. If an adviser wanted to place a trade on behalf of a client, he would go to a trading button where another window would pop up, launching a third-party system. “That exchange has to have an SSO there, otherwise the whole thing breaks down really fast,” Lehman says. As the company’s needs have evolved over time, so too has its SSO setup. Moving to Centrify one year ago was the most recent step in this evolution. Previously, Cetera only relied on SSO for things that absolutely had to be done that way. The idea behind switching to Centrify, Lehman says, was that the company wanted to start using SSO for everything and to have a single identity across cloud apps and internal apps alike. In the past year, Cetera has been able to cut down the time it takes to onboard new software applications – previously a three to nine month process – to three weeks or less. Cetera is also able to automate the process of granting entitlements for the company’s providers to access specific apps. Whereas the process used to take the company’s help desk three to four days, it now takes about an hour. “It cuts down our service desk’s costs as well,” Lehman says.

STEPS TO DEPLOYMENT For an enterprise to deploy its own single sign-on system, Dingle explains that the easiest and most common first step is to connect their existing user directory environment to an ID-as-a-service server. This server will then send security assertions to the enterprise’s cloud apps. “You get a lot of benefit from that very simple first step,” she says. Larger organizations can then think about how to secure the application programming interface, or API, on their mobile apps. Dingle says there’s a substantial security risk for companies that use native mobile apps a lot. For cloud-based applications, Symantec’s Law says there are few, if any, hardware requirements necessary for SSO deployment. Integration primarily happens with other identity access management systems, authentication systems and the user directories that the enterprise uses. “Authentication solutions that offer features such as passwordless authentication using the biometrics on the mobile device eliminate the password and further improve the user experience,” Law says.

Relying on one username and password might make things easier, but there are some risks involved with having a single set of keys to the kingdom. Enterprises are advised to pay close attention to that one password and watch for suspicious patterns in how users are logging into systems. “That’s much easier to do in a central environment,” Dingle says. Adding multi-factor authentication becomes especially important when using single sign-on. “If you’re any kind of organization that cares about risk, a username and password simply is not enough in today’s security environment,” Dingle says. Dingle points to Netflix, one of Ping’s clients, as an example. Netflix is outsourcing its multi-factor authentication to Google, which checks hundreds of different factors, beyond just passwords, to determine if a user is who they say they are. “The security theory behind SSO is that a watched central system has a better chance of success than 100 unwatched distributed systems,” she says.

CANADA EXPLORES TRUSTED ONLINE IDENTITIES In the UK there is Verify, in the U.S. you have the NSTIC and now Canada has its Digital ID and Authentication Council of Canada (DIACC). This council will work with those efforts but at the same time is an initiative focused on Canadian citizens, says Joni Brennan, a management consultant at the council. Brennan is no stranger to government identity projects, having led the Kantara Initiative, an industry standards organization focused on digital ID. DIACC – pronounced Dye-Ack – was started in 2012 as a Canadian Non-Profit Corporation originating out of the government of Canada’s Payments Task Force. It is designed to be a neutral forum where the public and private sectors collaborate to ensure Canada’s full participation in the identity aspects of the digital transformation and global digital economy. Leaders quickly realized digital identity was part of mobile payments but also crosses all markets, Brennan says. “They decided to formalize and create a consortium to identify and develop standards for digital identity management and make sure that Canadian culture and values were represented,” she adds. “It’s a global conversation and the DIACC wants to make sure that Canadian values for privacy and data protections approaches are maintained.” DIACC is similar to other organizations in the digital identity space but it’s also different, Brennan explains. The council Board of Directors comes from both the public and private sectors. “DIACC fosters public-private collaborations to create a trusted identity framework in Canada,” she says. The trusted identity framework addresses two Canadian priorities aligning with the Prime Minister’s Mandate Letters and with Canada’s 2016 Federal Budget. One priority is to modernize public-sector service delivery to all Canadians. The other priority is to ensure Canada’s full and beneficial participation in the global digital economy. “We want to make secure, convenient, privacy-respecting credentials available to any service that would leverage a digital identity that is vetted and has attributes from an assured attribute provider,” Brennan says. The council isn’t starting from scratch with its identity efforts. Since 2012 Canadian citizens have been able to use login credentials from their financial institutions to access government services with a high level of assurance. The program is provided by SecureKey, a developer of identity services and solutions, and is built upon the company’s Concierge service. While high-assurance digital identity for consumers isn’t an easy feat anywhere, Canada has a few advantages, Brennan says. There are fewer stakeholders to manage – 10 provinces and three territories compared to 50 states in the U.S. – as well as fewer financial institutions. Canada also has a trusted attribute authority that can provide valuable information for digital identities. In its effort to create secure digital identities, DIACC has three areas of focus. The first is publishing a Pan-Canadian Trust Framework that, in collaboration with public and private sector stakeholders, defines the trust model for how the federal government, provinces and private sector will interact with these digital IDs. The trust framework includes roles and objectives for services within the Canadian identity ecosystem. Profiles for communities of interest will then detail criteria for how credentials are used in different instances. The second area is establishing proof of concept research papers and pilots that

THE TRUSTED IDENTITY FRAMEWORK ADDRESSES TWO CANADIAN PRIORITIES: TO MODERNIZE PUBLIC-SECTOR SERVICE DELIVERY TO ALL CITIZENS AND TO ENSURE CANADA’S FULL PARTICIPATION IN THE GLOBAL DIGITAL ECONOMY. explore how secure digital identities can be used to benefit everyday Canadians. The first proof of concept report has already been published and looks at how high-assurance digital identities can be used to remotely open new financial accounts online. The second research paper is targeted for release in the summer and will look at how a consumer can prove residency with other resources. Typically an individual uses utility bills as proof of address, for example, but this proof of concept will deploy a user-centric model to gain access to other records to support proof of residence.

For this project DIACC intends to leverage models aligning with the UserManaged Access standard that gives the consumer the ability to manage who may access their personal data and for what specific purpose, Brennan says. Additional pilots are expected in the future. The last focus of DIACC is education, Brennan says. The council seeks to reach out to the public and private sectors to educate them on the value of a trusted federated identity model, the process of developing the trust framework and DIACC activities, as well as solicit input from stakeholders within Canada and around the world.



‘SIGNIFICANT UPDATE’ ON DECK FOR NIST’S DIGITAL AUTH RULES

REVISIONS TO THE ‘LEVELS OF ASSURANCE’ TO TAKE PLACE ON GITHUB

The four levels of identity assurance and risk assessment – commonly known as LOAs – can be a contentious topic among those in the identity industry. Well, this summer the debate can rage in real time as the National Institute of Standards and Technology will propose a “transformational change” of Special Publication 800-63 with a large portion of the comments and editing to take place on GitHub, says Paul Grassi, senior standards and technology advisor at NIST. Some of the major changes will:

• Eliminate level two
• Deprecate use of over-the-air one-time passcodes (OTPs)
• Redefine acceptable use of knowledge-based authentication
• Specify acceptable password policies
• Require electronic document verification in addition to visual inspection for in-person identity proofing situations
• Enable remote identity proofing in prescribed situations

Traditionally, NIST will release an update to a standard or special publication, comments will be accepted for a set amount of time, revisions will be made and then the final will be released. But with the revision to 800-63, NIST is taking a more collaborative approach, releasing the draft on GitHub and working with participants throughout the summer. After the GitHub process is complete, NIST will still conduct a traditional public comment period before the release of the final special pub. “While we are being iterative and innovative we won’t be able to finish the publication on GitHub,” Grassi says. “Since this is a document bound by the White House Office of Management and Budget Policy we have to give our agency and private sector stakeholders a period of time for thoughtful review. We’re excited about the iterative approach on GitHub, but we can’t ask the whole of government to stop their mission to join the authoring process.”

The change in process for revising SP 800-63 is welcome, says Mary Ruddy, research director at Gartner. Instead of simply releasing a draft, using GitHub to work with the community and gather input beforehand may yield better results. “NIST realized there needed to be some big changes and asked for input before; it’s the smart thing to do,” she explains.

NIST is advocating that the four levels of assurance and authentication be reduced to just three, with the revised special pub essentially eliminating level two, Grassi says. “Level two looks very similar to level three proofing but only uses a level one credential, which doesn’t provide the security and privacy elements we want at this level in today’s online environment,” he explains. “Essentially, the new levels roughly equate to the old one, three and four.” If this change goes through it will put the U.S. in better alignment with international standards, Grassi adds. While that may be true, there will still be a divide. “I would like to see a greater emphasis on alignment with the European Union,” says Peter Alterman, COO at SAFE-BioPharma Association.


Such alignment would make it easier for the private sector, as companies work with various governments as users of online services. “Most of the larger commercial sectors do business with the U.S. government – particularly the IRS – but are also global, which means that until there is U.S.-EU harmonization companies will have to manage two related but distinct Identity and Access Management systems,” Alterman says. “That said, the EU needs to evolve towards the U.S. as much as the U.S. has to evolve towards the EU.”


ASSIGNING LEVELS TO VARIOUS IDENTITY FUNCTIONS


NIST is also pushing to decouple the levels of assurance into their individual parts, namely assigning assurance levels independently for identity proofing, authenticators – previously called tokens – and assertions. Currently, a single LOA is assigned based on overall program security. “This will enable agencies to mix and match the level of identity proofing with credential strength,” Grassi explains. “It gives agencies a real opportunity to protect sensitive data (via a strong token or authenticator) while only completing a full identity proofing process when necessary.” In addition, it preserves the technical requirements for PIV, which will be at the highest level – the new level three – exceeding the current requirements for level four. The change reflects how the levels are actually applied in the real world, explains Ruddy. “It breaks the components down to their constituent parts and makes it less mushy,” she says.


REDEFINING PROOFING PROCESSES

The identity proofing requirements are also rewritten and include some significant changes. NIST looked at what was being done with identity verification in the UK and Canada, as well as NSTIC pilots and market innovation, and incorporated some of those ideas into the revisions, Grassi says. The idea is to offer more options to get to the necessary identity assurance level, Grassi says. “Now we have steps that focus on characteristics and outcomes to reach an assurance level, rather than a singular, prescriptive process,” he explains. “With the revisions, we’ve given characteristics of evidence that must be supplied by an applicant, as well as various steps to validate the evidence to reach the levels.” For example, if an individual provides an electronic passport that is validated with the chip, that would be a high value document and something the draft language considers “superior,” Grassi says. If other documents – driver licenses and birth certificates – are validated by a trained expert with specialized equipment that would also contribute to a higher score.

The new draft SP 800-63 would also enable remote, video-based identity proofing, such as scanning a driver license or passport with a mobile device, Grassi says. “Smartphone cameras and the underlying technology have the resolution and algorithms that can check the security features on documents and detect pretty sophisticated fraud,” he adds. The revision basically does away with visual-only document inspection at the higher levels, forcing some electronic verification to be added to these processes, Grassi says. One of the more controversial revisions may be the addition of virtual in-person identity proofing as an equivalent to traditional in-person proofing for the highest level of identity assurance, Grassi says. The requirements for this will be stringent. “It’s not meant to be used for when I’m sitting in my home office but instead sitting in front of specialized, hardened equipment like a kiosk,” he explains.

There are also changes to the oft-maligned knowledge-based authentication (KBA) – which NIST now calls knowledge-based verification (KBV). The last version of 800-63 did not allow KBV, but the latest draft hones the requirements of how it may be used. “Rather than pretend it doesn’t exist, we provide careful requirements for its acceptable purpose and use,” Grassi explains. “The mechanism can be used as a starting point in resolving identity, but there are stringent requirements.” Also, the draft attempts to specify acceptable data sources that can be used for KBV. Grassi explains that KBV is currently based on data that is assumed to be private but can be readily obtained online or via social engineering attacks. “We’re trying to hone acceptable, limited use of KBV to that which uses the most non-publicly available data as possible,” Grassi says. As more organizations try to improve online identity vetting, this is another step in the right direction, Ruddy says. “Anyone who is serious already has your credit bureau records,” she explains. “This general data isn’t good enough anymore.”

KILL THE PASSWORD OR KILL THE TOKEN?

GitHub 101

GitHub is a popular platform for software developers. The site boasts a community of more than 15 million people, where developers can discover, use, and contribute to 38 million projects using a collaborative workflow. Individuals can use it for their own projects and enterprises can use it to collaborate with others. Many were surprised – but pleasantly so – when NIST announced it was going to use GitHub to work with the industry and the public to revise Special Publication 800-63. The standards creation process within the federal government has been unchanged for many years. A draft is released, comments are submitted, NIST goes back and evaluates the comments, another draft is released and as long as nobody complains too much it becomes a standard. NIST knew the authentication guidelines could be tricky so it wanted to take a more collaborative approach. Enter GitHub. “A lot of federal and private stakeholders want to have a voice in this,” says Paul Grassi, senior standards and technology advisor at NIST. “We didn’t want to start with a blank page. We wanted to enable people to submit edited text. Folks can comment as they wish and we’re going to iterate for the better part of the summer.” NIST chose GitHub because it has been a mainstay of the development and standards communities for years now. It is the epicenter for evolving open source software and an essential component in every coder’s toolkit. Second, as a platform, GitHub has many characteristics that make it attractive as a place to develop this special publication. It supports broad engagement, excellent version control and multiple avenues for collecting and receiving input. NIST is asking contributors to provide substantive input, and they are strongly encouraged to collaborate with the team and other public participants via GitHub.


The revised draft also does away with the word “token,” instead opting for “authenticator,” Grassi says. There had been some overlap and confusion with some of the security APIs when it came to the phrasing, so it was easier to get rid of it altogether.

While everyone might want to kill the password, the revision doesn’t do away with it. Rather, it updates the requirements for passwords based on modern research and best practices. The new requirement is a password with a minimum of eight characters, regardless of the assurance level, and verifiers are encouraged to accept passwords of at least 64 characters drawn from the complete character set, with no composition rules and no expiration, Grassi says. This makes passphrases possible, such as “NIST is making many changes to 800-63.” Making users change their password after a set period of time has little security advantage and significant usability challenges, which could lead to unintended vulnerabilities, he adds.

The revision is also deprecating SMS one-time passcodes as an authenticator, Grassi says. “They remain allowed, but we are sending a strong signal that we hope agencies will transition to other techniques with an expectation that it will be removed in a future version.” Man-in-the-middle attacks and other hacks have found these systems vulnerable, so NIST is recommending that agencies start investigating other authenticators. App-based OTPs such as Google Authenticator, however, would be acceptable with the revision.

NIST has also expanded the scope for biometrics while specifying security and performance requirements, which in the past had been omitted. Specifically, the draft enables server-side matching of biometrics, whereas only match-on-card biometrics had been allowable prior.

These updates – both to the process for reviewing documents and to the content itself – are intended to reflect NIST’s commitment to meeting the needs of today’s digital environment, Grassi says.
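The password rules Grassi describes, as an added example that is not NIST’s or the draft’s own code: a legacy composition-rule checker next to a verifier that follows the revised approach (length only, counted in characters rather than bytes, passphrases with spaces allowed, no composition rules, no forced rotation). The NFKC normalization step, the 256-character upper bound and the tiny blocklist are assumptions for illustration; the draft text does call for screening against commonly used or compromised values, but the list here is constructed, not a real breach corpus.

```python
"""Memorized-secret acceptance rules in the style of the SP 800-63 revision.
Added illustration; not NIST code. Values marked 'assumed' are choices
made for this example, not figures taken from the page."""
import unicodedata

MIN_CHARS = 8            # minimum length the revision requires
MUST_ACCEPT_UP_TO = 64   # verifiers should accept at least this many characters
HARD_CAP = 256           # assumed upper bound so hashing cost stays bounded

# Constructed stand-in for a real compromised/common-password corpus (assumed).
BLOCKLIST = {"password", "p@ssw0rd", "12345678", "qwertyui", "letmein1"}


def legacy_policy(pw):
    """Typical pre-2016 composition policy: short cap, no spaces, class rules.
    Returns (accepted, reason)."""
    if len(pw) < 8:
        return False, "shorter than 8"
    if len(pw) > 16:
        return False, "longer than 16"
    if " " in pw:
        return False, "spaces not allowed"
    if not any(c.isupper() for c in pw):
        return False, "needs an uppercase letter"
    if not any(c.isdigit() for c in pw):
        return False, "needs a digit"
    if not any(not c.isalnum() for c in pw):
        return False, "needs a symbol"
    return True, "ok"


def revised_policy(pw, blocklist=BLOCKLIST):
    """Length-only policy: any printable character, spaces included, no
    composition rules, no expiry. Returns (accepted, reason)."""
    # Normalize first so the same secret typed as precomposed or combining
    # characters measures and hashes identically (NFKC is an assumption here).
    norm = unicodedata.normalize("NFKC", pw)
    n = len(norm)                      # code points, not UTF-8 bytes
    if n < MIN_CHARS:
        return False, f"shorter than {MIN_CHARS} characters"
    if n > HARD_CAP:
        return False, f"longer than {HARD_CAP} characters"
    if norm.lower() in blocklist:
        return False, "commonly used or compromised"
    return True, "ok"


def rotation_required(days_since_change, compromise_suspected):
    """No calendar-based expiry: rotation is driven by evidence of compromise only."""
    return bool(compromise_suspected)


if __name__ == "__main__":
    for candidate in ["NIST is making many changes to 800-63.",
                      "correct horse battery staple", "P@ssw0rd", "pa\u0308sswo\u0308rd"]:
        print(repr(candidate), "legacy:", legacy_policy(candidate),
              "revised:", revised_policy(candidate))
```

The decomposed sample (`pa` + combining diaeresis + `sswo` + combining diaeresis + `rd`) is ten code points and twelve UTF-8 bytes before normalization but eight characters after it, which is the count a user would reasonably expect; measuring bytes or un-normalized code points gives different answers to the same secret typed on different keyboards.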
“It’s cliché to say that technology moves fast, but we face a massive challenge to address evolving technologies and threat environments on a global scale and at Internet speed – all without compromising on our responsibility to protect individuals’ security and privacy,” says Grassi. “We rely on the broad identity community to help us create smart, modern and practical guidance, and we hope this approach provides a more nimble way for our stakeholders to do just that.” See you on GitHub.


With PPG TESLIN® substrate, there’s security in numbers

Figures from the advertisement: 230,000,000 driver’s licenses; 240,000,000 national IDs; 25,000,000; 500,000,000; 50,000,000; e-Passports; other secure government credentials; certificates; 25 years; 90 countries.

TESLIN® substrate has been trusted for more than two decades by governments and other institutions around the world to make credentials more secure.

As a stand-alone material or as part of complex multi-component secure credentials, Teslin substrate can be embedded with program-specific security features to deter document forgery and enhance credential authentication. In addition to accepting printed high-resolution security features, Teslin substrate reproduces high-definition color photos and forms exceptional bonds with security inks, laminates, coatings and patches to permanently expose any evidence of tampering. Durable, yet flexible, Teslin substrate also helps cushion and protect embedded electronics and card body integrity in ways that stiff printable plastics can’t. When you’re ready to design a secure and durable credential that’s easy to authenticate and difficult to replicate, visit teslin.com/numbers. And discover why, with Teslin substrate, there’s security in numbers.

© 2016 PPG Industries, Inc. All Rights Reserved. Teslin is a registered trademark of PPG Industries Ohio, Inc.


LEGAL IDENTITY for ALL PROJECTS AIM TO PROTECT THE GLOBE’S MOST VULNERABLE CITIZENS VIA DIGITAL ID GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

It was late June of 2014 when businessman John Edge was invited to a screening of a short film directed by actress Lucy Liu. “Meena” is about an 8-year-old girl sold to a brothel and forced into sex slavery for more than a decade. It’s based on a true story. “It’s horrific,” Edge says.


A panel of experts took questions afterward, including Susan Bissell, chief of child protection at international humanitarian group UNICEF. “Susan articulated that one of the biggest problems in protecting children who are at risk of sexual violence is a lack of birth certificates or identity,” Edge says. The film got his attention. He saw the identity issue as a technology problem and was immediately moved to put his background in business and financial services to work. He went home and sketched out a plan, offering details to Liu the next day over lunch. “I’d recently sold my company, and I was looking for a purpose,” Edge says. “So, ID2020 was started on the 27th of June, 2014 – the day after I saw ‘Meena.’” ID2020 seeks to create a system by the year 2020 that would be technically and legally compliant for children regardless of nationality, origin or status. “The term often used is ‘the last child,’ and the last child is referred to as an orphaned 5-year-old girl from nowhere,” Edge says. “It’s really difficult to create a legal identity for somebody who’s not from somewhere. ID2020’s mission technically is around this thing called self-sovereign identity – being able to prove that you are you.” The purpose of ID2020 is to nurture public-private partnerships that can create an opportunity for emerging technology to connect with organizations that are working toward U.N. Sustainable Development Goal 16.9 – legal identity for all. “Success on 16.9 will enable those persons that are invisible in society – and may become vulnerable – to have a legal identity,” Edge says. “Once a person has an identity, government and non-government organizations can help them become safe, part of society, financially included and economically active.” The U.N. Sustainable Development Goals were set in September 2015 with a pledge that no one will be left behind. The agenda contains 17 goals, containing 169 targets, to be reached by 2030.

Edge has his sights set on just one target. “ID2020 will create a system that would create an identity for the last child that would be scalable to a billion, and that is difficult,” Edge says. “The team and I have spent the last year and a half working through the concept of what it would take to do an enterprise grade system, something that would work at enormous scale.” ID2030, the subsequent step, involves scaling that ID2020 system and delivering it to more than a billion people. As for what kind of ID will be used and how a stateless child’s identity will be proved, Edge says it’s too soon to know. “The first 18 months has been focused on regulation, compliance and policy. Technology is not the concern,” he says. “Everybody wants to know what the technology is, but they’re missing the point. There’s lots of technology out there but it’s how you compile it and how it fits in with regulation and compliance.” “We have voice recognition, facial recognition, iris, multiple different technologies. How they’re combined in order to create a recognized legal identity is the key, and one of the interesting catch 22’s is that every single country has a different way of recognizing a legal identity,” he adds. ID2020 is trying to create something that will lead to international collaboration. “If it’s going to scale to a billion – and there’s this thing called IoT going on – it’s probably a good idea to build out mobile,” Edge says. “It’s a cyber security problem, so we need to design this system with the end in mind. That is why I’m not saying it’s going to be an iris scan on an Android phone using this app. That is not how we’re going about it.”

IT’S REALLY DIFFICULT TO CREATE A LEGAL IDENTITY FOR SOMEBODY WHO’S NOT FROM SOMEWHERE. ID2020’S MISSION IS AROUND THIS THING CALLED SELF-SOVEREIGN IDENTITY – BEING ABLE TO PROVE THAT YOU ARE YOU.



Ultimately, the team is striving to meet the mission of the Sustainable Development Goals. “Technology providers around the world are welcome and encouraged to collaborate,” Edge says. “It is such a big challenge and if we are to achieve it, it will be done by a collective. So, ID2020’s purpose is to scale to a billion, and provide policy enabled identity that works for the last child by 2020.”

THE WORLD BANK’S IDENTITY INITIATIVE

THE WORLD BANK ESTIMATES 1.5 BILLION PEOPLE – LARGELY IN ASIA AND AFRICA – ARE NOT CARRYING A DOCUMENT THAT RECOGNIZES THEIR LEGAL IDENTITY. APPROXIMATELY HALF OF THOSE ARE CHILDREN UNDER THE AGE OF 14. THE GROUP’S ID4D INITIATIVE TARGETS THIS GLOBAL PROBLEM.

The goals set by ID2020 are admirable and the task massive, but technology is only one part of a much larger puzzle. A stated goal of ID2020 is to bring emerging technologies together with government organizations, NGOs and other groups addressing this global challenge. One group ID2020 could assist is the World Bank’s Identification for Development (ID4D) initiative, which is working toward a similar goal. The World Bank estimates 1.5 billion people – largely in Asia and Africa – are not carrying a document that recognizes their legal identity. Approximately half of those are children under the age of 14. “In Sub-Saharan Africa, for example, more than a third of the population faces this challenge and more than 40% of births are left unregistered,” says Vyjayanti Desai with the World Bank Group (WBG), an international development agency. Desai is the program manager for WBG’s ID4D initiative, launched about a year and a half ago to support progress toward identification systems using 21st century solutions. The goal is to get information to governments worldwide about best practices for delivering birth registrations and a legal identity to every person. “Advances in technology including biometrics and data management provide an opportunity to leapfrog traditional, paper-based approaches,” Desai says. “The ubiquity of mobile connectivity also provides an unprecedented opportunity to deliver services faster and more efficiently than ever before, as well as reach remote and rural areas.” Like ID2020, ID4D is also driven by Sustainable Development Goal 16.9. The ID4D team has created a global dataset across 198 economies and an assessment tool to gauge a country’s existing identity landscape. Thirty countries have been assessed so far. Researchers are evaluating the legal constraints and opportunities for women to obtain an ID, as well as the role of identification in achieving financial access.
The World Bank is helping countries transition to digital identification methods through technical assistance, financial support and expert guidance.


“We have begun a process to convene government officials, the private sector and development agencies to agree on a shared vision,” Desai says. “We are hoping that by bringing together multiple stakeholders across a single platform, we can define a shared set of principles.” The World Bank has seen the impact of strong identification systems in developing countries like Bangladesh. Some 96 million residents there have been issued a smart, national ID card for delivery of government and private sector services. It turns out that linking such benefits to an ID card can lead to greater citizen enrollment in an ID database, but each country is doing it their own way. Morocco, for example, is moving to computerize its civil registry, while India has instituted a biometric identification system. Desai says governments need a plan to reach remote communities, as well as aid clients at female-only enrollment centers where women and children are disproportionately impacted by a lack of documentation. She says governments need to work together on an integrated identification solution in lieu of the piecemeal systems currently in place that often include redundant and costly biometric enrollments. Biometrics seems likely to play a key role going forward because individuals can be uniquely identified. “However, we need to understand the issues and needs at the national level to see what makes the most sense for that particular context,” Desai says. “Technology will continue to advance and continue to be more affordable, so we need to ensure that systems being designed now can adapt for all the potential new technologies in the future.”


Certified Smart Card Industry Professional The industry’s only standardized certification program recognizing professionals with advanced smart card industry knowledge and experience

With the CSCIP credential, you are immediately recognized as having the most up-to-date knowledge of smart card technology. The designation distinguishes you as a certified professional with knowledge of both current smart card technology and applications and emerging trends.

GET CERTIFIED

BUILD YOUR

CAREER

The Smart Card Alliance offers three separate CSCIP credentials CSCIP The general CSCIP certification is for professionals who support all applications using smart card technology.

CSCIP/Government The CSCIP/G certification focuses on identity and security applications and government-specific smart card initiatives.

CSCIP/Payments The CSCIP/P certification focuses on payment applications including EMV chip, mobile, contactless and transportation.

All CSCIP certifications demonstrate proficiency in the following principles: • Smart card technology fundamentals • Security • Application/data management • Mobile and NFC usage models • Identity and access control usage models (CSCIP and CSCIP/G only) • Payments usage models (CSCIP and CSCIP/P only)

To learn more about CSCIP certification, training dates, and fees, visit: www.smartcardalliance.org/cscip 1-800-556-6828


STARTING FROM SCRATCH OPENS THE DOOR FOR CLOUD-BASED ACCESS, WIRELESS LOCKS & MORE

Constructing a new office building from scratch presents a unique opportunity to deploy the latest and greatest in physical access control. Companies can leapfrog technologies – jumping from old janitor-size key rings to wireless entry, biometric access points and cloud-based security. Administrators can grant or deny access from anywhere at anytime and via any networked device. And with modern systems there’s less of a need for on-premise infrastructure, which ultimately means lower costs for end users. But to take advantage of this opportunity afforded via new construction, companies need to address key issues up front to maximize their physical access control capabilities and stay ahead of the ever-changing security technology.

ARCHITECT: AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR PROJECT: AVISIAN PUBLICATIONS



FOR NEW BUILDINGS, ONE OF THE MOST SIGNIFICANT CHANGES WITH PHYSICAL ACCESS CONTROL IS THE WAY THEY'RE WIRED - OR NOT WIRED.

“You need to make sure to install a system that’s future-proof,” says Pat Barry, CEO of BluB0x, a company that specializes in cloud-based physical access control systems. Barry suggests that systems deployed in new buildings should strive to incorporate technologies that the security industry will be using for the next 15 years. He advises clients to choose access control systems that embody three adjectives – unified, open and smart – and three nouns – cloud, mobile and biometrics. Companies planning a new building might be tempted to fall into old habits, opting for a completely hard-wired system or traditional security communication protocols like Wiegand. But security providers are encouraging companies to break out of that comfort zone to get the most out of a new system. To do that requires a bit of front-end planning. Brad Aikin, commercial electronics business leader for security products provider Allegion, says that too often companies design and build a new space first and then address security as an afterthought. He says physical access control should be part of the initial discussion on how the space will be designed and used, and companies should plan for physical access control installation along with the build-out of other systems, such as IT infrastructure. “If they think of physical access control as a service within that ecosystem, it can really optimize not only the cost of providing security, but the ability to use that information to effectively manage the rest of the space,” Aikin says.
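Wiegand, named above as the traditional reader-to-panel protocol, carries the card data as a short plaintext frame on two data wires. The following added example (not code from any vendor on the page) encodes and decodes the common 26-bit format and checks its two parity bits; the facility code and card number are constructed, the bit layout is the standard one. Parity catches line noise, nothing more: the frame has no encryption, no authentication and no freshness, so anyone who can tap the wiring between reader and panel can capture a frame and replay it, or build a valid frame for any card number they choose. That limitation is worth weighing against the advice above before wiring a new building for it.

```python
"""26-bit Wiegand frame encode/decode. Added illustration with constructed
values; the field layout (P | 8-bit facility | 16-bit card | P) is the
standard 26-bit format."""

FRAME_BITS = 26


def encode_wiegand26(facility, card):
    """Build a frame: even parity over bits 0-12, odd parity over bits 13-25."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility code must fit in 8 bits, card number in 16 bits")
    data = f"{facility:08b}{card:016b}"           # 24 data bits, MSB first
    left, right = data[:12], data[12:]
    p_even = "1" if left.count("1") % 2 else "0"  # leading bit + left 12 -> even count
    p_odd = "0" if right.count("1") % 2 else "1"  # right 12 + trailing bit -> odd count
    return p_even + data + p_odd


def decode_wiegand26(frame):
    """Parse a frame. Parity failures are reported in the result, never hidden."""
    if len(frame) != FRAME_BITS or set(frame) - {"0", "1"}:
        raise ValueError(f"expected {FRAME_BITS} bits of '0'/'1'")
    bits = [int(b) for b in frame]
    even_ok = sum(bits[0:13]) % 2 == 0
    odd_ok = sum(bits[13:26]) % 2 == 1
    return {
        "facility": int(frame[1:9], 2),
        "card": int(frame[9:25], 2),
        "parity_ok": even_ok and odd_ok,
    }


def flip_bit(frame, index):
    """Simulate line noise on one bit (what the parity bits are there to catch)."""
    flipped = "1" if frame[index] == "0" else "0"
    return frame[:index] + flipped + frame[index + 1:]


if __name__ == "__main__":
    captured = encode_wiegand26(123, 45678)       # constructed credential
    print(captured, decode_wiegand26(captured))
    # Noise on the wire is detected...
    print(decode_wiegand26(flip_bit(captured, 5))["parity_ok"])
    # ...but a forged neighbour card number is a perfectly valid frame, because
    # the attacker recomputes the parity bits like any reader would.
    forged = encode_wiegand26(123, 45679)
    print(forged, decode_wiegand26(forged))
```

The decoder deliberately returns the parity result instead of raising, so a panel-side caller can log a parity failure as a possible tamper or noise event rather than silently dropping it; the more important point is that a passing parity check says nothing about whether the frame came from a genuine card.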

NEW ACCESS CONTROL DELIVERS BOTH CONVENIENCE AND SECURITY

Next-gen physical access control systems are designed to offer security without forgoing user convenience. “We’ve moved away from providing security at the expense of convenience,” Barry says. “With today’s technology you can have both.” One of the most significant changes with physical access control systems is the way they’re wired – or not wired. There are more options available for wireless components, such as locks and readers, and in many cases there’s no server anymore as the cloud has replaced it, explains Aikin. That means less infrastructure is necessary, which translates to lower upfront costs because there isn’t as much equipment to install on site. “The cost to install and manage that access point has been reduced significantly based on advancements in technology,” he says. With wireless door locks becoming more prevalent, many doors – even networked ones – can be part of a wireless network and no longer need to have individually wired connections, explains Steve Van Till, CEO and founder of security systems provider Brivo, Inc. More readers and controllers are being consolidated inside these locks, meaning fewer pieces of equipment are needed. “You’re reducing the footprint you need to get security,” Van Till says. Eliminating the expense, workload and damage that come with pulling wire to various doors and locations throughout a building makes it feasible to put electronics on more interior doors than in the past. This gives tenants the ability to use the same credential for perimeter doors as for interior doors, versus having an electronic credential for outside doors and a key for inside doors. “There’s still a place where keys have a fit, but the electronic credentials that already exist for the perimeter can now be applied on the interior and generally reduce operating costs for property managers,” Aikin says. Today’s physical access control systems are shifting toward network cabling and away from dedicated security wiring. Instead of having a large, centralized control panel in a closet with heavy wiring going to all end points, new systems are doing away with the bulky control panel in favor of edge devices with network cabling connected to all doors. As a result, it’s becoming more common for companies to bring in networking companies to run the cable for physical access control systems rather than relying solely on a security company, Van Till says.

PRE-CONSTRUCTION CONSIDERATIONS

A new building requires companies to consider what they want for their physical access control system in terms of security, efficiency and convenience, Aikin says. That means looking at factors like the number of tenants and how dynamic their access rights will be.

Then there are the different needs for different building tenants. A doctor’s office, for example, will have different needs than a small business. Locations with heavy foot traffic will be different than those that do not serve a visiting customer base, and high-traffic areas might require additional layers of security.

IT'S AN ARMS RACE. FIND THE STRONGEST CARD YOU CAN, AND YOU'LL PROBABLY GET SOME GOOD LIFE OUT OF IT BEFORE IT'S COMPROMISED.

Service maintenance and upgrades are another key factor when mapping out physical access control. Some companies are moving to a hardware-as-a-service model to avoid the problem that comes with relying on old hardware to keep up with new software. “We upgrade our iPhones every six months and our software every two weeks,” Barry says. “If you can do it on your phone, you should be able to do it with your office building.” Because more security systems are connected to the cloud, Van Till suggests that companies should think about having two different Internet service providers coming into their office for the sake of redundancy. That way if one provider goes down, the other is still there to ensure security. “In the days before security systems were connected to the cloud, you didn’t have to think as much about redundancy in your ISP connections,” he says. “But now that it’s become an essential part of business continuity, it’s something that you need to add to your checklist.” A proper risk assessment can be a good first step to help identify critical areas of the building and what types of security are needed, says Rick Focke, senior product manager for Tyco Security Products. New construction accounts for about one-third of Tyco’s physical access control market. The next step, Focke says, would be to look for the most secure credential available, possibly one with biometrics. “It’s an arms race,” he says. “Find the strongest card you can, and you’ll probably get some good life out of it before it’s compromised.”

HARD WIRING VS. WIRELESS

Wireless door locks and the other advancements in physical access control don’t seem to preclude the need for hard wiring in new buildings. “Wires are diminishing, but they’ll be with us for quite some time,” Van Till says. The battery life of wireless devices is limited to about 12 to 24 months, assuming 50 to 100 cycles of use per day. For a high traffic area such as the perimeter of a building, which could easily exceed 100 cycles per day, hard wiring continues to be the more cost efficient option. And in many cases, perimeter doors and heavier entrance devices, such as roll-up garage doors, are not yet available in a wireless configuration. “There are a lot of great advancements, but there’s still not one solution that fits every access point in the building,” Aikin says. There are compromises that come with using wireless locksets in terms of alarm response time and speed of updates. Often these locks do not continuously communicate with the server, as this would reduce battery life to just weeks or months. Instead, locksets commonly check for updates every hour.

However small, considerations such as these do have an impact on security. “They’re getting better, but they’re still not as secure as your traditional wired door,” Focke says. Still, he believes it’s worth looking at which areas of a new building would be suited to wireless locksets.

WIEGAND VS. ETHERNET

The traditional Wiegand interface continues to be the norm even for new construction, likely because it’s been around for so long and people are used to it, says Aikin. But an increasing number of companies are opting for newer Ethernet-based systems as a more secure option, whether hard-wired or wireless. “Wiegand is still what the installation channels are most comfortable with,” Aikin says. “But in a new building, Ethernet is the fastest growing option because of its ability to leverage the new infrastructure.” This idea of leveraging new infrastructure is key in new construction. Building a facility from scratch presents a once-in-a-lifetime opportunity to plan and deploy future-proof physical access control systems.

SIA STANDARDIZES ARCHITECTURAL SYMBOLS FOR PACS IN NEW CONSTRUCTION

So, you’re building a new headquarters and want to have the latest and greatest when it comes to physical access control and security. Before the first beam is put in place, architects will be using Computer Aided Drafting to design the buildings and lay out each floor. In addition to the use of these plans by architects and building contractors, security system integrators and electrical contractors also rely on them to make sure that wiring, access control readers, cameras and other security technology are in the correct place. To ensure that everyone in this chain is on the same page, the Security Industry Association has created a standard – AG-01 – which includes a collection of standardized architectural icons to indicate where security components should be placed on blueprints and plans. Late in 2015, the standard was updated to include modern components such as IP-based readers, biometric controllers and more.

Over the years there have been a number of security symbol lists developed by different organizations. These symbols were originally developed before Computer Aided Drafting came to the fore. Sometimes manual drafting symbols can be cryptic, recognizable only by those who use them on a regular basis. This has led many security organizations to develop their own “home grown” variety of symbols. As many as four different sets of symbols can be seen on a single project: the security manager’s set for concepts, the security consultant/engineer’s for construction documents, the security contractor’s for shop drawings and the electrical contractor’s for installation drawings. This standard is intended to serve as a model for elaboration and incorporation into computer products used for security systems design and layout. AG-01 was based on the ASTM F967 Standard Practice for Security Engineer Symbols and updated to include symbols required for security system design and implementation.

The symbol design criteria include:
- Easily recognizable icons representing the form or function of the device
- Simplification to minimize memory usage and plotting time, and permission for symbols to be hand drawn
- A reduced number of symbols that use generic icons and single-character attributes for the mount style and for the technology or type of device

The previous revision of AG-01 was released in 2001. AG-01 V.3.0 addresses some of the industry’s latest technologies, including IP cameras, advanced intrusion sensors, Power over Ethernet and biometric devices, among others. The AG-01 Standard is available for purchase online in the SIA Store.

EMV INFRASTRUCTURE COULD ID PATIENTS FOR HEALTH CARE SERVICES
NEW REPORT OUTLINES SCENARIOS FOR CONVERGING PAYMENTS AND IDENTITY

With EMV payment terminals rolling out across the U.S. and health care fraud totaling billions of dollars, the Smart Card Alliance suggests that these new payment devices could help stymie health care fraud. The alliance released a white paper detailing how converging EMV payments and health care identity could reduce costs and complexity for providers while reducing fraud. The paper gives four scenarios on how the new system might work:

Scenario 1: Two chip cards and one multi-application point-of-sale terminal. The two chip cards perform independent transactions on the same payment terminal, which runs two separate applications to route transaction information to the appropriate back-end system.

Scenario 2: One multi-application chip card and one multi-application terminal. A single chip card hosts two applications that use the same payment terminal. One chip card application manages financial payment transactions while the second application manages health care identity authentication. The POS terminal runs two separate applications to route transaction information to the appropriate back-end system.

Scenario 3: One chip card with a “special” payment application. In a variation of Scenario 2, a special payment application on the chip card provides non-payment transactional support.

Scenario 4: Mobile health care transactions. Mobile transactions can use NFC with a terminal that supports contactless payments. The mobile application could use a derived credential from any of the above scenarios to facilitate a mobile transaction for health care identity authentication or payment.

BY ADOPTING SECURITY STANDARDS USED BY EMV CARDS, HEALTH CARE PROVIDERS COULD HELP STOP FRAUD. SMART CARDS CAN HELP WORKFLOW AUTOMATION, PAYMENT AUTHORIZATION, HEALTH RECORD SECURITY, PATIENT IDENTITY MANAGEMENT AND AUDITING

By adopting the smart card security standards used by EMV cards, health care providers could help stop fraud. The smart cards use standards-based solutions that can help health care providers achieve new workflow automation that facilitates real-time payment authorization, increases patient health record security, improves patient identity management and provides new auditing capabilities. Issues of ownership, responsibility and implementation cost have stalled smart card adoption for identity authentication within the U.S. health care industry, but EMV payment migration is expected to stimulate interest in smart cards. Payment terminals and systems are being converted to accept EMV and as this infrastructure expands, the costs associated with health care provider implementation and adoption of a smart card infrastructure decrease. The health care industry could experience benefits if adoption is uniform and if the EMV chip infrastructure is leveraged for identity authentication. While certain standards may still need to be developed, health care adoption of EMV and smart card-based identity authentication solutions can increase security, decrease payment vulnerability, reduce fraud and improve workflow for health care organizations.

Most major retailers have converted legacy payment systems to systems that include smart card readers that can accept EMV-compliant chip cards, and many have also included support for NFC and contactless payments as part of the conversion. U.S. retailers are making progress in migrating their legacy infrastructure to support EMV chip payments, with more than 750,000 merchant locations enabled as of January 2016. The pace of EMV migration in the U.S. is accelerating. According to the EMV Migration Forum, more than 400 million EMV chip cards have been issued in the U.S., and 60% of consumers have at least one EMV chip card in their wallet.

FEDS SCRAP CONNECT.GOV
GSA TO BUILD CENTRAL IDENTITY HUB AS 18F TAKES OVER PROJECT

The idea was straightforward: give U.S. citizens the ability to use digital identities they already have in order to access federal web sites and services. Depending on the risk for a specific transaction, the citizen would be required to take additional identity-proving actions in order to step up the level of assurance. This was the idea behind Connect.Gov. It was supposed to be a government-wide identity platform, but it appears the project is being scrapped. In its place, GSA is planning to build its own platform from scratch. The U.S. Post Office started the project in 2013. To provide the underlying technology, a contract was awarded to SecureKey. The company runs a similar program in Canada, called Concierge, which enables citizens to use their financial services credentials for access to government sites. Agencies started piloting applications for Connect.Gov in 2015, but a number of factors contributed to low adoption, says one insider. The applications that agencies selected to test were small and obscure so citizens didn’t have strong incentive to use the system. Also, while credential providers had been set for the pilots – Verizon and ID.me – few people already had these credentials so usage numbers were low. Between the obscure applications and a small base of credentials the project never gained significant traction.

While rumors have been swirling about the demise of Connect.gov, initiatives from the Obama administration have reinforced the need for the services the project was attempting to deliver. The Cybersecurity National Action Plan specifically called for multi-factor authentication to .gov sites, and it named the GSA to lead the effort. 18F, an entity within the GSA that helps federal agencies make IT acquisitions, is now overseeing that part of Obama’s plan. The future of Connect.gov or its remnants is unclear. According to a blog post from 18F, the new project will build off the work from Connect.gov, but doesn’t say exactly how it will do this. “To build this login platform, we’re using modern, user-friendly, strong authentication and effective identity proofing technology. This new platform will leverage the extensive lessons we’ve gained from agency efforts in the past, including lessons learned from our counterparts in the UK who built GOV.UK Verify.” Verify in the UK only accepts private sector credentials. 18F plans to create a platform that accepts them as well as a way for citizens to sign up for government-issued credentials, Joel Minton, head of the project at 18F, told attendees at the Cloud Identity Summit. “We want to give the users choice but will be providing a government account option and manage that securely,” he says.

18F PLANS TO CREATE A PLATFORM THAT ACCEPTS PRIVATE SECTOR IDS AS WELL AS A WAY FOR CITIZENS TO SIGN UP FOR GOVERNMENT-ISSUED CREDENTIALS

ID.me was one of the credential providers for Connect.Gov. The company’s CEO Blake Hall says that the project will be shuttered in August as 18F plans to build “something new.” According to Hall, they didn’t receive much feedback from agencies participating in the pilots. There were some rumblings that the system was slow and it was impacting the user experience, but there wasn’t much overall feedback. 18F has taken over the project and plans to build its own identity broker, attribute provider and single sign-on system for all agencies, Hall says. This was discussed at a meeting that Hall had with 18F officials. “Creating a central account for all citizen information is troubling,” he says. “It’s both Orwellian and would create one of the biggest honeypots of information for hackers to go after. I believe in a federated model that gives consumers choice. It would be horrible if any one private sector company had all Americans’ personal data in one place – but for that entity to be the federal government, absolutely not.” Connect.Gov was also under the umbrella of the National Strategy for Trusted Identities in Cyberspace, which proposed a public and private partnership to solve the digital identity woes facing citizens. Having a government-only solution goes against that idea, Hall says. Hall isn’t the only one who’s upset. There has been a bit of private sector backlash against 18F taking over the project. Twitter was aflutter after the 18F blog post, with one poster saying the government had been the equivalent of Lucy from “Peanuts” holding the football for Charlie Brown – the private sector – and then pulling it away at the last second. But until the GSA and 18F release concrete plans for the new identity platform, it’s unclear what the future will hold.


Bringing Security, Privacy and Authentication to the Forefront of the Internet of Things Security and privacy are top priorities as the Internet of Things (IoT) creates an increasingly connected world—connected devices are expected to reach 21 billion by the year 2020. The Security of Things, the Smart Card Alliance’s newest event, takes a deep dive into the advantages and challenges IoT presents across every market, including payments, transportation, industrial, consumer and healthcare, and highlights the need for secure IoT architectures using embedded security and privacy technology. Don’t miss this event, the best venue to learn, communicate and network with fellow IoT security industry colleagues!

October 18-19 Chicago, IL www.sca-securityofthings.com


SECURITY INDUSTRY ASSOCIATION TAKES ON HEALTH CARE SECURITY SPACE
KELLY VLAHOS, CONTRIBUTING WRITER, SECURITY INDUSTRY ASSOCIATION

A man, possibly high on methamphetamine, had a singular intention: to steal his infant child from the maternity ward before the state could take her away. Jason Matthew Bristol took the two-day old baby, wrapped her in a blanket and plastic bag and attempted to leave Thunderbird Hospital in Glendale, Arizona, on Jan. 21, 2015. But a bracelet affixed to the infant immediately set off alarms and locked down hospital doors before he could get away. It turned out to be a lifesaver in more ways than one, as officials say the blanket was placed on the tiny infant in such a way that it would have led to her suffocation. Hospitals can be fragile and violent places. According to the Bureau of Labor Statistics, of all workplace assaults from 2011 to 2013, upwards of 74% occurred in medical or social service settings. In addition, there are patients who escape – including prisoners and mental health patients – and, raising the specter of recent mass shootings, people who come into the hospital setting who generally aren’t supposed to be there. As a result, the health care field is ramping up its security services to meet the threat. The video surveillance cameras, ID badges and bracelets outfitted with radio frequency identification (RFID) or other smart technology for patients and staff, the integrated alarm systems, mass notifications, license plate readers, and smart card-enabled access control, all combine for the kind of convergent security architecture that the country’s 5,627 registered hospitals, big and small, are reaching for today. The infant tags, for example, are already ubiquitous, and as a result infant abductions today are rare, according to the FBI. Meanwhile, moving the building’s access control systems to Internet Protocols (IP) and the improvement of cellular networks have improved physical security capabilities tenfold. Also, the Internet of Things (IoT) expands the universe of possibilities requiring full-time management and proactive cybersecurity to keep enterprising hackers at bay. All this is what the Security Industry Association (SIA) Health Care Security Interest Group is hoping to tackle in the coming year. Launched in late 2015, the group is made up of a range of professionals and SIA members directly involved in the health care space, from hospital security directors to industry vendors and consultants. The group’s mission is to assess the current landscape in order to bring better understanding and solutions to SIA members and the health care security industry as a whole, says Jim Stankevich, global manager for health security at Tyco Security Products. Stankevich is taking the lead as chair of the new group, with Bonnie Michelman, director of security services at Massachusetts General Hospital and Partners Health Care, serving as co-chair. Focusing on electronic physical security – as well as the role of IT and cybersecurity – the group’s goal will be to explore emerging health care technology for health care providers and patients, as well as figure out what works now, what the possibilities are and what the future holds, says Stankevich. Aside from identifying the challenges facing health care facilities – the rise of violence being a top concern – the group will track emerging technologies and not just the hardware. The group wants to wrap its arms around the role of metrics and analytics in making the most of current systems and in developing capabilities for new customers. They will also talk about securing those systems. Finally, the group will also serve as an information-sharing hub for members, and work toward developing best practices across the vertical. While these may seem like lofty goals, all of the group’s work will keep in mind today’s shrinking budgets and return on investment. “There is a lot of hospital consolidation, and budget constraints, and I think hospitals in general are looking at ways to buy better, consolidate and improve inefficiencies,” says Stankevich, noting that for fiscally challenged hospitals, investing in new physical security systems is a hard sell. “Certainly security is not a revenue generator, it’s an expense.” There are hospitals and care facilities that can’t see beyond those financial hurdles, notes working group member Ben Scaglione, director of Health Care Security Solutions at G4S Secure Solutions. “Health care spending is all about medical equipment. They all have card readers, access control and the CCTV seems to be good. But the integration and the advanced technology isn’t really there – all their systems are five to 10 years old,” he explains. “There isn’t a strong understanding that systems need to do other things.”

HEALTH CARE SPENDING IS ALL ABOUT MEDICAL EQUIPMENT. ACCESS CONTROL SYSTEMS TEND TO BE OLD AND THERE ISN’T A STRONG UNDERSTANDING THAT THEY NEED TO DO MORE.

Strategic integration is key for security systems. All elements of the security apparatus need to be connected to form a protective and preventative web around hospital patients and staff. For example, license plate readers and video surveillance not only need to be in HD resolution and accessible by mobile devices and web-enabled platforms, but should be programmed with analytics that trigger alarms and lockdowns based on that facility’s risk factors. But that’s not all. The move toward IP-connectivity brings traditional security solutions into the 21st Century and enables them to communicate, according to Lauris Freidenfelds, director of security services at Rush University Medical Center. That includes all video and access control systems, wireless voice radio communications and panic devices at each PC workstation, which are transmitted via the network to the campus command center, Freidenfelds says. Nurses and other staff also wear these devices as they move through the buildings. Wireless connectivity also enables mass emergency notifications, which are critical to campus-wide alerts. Integration is also vital to the working group, says Freidenfelds. As technology becomes more complex, it’s created a need for more data-driven analytics and management to harness and utilize it. “We do not have enough manpower to accomplish what is needed to keep hospitals safe without technology,” he adds. But with all this technology comes new risk. In February, Hollywood Presbyterian Hospital paid $17,000 in Bitcoin as ransom for its electronic medical records, which had been seized and locked with an encryption key by hackers. And it wasn’t the first institution to pay untraceable ransom for critical records and network access. At least two New England police departments have paid Bitcoin ransoms to retrieve hacked files. Experts estimate that paid ransoms have reached $1 billion annually. While it looks like the Los Angeles hospital fell victim to a phishing expedition – an unwitting employee may have opened an email file that launched the malware that made the attack possible – there are vulnerabilities in physical security networks that can act like “ramps” over to the IT networks of hospitals, where sensitive patient and employee records live, says Michael Chipley, a building security expert with the PMC Group. As the IoT expands, marked by the expanded use of data generated in the cloud and mobile computing, cybersecurity will be critical to any institution where individuals’ private data – or even their lives – are at stake. Some hospitals are still making those first steps to integrating their systems and all this will come into play as the working group seeks to provide an educational component to practitioners and the vendors who work with them.

INSIGHTS Cutting-edge viewpoints on the use of security technology from the industry’s leading electronic physical security association. Learn more at securityindustry.org.

AXING PVC FROM HIGH-SECURITY DOCUMENTS
ISSUERS FINDING ADVANCED CARD MATERIALS WORTH THE ADDED INVESTMENT

Good old polyvinyl chloride. It’s the primary material in the vast majority of IDs, payment cards and the like. But it’s also not secure, has long-term durability problems and is readily available to counterfeiters – $35 will get you 500 blanks on eBay. There are many problems with PVC. Card issuers – federal and financial alike – want a longer lifespan from cards, and PVC is only able to provide so much durability. Then there’s the security concern, which was brought to the public consciousness as news spread of students buying near-perfect fake driver licenses from China. Lest we forget, there are also environmental concerns with PVC. All these are reasons why it’s time to deprecate PVC as the primary material for government-issued identity, access control and payment cards and make the move to composite cards utilizing advanced card materials.

Composite cards still use PVC, but in much smaller quantities. Using a PVC core with other materials such as polyester, Teslin and polycarbonate can add strength and security to the credential. “Every card material has its strengths and weaknesses,” says Pierre Scaglia, global segment manager for Secure Credentials at PPG Industries. The trick is finding the right composite materials that suit the credential’s specific needs, Scaglia explains. “If you want a five-year, dual-interface card, PVC isn’t strong enough to do that,” he says. “You need to adopt other materials as well.”

PVC VENDORS WILL SAY THEIR CREDENTIALS CAN LAST UP TO FIVE YEARS OR LONGER, BUT LARGE-SCALE TESTING OF PVC-ONLY CARDS HASN’T BEEN DONE IN MORE THAN A DECADE

The biggest downside for PVC is durability, experts say. As they spend more money embedding electronics, issuers want longer life out of the credentials. PVC vendors will say their credentials can last up to five years or longer, but large-scale testing of PVC-only cards hasn’t been done in more than a decade, says Dave Tushie, technical and standards representative at the International Card Manufacturers Association. Tushie was part of the testing conducted between 2000 and 2003 that looked at the durability differences of PVC-only card bodies versus various composite card types. Durability and bend testing found that 75-80% of the PVC-only card bodies registered as failures versus a failure rate of just 20% for the composite cards. At that time durability needs were less demanding – two to three years for payment cards and four to five years for driver licenses, Tushie says. Issuers now want a longer lifespan. This testing was conducted a long time ago and improvements in PVC have been realized, but it’s hard to tell how much better they’ve become since there hasn’t been any open testing, Tushie says. And while PVC vendors may have improved the durability of their materials in the last decade, manufacturers of other materials have been doing the same. MorphoTrust provides driver license issuance systems and works with states on how best to issue the documents. The vast majority of states that the company works with have moved away from PVC-only credentials in favor of composite cards, says Roland Fournier, senior marketing program manager at MorphoTrust. “Five-year durability is the maximum you can expect with PVC, but with composite cards you can get seven or eight years,” he explains. That’s not to say PVC is without its uses among next generation credentials. Adding other materials can strengthen PVC, adding durability and security, Tushie says. “It’s amazing how little polyester you need to put into a card to improve the durability,” he explains. “You can have a composite card with a PVC core and other materials on the outer layer and you get remarkably improved performance.” There was a flex test with a PVC core card that featured a polyester overlay that survived 200,000 flexes in a testing scenario, Tushie says. The ISO standard for a successful flex test requires only 50,000 repetitions. “We stopped the test because there were no failures,” he adds.

SECURITY

Another issue with PVC is the ease of obtaining the material, says Fournier. “The material is commonly available to anyone who wants it,” he explains. “It’s a nightmare for an issuer.” Adding polyester, Teslin or other materials makes it harder to counterfeit a document, Fournier says. But adding these materials adds complexity and costs to the manufacturing and personalization processes. Composite cards are more expensive but if an organization is issuing enough they can realize economies of scale, Fournier says. “If an issuer has an existing process and they choose a new material, they have to make sure it works with their existing equipment,” he explains. “The new material has to work well with existing personalization technology.” There are some changes that also have to be made to the manufacturing process, Tushie says. Sometimes the materials have to be orientated on the core material a certain way, which can take extra time. Some overlays may also require slightly different temperatures in order to adhere properly.

PVC IS COMMONLY AVAILABLE TO ANYONE WHO WANTS IT. FROM A SECURITY STANDPOINT, THIS MAKES IT A NIGHTMARE FOR AN ISSUER.

And when it’s all said and done, the additional cost of materials, personalization and changes to processes may prove too much for some issuers. “They can be a little more reluctant if they think they have a stable process in place now,” Tushie says.

ENVIRONMENTAL CONCERNS

Another reason to stop using PVC or decrease its use in credentials is the environmental impact, Fournier says. Creating PVC yields a lot of environmental waste. “Getting the raw materials for PVC carries a stigma and some issuers started shying away from it because of the environmental impact,” he says. As issuers want longer life, better security and an environmentally friendly credential, it may be time to move away from PVC – or at least deprecate its use – and start looking at composite materials that better fit the needs of issuers.

YOUR USER ID AND PASSWORD HAS BEEN STOLEN ...IN THE MEANTIME...
ANDRE BOYSEN, DIGITAL IDENTITY EVANGELIST, SECUREKEY

Every morning when I leave the house, I do a quick pat down to check for essentials: Phone? Check. Wallet? Check. Keys? Check. These three belongings are basic representations of my identity and are woven into my daily activities. Quite frankly, they’re critical, and like millions of others, I go through this same process whenever I’m leaving a restaurant, a movie, or anywhere else...when I remember to do it. But what happens when I go through the check-down process and find one of my essential items is missing? I’m overcome with an immediate sense of dread, followed by a tremendous sense of urgency to recover or replace what I lost. My motivation to recover these items consequently transcends whatever else I have going on that day – that’s how critical these items are to my daily life. Because of their importance, my “meantime to recovery” for any of these items is usually a small window. The shorter this window is, the more I’m mitigating risk not only for myself, but potentially the credit card company, phone carrier and other services that may have to cover fraudulent activity.

I was thinking about these two interconnected concepts recently after I received a notification that a user ID and password to an online service I seldom use was “potentially compromised.” Are consumers equally motivated to recover their online login information, as they are a lost wallet? Are they as driven to reduce the meantime to recovery to as short a window as possible? The answer often is no – or “it depends on the credential.” If you find that your banking user ID was compromised, you’re likely to change it as soon as you can get online. There is a high motivation driving the meantime to recover to as short a window as possible. These two concepts – “motivation to recover” and “meantime to recovery” – are critical for online services to understand and cultivate in consumers.

Today’s threat landscape has hardened people to the fact that there is a real possibility their user ID and password will be stolen or compromised at some point. Getting the consumer motivated to recover them is important in eliminating the latent risk of the initial compromise. Low motivation extends the meantime to recovery, prolonging the time an attacker has to use and exploit a credential in their attack. More time to potentially leak consumer information. More time to conduct fraudulent financial transactions. More time to drive up the remediation costs of a breach. More time to damage the brand. More time to destroy any goodwill or trust that has been built up with the consumer.

Can companies cultivate a high motivation in their customers? The numbers on their face are not good – today’s average consumer has more than 130 user IDs and passwords. It’s no wonder why the average person is only concerned with the credential equivalents of their keys, wallet and phone. This is usually a banking credential, a social media ID credential or something equally critical to their well-being.

So how does an online service protect itself from falling into the abyss of user IDs and passwords, motivating their customers to recover their credential? There are two primary methods, one that is extremely difficult, and one that is much easier. The hard way is to change your business so that the consumer highly values it and would never want a credential to the service exposed. Easy to type, not easy to do.

The second way? Anchor to an existing user ID and password that ANY customer would be highly motivated to recover – like the aforementioned banking example. One increasingly popular option is to anchor to a social media platform like Facebook or LinkedIn because consumers often access them several times a day. However, given the recent data breaches at LinkedIn and Tumblr, social media platforms are seemingly more susceptible to data breaches than financial online services whose security is considered by many to be unparalleled. This is what the Canadian Government has opted to do in partnership with SecureKey and its Concierge Service – it empowers users to access the online services they want using their familiar and trusted online banking user ID and password.

Aside from the tremendous convenience this affords a customer, it also alleviates risk for online services by eliminating the use of passwords and personal information to log in a customer. In the end, the web service has a choice: does it partner with a service that anchors an identity to a trusted source to eliminate the risk and stress, or does it become the user’s 131st?


EXECUTIVE STRATEGIES FOR SECURITY SUPPLIERS AND PRACTITIONERS OCTOBER 19 – 20, 2016 • THE GRAND HYATT, NYC

MAKE YOUR IDENTITY KNOWN AT THE SECURITY INDUSTRY’S TOP EXECUTIVE CONFERENCE “At SNG™, I gain vital market intelligence that helps me craft business strategies.” — Ken Mills, Global Marketing and CTO, Surveillance and Security, EMC Corp.

SECURINGNEWGROUND.COM


FIPS 201 APPROVED PRODUCTS LIST REVAMPED BY GSA
FOCUS MOVES FROM COMPONENT TESTING TO SYSTEM INTEROPERABILITY

Mention certification, product testing and the approved products list to those in the smart card and physical security markets and executives will likely bristle. “Time consuming and expensive” is the common refrain when it comes to the product testing needed in order to be placed on approved product lists from the federal government. Vendors have had to go through these steps since FIPS 201 was released almost a decade ago. Agencies wanted assurances that the products they purchased from different vendors would work together and throughout the enterprise. For example, a credential issued at a GSA office in Chicago should be able to work at a GSA facility in Washington. This testing required vendors to hire an independent lab to test the products against the specification. This cost thousands of dollars and took a considerable amount of time.


Originally, the approved products list tested each component to see if it met the specification. This led to problems when different pieces were put together, says Rob Zivney, senior consultant at Identification Technology Partners. “People would buy the components, put them together and they wouldn’t work,” he explains. In response to the problem, the General Services Administration, which managed the approved products list, changed how testing is done for FIPS 201. Now, instead of testing individual components, testing is done to make sure parts work within an entire system. The GSA also mandated that physical access system installers become certified to reduce problems when systems are deployed. This type of certification for PACS vendors was established due to federal agencies providing us feedback that installers didn’t know how to configure the PKI correctly in PACS systems when doing the installation, says Chi Hickey, director of Testing and Procurement of the Identity Assurance and Trusted Access Division in GSA’s Office of Government Wide Policy. The certification covers OMB policies, FICAM roadmap and guidance, PKI, certificate validation and other information.

CHANGES WERE OVERDUE

The updates to the FIPS 201 Evaluation Program began in 2012 in response to the publication of the Office of Management and Budget Memorandum M-11-11, Hickey explains. The new program not only tests products and services for conformance with FIPS 201 requirements, but also tests products for alignment with the Federal Identity Credential and Access Management (FICAM) roadmap and guidance.

Prior to 2012, the FIPS 201 Evaluation Program relied heavily on self-assertion with checks by vendors and independent labs rather than functional security and penetration testing conducted on the systems. No interoperability testing was conducted between products, so there was no indication of which listed products worked with each other. There were also limited functional requirements, outdated testing standards and insufficient categories.

The revamped Evaluation Program tests products related to physical and logical access control systems that interact with the PIV, the Defense Department’s Common Access Card and PIV-I cards to determine whether the products are conformant with the FIPS 201 standard. The Approved Product List (APL) is the official list of products that have passed testing and have been approved by the Evaluation Program. The Evaluation Program and the APL are designed to help vendors, as well as industry, federal, state and local stakeholders, as it is GSA’s goal to help the industry as a whole understand requirements and help federal agencies find conformant, secure, and interoperable products.

The GSA has made efforts to streamline the process to have products approved for the APL, Hickey says. Applicants who want to have their product or service evaluated go to the GSA web site, register and obtain information regarding the evaluation process. The applicant fills out forms and submits an application package to the evaluation program. The program then schedules testing and, when possible, the office works with the applicant to resolve issues identified during testing. Upon passing the testing process, the product or service is listed on the APL.

The GSA started communicating with vendors about the changes in 2012 and early 2013, Hickey says. “The vendors were significantly impacted and GSA recognized that, therefore the GSA Office of Government Wide Policy is currently funding the testing for PACS systems,” she explains. “Usually, when a vendor applies to get a product certified for FIPS 201 testing, they pay for it out of their own pocket. Since GSA recognized the impact it would have to the vendor community we are paying for the testing instead.”

The GSA also created a communication strategy and received buy-in from all stakeholders – vendors, industry and federal agencies – about implementing this new end-to-end system testing. Drafts of the functional requirements and test case documents were distributed to the stakeholder community and vendors and industry weighed in. “We incorporated a lot of their comments to include different topologies for PACS to not stifle vendor creativity, but ensure that as long as the PACS met the functional requirements and test cases it passed,” Hickey adds.

Will GSA’s new approval process push PIV-I in the enterprise?

More than a decade ago it was a commonly held belief that the smart cards and systems deployed by the federal government would be used in private enterprises across the country. For the most part the crossover hasn’t happened. PIV-I – the standard for non-federal employees – is being used by some of the largest government contractors, but the use of FIPS 201 systems outside of federal agencies and contractors hasn’t gained widespread traction. Enterprises already have physical access control systems in place, they work well and most don’t see a need to rip and replace with a more expensive, complex system, says Rob Zivney, a senior consultant at Identification Technology Partners. Zivney and other industry insiders were less than optimistic that these changes to FIPS 201 and the approved products list will have much impact. In general, most agree that the approval effort is crucial for federal agency business but is unlikely to show large rewards outside government.

MIXED REACTION FROM STAKEHOLDERS

The new requirements seem to be a proverbial mixed bag. On the plus side, the systems agencies are deploying are operating properly and securely, but it’s taking significant time for vendors to have their systems tested and placed on the list, costing them sales.

Allegion manufactures wall mounted smart card readers and wireless reader and lock peripherals for physical access control systems that were certified under the first FIPS 201 Approved Products List. When the government progressed to FIPS 201-2 they removed the APL and replaced it with a current approved products list based on FIPS 201-2 and placed all the legacy products on the removed product list. This impeded Allegion’s ability to sell these products on federal projects, says Terry Collins, director of government sales at Allegion. Since Allegion only provides one component of an overall physical access control system, the company must find partners with the other components to test under the new FIPS 201-2 requirements, Collins says. Allegion is still waiting for its first overall system to be approved – the first of which should be submitted to the GSA later this year. Vendors must first have a full system available in order for testing to take place. If that full system passes, then Allegion would go on the APL with that specific system. Allegion must have their components tested with other PACS providers as well, which will mean many more testing cycles, explains Collins.

While vendors seemingly have to jump through more hoops, the end result will be systems that work and are more secure, says Lars Suneborn, director of training programs at the Smart Card Alliance. The organization runs the training program to certify physical access control system installers as required by the GSA. The changes were designed to make sure that the system worked with all the components and are truly secure, Suneborn says. The changes brought on by FIPS 201 and the more recent changes from the GSA bring about a shift in how physical access control systems are built and deployed, he says. While procurement officers would previously go down the approved products list and pick and choose components, now they have to choose systems and certified installers.

PROGRESS TO DATE

The Smart Card Alliance has been running training classes for more than a year, Suneborn says. More than 120 individuals have been certified. As for the APL there are 25 vendors with 27 solutions available for agencies to purchase. Even though there are certified technicians to install the systems, along with entire systems now available, they still aren’t necessarily being deployed. Educating federal procurement officers on these requirements is the last step, Zivney says. Those in the DC Beltway know about the requirements, but those at smaller facilities outside have no idea. “Unless we train the procurement officers it’s still going to be a problem,” he says.

Pentagon getting rid of Common Access Card?

The U.S. Defense Department has been a pioneer when it comes to smart cards in the federal government, first issuing the cards in the 90s. So when the agency’s CIO mentioned eliminating the cards in the next two years, it caught many by surprise. Pentagon CIO Terry Halvorsen told the 2016 Federal Forum that the agency plans to get rid of the Common Access Card in the next two years and replace it with an “agile,” multi-factor authentication system. The cards would be replaced by “some combination of behavioral, probably biometric and maybe some personal data information that’s set from individual to individual.” The smart card credential may still be used for physical access, but that would be its sole function. Another reason for the move is so the U.S. can share information with its allies. The Pentagon is working on an identity standard and methodology with Australia, Britain, Canada and New Zealand that would not include the Common Access Card.

A number of smart card industry executives and government officials were caught off guard by Halvorsen’s comments. Additionally, it would seem to contradict HSPD-12. The directive, signed by President George W. Bush, called for a standard, interoperable credential across all agencies that would be used for physical access to facilities and logical access to computer resources. The other problem is timing. A behavioral, continuous biometric system, such as the one Halvorsen mentions, would have to go through testing and certification before it could be used by any agency. Development, selection, testing and rollout for such a solution would be a time-intensive process.



FIDO MAKES PITCH FOR GOVERNMENT ADOPTION
U.S. AND UK ALREADY TAKING STEPS TOWARD INCORPORATING THE SPECS

Authentication is important for governments seeking solutions for improved security, privacy, interoperability, and better customer experiences. With modern authentication approaches entering the market, the FIDO specifications are offering governments better options for strong authentication. But government policy needs to evolve as the technology evolves. That’s the takeaway from a recent webinar hosted by the FIDO Alliance.

Brett McDowell, executive director of the FIDO Alliance, began with an understatement. “The world has a password problem.” As data breaches mount – costing millions of dollars per breach to the enterprise – the need to find an alternative to passwords becomes more pressing. SMS for one-time passcodes comes with reliability challenges and delays, confusion to some users and credentials that are still phishable. “The new model is FIDO – Fast Identity Online,” McDowell says. “This is public key cryptography applied to online authentication in a way that delivers true interoperability between web sites and devices, web browsers and dedicated security devices.”

There was a time when enhanced security meant a decrease in convenience – or vice versa. McDowell says that can change with the introduction of the FIDO authenticator into the architecture. “We knew you couldn’t solve this problem with a single product. It doesn’t matter how big you are, how much market penetration you have,” McDowell says. “The password problem is too big for any one stakeholder – even any one government to solve on their own. It had to be done with open standards.”

The non-profit FIDO Alliance was launched in early 2013 with 6 members. Its purpose: develop standards that address the lack of interoperability among strong authentication devices and address problems surrounding usernames and passwords. Deployments of FIDO-compliant devices and servers began the following year. The FIDO certification program launched last year, and many FIDO-certified smartphones and tablets are now being shipped. The Alliance has grown to more than 250 companies in its membership.

“Right out of the box, a FIDO credential is privacy enhancing,” says Paul Grassi, senior standards and technology advisor at the National Institute of Standards and Technology. “It’s built into the spec that there’s no way to track and profile user behavior online.” Given the fact that FIDO is now commercially available, Grassi says NIST is looking at having a FIDO server run alongside a PKI server for strong interoperability.

“Now we have a strong authentication solution that defeats the most common attacks like phishing, defeats the vulnerability of a data breach because there’s no secrets on the server that can be reused if there is a data breach, and it delivers what we’ve been waiting for all this time which is a better user experience,” McDowell says. “So now there’s actual market demand to put this in place.”

Governments around the world are focusing on identity and authentication requirements for their own systems as well as those systems or industries that they regulate. The UK government recently launched Gov.UK Verify, offering secure identities using FIDO. There still needs to be some education, however. “We find a lot of governments are not aware of FIDO or don’t properly understand it,” says Jeremy Grant, managing director of the Chertoff Group and former senior executive advisor for the National Strategy for Trusted Identities in Cyberspace (NSTIC). Grant says governments should know that:

- Two-factor authentication no longer brings higher burdens or costs
- Technology is now such that two secure, distinct authentication factors can be enabled in a single device – particularly with mobile
- Strong authentication needs to be the “right” kind as some solutions are better than others
- FIDO is designed to enhance privacy. It supports the Privacy Principles of the European Data Protection Directive and other government privacy initiatives. There are no third parties involved, no secrets in the server and biometric data never leaves the device.

“The Alliance mapped its privacy principles against the Identity Ecosystem Steering Group requirements,” Grant says. “FIDO from a policy perspective and a market perspective enables better security for online services, reduces cost for the enterprise, and at the end of the day it’s simpler and safer for consumers.”


FEDERATED IDENTITY KNOCKS DOWN SILOES IN CLINICAL DRUG RESEARCH

Traditionally, the pharmaceutical industry has been highly siloed when it comes to data. Information is stored within the enterprise and doesn’t leave. This has been changing in the last few years, though, as drug companies are working with outside researchers, academics, patient groups, government and others to research new medications, says Mollie Shields-Uehling, president and CEO at SAFE-BioPharma Association. “There are all sorts of new players in the clinical trial business,” she explains. “What used to be an inside-the-enterprise operation has become a collaboration among many partners that are far flung around the globe.”

This brought about the creation of the TransCelerate Shared Investigator Platform, a single point of access for interaction between investigators participating in clinical trials from geographically dispersed sites and clinical trial sponsors. TransCelerate is a consortium of 18 clinical trial sponsoring companies that have come together to share resources, establish more uniform processes and streamline the trial process. Clinical trials used to be paper-based and required scanning, faxing and mailing large amounts of paper because everything required a physical signature, explains Shields-Uehling. The Shared Investigator Platform is designed to make this process electronic to ease collaboration among the different parties involved – without sacrificing the protection of sensitive information or intellectual property – to bring new drugs to market quicker.

The platform is using credentials issued and verified by Exostar that comply with the SAFE-BioPharma digital identity and digital signature standard, says Shields-Uehling. The idea is that with a single credential clinical investigators and other participants will be able to access what they need to collaborate on trials spanning multiple sponsors, as well as apply digitally – a requirement for certain regulatory agencies.

Investigators may be working on clinical trials for multiple medications and drug companies. Instead of having to remember passwords and keep separate credentials for each of the companies and trials – as is the case presently – they will be issued a single credential by Exostar that can be used to access the applications and data for any relevant trial, says Vijay Takanti, vice president of security and collaboration solutions at Exostar. The participating organizations have agreed to a single onboarding process, Takanti says. The new platform aims to reduce the burden on investigators by enabling them to share information with multiple sponsors and make it easy for them to access various sponsor IT systems. For example, if an investigator is working on a trial for a Pfizer medication and then gets hired to work on a trial for Merck, there’s no need to re-execute the onboarding process or issue a new credential.

To start, investigators register through the Shared Investigator Platform. The Platform is integrated with Exostar’s identity and access management solution, which handles identity vetting and credential issuance, in addition to working with existing registries and downstream systems. Through the Shared Investigator Platform, individuals can access multiple applications, Takanti explains. There are lab notebooks, educational materials about trials, and other applications to promote secure collaboration. Participants use the SAFE-BioPharma credential to enter and are presented with all the different applications which they are permitted to access. Exostar is working with the TransCelerate member companies to expand the number of connected applications accessible with the credential, creating a stronger value proposition for trial coordination and delivery.



ALABAMA TACKLING INCOME TAX FRAUD WITH ELECTRONIC IDS

More than 700,000 records were breached in the 2015 IRS hack, leaving citizens vulnerable to additional identity theft and fraud. Fast-forward to 2016 and the IRS is still struggling to find a way to properly identify citizens in the digital world. But thankfully some states are exploring use of different technologies to protect citizens from having their tax returns stolen.

Alabama and North Carolina are among the first states to enable citizens to use high-assurance credentials to lock down their state tax returns. North Carolina is doing it as part of a grant from the National Strategy for Trusted Identities in Cyberspace, but Alabama was so excited about the initiative, they’ve decided to pay for it themselves. “We are paying $250,000 for it but it’s a low cost for fighting fraud,” says Julie P. Magee, revenue commissioner with the state of Alabama.

MorphoTrust is providing the technology that enables citizens to lock down their tax returns. Citizens have to download the MorphoTrust eID app and then scan the front and back of their driver licenses using their smartphone, says Mark DiFraia, senior director of solutions strategy at the company. The scanned document is authenticated, at which point the user takes a selfie to be matched, via facial recognition, to the photo on the document that was scanned. That information is also checked against what the state has on record. If everything matches, a credential is issued to the mobile device. Then when logging on to the state site, instead of entering a user name and password, the citizen authenticates to the app with another selfie via facial recognition and then scans a QR code from the site to enable access. In the instance of the tax return, the citizen will be notified once the return has hit the Department of Revenue. The citizen then logs in to the site as a final step to authorize that the transaction is legitimate.

With 92% of tax returns filed electronically, something to link the identity of the person to the return has become essential, Magee says. The eID system will be in place for next year’s returns, but Alabama previously implemented a knowledge-based authentication quiz to try and stop fraud as well as to alert citizens when their return was filed. If they were alerted and they hadn’t filed a return, then citizens were directed to call a hotline. That same quiz and alert system will remain in place as Magee expects it to take some time before widespread adoption of the eID becomes a reality. To aid in adoption, the Department of Revenue is going to work with the University of Alabama to create a marketing campaign to get the word out about the new system, Magee says.

While the use of the eID will be limited to tax return filing for now, Magee has high hopes for it in the future. “User names and passwords are so easily obtained by hackers,” she explains. “And as people grow more comfortable with this we will be able to replace other user names and passwords with this app.”

