- The Convergence of Physical Security
- Category: Physical Security
Authors: Terry Martin and Alexandra Bakhto
Date Added: March 30th, 2007
Introduction
The convergence of physical security with information security is driven not only by the InfoSec physical security model, which treats the entire facility as a single security system, but also by another objective: Single Sign On (SSO). SSO is in turn driven by powerful directives such as Homeland Security Presidential Directive 12 (HSPD-12) and FIPS 201.
In practice, SSO means one thing: Smartcard technology.
SSO requires the convergence of traditional physical security with IT for a number of reasons, such as the following:
- Reduction of the cost associated with issuing and revoking authentication and access control credentials across information systems and facilities
- The capability to know where a person is in relation to network authentication
For example, it is useful for the intrusion detection system (IDS) to know whether a person is in the building at the same time a remote authentication request is made in that person's name. To support this capability, the information systems are given "read" access to the physical systems.
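The check just described, as an added example that is not part of the original paper: badge-read events from the physical access control system are correlated with remote authentication events, and a remote login is flagged when the user's most recent badge read says they are still inside the building. The user identifiers, timestamps and log layout below are constructed for the example.

```python
from datetime import datetime

# Constructed sample data (not from the paper). The physical access control
# system records badge reads at the building perimeter; the network side
# records remote (e.g. VPN) authentications. Both are assumed to share a
# common user identifier, which is what a converged SSO deployment provides.
BADGE_EVENTS = [
    ("2007-03-30 08:02:11", "alice", "IN"),
    ("2007-03-30 08:15:40", "bob", "IN"),
    ("2007-03-30 12:30:05", "bob", "OUT"),
    ("2007-03-30 17:10:22", "alice", "OUT"),
]
REMOTE_AUTH_EVENTS = [
    ("2007-03-30 09:45:00", "alice"),   # alice is badged IN at this time
    ("2007-03-30 13:05:00", "bob"),     # bob badged OUT at 12:30, plausible
    ("2007-03-30 18:00:00", "alice"),   # alice badged OUT at 17:10, plausible
    ("2007-03-30 10:00:00", "carol"),   # no badge record for carol at all
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def presence_at(badge_events, user, when):
    """Return 'IN', 'OUT' or 'UNKNOWN' for `user` at time `when`, taken from
    the most recent badge read at or before that time."""
    state = "UNKNOWN"
    for ts, who, direction in sorted(badge_events):
        if who == user and parse(ts) <= when:
            state = direction
    return state

def correlate(badge_events, remote_events):
    """Flag remote authentications that conflict with physical presence data.
    A remote login while badged IN is the classic signal of a shared or
    stolen credential; a user with no presence record cannot be confirmed."""
    findings = []
    for ts, user in remote_events:
        state = presence_at(badge_events, user, parse(ts))
        if state == "IN":
            findings.append((ts, user, "remote login while badged IN"))
        elif state == "UNKNOWN":
            findings.append((ts, user, "no physical presence record"))
    return findings

if __name__ == "__main__":
    for finding in correlate(BADGE_EVENTS, REMOTE_AUTH_EVENTS):
        print(*finding)
```

A real deployment would also treat a missing OUT read (tailgating on exit) as a reason to weight the IN state less strongly, which this example does not attempt.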
Another emerging development is the capability of the information systems to "write" to the physical systems. For example, if a person's network authentication credential is issued or revoked, the physical access control credential is issued or revoked at the same time.
An advanced development of this concept is the capability to populate an SSO identity and authentication credential across multiple physical systems and the network with a single integrated process. This allows the SSO authority to enroll, print, and issue a photo-ID/physical access control card and network identification/authentication credential from a single entry point and process.
In addition to governmental initiatives such as HSPD-12 and FIPS 201, two private sector initiatives are being developed that speak to the complex task of developing convergence and interoperability:
- oBIX
- PHYSBITS
The various types of Smartcard technologies are described in our paper titled "Physical Access Controls." In this paper, we examine in more detail how Smartcard technology can support the objectives of the information security professional. One of those objectives is to make information security affordable.
Open Building Information Xchange—oBIX
oBIX is a set of standards developed by a committee of the Organization for the Advancement of Structured Information Standards (OASIS).
The objective of oBIX is to define a standard web services protocol to enable communications between building mechanical and electrical systems and enterprise applications, enabling facilities and their operations to be managed as full participants in IT infrastructure.
Building systems use many esoteric binary communications protocols such as BACnet, LonTalk, Modbus, and DALI, to name a few, and a number of proprietary formats as well.
The task of oBIX is to normalize these communications to web-based services, XML in particular, delivering facilities systems data in a format that is consumable by enterprise applications and compatible with IP networks.
Generally, oBIX deals with the interoperability and convergence of electrical and mechanical facilities systems.
Physical Security Bridge to IT Security—PHYSBITS
PHYSBITS represents a more focused effort addressing the convergence of traditional physical security systems and information security. The effort is organized by the Open Security Exchange (OSE).
PHYSBITS narrows the issues of convergence and interoperability down to the discrete technologies of traditional physical security, addressing Smartcard technology development directly.
A number of organizations participate in these efforts, with GlobalPlatform and Java Card technology holding a strong position as the preferred development platforms for multiple-application Smartcard technology.
Various standards address everything from the physical characteristics of the card to the identification of card issuers.
Single Sign On—SSO
When considering an SSO solution, consider a number of points, including the following:
- The systems that a credential will need to navigate
- The cost of the token
- How effectively it can be bound to the person (nonrepudiation, loss, theft)
- How it might be utilized to deliver additional value
Physical Characteristics
The physical characteristics of the token begin with its form factor, which takes two basic shapes:
- Card
- Fob
A fob configuration is useful for convenience. Its compact form supports deployment attached to key rings and as an extension of the key head of a conventional key. However, it does not support the additional value that can be associated with card formats.
Photo-ID
One of the earliest implementations of a credential representing a Smartcard is the photo-ID badge. Although not technically a Smartcard, the photo-ID represents the concept of issuing an authentication credential to a person.
The ability for other people within an organization to visually check and monitor identities is a simple, unobtrusive, and inexpensive measure. Because physical access control tokens come in various form factors, the ability to use the card format as a photo-ID carrier, although less convenient than fob-type form factors, is a solid consideration in the selection.
Highly sophisticated integrated card processing equipment can emboss full-color, high-resolution images on the card, at the same time writing to the electronics of the card and enrolling it into the system.
Printing and embossing technologies are so advanced that photo-ID cards can be embossed with holographic security images and biometric information such as the user's fingerprints.
Bar Code
Bar code technology is another printed image technology that is extremely inexpensive. Early implementations of bar codes were simple sequences of lines that optical scanning equipment could read. Data is interpreted from the width and spacing of the vertical lines.
Although the basic bar code technology is simple, it has been developed into numerous implementations with varying degrees of sophistication, security, and data density.
The principal security issue with bar codes is that they can be easily copied, so they are not suitable for medium- or high-security applications. However, they are extremely reliable and inexpensive.
The simplest implementation is a conventional UPC bar code, readily recognizable as goods labeling, product identification, and so on.
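As an added example (not from the original paper), the following computes and validates the UPC-A check digit, the integrity digit printed with the conventional bar code mentioned above. It shows that the only checking built into the format catches misreads of the line widths and spacing, not copies: a photocopied label validates exactly like the original, which is why the text rates bar codes as unsuitable for medium- or high-security use. The sample code value is a constructed example.

```python
def upc_a_check_digit(digits11: str) -> int:
    """Compute the UPC-A check digit for the first 11 data digits.
    Digits in odd positions (1st, 3rd, ..., 11th) are weighted 3, digits in
    even positions are weighted 1; the check digit brings the weighted sum
    up to a multiple of 10."""
    if len(digits11) != 11 or not digits11.isdigit():
        raise ValueError("expected exactly 11 numeric digits")
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits11))
    return (10 - total % 10) % 10

def validate_upc_a(code: str) -> bool:
    """True if a scanned 12-digit UPC-A string carries a consistent check digit.
    This detects a corrupted scan; it says nothing about whether the label is
    genuine, since a duplicate prints the same 12 digits."""
    if len(code) != 12 or not code.isdigit():
        return False
    return upc_a_check_digit(code[:11]) == int(code[11])

# Constructed sample value for the example.
SAMPLE = "036000291452"

if __name__ == "__main__":
    print(SAMPLE, "valid" if validate_upc_a(SAMPLE) else "invalid")
    print("copy of label:", validate_upc_a(SAMPLE))  # a copy validates identically
```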

Figure 1: Simple Bar Code
More advanced implementations, variously known as data strip, 2D, dot matrix, stacked bar, color code, and so on, can contain significantly more data. In fact, the matrix bar code can carry data at densities up to five million characters per square inch, which is sufficient to encode high-resolution images.
Figure 2: 2D (Stacked) Bar Code
Bar code technology can serve as an implementation of steganography. Visually, a bar code can represent an image, within which the data payload is concealed.

Figure 3: Image from Data Generated by a Bar Code Printer
Magnetic Stripe
In addition to optical technology, the card format supports magnetic stripe technology, which is inexpensive and more secure than optical imaging.
Biometric
Biometric data does not need to mean an expensive card. Printing biometric information such as a high-resolution photograph, signature, physical description, and even fingerprint image on the card enables a biometric implementation without the expense of embedded electronics.
Embedded Chip
Embedded chip technology is by far the most expensive; however, it comes with significant advantages, security not being the least of them.
Chip technology is what Smartcard technology is really about. Adding an integrated circuit with memory, processing, and wireless communications creates an extremely useful microprocessing package.
Servicing functionality for applications such as identity and authentication management, integrated access control, field collection of data, credit cards, and telephone cards, the embedded chip Smartcard has emerged as a prolific component of the convergence market.
Industry estimates state that there were more than 3 billion Smartcards deployed worldwide in 2000, and annual shipments continue to grow from more than 2 billion in 2005 to an estimated 4.5 billion by 2010.
The trend toward embedded chip technology is well established, and the information security professional is well advised to implement it as part of policy.
Fob Format
The other option for packaging is the fob format. The fob is a useful package for the token where user convenience outweighs the added value of card format or card features are not required.

Figure 4: Fob Packaging for Embedded Chip
The fob format has the advantages of convenience and durability; however, it does not support the added value delivered by the multifunctionality of the card format. Some manufacturers produce a similar package that is directly attached to the head of high-security keys.
Summary
There is a wealth of Smartcard technology developers with well-established channels to market, and the extremely high volume has driven the costs down.
By adopting an embedded chip SSO card solution that can integrate photo-ID badging, bar coding, mag striping, holographic security, and biometric data, the information security professional has a full selection of added function and value to support the objectives of information security.