Security Business

JUL 2019




Page 86 of 108

S26 ACCESS CONTROL Trends And Technology | JULY/AUGUST 2019

digital devices, the onboard computer of your car, etc. PKI technology also provides the ability to encrypt the communication channel between digital objects, an internal network and access to cloud technologies. Authorization for access must include biometric authentication of the individual initiating the request for access, the digital transaction.

PKI only provides half the security needed to protect the IT infrastructure. It secures the communication channel and provides mutual authentication between digital objects or networks. But PKI is unable to authenticate the individual human initiating the connection to the digital device or “connected object.” This gap could give an unauthorized individual a way into the digital or virtual workplace.

Critically important to system integrators who specialize in the installation and maintenance of access control systems is the understanding and education of their personnel in how to properly implement existing security features to secure the access control system itself and its network communication. This includes, but is not limited to:

• Working with the customer’s IT department to assign certificates (PKI) for mutual authentication between the host of the access control software and the access control panels that manage the doors.
• Configuring the biometric devices and all elements of the system that communicate on the network to connect to the backend software, wirelessly or over a wired network, using TLS 1.2.
• Enforcing password rules and role assignments to prevent unauthorized access to the access control management software.
• Disabling any existing default username and password accounts once the system has been tested and accepted.
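The hardening list above translated into working settings, as an added example (not code from the article or from any vendor's product): a Python `ssl` context for the host that requires TLS 1.2 and a client certificate from each panel, the matching panel-side context, and a check of the management software's accounts against the role-assignment and default-account rules. The function names, the `DEFAULT_USERNAMES` list and the account record fields are assumptions made for this example.

```python
import ssl

# Added example, not code from the article or from any access control vendor. The host
# is the access control software server; panels are door controllers that connect to it.
# Certificate file paths are supplied by the caller; none are assumed to exist here.

DEFAULT_USERNAMES = {"admin", "installer", "service"}  # constructed list of factory accounts


def host_tls_context(ca_file=None, cert_file=None, key_file=None):
    """Server-side context for the host: TLS 1.2 minimum and a client certificate
    required, so only panels holding a certificate from the customer's PKI can connect."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # mutual authentication: the panel must present a cert
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA that issued the panel certificates
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # the host's own certificate
    return ctx


def panel_tls_context(ca_file=None, cert_file=None, key_file=None):
    """Client-side context for a panel: verifies the host certificate and hostname,
    presents the panel's own certificate, and refuses anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # enables check_hostname and CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def meets_policy(ctx):
    """True when the context enforces TLS 1.2 or newer and certificate verification."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and ctx.verify_mode == ssl.CERT_REQUIRED


def acceptance_findings(accounts, system_accepted):
    """Check management-software accounts (constructed schema: username, role, enabled)
    against the rules above: every enabled account has a role, factory accounts are
    disabled once the system has been accepted."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["username"].lower() in DEFAULT_USERNAMES and system_accepted:
            findings.append(f"default account '{acct['username']}' still enabled after acceptance")
        if not acct.get("role"):
            findings.append(f"account '{acct['username']}' enabled with no role assigned")
    return findings
```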
Managing Complex Security Environments

Security professionals are often challenged trying to effectively manage security operations where there are multiple physical access control systems, different biometrics systems, and multiple trusted sources. Reconciling these issues in order to have a robust security ecosystem is becoming easier with standards from organizations like the Physical Security Interoperability Alliance (PSIA).

In a typical enterprise organization, when an employee is on-boarded, the identity documents required for employment eligibility are stored electronically and may be associated with some form of biometrics. This is normally managed by a human resource system or identity management system. As part of the on-boarding process the employee is enrolled in a local access control system and a logical access system such as Active Directory, and assigned access rights and privileges to buildings, networks, and applications.

When mergers and acquisitions take place, large companies must manage multiple access control systems. As employees travel to different office locations, redundant data entry (enrollment) into the local access control system and/or logical access system takes place. This can result in a second credential based on a different card technology, which may be assigned a different domain and username for the physical and network access issued to the employee.

The PSIA has defined its Physical Logical Access Interoperability (PLAI) specification, which addresses this problem by normalizing identity data and allowing the transfer of an individual’s assigned credentials across disparate access control platforms. There are two components to PLAI, an Agent and an Adapter. The PLAI Agent interfaces with the HR system or Identity Management System where the employee was first on-boarded and assigned an identity in the Active Directory and a membership in a network domain.
The second component is the PLAI Adapter, which interfaces with the Agent and a specific access control system or biometrics system. For example, if a large enterprise organization has four different physical access control systems (PACS), each would have a PLAI Adapter, which would normalize the identity data and send it to the Agent, allowing it to be shared across the security ecosystem. Having one trusted source provide the identity data is an important feature, allowing a much more robust security infrastructure. ■

About the author: Consuelo Bangs, Senior Program Manager, IDEMIA Identity & Security USA, LLC. Consuelo Bangs brings over 40 years’ operational and management work experience: 20 years as a program manager, project manager, implementation specialist and business development specialist of biometric access control solutions; eleven years as project manager and consultant for process improvement and work re-design; and thirteen years in education. Currently she coordinates the requirements definition of IDEMIA access control products with engineering to meet commercial and government customer requirements, and provides pre-sales and after-sale support of customized projects. She holds a Bachelor of Science from the University of Virginia, a Master of Science Degree from The George Washington University and held an IEEE Certified Biometrics Professional certificate.

“We need our biometric identity to travel with us seamlessly in the physical and digital world”
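The Agent/Adapter arrangement described above, modelled in Python as an added example (not the PSIA PLAI specification or IDEMIA's code): two adapters normalize differently shaped PACS exports into one identity record, and the agent compares them against the trusted HR source to surface the mismatched logins and redundant enrollments the article describes. The record layouts, field names and reconciliation rules are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed model of the PLAI Agent/Adapter pattern; record layouts, field names and
# reconciliation rules are assumptions for this example, not the PSIA PLAI schema.


@dataclass(frozen=True)
class Identity:
    employee_id: str      # key from the trusted source (HR / identity management system)
    domain: str           # logical access (e.g. Active Directory) domain
    username: str
    card_technology: str  # credential technology issued by that PACS (constructed values)
    card_number: str
    source: str           # system the record came from


def pacs_a_adapter(raw):
    """Adapter for the constructed 'PACS A' export (DOMAIN\\user login, flat fields)."""
    domain, user = raw["login"].split("\\", 1)
    return Identity(raw["emp"], domain, user, raw["tech"], raw["card"], "PACS-A")


def pacs_b_adapter(raw):
    """Adapter for the constructed 'PACS B' export (nested credential object)."""
    cred = raw["credential"]
    return Identity(raw["employeeId"], raw["domain"], raw["user"],
                    cred["type"], cred["number"], "PACS-B")


class PlaiAgent:
    """Keeps the trusted-source identities and reconciles what each adapter reports."""
    def __init__(self, trusted):
        self.trusted = {i.employee_id: i for i in trusted}
        self.seen = defaultdict(list)

    def collect(self, adapter, raw_records):
        for raw in raw_records:
            ident = adapter(raw)
            self.seen[ident.employee_id].append(ident)

    def findings(self):
        """Return (employee_id, issue) pairs: orphans, mismatched logins, duplicate cards."""
        out = []
        for emp, records in sorted(self.seen.items()):
            ref = self.trusted.get(emp)
            if ref is None:
                out.append((emp, "not in trusted source"))
                continue
            for r in records:
                if (r.domain.lower(), r.username.lower()) != (ref.domain.lower(), ref.username.lower()):
                    out.append((emp, f"{r.source}: login differs from trusted source"))
            if len({(r.card_technology, r.card_number) for r in records}) > 1:
                out.append((emp, "redundant enrollment: multiple credentials"))
        return out
```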
