8/9/2005
The last few months have been very hectic with consulting, a new permanent position in physical security and the arrival of a new member of the family.
I will continue (begin again?) posting, but have worked out an agreement with Avisian communications to publish commentary with them on a regular basis. Some of my writings have appeared in their online publications, CR80News, SecureID News, RFIDNews, and Contactless News, or their print publication RE:ID. Those posts will also be cross posted/archived here, but will be more timely on the Avisian site. Once the URL is fixed, I’ll post more information here.
In the meantime, thanks for coming back and please drop us a line if you have any comments.
Bret Tobey
A recent announcement researchers made about the unique nano-structure of every document got me thinking about another technology from Mag-tek, MagnePrint.
Both technologies provide a way of uniquely identifying the fundamental makeup of individual credentials, paper and magstripes. With each of these, the actual structure of the document operates as a seed string for a hash, creating a unique “fingerprint” for that document.
The ultimate goal of secure documents is information integrity. As technology advocates we often get enamored with the high tech solutions. Maybe these two technologies are enough to ensure the integrity of the document. Although simple, forgery becomes a practical impossibility. Even better, the costs are borne almost entirely on the issuance and reader infrastructure. Nothing beats paper and magstripe when it comes to ease and cost of issuance.
There are still good reasons to have some sort of smarts in documents like passports. However, the RFID component that so many privacy advocates rail against may not be the most secure solution. How about a contact smart card embedded in the document?
As technologists we like the most cutting edge solutions. If the real goal is maximizing security, are we obligated to advocate the solution that gives us the best bang for our security dollar? Lower credential costs means more dollars to spend on cameras or guards, two proven security technologies. Something to think about.
Wired News: Fraud Roshambo: Paper Beats RFID
5/23/2005
Forrester issued a report earlier this year on the convergence of Physical and Logical Security. The author, Steve Hunt, felt strongly enough about the subject to leave and form 4AInternational, a consulting firm focused on security convergence.
Security Focus published a nice summary of the report which I’ve been meaning to discuss for some time. Anyone following the security convergence discussions would not be surprised by Forrester’s conclusions. However, it puts numbers on the size of the security convergence market and adds the weight of third party validation to media and conference discussions about security convergence.
What does this mean for convergence? There are a few key areas that offer immediate opportunities for convergence with a moderate effort. First and foremost, card integration. Other areas are policy development, reporting structures, monitoring software, combined incident response, and regulatory compliance. This is where we should see growth over the next 12 months. Now is the time to lay the groundwork for larger efforts in 2006.
Now, to 4AInternational. During engagements with my clients “security convergence” has achieved buzzword penetration. Convergence issues are being taken seriously in the context of other efforts. What we are not seeing is security convergence as a stand alone project. Major vendors offer lip service but few effectively offer products and solutions.
Talking about the benefits of security convergence at the C-level is fairly easy. Getting to those benefits is a little more difficult. Traditionally the physical and logical security efforts in an enterprise have different organizational structures and career paths. Both can have great systems, but there are very few individuals with the experience to talk to both groups. What most people do not realize is that physical and logical security systems integration can start small and may not be as far off as they think. If 4AInternational can put together a team that outlines the convergence business case for both sides of security and shows the client the low hanging fruit, they could find themselves with a nice slice of that security convergence growth.
4AInternational
Security-Flaws » Blog Archive » Wedded to physical and IT security?
5/10/2005
It’s interesting to note that the two top challenges faced by higher ed CIOs, security and finance, are both addressed in many aspects by the integrated identity approach of ITM.
Security comes from streamlined provisioning and decommissioning of all aspects of identity at an institution, both physical and logical. At the transaction level, common security monitoring tools could provide a better perspective on your overall security situation.
Financially, identity initiatives offer ROI opportunities not found in many other IT efforts. For instance, security efforts traditionally weigh cost against risk of loss. The poor ROI leads to risk acceptance until we have major breaches, like those linked to from the Inside Higher Ed article. Following a breach, institutions often spend in a knee jerk reaction. It gives immediate satisfaction, but often provides an ROI in the future.
Approaching your identity efforts in holistic fashion focusing on security, sales and service, helps your security ROI piggyback on efforts with a clear financial return. For instance provisioning all your credentials and passwords from a single office reduces administrative overhead. In some instances, that single point of provisioning can also reduce IT overhead of multiple system interfaces to your badging system, physical access control and IT identity management efforts. Let dining and vending fund the office while IT reduces points of support and failure in identity provisioning. It’s worth looking into.
The original Educause survey report can be found here.
An article at Inside Higher Ed provides a good, brief summary. Inside Higher Ed :: Top IT Challenge: Paying for It
5/2/2005
Across the board, the identity space is hot. Last week French smart card manufacturer Gemplus spread its wings a little bit with the acquisition of Finnish secure document company, Setec.
Apparently their cooperation on the Singapore electronic passport last year impressed some folks. The deal makes lots of sense. As our paper documents become smarter, the vertical integration of the component manufacturers provides a logical competitive advantage. Pennies matter on this scale, so making production as efficient as possible means a more competitive Gemplus.
While it won’t immediately translate into benefits for the rest of Gemplus’ customer base, maybe it will down the road. Like most smart card companies, Gemplus gets most of their revenues from the telco industry. Although Gemplus has been supplying the ID market for some time, it always held more promise than profits. They made a big play into solutions just before the dot com bust. The Setec acquisition puts Gemplus in a stronger competitive place to pursue secure ID efforts like they won in Singapore.
Smart cards are already showing up in lots of other form factors than cards, so why not throw paper into the mix?
Gemplus Press Release
Gemplus snaps up e-document firm | The Register
4/29/2005
In a bill with a good intent and poor execution, the California legislature is considering banning RFID in government documents. This could have a dramatic impact on building security, transit and campus ID programs. While many outlets, like Wired and RFIDNews have been watching this for a while, the bill’s recent passage out of committee deserves notice. It effectively dumbs down government building security and transit while not really protecting much information. A bill titled “Identity Information Protection Act” is sure to be a hit with consumers’ groups without a clear understanding of the impact.
The bill acknowledges beneficial uses for RFID by allowing exceptions such as toll road collection, ID bracelets for children under four, inmates, and mental health patients. Transit applications and building security are not included in the exceptions. Government facilities with existing RFID deployments not covered by exceptions would have until 2011 to phase those out.
Beth Givens, founder and executive director of the Privacy Rights Clearinghouse, quoted in RFIDNEWS, said “Senator Simitian’s bill provides vital protection for all Californians. Individuals who are required to carry government issued IDs should not be put in a situation where that document enables them to be monitored and tracked.” That’s an appropriate sentiment, but it misses the mark because security requires that tracking in some settings and transaction convenience mandates it in others, such as subways and campus dining.
Spurred by a combination of privacy concerns, federal initiatives and public outcry over a poorly considered RFID plan at an elementary school in Northern California, the bill seems to throw the baby out with the bathwater.
Much of the concern about government RFID documents is that your information would be freely available to anyone walking by. If the legislation read “only unique, alphanumeric identifiers can be unencrypted” much of the existing technology could be accommodated while still protecting privacy concerns. The ICAO recommended a system of storing a pin in a 2D barcode for government officials to “decrypt” more information. This provides for active presentation of the document before more sensitive information is passed along.
As for concerns about surreptitious tracking of individuals, it’s not really worth the effort. Legislation could forbid government tracking with a court order or public notice. Bad guys simply would not carry their documents and police would implement other, less expensive passive surveillance like video facial recognition.
For building access badges, the only alternative technologies are magstripes and bar codes, which are much easier to compromise. Some have suggested the use of contact smart cards for access control but those have proven problematic in the past.
In the US, almost all transit applications are run by the government and they are increasingly moving to contactless technologies as the only method for speeding throughput, increasing transaction security and allowing for the complex fare calculations many transit implementations demand.
Since much of the nation looks at California as a bellwether, expect other states to consider follow up legislation if the California bill passes later this spring. I’m all for privacy, but the implications of an ill-considered bill need to be heard.
Wired News: State Bill to Limit RFID
EPIC.org bill listing
Around the Capitol
http://www.rfidnews.org/weblog/2005/03/03/new-bill-will-protect-californians-privacy-rights-rfids-misnomer/
4/28/2005
It’s just a college paper, but this article shows how wide the knowledge gap is about RFID and card technologies. The duo prox is nothing like an ICAO passport and has only a fraction of the security risks. Prox cards operate on a different frequency than the proposed passport chips and only pass 26 bits of information to the reader, barely enough for a unique identifier.
Comparing a true contactless smart card to a prox card is like comparing a computer to a calculator. Whole different scale.
Why care about a Dartmouth student article? In any deployed identity system, user education is critical. I am not suggesting that Dartmouth educate their population on the nuances of Wiegand vs. 13.56, but the population should know the relative risks of using a system with only an abstract identifier and one with a large amount of freely readable identity information. Something to consider. Done right, Dartmouth continues to deploy their identity solutions without having to engage in a big debate about what the State Department wants to do.
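To make the 26-bit point concrete, here is an added example (not from the Dartmouth article or from any card vendor) that decodes a frame in the widely used open 26-bit Wiegand layout, assumed here to be the format meant above: two parity bits, an 8-bit facility code and a 16-bit card number. The sample frame is constructed.

```python
"""Decode a 26-bit Wiegand frame (open 26-bit layout, assumed for this example).

Bit layout, first bit sent on the left:
  bit 0       even parity covering bits 1-12
  bits 1-8    facility code (8 bits)
  bits 9-24   card number (16 bits)
  bit 25      odd parity covering bits 13-24
Nothing else fits: no name, no photo, no key material.
"""
from dataclasses import dataclass


class WiegandError(ValueError):
    """Raised when a frame is malformed or fails its parity checks."""


@dataclass(frozen=True)
class ProxCredential:
    facility_code: int  # 0-255
    card_number: int    # 0-65535


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Build a 26-character bit string, used here to construct test frames."""
    if not 0 <= facility_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise WiegandError("facility code or card number out of range")
    data = f"{facility_code:08b}{card_number:016b}"
    # Leading bit makes the count of 1s in the first 13 bits even.
    even = "1" if data[:12].count("1") % 2 else "0"
    # Trailing bit makes the count of 1s in the last 13 bits odd.
    odd = "0" if data[12:].count("1") % 2 else "1"
    return even + data + odd


def decode_wiegand26(bits: str) -> ProxCredential:
    """Validate parity and return the only two fields the frame carries."""
    bits = bits.replace(" ", "")
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise WiegandError("expected exactly 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise WiegandError("even parity check failed on leading half")
    if bits[13:].count("1") % 2 != 1:
        raise WiegandError("odd parity check failed on trailing half")
    return ProxCredential(int(bits[1:9], 2), int(bits[9:25], 2))


def identifier_space() -> int:
    """Distinct facility/card pairs available once parity bits are removed."""
    return 2 ** (8 + 16)


if __name__ == "__main__":
    frame = encode_wiegand26(42, 12345)  # constructed sample values
    print(frame, decode_wiegand26(frame), identifier_space())
```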
The Dartmouth Online
4/27/2005
Here’s an extension of the last post on security convergence. It’s really just a concrete illustration of the fact that the technologies for physical and logical security credentials can live side by side, but they still require different chips.
A few years ago, HID launched a contactless smart card line, iClass. While a lot of the smart card crowd looked down their nose at iClass, HID’s strategy focused squarely on the card and reader sets as an easy migration for their existing channel. HID’s channel of physical security integrators and installers were less concerned about the greatest smart card technology than with the ability to plug it into their existing systems. To many of the systems it hangs on, the iClass card and reader combo looks just like a dumb old prox card and that suits the customers just fine.
Recently, HID has worked effectively to expand the ecosystem around their cards and this press release shows that off. As I wrote a short while back, they are also bringing some of that ecosystem expertise in house with the acquisition of Synercard.
I’ll lay off HID for a while but they do show how users are not waiting for the “ideal” all-in-one technology, but putting together off the shelf components for an effective convergence solution.
Raak Technologies Joins HID’s Development Partner Program to Supply Strong Authentication Products and Services to HID’s Reseller Channel
4/25/2005
In another security forum a security professional asked about using smart cards for a physical/logical security convergence project.
IT security folks often assume this should happen but it’s slow to get moving on the ground. The recent FIPS 201 standard is really bringing these discussions out in the open. Here’s my response to his questions. I hope you find it as helpful as he did.
The token (smart card) is an obvious place to handle security convergence and actually can be deployed fairly cost effectively. However, there is a substantial amount of confusion about what “smart card” convergence actually is. FIPS 201 addresses some of this but there is much to learn from previous, broader roll outs in business and higher education.
Issues to be aware of:
1. The PC/SC standard for smart card computer interfaces addresses a contact chip. This provides a higher level of security by requiring active presentation of the credential.
2. Physical security applications work best with RF technologies. It really boils down to wear and tear on readers and throughput at ingress points. This means a “converged” card will be effectively looking at two technologies, contact and contactless in the same form factor. You may even need to have multiple flavors of contactless, for instance 125 kHz prox and 13.56 MHz contactless smart card. Card manufacturers can accommodate this.
3. Physical access control systems rarely take advantage of the “smarts” in a card, most often using RF capabilities to broadcast a unique system identifier, rather than any challenge/response authentication. Don’t let the logical security guys make this assumption. Also, switching physical security tokens can represent substantial costs switching the readers at every door. Don’t cram a card down physical security’s throat or you may be stuck with the bill.
4. Address physical and logical security concerns separately when looking at card technologies and the ROI. The only thing combined cards save on is plastic. In most instances you’re still paying for the separate costs of physical and logical security chips. Your savings will come from reduced administrative overhead. Security is raised by reducing the number of provisioning and revocation points for an identity. This really needs to be a policy and operations identity initiative, not a card project.
5. You will have to maintain separate provisioning systems for physical and logical security. I have yet to see a security vendor from one side that meaningfully crosses the gap to the other, so mature single system solutions are still pending. As a practical matter this can be addressed with the appropriate processes and data flows between systems. Not easy, but absolutely practical. The important thing to remember is that you have a single physical point of registration and issuance from an operational and policy standpoint.
6. Consider logical security applications for your smart card other than PKI. The card based private key is the holy grail of security, but deployments often falter under the cost of deploying and managing certificates for everyone. In most organizations, the vast majority of users could be adequately served with something along the lines of RSA’s SecurID, while deploying PKI to a subset of users. As the system matures, PKI can be expanded to include more users. If you play your cards right, literally, you can deploy PKI to users without having to exchange their cards down the road.
7. Make the card a payment vehicle. Someone will surrender their password for a candy bar, but you’ll have to pry their cards from their dead hands if that is the key to Mountain Dew. If the card means “lunch” it doesn’t get left in the desk. Don’t reinvent the wheel for this. A magstripe adds about 3 cents to the cost of the card and all the payment infrastructure is already in place.
8. Work to have both physical and logical security events reported in the same interface. Let both physical and logical security groups use this. Nothing paints the broader security picture like having it on the same screen. Both your physical and logical access control systems should have the ability to import/export events. If they don’t, upgrade. Do not make this a battle for control.
9. Get HR & public relations involved. Internal branding is important, too. The “one card” can be a point of access for a variety of service points, not just security. It seems silly, but they can be an unexpected help at getting uninterested C level folks on board. Let the magstripe be an employee health insurance card, or the key to a sweepstakes. Giving away a free iPod to the xxxxth user in foodservice gets people a lot more excited, cheaply, than your latest security effort.
10. Be open minded about the card, but guard the security like a hawk. For instance, smart card based print & copy control can save real $$$, but their “required” card technology may not be adequate for security purposes.
Finally, don’t be fooled by the costs of cards and readers as the ROI. You’re already paying for a physical access card. You’re paying through the nose for lost passwords and bad identity management. USB smart card readers can be had as cheaply as $10 US in bulk. Build a comprehensive ROI for the project. Cards and readers should be a modest portion of that. This is where the “intangibles” from public relations, HR, food service, can provide a tipping momentum.
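Item 8 in practice, as an added example that is not from the original forum response or any vendor: exported events from a physical access system and a logon system are merged into one timeline, and workstation logons with no preceding granted badge-in are flagged. The CSV column names, sample rows and the 12-hour window are assumptions, and it presumes provisioning already maps badge holder to account name.

```python
"""Merge physical and logical access events and flag logons without a badge-in."""
import csv
import io
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample exports. Column names are assumptions, not a vendor format.
BADGE_EXPORT = """\
timestamp,badge_holder,door,result
2005-04-25T08:02:11,jdoe,Lobby East,granted
2005-04-25T08:15:40,asmith,Lobby East,granted
2005-04-25T08:16:02,mbrown,Server Room,denied
"""
LOGON_EXPORT = """\
timestamp,account,workstation,result
2005-04-25T08:09:30,jdoe,WS-114,success
2005-04-25T08:40:05,mbrown,WS-220,success
2005-04-25T09:05:00,asmith,WS-131,success
"""


class Event(NamedTuple):
    when: datetime
    source: str    # "physical" or "logical"
    person: str    # shared identifier from the single point of provisioning
    location: str  # door name or workstation name
    result: str


def load_events(export_text, source, person_col, location_col):
    """Normalise one system's CSV export into Event records."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [
        Event(
            datetime.fromisoformat(row["timestamp"]),
            source,
            row[person_col].strip().lower(),
            row[location_col].strip(),
            row["result"].strip().lower(),
        )
        for row in rows
    ]


def merged_timeline(*event_lists):
    """One chronological view across both systems."""
    return sorted((e for events in event_lists for e in events),
                  key=lambda e: e.when)


def logons_without_badge(timeline, window=timedelta(hours=12)):
    """Return successful on-site logons with no granted badge-in inside the window.

    Only meaningful for workstations inside the badged perimeter; remote
    logons need a separate rule.
    """
    last_granted = {}
    flagged = []
    for event in timeline:
        if event.source == "physical" and event.result == "granted":
            last_granted[event.person] = event.when
        elif event.source == "logical" and event.result == "success":
            seen = last_granted.get(event.person)
            if seen is None or event.when - seen > window:
                flagged.append(event)
    return flagged


def sample_timeline():
    """Timeline built from the constructed exports above."""
    return merged_timeline(
        load_events(BADGE_EXPORT, "physical", "badge_holder", "door"),
        load_events(LOGON_EXPORT, "logical", "account", "workstation"),
    )


if __name__ == "__main__":
    for e in sample_timeline():
        print(e.when.isoformat(), e.source, e.person, e.location, e.result)
    for e in logons_without_badge(sample_timeline()):
        print("REVIEW:", e.person, "logged on at", e.location, "without badge-in")
```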
Personal Identity Verification (PIV) Project
4/19/2005
Security, Sales or Service? What drives your identity implementation?
Every identity program is driven by at least one of these and many of the most effective programs lean on more than one driver.
Kim Cameron writes about how UCSF lost identity data by breaking four of his “laws of identity.” He’s right, but I believe that UCSF might not have had that lapse if they had been treating identity in a holistic manner.
If UCSF, or UC Berkeley or any number of other recent targets understood what the driver was for their identity information and implementations they could both secure their programs better and leverage them for maximum value.
Whether it’s the internal identity manifested by your id badge, or the external identities living in your databases, know why your organization is using them before creating your various identity structures.
Every vertical market should take this approach. Healthcare, education, government, and business all need to have a better understanding of why they use identity, where they use it now and how they can better leverage it in the future.
I’ll be having a conversation later this afternoon with one of my past healthcare bosses. It should be interesting and I’ll be using that vertical market to talk about identity & transaction management and its impact on internal and external identities. HIPAA makes that a really lively discussion.
Kim Cameron’s Identity Weblog
Phil Windley’s Technometria | Four Identity Laws Broken at One Blow
4/18/2005
Following up on the last post, HID is part of Assa-Abloy’s Identification Technology Group. Traditionally heavy in the hardware space, the addition of Synercard directly under HID signals loud and clear that HID is trying to transform itself from a hardware supplier into a complete systems provider.
That could make HID’s channel very nervous but it’s critical that HID push into new territory. HID made their name with the 125 kHz prox cards and readers in the access control space. Over the last few years their aggressive development and marketing of 13.56 MHz iClass cards looks like simple repositioning. However, no one expects HID to be as dominant in smart cards as they have been with 125 kHz. That means HID has to find new revenues to supplant the 125 kHz stream that will eventually diminish.
With the launch of their VertX access panels, many leading access control providers saw HID encroaching on the traditional smarts of the access control market. Until the acquisition of Synercard, the argument could be made that HID was just taking a logical next step as a hardware provider.
Now, it appears HID will be expanding their footprint in the access control space to where it overlaps with much of their channel. Watching their balancing act between the 125 kHz cash cow and the drive to acquire new markets will be interesting. They have momentum, but so do GE, TI and IR in the physical identity space. More on those later…
4/9/2005
From the Computer Associates acquisition of Netegrity last fall to Oracle’s acquisition of Oblix last week, the identity market is moving. Those two are some of the more obvious but here’s a couple others worth watching, Microsoft and HID.
Everybody watches Microsoft like a hawk, but HID, or ASSA-Abloy escapes much notice outside of the physical security space. That’s about to change and I’ll write more about why later…
3/29/2005
After a whole series of conversations following the Slashdot post, I need to clarify the relative roles of identity management from a digital perspective and the broader perspective of identity & transaction management.
Most of the conversations these days on the topic of identity management center around digital identities. Without a doubt, that’s the hot area and it’s huge. As an information security professional it’s near and dear to my heart.
However hot digital identity may be, organizations taking a broader perspective can leverage identity for even greater value. That’s the premise behind the Identity Initiative, to encourage organizations to develop a synergy between the identity for their network and what they can do across the enterprise. The concept of Identity & Transaction Management encompasses the realms of digital identity management and all the transaction infrastructure where identity can be physically used across the enterprise. Think university ID cards meets digital certificates.
3/23/2005
Last week was the National Association of Campus Card User’s (NACCU) annual conference. Other obligations kept me from attending for the first time since 1997. That and the beginning of the events log got me thinking about what are the “Don’t Miss Events” as it relates to Identity & Transaction Management.
For those looking to draw additional value from your identity management initiatives, college campuses are a great place to look. Unlike most corporate organizations, higher education often leverages their identity for value added services while neglecting security. Add that solution set to a corporate or government security stance and you have a recipe for a broad identity.
NACCU just passed and Card Tech/Secure Tech is just around the corner. IDWorld is emerging as a strong fall conference for identity. ISCWest is the premier spring physical security event. ASIS takes the physical security lead for the fall. I’ve always enjoyed the RSA conference, especially with my PKI experience. Moving to the straight transaction side, NAMA (vending) and FSTech (food service), NACUFS (more food), and IPI (parking) are all good shows. NACAS, NACUBO and ACUHO all offer opportunities to learn about how higher ed draws additional value from what they traditionally call “card programs.” Educause in the fall offers another really good chance to look at higher ed identity, this time from the IT perspective.
Wow, I know that seems like a lot, but I barely touched on the information security opportunities and left out the government conferences entirely. Please drop us a comment or email, to let us know which events you get the most out of. Check our events calendar and feel free to submit any we missed.
CTST, ISCWest and NAMA almost overlap in the coming weeks in Vegas. I, however, will be attending an Infosec conference in Orlando and then heading down to Ft. Lauderdale for the International Parking Institute conference. Don’t laugh, there’s a lot of money in parking and we always want security around our cars.
3/21/2005
One of our readers, Kafka, asked if I had heard of SXIP. Great timing.
Last week I suggested that well provisioned identity would go a long way to solving both the access control (authentication) and transaction security. That’s not much of a stretch and there are several really good digital identity frameworks emerging. Which ones are your favorite?
Looking into the details of each, I become more convinced that we are missing a big step, provisioning. We become enamored with the technologies and the frameworks, but miss the whole point of “who says you are(not) a dog.”
We had quite a dustup last week as one of Microsoft’s key people mentioned that Longhorn is moving to two factor authentication. So what? Once you move beyond local logon and move outside your home and enterprise, it doesn’t matter how many forms of authentication you have. I only care if someone vouches for your identity.
Today, your bank plays that role with the major credit cards and most merchants effectively assume that risk by honoring them. To paraphrase the commentary in CIO Magazine, it’s reaching the point where either the consumer, the bank or the merchant will blink and then we have problems. Of course, if we had well provisioned identity nobody needs to blink.
So, back to my original point, what are your thoughts on the different established and emerging digital identity frameworks? What about provisioning frameworks? Has anybody heard from Identrus lately?
Digital ID Programs
xdi.org
sxip.org
Identrus.com
3/17/2005
Yesterday was very busy, with our posting on Slashdot about the impact of Microsoft’s move away from passwords. Our only hiccups came from the Comments functions and I appreciate the interest shown. Identity, security and privacy are always hot topics in the /. community and we hope to offer more soon. In any event, please come back and participate in the conversation.
Bret Tobey
How to Save the Internet, or On the Internet Everyone Should Know You’re a Dog
The CIO Magazine dated for the Ides of March has an article on “How To Save The Internet.” It raises some very interesting questions about the role and lifecycle of the internet. With a “doom and gloom” tone, the article lists several big ideas to “save” the internet from its security problems. Here’s one simple “Big Idea” to fix a lot of security concerns. Identity.
That’s it. Give everyone meaningful identities for communities they conduct transactions in. Aside from simply malicious attacks, access control and transactional security are the real base concerns for internet security. Most information posted to the internet is designed for public consumption so the largest concerns are integrity and protecting administrative access. The information with value and transactional sites account for the greatest exposure.
By “Meaningful identities” I mean well provisioned, well managed identities for organizations and individuals. These go a long way towards reducing that risk with the right identity management infrastructure. If you’re a dog, those with assets or transactions to protect need to know that.
The technologies that exist for identity management and access control are mature. What we do not have is agreement on what it takes to provision an identity we can trust across multiple applications. Until then we will have a wide range of identity “silos” and a pile of Post-it notes with passwords.
3/16/2005
What is Identity & Transaction Management (ITM)? A quick survey of infosec magazines shows that identity management is a hot area. With broad industry efforts like SAML and the Liberty Alliance, dozens of vendors and big boys like Microsoft joining the game in earnest, it’s big and it’s absolutely necessary.
But it’s only part of the picture. Identity management in technology discussions generally refers to someone’s online identity and how it relates to various access control schemes. The problem is that’s only one aspect of an organizational identity. Organizational identity can be an intangible asset, like goodwill and should be managed accordingly.
Identity & Transaction Management (ITM) covers the broader area of managing the full lifecycle of identity and all the physical and logical infrastructure to make that identity valuable in an organization. For most organizations it starts with security, but a tremendous amount of value can be added through better service and increased sales. Remember how shocking it was to find out that most people would give up passwords for a candy bar? If we trade our passwords for tokens as security experts recommend and Microsoft intends to do, that number goes down. It goes way down when that token is the same thing we use to buy candy bars. Giving it a positive value (food) for the user drives a much higher compliance than a negative value imposed by the organization (password loss). Think about it and post your comments.
Much of what is posted at www.identityinitiative.com are thoughts and sources exploring the implications of Identity & Transaction Management. As the book, The Identity Initiative nears completion much of that will be posted here for validation. Your feedback is important because we’d rather look silly on the blog than in hard cover.
During a security panel at CEBIT Detlef Eckert, Microsoft’s Senior Director for Trustworthy Computing, commented that Longhorn would abandon passwords in favor of two factor authentication. As reported on Vnunet.com, Microsoft’s new operating system was making the move to “bring the level of trust business needs.” While the panel generally agreed better digital identity was needed, even two factor authentication still leaves some bases uncovered.
Cryptography guru Bruce Schneier raised some concern over whether faith in two factor authentication would leave other vulnerabilities. Specifically citing the man in the middle and trojan attacks, Schneier did agree that two factor was better than simple passwords. His concern was that the implementation cost for remote internet authentication would not be justified by long term fraud reduction.
For local authentication, which covers much of what Microsoft operating systems do today, two factor authentication is a boost. As Microsoft continues to move into the broader realm of identity management many people will be concerned about their intentions. Two factor authentication generally requires more robust provisioning and management which may explain Microsoft’s intention to move their Identity Server into the default server package. Robust existing efforts like SAML and the Liberty Alliance should be concerned by the new competition. Organizations and users also need to pay close attention to how Microsoft and others position to control their identity platforms.
3/9/2005
The Harvard Crimson Online :: News
This article highlights that new methods of distributing information shift ethical boundaries. Harvard is revoking the admission of 119 applicants who “peeked” at acceptance letters residing on the servers of their online application partner, ApplyYourself. An anonymous hacker posted the information on how to access the letters in the Business Week B-Schools forum.
At the very least, these students were guilty of trespassing and poor judgement, justifying Harvard’s actions. Other schools, such as MIT have taken stands in support of Harvard. While the applicants are responsible for their own actions, both Harvard and ApplyYourself exhibited sloppiness, if not negligence.
University associations and identities are some of the most valuable. As the reach of learning institutions extends with online teaching, recruiting, seminars, episodes like this show that universities need to take a broader approach to managing their identities. Traditionally, universities have been at the cutting edge of identity management, but only within the ivy walls. As the categories of recruit, applicant, alumni, resident, seminar participant, etc…, become more a part of the university community their identity and association needs to be managed, too. In this case schools could take a sheet from the corporate playbook with federated identity and extranet access control. We’ll be watching to see how much is learned from the crushed hopes of Harvard’s B-School applicants.
Relevant Links
http://www.applyyourself.com/
http://forums.businessweek.com/bw-bschools/start
http://www.reuters.com/printerFriendlyPopup.jhtml?type=oddlyEnoughNews&storyID=7841543