Identity Initiative Log

Housekeeping

The last few months have been very hectic with consulting, a new permanent position in physical security and the arrival of new member of the family.

I will continue (begin again?) posting, but have worked out an agreement with Avisan communications to publish commentary with them on a regular basis. Some of my writings have appeared in their online publications, CR80News, SecureID News, RFIDNews, and Contactless News, or their print publication RE:ID. Those posts will also be cross posted/archived here, but will be more timely on the Avisian site. Once the URL is fixed, I’ll post more information here.

In the meantime, thanks for coming back and please drop us a line if you have any comments.

Bret Tobey

The Secure Documents We Didn’t Know We Had

A recent announcement researchers made about the uniqueness nano-structure of every document got me thinking about another technology from Mag-tek, MagnePrint.

Both technologies provide a way of uniquely identifying the fundamental makeup of individual credentials, paper and magstripes. With each of these, the actual structure of the document operates as a seed string for a hash, creating a unique “fingerprint” for that document.

The ultimate goal of secure documents is information integrity. As technology advocates we often get enamored with the high tech solutions. Maybe these two technologeis are enough to ensure the integrity of the document. Although simple, forgery becomes a practical impossibility. Even better, the costs are borne almost entirely on the issuance and reader infrastructure. Nothing beats paper and magstripe when it comes to ease and cost of issuance.

There are still good reasons to have some sort of smarts in documents like passports. However, the RFID component that so many privacy advocates rail against may not be the most secure solution. How about a contact smart card embedded in the document?

As technologists we like the most cutting edge solutions. If the real goal is maximizing security, are we obligated to advocate the solution that gives us the best bang for our security dollar? Lower credential costs means more dollars to spend on cameras or guards, two proven security technologies. Something to think about.

Wired News: Fraud Roshambo: Paper Beats RFID

a nice summary
of the report which I’ve been meaning to discuss for some time. Anyone following the security convergence discussions would not be surprised by Forrester’s conclusions. However, it puts numbers on the size of the security convergence market and adds the weight of third party validation to media and conference discussions about security convergence.

What does this mean for convergence? There are a few key areas that offer immediate opportunities for convergence with a moderate effort. First and foremost, card integration. Other areas are policy development, reporting structrues, monitoring software, combined incident response, and regulatory compliance. This is where we should see growth over the next 12 months. Now is the time to lay the groundwork for larger efforts in 2006.

Now, to 4AInternational. During engagements with my clients “security convergence” has a achieved buzzword penetration. Convergence issues are being taken seriously in the context of other efforts. What we are not seeing is security convergence as a stand alone project. Major vendors offer lip service but few effectively offer products and solutions.

Talking about the benefits of security convergence at the C-level is fairly easy. Getting to those benefits is a little more difficult. Traditionally the physical and logical security efforts in an enterprise have different organizational structures and career paths. Both can have great systems, but there are very few individuals with the experience to talk to both groups. What most people do not realize is that physical and logical security systems integration can start small and may not be as far off as they think. If 4AInternational can put together a team that outlines the convergence business case for both sides of security and shows the client the low hanging fruit, they could find themselves with a nice slice of that security convergence growth.

4AInternational

Security-Flaws � Blog Archive � Wedded to physical and IT security?

Educause’s Top IT Challenges, ROI and Security, Both Helped by Identity

It’s interesting to note that the two top challenges faced by higher ed CIOs, security and finance, are both addresses in many aspects by the integrated identity approach of ITM.

Security comes from streamlined provisioning and decommisioning of all aspects of identity at an institution, both physical and logical. At the transaction level, common security monitoring tools could provide a better perspective on your overall security situation.

Financially, identity initiatives offer ROI opportunities not found in many other IT efforts. For instance, security efforts traditionally weigh cost against risk of loss. The poor ROI leads to risk acceptance until we have major breaches, like those linked to from the Inside Higher Ed article. Following a breach, institutions often spend in a knee jerk reaction. It gives immediate satisfaction, but often provides a ROI in the future.

Approaching your identity efforts in holistic fashion focusing on security, sales and service, helps your security ROI piggyback on efforts with a clear financial return. For instance provisioning all your credentials and passwords from a single office reduces administrative overhead. In some instances, that single point of provisioning can also reduce IT overhead of multiple system interfaces to your badging system, physical access control and IT identity management efforts. Let dining and vending fund the office while IT reduces points of support and failure in identity provisioning. It’s worth looking into.

The original Educause survey report can be found here.

An article at Inside Higher Ed provides a good, brief summary. Inside Higher Ed :: Top IT Challenge: Paying for It

Smart Cards to Smart Paper: Gemplus Acquires Secure Printing Firm

Across the board, the idenity space is hot. Last week French smart card manufacturer spread its wings a little bit with the acquisition of Finnish secure document company, Setec.

Apparently their cooperation on the Singapore electronic passport last year impressed some folks. The deal makes lots of sense. As our paper documents become smarter, the vertical integration of the component manufacturers provides a logical competitive advantage. Pennies matter on this scale, so making production as efficient as possible means a more competitive Gemplus.

While it won’t immediately translate into benefits for the rest of Gemplus’ customer base, maybe it will down the road. Like most smart card companies, Gemplus gets most of their revenues from the telco industry. Although Gemplus has been supplying the ID market for some time, it always held more promise than profits. They made a big play into solutions just before the dot com bust. The Setec acquisition puts Gemplus in a stronger competitive place to pursue secure ID efforts like they won in Singapore.

Smart cards are already showing up in lots of other form factors than cards, so why not throw paper into the mix?

Gemplus Press Release

Gemplus snaps up e-document firm | The Register

California Bill Would Limit RFID, Dumb Down Building Security & Transit

In a bill with a good intent and poor execution, the California legislature is considering banning RFID in government documents. This could have a dramatic impact on building security, transit and campus ID programs. While many outlets, like Wired and RFIDNews have been watching this for a while, the bill’s recent passage out of committee deserves notice. It effectively dumbs down government building security and transit while not really protecting much information. A bill titled “Identity Information Protection Act” is sure to be a hit with consumers’ groups without a clear understanding of the impact.

The bill acknowledges beneficial uses for RFID by allowing exceptions such as toll road collection, ID bracelets for children under four, inmates, and mental health patients. Transit applications and building security are not included in the exceptions. Government facilities with existing RFID deployments not covered by exceptions would have until 2011 to phase those out.

Beth Givens, founder and executive director of the Privacy Rights Clearinghouse, quoted in RFIDNEWS, said “Senator Simitian’s bill provides vital protection for all Californians. Individuals who are required to carry government issued IDs should not be put in a situation where that document enables them to be monitored and tracked.” That’s an appropriate sentiment, but it misses the mark because security requires that tracking in some settings and transaction convenience mandates it in others, such as subways and campus dining.

Spurred by a combination of privacy concerns, federal initiatives and public outcry over a poorly considered RFID plan at an elementary school in Northern California, the bill seems to throw the baby out with the bathwater.

Much of the concern about government RFID documents is that your information would be freely available to anyone walking by. If the legislation read “only unique, alphanumeric identifiers can be unencrypted” much of the exsiting technology could be accomodated while still protecting privacy concerns. The ICAO recommended a system of storing a pin in a 2D barcode for government officials to “decrypt” more information. This provides for active presentation of the document before more sensitive information is passed along.

As for concerns about surreptitious tracking of individuals, it’s not really worth the effort. Legislation could forbid government tracking with a court order or public notice. Bad guys simply would not carry their documents and police would implement other, less expensive passive surveillance like video facial recognition.

For building access badges, the only alternative technologies are magstripes and bar codes, which are much easier to compromise. Some have suggested the use of contact smart cards for access control but those have proven problematic in the past.

In the US, almost all transit applications are run by the government and they are increasingly moving to contactless technologies as the only method for speeding throughput, increasing transaction security and allowing for the complex fare calculations many transit implementations demand.

Since much of the nation looks at California as a bellwether, expect other states to consider follow up legislation if the California bill passes later this spring. I’m all for privacy, but the implications of an ill-considered bill need to be heard.

Wired News: State Bill to Limit RFID

EPIC.org bill listing

Around the Capitol

http://www.rfidnews.org/weblog/2005/03/03/new-bill-will-protect-californians-privacy-rights-rfids-misnomer/

The Dartmouth Online Views on ID technologies

It’s just a college paper, but this article shows how wide the knowledge gap is about RFID and card technologies. The duo prox is nothing like an ICAO passport and has only a fraction of the security risks. Prox cards operate on a different frequency than the proprosed passport chips and only pass 26 bits of information to the reader, barely enough for an unique identifier.

Comparing a true contactless smart card to a prox card is like comparing a computer to a calculator. Whole different scale.

Why care about a Dartmouth student article? In any deployed identity system, user education is critical. I am not suggesting that Dartmouth educate their population on the nuances of wiegand vs. 13.56, but the population should know the relative risks of using a system with only an abstract idenitifier and one with a large amount of freely readable identity information. Something to consider. Done right, Dartmouth continues to deploy their identity solutions without having to engage in big debate about what the State Department wants to do.

The Dartmouth Online

Security Convergence means one credential, two technologies: Raak Technologies Joins HIDs Development Partner Program to Supply Strong Authentication Products and Services to HIDs Reseller Channel

Here’s an extension of the last post on security convergence. It’s really just a concrete illustration of the fact that the technologies for physical and logical security credentials can live side by side, but they still require different chips.

A few years ago, HID launched a contactless smart card line, iClass. While a lot of the smart card crowd looked down their nose at iClass, HID strategy squarely focused on the card and reader sets as an easy migration for their existing channel. HID’s channel of physical security integrators and installers were less concerned about the greatest smart card technology than with the ability to plug it into their existing systems. To many of the systems it hangs on, the iClass card and reader combo looks just like a dumb old prox card and that suits the customers just fine.

Recently, HID has worked effectively to expand the ecosystem around their cards and this press release shows that off. As I wrote a short while back, they are also bringing some of that ecosystem expertise in house with the acquisition of Synecard.

I’ll lay off HID for a while but they do show how users are not waiting for the “ideal” all-in-one technology, but putting together off the shelf components for an effective convergence solution.

Raak Technologies Joins HID%u2019s Development Partner Program to Supply Strong Authentication Products and Services to HID%u2019s Reseller Channel

Security Convergence - It’s Not About The Cards, It’s About Operations

In another security forum a security professional asked about using smart cards for a physical/logical security convergence project.

IT security folks often assume this should happen but it’s slow to get moving on the ground. The recent FIPS 201
standard is really bringing these discussions out in the open. Here’s my response to his questions. I hope you find it as helpful as he did.

The token (smart card) is an obvious place to handle security convergence and actually can be deployed fairly cost effectively. However, there is a substantial amount of confusion about what “smart card” convergence actually is. FIPS 201 addresses some of this but there is much to learn from previous, broader roll outs in business and higher education.

Issues to be aware of:

1. The PC/SC standard for smart card computer interfaces addresses a contact chip. This provides a higher level of security by requiring active presentation of the credential.

2. Physical security applications work best with RF technologies. It really boils down to wear and tear on readers and throughput at ingress points. This means a “converged” card will be effectively looking at two technologies, contact and contactless in the same form factor. You may even need to have multiple flavors of contactless, for instance 125 khz prox and 13.56 contactless smart card. Card manufacturers can accomodate this.

3. Physical access control systems rarely take advantage of the “smarts” in a card, most often using RF capabilities to broadcast a unique system identifier, rather than any challenge/response authentication. Don’t let the logical security guys make this assumption. Also, switching physical security tokens can represent substantial costs switching the readers at every door. Don’t cram a card down physical securitys throat or you may be stuck with the bill.

4. Address physical and logical security concerns seperately when looking at card technologies and the ROI. The only thing combined cards save on is plastic. In most instances you’re still paying for the seperate costs of physical and logical security chips. Your savings will come from reduced administrative overhead. Security is raised by reducing the number of provisioning and revocation points for an identity. This really needs to be a policy and operations identity initiative, not a card project.

5. You will have to maintain seperate provisioning systems for physical and logical security. I have yet to see a security vendor from one side that meaningfully crosses the gap to the other, so mature single system solutions are still pending. As a practical matter this can be addressed with the appropriate processes and data flows between systems. Not easy, but absolutely practical. The important thing to remember is that you have a single physical point of registration and issuance from an operational and policy standpoint.

6. Consider logical security applications for your smart card other than PKI. The card based private key is the holy grail of security, but deployments often falter under the cost of deploying and managing certificates for everyone. In most organizations, the vast majority if users could be adequately served with something along the lines of RSA’s SecurID, while deploying PKI to a subset of users. As the system matures, PKI can be expanded to include more users. If you play your cards right, literally, you can deploy PKI to users without having to exchange their cards down the road.

7. Make the card a payment vehicle. Someone will surrender their password for a candy bar, but you’ll have to pry their cards from their dead hands if that is the key to Mountain Dew. If the card means “lunch” it doesn’t get left in the desk. Don’t reinvent the wheel for this. A magstripe adds about 3 cents to the cost of the card and all the payment infrastructure is already in place.

8. Work to have both physical and logical security events reported in the same interface. Let both physical and logical security groups use this. Nothing paints the broader security picture like having it on the same screen. Both your physical and logical access control systems should have the ability to import/export events. If they don’t, upgrade. Do not make this a battle for control.

9. Get HR & public relations invovled. Internal branding is important, too. The “one card” can be a point of access for a variety of service points, not just security. It seems silly, but they can be an unexpected help at getting uninterested C level folks on board. Let the magstripe be an employee health insurance card, or the key to a sweepstakes. Giving away a free iPod to the xxxxth user in foodservice gets people a lot more excited, cheaply, than your latest security effort.

10. Be open minded about the card, but guard the security like a hawk. For instance, smart card based print & copy control can save real $$$, but their “required” card technology may not be adequate for security purposes.

Finally, don’t be fooled by the costs of cards and readers as the ROI. You’re already paying for a physical access card. You’re paying through the nose for lost passwords and bad identity management. USB smart card readers can be had as cheaply as $10 US in bulk. Build a comprehensive ROI for the project. Cards and readers should be a modest portion of that. This is where the “intangibles” from public relations, HR, food service, can providing a tipping momentum.

Personal Identity Verification (PIV) Project

Security, Sales or Service? What drives your identity implementation?

Every identity program is driven by at least one of these and many of the most effective programs lean on more than one driver.

Kim Cameron writes about how UCSF lost identity data by breaking four of his “laws of identity.” He’s right, but I believe that UCSF might not have had that lapse if they had been treating identity in a holistic manner.

If UCSF, or UC Berkeley or any number of other recent targets understood what the driver was for their identity information and implementations they could both secure their programs better and leverage them for maximum value.

Whether it’s the internal identity manifested by your id badge, or the external identities living in your databases, know why your organization is using them before creating your various identity structures.

Every vertical market should take this approach. Healthcare, education, government, and business all need to have a better understanding of why they use identity, where they use it know and how they can better leverage it in the future.

I’ll be having a conversation later this afternoon with one of my past healthcare bosses. It should be interesting and I’ll be using that vertical market to talk about identity & transaction management and it’s impact on internal and external identities. HIPAA makes that a really lively discussion.

Kim Cameron’s Identity Weblog

Phil Windley’s Technometria | Four Identity Laws Broken at One Blow