Securing the Enterprise in a Networked World
Standards-Based Physical/Network Access Control Integration
Introduction

Technology has changed the nature of the enterprise and how enterprises protect themselves from threats and manage risk. Assets once were things that could be "secured" with walls, alarms, keys and guards. Security systems were purchased and operated by a security department, monitored after hours by a contract central station, and very localized.

Today, an organization's most valuable assets may be invisible: data and information about its customers, technology, business plans and financial assets. And instead of locking these assets away, we now make them accessible to our staff, customers and business partners from their desktops, laptops and mobile devices, often far away from the walls of protection we have built, and sometimes in locations where network access is offered as a marketing convenience to accompany a refreshing cup of coffee.

And while the nature of business demands that we make data accessible everywhere, all the time, government-imposed regulatory requirements have increased, and the cost in time, money and damage to brand that results from a security breach or data theft is, at best, expensive, and may be fatal.

Organizations now realize that security is no longer a department but an integral component of the management of the enterprise. It is not something that is purchased or bolted on, but something that must be woven into the very fabric of the business. Effective security and risk management now touches, and must include, human resource policies, identity management, physical security, cyber security, network security, credentialing, logical access, surveillance, compliance initiatives, reporting and forensics.

Connecting the dots across all of those disciplines has been the challenge.
This whitepaper discusses a standards-based enterprise solution that allows disparate systems to share unstructured data across unstructured relationships and to act upon this information in accordance with organizational policies, providing a cohesive security management framework that ties it all together.

The Physical/Cyber Security Gap

In most enterprises, physical security and cyber security are distinct disciplines, with distinct missions, departments and management structures. Therein lies the problem. Between those silos lie gaps in process, policy and practice that may be exploited by attackers inside and outside the organization.

Most organizations have deployed some type of physical access control system that requires the use of access cards, PINs and/or biometric verification to enter buildings and specific areas within those buildings. Most have also implemented some type of network access control environment, and the majority of those rely on a user name and password for network authentication and access. And since each of those systems is generally under the control of a different department with a different mission, almost none have integrated the two. Each system seems to fulfill its individual mission, which can create a false sense of security or, worse, create conditions that may lead to serious security breaches.

As an example, consider a company whose physical security and IT security departments have established the following rules:

• All employees must use their access card at all building entry points.
• All employees must use network passwords that contain at least 8 characters, including at least one capital letter, one number and one special character. Passwords cannot be a dictionary word. Passwords are case sensitive, must be changed every 60 days, and may not be reused.

Both are good, strong security policies. But in the real world, what will happen?

• Employees will hold the door open for co-workers who arrive together.
• While strong passwords provide additional protection against password-guessing attempts (the most common password in unrestricted environments is "password"), strong password policies almost guarantee that the employee will write down his new secure password and keep it in his desk drawer.

So let's see what can happen when an employee travels to visit a company site in another city. He arrives at the remote site and uses his access card to enter the door, and his access is recorded as a normal event in that site's access control system.

Back at HQ, someone has found the sticky note on which the employee has written his very strong password, has logged onto the system under that employee's name, and has been granted access to everything the traveling employee can see. All of that activity will be logged to the traveler's IT account.
The network access control system validated the user name and password, and even the status of the virus protection on the computer logging onto the network, and all conditions were successfully met.

In this case, both systems did what they were supposed to do. No physical security alarm was generated, no network anomaly reported. But a serious breach occurred.

In an integrated world, a person's presence in a building or specific area would be one of the factors the network security system considers before it allows access to critical network resources. This would not only enhance network access security but improve physical security, as employees would be less likely to tailgate in behind each other, even if the door is held open by another polite but policy-violating person.

Once the technical aspects of physical/network access control integration are in place, additional policies may evolve. Readers may be placed at physical points of egress from the building, and employees would need to use their access credential to leave the building, which disables their local access privileges and enables remote and VPN network access. Doing so also provides a more accurate accounting of who is in the building or area at any given time.

IT Meets Physical Security

For several years, the buzz in the physical security world has been the convergence of physical and cyber security. The problem was that "convergence" meant different things to different physical security system and device vendors. To some, it simply meant adding a terminal server in front of a serial device and connecting it to an IP network. To others, it meant developing custom integrations through APIs, SNMP, syslog, etc. And for many in the IT space, convergence with physical security was not even on the radar.

The threat that organizations face, however, is very much converged. Organizations must have strong physical and cyber security environments, as weaknesses in either will be exploited by adversaries who don't care how they get in. To truly meet the challenge and vision of convergence, cyber and physical security efforts, systems, policies and data must be coordinated and interoperable.

Standards and Trust

To obtain interoperability between disparate systems, two elements are necessary: a standard way to communicate, and trust between the parties and systems doing the communicating, so that each party can validate the identity of the other with a very high level of assurance.

While the IT community has long embraced standards, the physical security industry has been slow to follow suit. Some standards are emerging in physical security, but when it comes to securing data at rest and in transit, the IT industry has already tackled the challenge. In particular, the 100+ member Trusted Computing Group (TCG) has developed an open architecture and suite of protocols designed to allow high levels of interoperability while increasing the security of data and protecting the operational integrity of the devices connected to the IP network.
The architecture is referred to as Trusted Network Connect (TNC). Among its protocols, IF-MAP (Interface for Metadata Access Points) provides a secure, open and flexible approach for communicating or sharing data between trusted applications, devices and systems.

IF-MAP has several components that provide both standards-based interoperability and a high degree of trust, all of which are widely embraced by the IT industry. Specifically:

• Mutual certificate-based authentication establishes trust between the devices and systems that share information: both sides of every connection present a certificate, so a system cannot publish or read metadata merely because it is on the network.
• Encrypted communications protect data while in transit.
• SOAP (Simple Object Access Protocol) bindings. SOAP is a protocol specification for exchanging structured information in the implementation of web services; it provides a basic messaging framework upon which web services can be built and relies on eXtensible Markup Language (XML) as its message format. A SOAP message consists of three parts: an envelope, which defines what is in the message and how to process it; a set of encoding rules for expressing instances of application-defined data types; and a convention for representing procedure calls and responses.
• XML metadata exchange: a widely used and endorsed schema for communicating data between devices and applications in a common manner.

More specifically, IF-MAP defines a protocol and an associated database used by applications and systems to publish information, subscribe to changes in information of interest, and search for relevant data. This publish, subscribe and search model allows compliant devices to share information without requiring individual, custom integration efforts. All compliant devices publish events and status to the metadata server, and other compliant devices choose which information and systems they wish to subscribe to. This is very much like social media for networks. In essence, we go from a complex, brittle and expensive myriad of point-to-point custom integrations, which ends up looking something like this:

[Figure: point-to-point custom integrations between individual security systems]

to a more streamlined, efficient and effective network environment that allows the various network components to share data with each other, even though those relationships and data may be unstructured. The IF-MAP protocol provides such an environment, which looks more like this:

[Figure: the same systems publishing to and subscribing from a single IF-MAP server]
Images courtesy of Infoblox.

IF-MAP Converges Physical and Cyber Access Control

Physical access control systems like those provided by Hirsch typically control movement through doors, parking gates and other physical portals and barriers. Authorized personnel authenticate themselves at those portals using a credential, which may be an access card, a PIN, a biometric (finger, iris, etc.) or some combination of those. These systems protect physical assets such as buildings, equipment and personnel by ensuring that only the right people access sensitive areas, and assist with governance and compliance activities through role-based permission assignment and by building an audit trail of all activity.

Recognizing the impact of physical security on the cyber and IT security worlds, Hirsch is a member of the Trusted Computing Group and has adopted the IF-MAP protocol as an option for its Velocity™ physical access control system. Hirsch has labeled this IF-MAP enabled communications option the Hirsch PACE™ Gateway.

Threats to an organization include network and cyber attacks, which force organizations to implement highly restrictive network environments and processes that make it difficult and inefficient for trusted users to gain access to the network assets they need to complete their tasks. The Hirsch Velocity PACE IF-MAP implementation addresses this problem by giving organizations a dynamic and flexible network access control (NAC) policy based on "presence" in an area.

One of the initial use cases of the Hirsch PACE Gateway is linking physical presence in an area or facility to network access privileges. In this case, Hirsch Electronics, Infoblox and Enterasys teamed to provide end-to-end physical and network access control integration. The Hirsch Velocity™ physical access control system (PACS) processes access control entry and exit transactions and publishes those events (including person and location metadata) to the Infoblox IF-MAP server. That person's location status becomes one of the parameters the Enterasys network access controller considers before granting that person access to network resources. If that person leaves the area, local privileges may be disabled, and so on.

A similar network access control solution is available with Juniper Networks Universal Network Access Control products.

The security benefits of such a convergence include:

• Enhancing the physical security environment
  o Minimizing the likelihood of physical access "tailgating" at doors. Persons who neglect to present their credential at designated entry readers may be denied access to all or selected network resources.
  o Encouraging the use of "EXIT" readers. While we cannot lock people inside areas, it is often desirable to know which persons are actually in which areas at any time. If all persons badge "in" and "out" of areas or buildings, we get an accurate accounting of who is where, which is helpful when arming alarm systems and in emergency evacuation situations. With the IF-MAP network security integration, leaving an area through an exit reader can disable local network privileges and enable remote VPN access privileges.
• Enhancing the network security environment
  o Minimizing the likelihood of internal password compromise. Even if a co-worker obtains a fellow employee's password, that password will not work if the target employee is not physically in the area or building.
  o Minimizing the possibility of downloads of controlled information by unauthorized individuals.
  o Eliminating simultaneous network connections from multiple locations.
  o Enforcing log-off policies. While most organizational policies require employees to log off their desktops when they leave their area, not all employees do. If the employee uses his access card at another reader or at an exit reader, the NAC controller will pick that up and automatically log off that user.
  o Increasing remote access security. Persons who have badged into the building can be denied remote, VPN or even wireless access.
• Enhancing compliance efforts
  o This type of integration can help organizations comply with separation-of-duties and desktop security requirements under Sarbanes-Oxley, HIPAA privacy regulations, DCID and ICD secure facility specifications, GLBA privacy requirements and more. More importantly, as part of an overall policy-driven enterprise security program, measures like this can be effective in preventing the kinds of data breaches that can ruin an organization's reputation and credibility.
  o Ensuring consistent de-provisioning in network and physical security environments upon employee separation.

An especially compelling feature of this kind of integration is that it does not care what type of credential is used to identify persons, so it does not require rebadging of employees or the introduction of a PKI infrastructure. The certificates that IF-MAP requires authenticate the integrated systems to one another (the PACS, the IF-MAP server and the NAC), not individual users. Proximity cards, PIN codes, biometrics: whatever the organization is using now for physical security can still be used. User name and password may still be used at the desktop, etc.

The above applications rely on the physical presence of an individual as a policy input for granting or denying network access. A logical next step is to have the Hirsch physical access control system subscribe to events and perform actions based on activity published by other IF-MAP compliant systems and devices on the network. For example, Hirsch Velocity could subscribe to Active Directory events (disable, enable, delete, lock) and, accordingly, create, enable, disable and delete physical credentials and privileges, ensuring complete and accurate physical/logical and network access provisioning and de-provisioning.
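The following is an added example, not code from Hirsch, Infoblox, Enterasys or the Trusted Computing Group, and not the real IF-MAP SOAP/XML wire format (which also runs over mutually authenticated, encrypted connections). It models the publish/subscribe/search pattern described above in a single process and replays the travelling-employee scenario from the beginning of the paper: the PACS publishes entry and exit events with location metadata, a presence-aware NAC at HQ treats a valid password as necessary but not sufficient, the exit reader ends the local session and unlocks VPN access, and a directory "account disabled" event (a hypothetical "directory" publisher standing in for the Active Directory subscription mentioned above) revokes the physical credential. The user name "jdoe", the site names "HQ" and "Remote", the reader kinds and all metadata names are constructed for the illustration.

```python
"""Presence-aware NAC driven by a publish/subscribe metadata store (IF-MAP style).

Added example; not vendor code and not the IF-MAP SOAP/XML protocol itself.
Identity 'jdoe', sites 'HQ'/'Remote' and the 'directory' publisher are made up.
"""
from collections import defaultdict


class MapServer:
    """In-memory stand-in for a Metadata Access Point: publish / subscribe / search."""

    def __init__(self):
        self.metadata = defaultdict(dict)     # identifier -> {name: value}
        self.subscribers = defaultdict(list)  # identifier -> [callback]

    def publish(self, publisher, identifier, **metadata):
        # Merge the new metadata, then notify every subscriber of that identifier.
        self.metadata[identifier].update(metadata)
        snapshot = dict(self.metadata[identifier])
        for callback in list(self.subscribers[identifier]):
            callback(publisher, identifier, snapshot)

    def subscribe(self, identifier, callback):
        self.subscribers[identifier].append(callback)

    def search(self, identifier):
        return dict(self.metadata[identifier])


class PhysicalAccessControl:
    """Stand-in for the PACS: door events become presence metadata, and a
    directory 'disabled' event revokes the physical credential."""

    def __init__(self, mapsrv):
        self.map = mapsrv
        self.disabled = set()

    def watch(self, user):
        self.map.subscribe(user, self._on_change)

    def badge(self, user, site, reader):
        if user in self.disabled:
            return "door denied: credential disabled"
        if reader == "entry":
            self.map.publish("pacs", user, present=True, location=site)
        else:  # exit reader: the person is no longer in any controlled area
            self.map.publish("pacs", user, present=False, location=None)
        return "door granted"

    def _on_change(self, publisher, user, meta):
        # Only react to the directory, so our own publish below cannot loop.
        if (publisher == "directory" and meta.get("account") == "disabled"
                and user not in self.disabled):
            self.disabled.add(user)
            self.map.publish("pacs", user, present=False, location=None,
                             credential="disabled")


class NetworkAccessControl:
    """Stand-in for the NAC at one site: password plus published presence."""

    def __init__(self, mapsrv, site):
        self.map, self.site = mapsrv, site
        self.local_sessions = set()
        self.events = []

    def watch(self, user):
        self.map.subscribe(user, self._on_change)

    def decide(self, user, password_ok, kind):
        if not password_ok:
            return "deny: bad password"
        meta = self.map.search(user)
        if meta.get("credential") == "disabled":
            return "deny: credential disabled"
        if kind == "local":
            if meta.get("location") != self.site:
                return "deny: not badged into %s" % self.site
            self.local_sessions.add(user)
            return "allow: local"
        if meta.get("present"):
            return "deny: badged into a building, VPN not allowed"
        return "allow: vpn"

    def _on_change(self, publisher, user, meta):
        # Exit reader, badge-in elsewhere or a revoked credential ends the local session.
        if user in self.local_sessions and meta.get("location") != self.site:
            self.local_sessions.discard(user)
            self.events.append("auto log-off %s" % user)


def run_scenario():
    """Replays the paper's travelling-employee story; returns the decisions made."""
    mapsrv = MapServer()
    pacs = PhysicalAccessControl(mapsrv)
    hq_nac = NetworkAccessControl(mapsrv, "HQ")
    user = "jdoe"
    pacs.watch(user)
    hq_nac.watch(user)
    log = []
    pacs.badge(user, "Remote", "entry")                    # traveller arrives at the remote site
    log.append(hq_nac.decide(user, True, "local"))         # sticky-note password used at HQ
    pacs.badge(user, "HQ", "entry")                        # traveller is back at HQ
    log.append(hq_nac.decide(user, True, "local"))
    log.append(hq_nac.decide(user, True, "vpn"))
    pacs.badge(user, "HQ", "exit")                         # leaves through the exit reader
    log.append(sorted(hq_nac.local_sessions))
    log.append(hq_nac.decide(user, True, "vpn"))
    mapsrv.publish("directory", user, account="disabled")  # HR disables the directory account
    log.append(pacs.badge(user, "HQ", "entry"))
    log.append(hq_nac.decide(user, True, "vpn"))
    log.extend(hq_nac.events)
    return log


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The point to take from the model is where the trust boundary sits: the NAC never learns the user's password strength or the PACS's card technology, it only consumes the presence metadata the PACS publishes, and the PACS only consumes the directory's account state. Each system keeps its own credential and its own decision, and the metadata server is the one integration point, which is what lets the page claim that no rebadging or user PKI is required.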
As additional TCG members adopt the IF-MAP standard, there will be other applications and opportunities for PACE, including integration with wireless access controllers, SCADA systems, and network security information and event management (SIEM) systems.

Summary

As the threats organizations face become more sophisticated and budgets tighten, organizations must take creative and effective measures to protect their people, their assets and their data. The lines between physical security, identity management, provisioning, network security and logical security are blurring, and managing risk is now a C-level imperative.

By adopting IF-MAP, Hirsch has placed itself squarely in the IT camp that is driving trusted, scalable, standards-based interoperability and data sharing not just in the security space but throughout the IT ecosystem.

Infoblox, Enterasys Systems, Juniper Networks and Hirsch are all members of the Trusted Computing Group: http://www.trustedcomputinggroup.org.

For more information on the Hirsch PACE Gateway, please visit http://www.hirsch-identive.com/products-services/converged-security/pac-nac-integration.