A question of trust and accountability
November 2017, Access Control & Identity Management, Integrated Solutions
Access and identity management is about trust. Who has access to your physical and logical properties and what they may or may not do there, when may they be there and are they qualified to be doing what they are doing?
Hi-Tech Security Solutions took the concept of trust and asked a few access control vendors for their take on the concept and how it translates into the real world of access. In this round table, we focused on the physical security vendors, leaving the digital access to a second conversation which is also published in this handbook.
The round table attendees were:
• Andrina Diedericks from IDEMIA (previously Morpho), focusing on the biometrics side of identity and access, where the company has over 30 third-party technologies integrated with its access and identity systems.
• Mike Kidson and Melville Frahm from Impro Technologies, a local manufacturer of software and hardware components, as well as a developer of integrated solutions.
• Leonie Mangold from Powell Tronics, a distributor and software developer focused on creating integrated third-party solutions for its two primary product lines, Morpho and Impro.
• Walter Rautenbach from neaMetrics, a distributor for Suprema in Africa and also a global software development specialist for the Suprema range of products.
• Greg Sarrail and Claude Langley from HID Global, representing the biometrics division (Lumidigm) of the larger HID group.
When it comes to assigning trust in terms of an access control scenario, there has to be an initial point where a level of trust is associated with a person or device. For example, at some stage of the process, someone has to decide that this person or that vehicle should be trusted and allowed access to certain properties and areas within a company.
Frahm says this trust is established in the initial engagement and enrolment process. Companies are quite entitled to and should take the necessary precautions when collecting people’s credentials, whether it is a photograph, fingerprints, making use of identity verification services and so on. This initial process sets the scene for future interactions and privilege assignment for the individual. If you know you have it right on that first enrolment, you are off to a good start.
Within this process, Kidson says this trust assigned to an identity must tie back to some kind of non-replicable component to ensure accuracy. “And the most difficult thing to replicate is the biometric. So, be it a facial recognition component, a fingerprint, an iris, whatever the case is, when you integrate that element onto a credential I think you are heading in the right direction.”
It is too easy to copy or clone physical documents like cards today. A recent demonstration showed how almost any physical credential can be cloned in a few minutes. There are, for example, some cards that can’t be cloned as easily (or yet), but the criminal element is always on the prowl and it is a matter of time before they find ways to compromise the next secure credential. Therefore, we need something additional, and the best option right now is in the form of a biometric.
Kidson believes biometrics is how you tie the trust idea together. It’s a safety net that until now you could not replicate and it is the closest way of authenticating that this credential is being used by the appropriate person. Moreover, he says integrating biometrics with your access and identity systems is the starting point for more security and is an important aspect of the solutions approach instead of simply buying individual technology components. “Instead of a component you need an holistic turnkey solution where there are integrations on the various components for improved reliability and trust.”
Solutions are us
Rautenbach agrees, noting that integration, or solutions are critical in this space. “Take for example the criminal clearance solution: an employee or a prospective employee comes in and places their fingers on a reader. It gets sent to SAPS and they say there is no criminal record. This is fine, but did we ask the right person to put their fingerprint down? The prints match a record at SAPS (or hopefully don’t match in the case of a criminal record check), but is the identity associated with that fingerprint on their side the same as the person sitting here?
“One of the things happening now is adding to the service, a confirmation that those thumbs belong to the person sitting there. Now you have closed that loop because you know the person verified against the Home Affairs database and the criminal record for that person actually belongs to that individual.”
And that is where the integration comes in, but it’s also where we run into a problem because it depends on the client being prepared to spend a bit of money on that closed-loop service. Is allowing someone access to your building worth the expense, or is who that person is not really that important?
“If I work at the Reserve Bank, then it’s important to have all that information, but if you come to visit our office, I am not going to do all those checks on you,” Rautenbach adds. “However, it’s the ability of technology today to link all the different systems together that makes for a more accurate and reliable mechanism for obtaining a level of trust for that identity.”
Kidson adds that it is also important to note that the databases we use in these processes are often overlooked as they need a refresh cycle as well. Authentication has a sell-by date and there needs to be a renewal window depending on what information and trust is being assigned. He also believes we need to add different components to these databases to improve identification and authentication.
For example, licence plate recognition recognises the number; it does not recognise the colour of the car, the shape of the car, the make of the car, etc. An holistic solution needs to bring additional components into the mix for more accurate identification – for people and things.
“As a company it is going to cost me money to re-verify you every 6 to 12 months so it doesn’t happen, yet, in the meanwhile, the employee goes through a court case and is convicted,” notes Langley. “You do not know and you will never know it because there has not been a second verification.”
He adds that the problem at this stage is that linking to external data sources is still too expensive, and the infrastructure is not there. He gives a bank as an example: they will interact with the Home Affairs National Identification System (HANIS) initially to verify that it is me, but then they create their own database because of a lack of infrastructure, lack of trust and cost. And then, while they may have an up-to-date database, they are not going to share it or allow access.
This example again serves to highlight the importance of trusted integration throughout the access chain, whether for top secret operatives or just to allow an employee access to the car park. Mangold and Diedericks concur, noting it has become standard in today’s world to add value to the ‘boxes’ that are sold. Not only does this improve the identity verification process, but it also adds an improved experience for end-users at the end of the day.
And perhaps, given the latest South African breach where millions of identity numbers and other information was left exposed on the Internet (and obviously stolen), basically leaving the entire country potential victims of identity theft, this serves to highlight the fact that identity verification is too important to leave to a tattered card of ID book without additional, integrated components to ensure people are who they claim to be.
Kidson refers back to his comment on biometrics, saying it’s easy to replicate a physical credential, but when you combine credentials and biometrics you add a significant level of security.
And, adds Langley, this is where multi-modal identification is proving its worth. “It’s not just one single point of identification but multiple, and it provides more of a secure platform than just a single authentication method.
Sarrail expands on this, noting it’s a question of educating the customer of the dangers of not using good verification solutions. Most customers quite naturally want to buy a single point solution and to compare the price with other point solutions. But in the end, they want (or rather need) an integrated solution that works to solve the problem they are faced with and which could cost them dearly.
So while you may focus on what the end device (a card or fingerprint reader, for example) costs, this is not going to solve a problem without the full integrated solution. And it is the full solution that is going to be the problem solver, money saver and fraud preventer in the greater scheme of things.
What do you always have?
While it’s easy to speak about credentials and biometrics, even having biometrics on your physical credentials to prove that the person with the card is the person who is supposed to have the card, we are often faced with the question of what is the best credential to have that can offer various forms of authentication and identity verification, but without placing an unrealistic cost burden on the company.
Rautenbach has a clear answer here: What do you carry with you all the time?
“I think your mobile phone is the ideal solution. If you provide cards to people and they lose it, that means someone can find it and potentially use it. If your ‘card’ is on your phone, it can be assigned to you and deleted remotely in an instant.
“So I love the idea of mobile credentials. You can use it for logical access as well, since most PCs have Bluetooth so you can have a BLE interface. Most importantly, I am not going to leave my phone at someone else’s PC, or at home, and if I lose my phone I will realise it very quickly. So it’s the perfect device for access control. You can switch over from identification to verification, and you can take it further by making the credential more intelligent, building biometric-on-device authentication in to activate the virtual card.”
And it doesn’t stop at fingerprints. While fingerprints are the go-to solution for biometric access at the moment, Kidson says Impro ran a facial recognition pilot at an industrial site where employees worked with their hands and often had damaged fingerprints. The result was only two out of about 3000 workers could not be authenticated via facial biometrics, indicating this will become a biometric to consider in the future. He also notes that the question of the type of facial recognition used is important, as 3D recognition is far more accurate and reliable than older 2D technology that can be spoofed with an image of a person.
Diedericks again notes the issue of risk profiles come into play and that more secure areas will require additional security levels or layers before access is granted, which can all be controlled on the smartphone. She adds that, while smartphone facial recognition is acceptable in certain instances, IDEMIA’s facial recognition solution takes 40 000 3-dimensional points on a person’s face and creates a template from that, making the process more secure and less vulnerable to spoofing.
Standards and quality
It’s all very well talking about integration and the need for holistic solutions, but the average buyer, no matter how educated they are or how aware they are of the need for better verification and authentication processes, is till bound by a budget set by people who are, at best, unaware of the risks and realities.
When purchasing your technology (which is hopefully part of a solution), it is important to look beyond the price and consider the quality of the products and whether they adhere to internationally accepted standards. This is not only an indication of their reliability and security, but also an indication that they will be able to be integrated into future expansions to the solution the organisation requires. And when looking at the various technologies mentioned in the Access & Identity Management Handbook 2018, it’s clear that even your intercom system can and should form part of the broader solution.
One biometric standard, specifically related to fingerprint biometrics Diedericks mentions is FBI compliancy and certification which, if adhered to, will stand the organisation in good stead if it needs to take its access logs to court. She does, however, acknowledge that not everyone needs a high-end biometric reader. A smaller company may be satisfied with a cheaper brand that is good enough to allow access to the premises. When you look at a larger company with additional requirements, you then need to consider the speed of recognition, the database size you can work with, encryption, liveness detection and other factors.
Sarrail says it all depends on what you want to get out of your system. The FBI standard, while still relevant, is a 20-year-old standard. “New multi-factor authentication systems are out that are never going to be addressed by that standard. So there needs to be a new set of standards that relate to this new data that is available.
“None of us have seen the Apple facial recognition system in person yet [the round table was held before Apple’s new products reached South African consumers – Ed.], but apparently it’s pretty good,” Sarrail continues. “There is not a set of standards around that and Apple does not care. It is in their bubble and they are going to protect it and use it for their users. But that sure is going to drive the rest of the industry to say: If they can do it on a phone, why are we doing it elsewhere? And that is going to have to result in new specifications that deliver the quality and reliability industry requires.
“The use cases today are going to be the drivers of new technology and the standards you need to deal with current threats. As such, while standards are important, we need to ensure they cover where we are technologically today and the ways in which we build solutions.”
Once they’re in
Of course, access control is more than simply deciding who gets in. It must also include what they are allowed to do once inside. Mangold says companies need to be clear about and make known their right of admission policies. This is more than simply deciding who gets in the door, but what they are allowed to do once on the premises. This applies whether they are accessing a business location or a residential estate, or even just using Wi-Fi as a guest.
“With an integrated solution you can manage where people are allowed to go. So if you, for example, are a high care nurse that comes into a frail care facility, you only are going to have access to that frail care facility at the point where you are enrolled onto the facility. Through your access system, you can furthermore guide people into areas where they are supposed to go. So by incorporating all of that into your access control through integration, you can actually manage where people are going, you can know who is on site, where they are, are they still on site, should they be off site.”
It starts with access groups in your access control system, says Rautenbach, when you predefine specific access groups and then assign access to those privileges. “But that is not where it should end. I might limit a visitor to only come into the reception area, but did that visitor try and access different areas? That sort of reporting to proactively assess what that guy did is something that is lagging at the moment.”
He adds that you can then go further and link logical access control, but then it becomes a different ball game because it is not turnstiles that you are managing, but what actual data and PCs people can manage – and that becomes a little bit more tricky because then you normally have a separate credential system that manages that type of process.
Of course, we are looking at the capabilities of technology here, which is an ideal situation. Langley and Kidson both mention that no matter what technology you have in place, there is always the human element to consider. Whether it’s a guard or receptionist who doesn’t care whether you have access or not, or a too-polite person within a building who allows you to tailgate, the human element is always the weakest link in security.
Diedericks relates the human problem to the issue of convenience. When the human element gets involved in the process of verification or authentication, convenience beats common sense and if the process is not convenient people will simply not comply. Looking at the passwords people still choose today is a clear indication that no matter how important security is and how much people are educated, simplicity and convenience beats all.
However, while agreeing, Mangold says you need to draw the line somewhere and force compliance if you don’t want to expose yourself to extended risks. “All the technology is useless without procedure and policy. You can have the best technology and the greatest integration, but if you do not enforce policy and procedure, it is absolutely useless.”
Sarrail highlights the concept of risk profiles. Relaxed security may be acceptable in some instances, but if you are in a high-security environment then you will make it more cumbersome on the individual. The right policies and procedures must be put in place, and enforced, according to the risk profile for the environment.
Frahm echoes that it is critical to ensure your security employees are following the procedures and will not circumvent them in a situation where they feel it may be justified to ignore them. His reasoning is that the criminal element is always watching and waiting to discover weaknesses like this that they can exploit.
With the knowledge that integrated solutions are the way to go for reliable and secure authentication and verification, we ended the discussion by asking our attendees for their insight into what will be important in the industry over the next year or two.
Kidson, unsurprisingly, is sure we will see an even more significant move to mobile access technologies than we have seen this past year or two. “I think we will be utilising these devices more in every sphere of our lives.” In addition, he sees more, more complex and improved integrations across the board.
Mangold sees an increase in ‘one version of the truth’ in future. In other words, having a single database in an organisation where credentials are securely stored and distributed to physical and logical access systems, as well as other business areas where they are needed. The days of having a database in HR, as well as the security department and another for IT security are over. As an example, she says Active Directory is often used as the source for Powell Tronics’ installations and information required for access is pulled from there to avoid having to capture information twice, avoiding errors and conflicts later on.
Sarrail expects cloud services to take off in the near future. There are already identity management services based in the cloud, but these are not as common or as attractive to companies of all sizes as they will be, and especially not as integrated into various systems public and private enterprises require.
While the report on the round table can only highlight snippets of what was discussed, the overall impression is that innovation in the access and identity market is in no danger of slowing and the options for end-users are more plentiful than ever. There is still a need for educating users on best practices and processes, but the industry seems to be setting its own standards in terms of what works in terms of authentication and verification to ensure security in even the smallest companies.
Hi-Tech Security Solutions thanks all the participants for taking the time to join the round table discussion and for their contributions.