Multi-layered security

Enterprises have typically focused on securing the network perimeter and relied on static passwords to authenticate users inside the firewall. This is insufficient, given the nature of today’s Advanced Persistent Threats (APTs) and the internal risks associated with Bring Your Own Device (BYOD) adoption. Static passwords are a potential recipe for a security disaster. In this article, Julian Lovelock, Vice President of Product Marketing, Identity Assurance, HID Global, explains that enterprises would benefit from not only employing strong authentication for remote access, but also extending its use to cover the desktop, key applications, servers, and cloud-based systems as part of a multi-layered security strategy.

Unfortunately, choosing an effective strong authentication solution for enterprise data protection has traditionally been difficult. Available solutions have been inadequate either in their security capabilities, the user experience they deliver, or in the cost and complexity to deploy them. Now, we have the opportunity to eliminate these problems using Near Field Communications (NFC)-enabled credentials that can reside on smart cards or smartphones, and can be employed to secure access to everything from doors, to data, to the cloud. Versatile, NFC-based strong authentication solutions can:

  • Support converged secure logical access to the network and cloud-based services and resources, as well as physical access to buildings, offices and other areas;
  • Support mobile security tokens for the most convenient and secure access from smartphones or tablets; and 
  • Deliver multifactor authentication capabilities for the most effective threat protection, as part of a multi-layered security strategy.

The Challenges of Strong Authentication

Multi-factor authentication, also known as strong authentication, combines something the user knows (such as a password) with something the user has (such as mobile and web tokens), and can also be extended to include a third factor in the form of something the user is (which can be ascertained through a biometric or behavior-metric solution).

Users have grown weary of the inconvenience of hardware one-time password (OTP) tokens, display cards and other physical devices for two-factor authentication. Additionally, OTPs are useful only for a limited range of applications. The industry is now replacing hardware OTP tokens with software tokens held on user devices such as mobile phones and tablets, or in the browser. With software OTPs, organizations can replace a dedicated security token with the user’s smartphone, which has helped two-factor authentication grow in popularity and convenience: a phone app generates the OTP, or the OTP is sent to the phone via SMS. However, software OTPs have security vulnerabilities that have driven the need for a far more secure strong authentication alternative, such as smart cards based on Public Key Infrastructure (PKI). The downside of this approach is its high cost and the complexity of deploying it.

Future Mobile Opportunities

The benefits of NFC technology are many as it becomes a standard feature of smart phones, tablets and laptops targeted at the enterprise market. Users can have a smart card or smartphone that grants access to resources simply by “tapping in”, without the need to enter a password on touch-screen devices or to issue and manage additional devices. In addition, there are a number of steadily growing NFC-based tap-in use cases that are poised for strong adoption in the enterprise, including tap-in to facilities, VPNs, wireless networks, corporate intranets, cloud- and web-based applications, and SSO clients, among many other scenarios. These benefits and the wide range of potential applications, along with the fact that manufacturers are enabling more and more phones, tablets and laptops with NFC, are driving many companies to seriously consider incorporating secure NFC-based physical and logical access into their facilities and IT access strategies.

The mobile model will deliver particularly robust security, and will be especially attractive in a BYOD environment. It will be implemented within a trusted boundary, and use a secure communications channel for transferring identity information between validated phones, their secure elements (SEs), and other secure media and devices. The authentication credential will be stored on the mobile device’s secure element, and a cloud-based identity provisioning model will eliminate the risk of credential copying while making it easier to issue temporary credentials, cancel lost or stolen credentials, and monitor and modify security parameters when required. It will also be possible to combine mobile tokens with cloud app single-sign-on capabilities, blending classic two-factor authentication with streamlined access to multiple cloud apps on a single device that users rarely lose or forget.

The NFC tap-in strong authentication model will not only eliminate the problems of earlier solutions, it will also offer the opportunity to achieve true convergence through a single solution that can be used to access IT resources while also enabling many other applications. These include such physical access control applications as time-and-attendance, secure-print-management, cashless vending, building automation, and biometric templates for additional factors of authentication – all delivered on the same smart card or NFC-enabled phone alongside OTPs, eliminating the need to carry additional tokens or devices. Historically, physical and logical access control functions were mutually exclusive within an organization, and each was managed by different groups. Now, however, the lines between these groups will begin to blur.

Additional Considerations for the Cloud

As identity management moves to the cloud and enterprises take advantage of the Software as a Service (SaaS) model, there are other critical elements to consider. For instance, it will be critical to resolve challenges around provisioning and revoking user identities across multiple cloud-based applications, while also enabling secure, hassle-free user login to those applications.

The most effective approach for addressing data moving to the cloud will likely be federated identity management, which allows users to access multiple applications by authenticating to a central portal. It also will be critical to ensure the personal privacy of BYOD users, while protecting the integrity of enterprise data and resources. Several other security issues also emerge. IT departments won’t have the same level of control over BYODs or the potentially untrustworthy personal apps they may carry, and aren’t likely to be loading a standard image onto BYODs with anti-virus and other protective software. Nor is it likely that organizations will be able to retrieve devices when employees leave. We will need to find new and innovative ways to address these and other challenges. Notwithstanding the risks, the use of mobile phones equipped with SEs, or equivalent protected containers, opens opportunities for powerful new authentication models that leverage the phone as a secure portable credential store, enabling use cases ranging from tap-in strong authentication for remote data access, to entering a building or apartment.

Additionally, as BYOD continues to grow in popularity and many cloud-based applications are accessed from personal devices, enterprises will need to take a layered approach to security, recognizing that no single authentication method is going to address the multiple devices and multiple use cases required by today’s mobile enterprise.

A Layered Security Approach

In addition to multi-factor user authentication as the first layer of security, both inside the firewall and in the cloud, there are four other layers that should be implemented.

The second layer is device authentication. In other words, once it is determined that the user is who he or she says he or she is, it is important to verify that the person is using a “known” device. For this step, endpoint device identification and profiling should be combined with such signals as proxy detection and geo-location.

The third layer is ensuring that the user’s browser is part of a secure communication channel. Browser protection can be implemented through simple passive malware detection, but this does not result in the strongest possible endpoint security. It is more effective to use a proactive hardened browser with a mutually authenticated SSL/TLS connection to the application.

The fourth layer is transaction authentication/pattern-based intelligence, which increases security for particularly sensitive transactions. A transaction authentication layer can include Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioral analysis. 

The final layer is application security, which protects applications on mobile devices that are used to deliver sensitive information. The application must be architecturally hardened and capable of executing mutual authentication. Adding this layer makes data theft much more complex and costly for hackers.

Effectively implementing these five security layers requires an integrated versatile authentication platform with real-time threat detection capabilities. Used in online banking and ecommerce for some time, threat detection technology is expected to cross over into the corporate sector as a way to provide an additional layer of security for remote access use cases such as VPNs or Virtual Desktops.
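The five layers above read naturally as a policy pipeline. The following is an added illustration, not HID Global code: a small decision function that walks the layers in order and returns ALLOW, STEP_UP (out-of-band transaction verification required) or DENY, with the reason for each layer recorded. The signal names, weights and thresholds are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    # Layer 1: which factor classes the user has presented
    factors: set                 # subset of {"knowledge", "possession", "inherence"}
    # Layer 2: device authentication plus proxy and geo-location signals
    device_known: bool           # endpoint fingerprint matches an enrolled device
    proxy_detected: bool         # anonymising proxy sits in front of the client
    geo_country: str             # country resolved from the client address
    home_countries: set          # countries the user normally works from
    # Layer 3: browser / channel protection
    mutual_tls: bool             # channel to the application is mutually authenticated
    hardened_browser: bool       # proactive hardened browser rather than passive detection only
    # Layer 4: transaction authentication
    transaction: str             # "read", "payment" or "admin"
    amount: float = 0.0
    oob_verified: bool = False   # user already confirmed this transaction out of band
    # Layer 5: application security on the mobile client
    app_mutual_auth: bool = True  # the app completed mutual authentication with the back end


@dataclass
class Decision:
    outcome: str                 # "ALLOW", "STEP_UP" or "DENY"
    reasons: list = field(default_factory=list)


def device_channel_risk(req: AccessRequest):
    """Layers 2 and 3: score device and channel signals (illustrative weights)."""
    score, reasons = 0, []
    if not req.device_known:
        score += 2
        reasons.append("layer2: unknown device")
    if req.proxy_detected:
        score += 1
        reasons.append("layer2: proxy detected")
    if req.geo_country not in req.home_countries:
        score += 1
        reasons.append("layer2: unusual location")
    if not req.mutual_tls:
        score += 1
        reasons.append("layer3: channel not mutually authenticated")
    if not req.hardened_browser:
        score += 1
        reasons.append("layer3: passive browser protection only")
    return score, reasons


def evaluate(req: AccessRequest) -> Decision:
    """Apply the five layers in order and return the access decision."""
    # Layer 1: at least two distinct factor classes, inside the firewall or in the cloud
    if len(req.factors & {"knowledge", "possession", "inherence"}) < 2:
        return Decision("DENY", ["layer1: fewer than two authentication factors"])
    # Layer 5 is a hard gate: an app that cannot mutually authenticate gets nothing
    if not req.app_mutual_auth:
        return Decision("DENY", ["layer5: app failed mutual authentication"])
    score, reasons = device_channel_risk(req)
    if score >= 3:
        return Decision("DENY", reasons + ["layers2-3: aggregate risk too high"])
    # Layer 4: sensitive transactions, or any residual risk, require OOB verification
    sensitive = req.transaction in {"payment", "admin"} or req.amount >= 1000
    needs_oob = score >= 2 or (sensitive and (score > 0 or req.amount >= 10000))
    if needs_oob and not req.oob_verified:
        return Decision("STEP_UP", reasons + ["layer4: out-of-band verification required"])
    return Decision("ALLOW", reasons)
```

A real platform would feed the same structure from a device-profiling service and a transaction-monitoring engine rather than from hand-built records.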

Migrating to New Capabilities

Migration to NFC-based strong authentication and true converged solutions requires an extensible and adaptable multi-technology smart card and reader platform. For optimal flexibility and interoperability, this platform should be based on open architecture, and enable both legacy credential and new credential technology to be combined on the same card while also supporting NFC-enabled mobile platforms. To meet security requirements, the platform should use contactless high frequency smart card technology that features mutual authentication and cryptographic protection mechanisms with secret keys, and employs a secure messaging protocol that is delivered on a trust-based communication platform within a secure ecosystem of interoperable products. 
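To make the phrase "mutual authentication and cryptographic protection mechanisms with secret keys ... [and] a secure messaging protocol" concrete, here is an added model of that exchange; it is not HID Global's protocol or product code. Reader and card each prove possession of the card's diversified key through a three-pass challenge-response (modelled on the ISO/IEC 9798-2 pattern), derive a session key, and MAC every subsequent command together with a counter so that tampering and replay are rejected. The master key, card UID and message layout are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed demo master key; a real reader keeps this in a secure access module.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def tag(key: bytes, data: bytes) -> bytes:
    """Truncated HMAC-SHA256 used as the MAC in every protocol step."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def diversify(master: bytes, uid: bytes) -> bytes:
    """Per-card key, so compromising one card does not expose the master key."""
    return hmac.new(master, b"card-key" + uid, hashlib.sha256).digest()


def session_key(card_key: bytes, r_reader: bytes, r_card: bytes) -> bytes:
    """Fresh session key bound to both nonces of this authentication."""
    return hmac.new(card_key, b"session" + r_reader + r_card, hashlib.sha256).digest()


class Card:
    def __init__(self, uid: bytes, card_key: bytes):
        self.uid, self.key = uid, card_key
        self.r_card = self.session = None
        self.expected_ctr = 0

    def get_challenge(self) -> bytes:
        """Pass 1: card issues a random challenge."""
        self.r_card = secrets.token_bytes(8)
        return self.r_card

    def external_authenticate(self, r_reader: bytes, reader_tag: bytes) -> bytes:
        """Pass 2: verify the reader's proof, then return the card's own proof."""
        expected = tag(self.key, b"reader" + r_reader + self.r_card)
        if not hmac.compare_digest(expected, reader_tag):
            raise PermissionError("reader failed authentication")
        self.session = session_key(self.key, r_reader, self.r_card)
        self.expected_ctr = 0
        return tag(self.key, b"card" + self.r_card + r_reader)

    def process(self, msg: bytes) -> bytes:
        """Secure messaging: msg = counter(4) || payload || tag(8). Rejects bad MACs and replays."""
        if self.session is None:
            raise PermissionError("no authenticated session")
        ctr, payload, t = int.from_bytes(msg[:4], "big"), msg[4:-8], msg[-8:]
        if ctr != self.expected_ctr or not hmac.compare_digest(t, tag(self.session, msg[:-8])):
            raise PermissionError("secure messaging check failed")
        self.expected_ctr += 1
        reply = b"OK:" + payload
        return reply + tag(self.session, ctr.to_bytes(4, "big") + reply)


class Reader:
    def __init__(self, master: bytes):
        self.master = master
        self.session, self.ctr = None, 0

    def authenticate(self, card: Card) -> bool:
        """Three-pass mutual authentication with the card's diversified key."""
        key = diversify(self.master, card.uid)
        r_card = card.get_challenge()
        r_reader = secrets.token_bytes(8)
        try:
            card_tag = card.external_authenticate(r_reader, tag(key, b"reader" + r_reader + r_card))
        except PermissionError:
            return False  # the card refused us: this reader does not hold the right key
        if not hmac.compare_digest(card_tag, tag(key, b"card" + r_card + r_reader)):
            return False  # a card with the wrong key (clone or counterfeit) stops here
        self.session, self.ctr = session_key(key, r_reader, r_card), 0
        return True

    def build(self, payload: bytes) -> bytes:
        """Wrap a command in the secure messaging envelope and advance the counter."""
        body = self.ctr.to_bytes(4, "big") + payload
        self.ctr += 1
        return body + tag(self.session, body)

    def send(self, card: Card, payload: bytes) -> bytes:
        """Send one protected command and verify the card's protected reply."""
        reply = card.process(self.build(payload))
        body, t = reply[:-8], reply[-8:]
        if not hmac.compare_digest(t, tag(self.session, (self.ctr - 1).to_bytes(4, "big") + body)):
            raise PermissionError("card reply failed integrity check")
        return body
```

Production contactless platforms use block-cipher MACs and encrypt the payload as well; the structure (per-card keys, fresh nonces on both sides, a counter under a session key) is the part that carries over.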

With these capabilities, organizations can ensure the highest level of security, convenience and interoperability on either cards or phones, along with the adaptability to meet tomorrow’s requirements, including strong authentication for protecting data and applications in the cloud combined with contactless high-frequency smart card capabilities for diverse physical access control applications.

With proper planning, organizations can solve the strong authentication challenge while extending their solutions to protect everything from the cloud and desktop to the door. These converged solutions reduce deployment and operational costs by enabling organizations to leverage their existing physical access control credential investment to seamlessly add logical access control for network log-on. The result is a fully interoperable, multi-layered security solution across company networks, systems and facilities.

Author profile

Julian Lovelock Vice President, Strategic Innovation, HID Global