For the longest time, employees of an organization used a credential, be it a card or a keyfob, to gain physical access to the building. But more and more, access to both the physical doors as well as IT resources – those that reside on the network – is converged, resulting in what is called physical and logical access integration on one credential.
According to a recent whitepaper by HID Global, such convergence was driven by various factors including an increase in the occurrence of advanced persistent threats (APTs) worldwide, as well as a decrease in the control of IT assets due to sanctioned and unsanctioned BYOD (“Bring Your Own Device”) adoption. Improved user experience was also cited.
“The ability to combine access control for physical and IT resources on a single device that can be used for multiple applications improves user convenience while increasing security and reducing deployment and operational costs. It will eliminate the need for separate processes for separately provisioning and enrolling IT and PACS identities,” the whitepaper said. “Instead, it will be possible to apply a unified set of workflows to a single set of managed identities for organizational convergence. Organizations will be able to seamlessly secure access to physical buildings and IT resources, such as computers, networks, data, and cloud applications.”
With a converged access control model, the credential can be delivered in a variety of form factors, such as a smart card or even a smartphone. According to HID Global, there are three common models for architecting the solution, and they are summarized as follows:
In the first model, users take the same contactless card they already present to door readers and tap it to a reader attached to a personal computer or laptop in order to log in to the computer and its network resources. However, according to the whitepaper, this approach does not employ public key infrastructure (PKI), which provides the strong authentication needed for logical access, digital document signing, and highly secure access control to sensitive areas.
Dual chip card
A single smart card is embedded with a contactless chip for physical access control and a contact chip for logical access control. “The dual chip card model is popular with medium to large enterprises with sensitive intellectual property (IP) or customer data on their networks, because it delivers strong security,” the whitepaper said.
Dual interface chip cards
This model leverages a single PKI-capable chip, with both a contact and contactless interface to support both physical and logical access control. “The card can be used to support a contact card reader for logical access use cases, such as logging into a computer or signing an email, and PKI authentication for physical access,” HID Global said. “The dual interface card model is applicable primarily in U.S. Federal government organizations.”
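As an added illustration of why the first model's lack of PKI matters (this program is written for this page; it is not code from the HID Global whitepaper or from any vendor), the Go example below puts a legacy reader that accepts a static contactless identifier next to a PKI reader that issues a fresh nonce per tap and verifies an ECDSA signature from the card. The Card, LegacyReader and PKIReader types, the holder name and the sample identifier are assumptions made for the example; real contactless technologies vary, and some use symmetric mutual authentication rather than a bare static ID, so the legacy side stands in for the no-PKI case the whitepaper describes. An eavesdropper who replays a captured identifier is admitted; one who replays a captured signature against the next challenge is not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card is a hypothetical converged credential (an assumption for this example,
// not any vendor's product): a legacy static identifier for the "tap the same
// card" model plus a PKI key pair whose private key never leaves the card.
type Card struct {
	StaticID []byte
	priv     *ecdsa.PrivateKey
}

// NewCard enrolls a card with a static ID and a fresh P-256 key pair.
func NewCard(id string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{StaticID: []byte(id), priv: priv}, nil
}

// TapStaticID models the legacy exchange: the card emits its identifier and
// nothing in the exchange depends on a value chosen by the reader.
func (c *Card) TapStaticID() []byte { return c.StaticID }

// SignChallenge models the PKI exchange: the reader sends a fresh nonce and
// the card returns an ECDSA signature over it.
func (c *Card) SignChallenge(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// PublicKey is what the reader stores at enrollment time.
func (c *Card) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// LegacyReader admits any identifier on its enrolled list.
type LegacyReader struct{ enrolled map[string]bool }

func (r *LegacyReader) Admit(id []byte) bool { return r.enrolled[string(id)] }

// PKIReader issues a random nonce per tap and checks the signature against the
// enrolled public key, so a signature is only good for the nonce it was made over.
type PKIReader struct{ enrolled map[string]*ecdsa.PublicKey }

func (r *PKIReader) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

func (r *PKIReader) Admit(holder string, nonce, sig []byte) bool {
	pub, ok := r.enrolled[holder]
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Result records whether each of three taps was admitted.
type Result struct {
	LegacyReplayAdmitted bool // captured static ID replayed to the legacy reader
	PKILiveAdmitted      bool // genuine card answering a fresh challenge
	PKIReplayAdmitted    bool // captured signature replayed against a new challenge
}

// RunScenario enrolls one card at both readers, then plays an eavesdropper who
// captures one exchange of each kind and replays it.
func RunScenario() (Result, error) {
	var res Result
	card, err := NewCard("0001234567") // constructed sample identifier
	if err != nil {
		return res, err
	}
	legacy := &LegacyReader{enrolled: map[string]bool{string(card.StaticID): true}}
	pki := &PKIReader{enrolled: map[string]*ecdsa.PublicKey{"holder-42": card.PublicKey()}}

	// Legacy model: the bytes the card sent are all the reader ever checks.
	captured := card.TapStaticID()
	res.LegacyReplayAdmitted = legacy.Admit(captured)

	// PKI model, live tap.
	nonce1, err := pki.NewChallenge()
	if err != nil {
		return res, err
	}
	sig1, err := card.SignChallenge(nonce1)
	if err != nil {
		return res, err
	}
	res.PKILiveAdmitted = pki.Admit("holder-42", nonce1, sig1)

	// PKI model, replay: the reader picks a new nonce, so sig1 no longer verifies.
	nonce2, err := pki.NewChallenge()
	if err != nil {
		return res, err
	}
	res.PKIReplayAdmitted = pki.Admit("holder-42", nonce2, sig1)
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The same shape, a reader-chosen nonce signed by a key that never leaves the chip, is what the contact-interface logon in the dual chip and dual interface models relies on; the legacy reader, by contrast, has no way to tell a live card from a replay of its last tap.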
According to HID Global, PKI authentication over a contactless interface can be too slow for physical access use. To address this, HID Global cites FIPS 201-2, the 2013 revision of the FIPS 201 U.S. Federal government standard for Personal Identity Verification (PIV), which allows the use of the Open Protocol for Access Control Identification and Ticketing with privacY (OPACITY) authentication suite. OPACITY is expected to deliver roughly four times the performance for critical tasks, the company said.