Make presence in a building or area a policy in accessing network resources by integrating physical and network access through the Trusted Computing Group's IF-MAP communications standard.
Introduction
Technology has changed the nature of the enterprise and how enterprises protect themselves from
threats and manage risk. Assets once were things that could be “secured” with walls, alarms, keys and
guards. Security systems were purchased and operated by a security department, monitored after hours
by a contract central station and very localized.
Today, an organization’s most valuable assets may be invisible – data and information about its
customers, technology, business plans and financial assets. And instead of locking these assets away, we
now make them accessible to our staff, customers and business partners from their desktops, laptops
and mobile devices, often far away from the walls of protection we have built, and sometimes in
locations where network access is offered as a marketing convenience to accompany a refreshing cup of
coffee.
And while the nature of business demands that we make data accessible everywhere all the time,
government imposed regulatory environments have increased, and the cost in time, money and damage
to brand as a result of a security breach or data hack is, at best, expensive, and may be fatal.
Organizations now realize that security is no longer a department, but an integral component of the
management of the enterprise. It is not something that is purchased or bolted on, but something that
must be woven into the very fabric of the business. Effective security and risk management now touches
and must include human resource policies, identity management, physical security, cyber security,
network security, credentialing, logical access, surveillance, compliance initiatives, reporting and
forensics.
Connecting the dots across all of those disciplines has been the challenge. This whitepaper discusses a
standards-based enterprise solution that allows disparate systems to share unstructured data across
unstructured relationships and to act upon this information in accordance with organizational policies,
providing a cohesive security management framework that ties it all together.
The Physical/Cyber Security Gap
In most enterprises, physical security and cyber security efforts are distinct disciplines, with distinct
missions, departments and management structures. Therein lies the problem. Between those silos lie
gaps in process, policy and practices that may be exploited by attackers inside and outside the
organization.
Most organizations have deployed some type of physical access control system that
requires the use of access cards, PIN numbers and/or biometric verification to enter
buildings and specific areas within those buildings. Most have also implemented
some type of network access control environment, and the majority of those rely on
user name and password for network authentication and access. And since each of those systems is
generally under the control of a different department with a different mission, almost none have
integrated the two. Each system seems to fulfill its individual mission, which can create a false sense of
security, or worse, create conditions that may lead to serious security breaches.
As an example, consider the following company, whose physical security and IT security departments
have established the following rules:
• All employees must use their access card at all building entry points
• All employees must use network passwords that contain at least 8 characters, which must include at least one capital letter, one number and one other special character. Passwords cannot be a dictionary word. Passwords are case sensitive, must be changed every 60 days, and may not be reused
Both are good, strong security policies. But in the real world, what will happen?
• Employees will hold the door open for their co-workers who arrive together
• While strong passwords provide additional protection against password hack attempts (the most common password in unrestricted environments is “password”), strong password policies almost guarantee that the employee will write down his new secure password and keep it in his desk drawer
(Illustration: a sticky note reading “My password: xYhwpn57*b”)
So let’s see what can happen when an employee travels to visit a company site in another city. He
arrives at the remote site, and uses his access card to enter the door, and his access is recorded as a
normal event in that site’s access control system.
Back at HQ, someone has found the sticky note on which the employee has written his very strong
password, and has logged onto the system under that employee’s name and has been granted access to
all the traveling employee can see, and all activity will be logged to the traveler’s IT account. The
network access control system validated the user name, password – even the status of the virus
protection of the computer logging onto the network, and all conditions were successfully met.
In this case, both systems did what they were supposed to do. No physical security alarm was
generated, no network anomaly reported. But a serious breach occurred.
In an integrated world, a person’s presence in a building or specific area would be one of the factors the
network security system considers before it allows access to critical network resources. This would not
only enhance network access security, but improve physical security, as employees would be less likely
to tailgate in behind each other, even if the door is held open by another polite, but security policy
violating person.
Once the technical aspects of physical/network access control integration are in place, additional
policies may evolve. Readers may be placed at physical points of egress from the building, and
employees would need to use their access credential to leave the building, which disables their local
access privileges, and enables remote and VPN network access. Doing so provides a more accurate
accounting of who is in the building or area at any given time.
IT Meets Physical Security
For several years, the buzz in the physical security world has been the convergence of physical and cyber
security. The problem was that “convergence” meant different things to different physical security
system and device vendors. To some, it simply meant adding a terminal server in front of a serial device
and connecting it to an IP network pipe. To others, it meant developing custom integrations through
APIs, SNMP, syslog, etc. And to many in the IT space, convergence with physical security was not even
on their radar screen.
The security threat that organizations face, however, is very much converged. Organizations must have
strong physical and cyber security environments, as weaknesses in either will be exploited by enemies
who don’t care how they get in. To truly meet the challenge and vision of convergence, cyber and
physical security efforts, systems, policies and data must be coordinated and interoperable.
Standards and Trust
To obtain interoperability between disparate systems, two elements are necessary – a standard way to
communicate, and trust between the parties and systems doing the communicating so that each party
can validate the identity of the other with a very high level of assurance.
While the IT community has long embraced standards, the physical security industry has been slow to
follow suit. Some standards are emerging in physical security but, when it comes to securing data at
rest and in transit, the IT industry has already tackled the challenge. In particular the 100+ member
Trusted Computing Group has developed an open architecture and suite of protocols designed to allow
high levels of interoperability, yet increase the security of data and protect the operational integrity of
the devices that are connected to the IP network. The architecture is referred to as the Trusted
Network Connect (TNC). Among its protocols, IF-MAP (Interface for Metadata Access Points) provides
a secure, open and flexible approach for communicating or sharing data between trusted applications,
devices and systems.
IF-MAP has several components that provide both standards-based interoperability and high degrees of
trust, all of which are widely embraced by the IT industry. Specifically, this protocol suite includes:
• Mutual Certificate-Based Authentication - establishes trust between devices / systems that share information
• Encrypted Communications - protects data while in transit
• Simple Object Access Protocol (SOAP) Bindings - SOAP is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. In other words, it provides a basic messaging framework upon which web services can be built. It relies on eXtensible Markup Language (XML) as its message format
• XML Metadata Exchange - a widely used and endorsed schema for communicating data between devices and applications in a common manner. The XML-based protocol consists of three parts: an envelope, which defines what is in the message and how to process it; a set of encoding rules for expressing instances of application-defined datatypes; and a convention for representing procedure calls and responses
More specifically, IF-MAP defines a protocol and associated database used by applications and systems
to publish information, subscribe to changes in information and interest, and search for relevant data.
This publish, subscribe and search model allows compliant devices to seamlessly share information
without requiring individual, custom integration efforts. All compliant devices publish events and status
to the Metadata server, and other compliant devices can choose which information and systems they
wish to subscribe to. This is very much like social media for networks. In essence, we go from a
complex, brittle and expensive myriad of point to point custom integrations that ends up looking
something like this:
To a more streamlined, efficient and effective network environment that allows various network
components to share data with others, even though those relationships and data may be unstructured.
The IF-MAP protocol provides such an environment, which looks more like this:
Images Courtesy of Infoblox
IF-MAP Converges Physical and Cyber Access Control
Physical access control systems like those provided by Hirsch typically control movements through
doors, parking gates, and other physical portals and barriers. Authorized personnel authenticate
themselves at those portals using a credential, which may be an access card, a PIN number, a biometric
element (finger, iris, etc.), or some combination of those components. These systems protect physical
assets like buildings, equipment and personnel by ensuring that only the right people access sensitive areas,
and assist with governance and compliance activities through role-based permission assignment and by
building an audit trail of all activities.
Recognizing the impact of physical security on the cyber and IT security worlds, Hirsch is a member of
the Trusted Computing Group and has adopted the IF-MAP communications protocol as an option for
their Velocity™ physical access control system. Hirsch has labeled their IF-MAP enabled communications
option the Hirsch PACE™ Gateway.
Threats to an organization include network and cyber attacks, which force organizations to implement
highly restrictive network environments and processes that make it difficult and inefficient for trusted
users to gain access to network assets that may be critical for them to complete their tasks. The Hirsch
Velocity PACE IF-MAP implementation solves this problem by giving organizations the ability to have a
dynamic and flexible network access control (NAC) policy based on “presence” in an area.
One of the initial use cases of Hirsch PACE Gateway is the linking of physical presence in an area or
facility to network access privileges. In this case, Hirsch Electronics, Infoblox and Enterasys teamed to
provide end to end physical and network access control integration. The Hirsch Velocity™ Physical Access Control System (PACS) processes access control entry and exit transactions and publishes those events (including person and location metadata) to the Infoblox IF-MAP Server. That person’s location status becomes one of the parameters the Enterasys Network Access Controller considers before granting that person access to network resources. If that person should leave the area, local privileges may be disabled, etc.
A similar network access control solution is available with Juniper Networks Universal Network Access Control products.
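As an added illustration (not Hirsch, Infoblox, Enterasys or Juniper code; the class names, method names and the "grant"/"deny" outcomes are assumptions), the following Python models the publish, subscribe and search flow described above together with the presence policy from the traveling-employee example, including the EXIT reader and auto log-off behaviour:

```python
class MapServer:
    """Toy Metadata Access Point: latest area per identity, pushed to subscribers."""
    def __init__(self):
        self.location, self.subscribers = {}, []   # identity -> area (None = badged out)
    def publish(self, identity, area):
        self.location[identity] = area
        for callback in self.subscribers:
            callback(identity, area)
    def subscribe(self, callback):
        self.subscribers.append(callback)
    def search(self, identity):
        return self.location.get(identity)

class PhysicalAccessSystem:
    """Toy PACS: entry and EXIT reader events become published metadata."""
    def __init__(self, map_server):
        self.map_server = map_server
    def badge_in(self, identity, area):
        self.map_server.publish(identity, area)
    def badge_out(self, identity):
        self.map_server.publish(identity, None)

class NetworkAccessController:
    """Toy NAC: called after the user name/password check; presence decides the outcome."""
    def __init__(self, map_server):
        self.map_server = map_server
        self.sessions = {}   # identity -> set of sites with a live local session
        map_server.subscribe(self.on_presence_change)
    def on_presence_change(self, identity, area):
        # Leaving or changing area ends local sessions elsewhere (auto log-off policy).
        self.sessions[identity] = {s for s in self.sessions.get(identity, ()) if s == area}
    def decide(self, identity, access_type, site=None):
        area = self.map_server.search(identity)
        if access_type == "local" and area == site:   # badged into the requesting site
            self.sessions.setdefault(identity, set()).add(site)
            return "grant"
        if access_type == "vpn" and area is None:     # remote access only while badged out
            return "grant"
        return "deny"

def traveler_scenario():
    """Replays the paper's example: employee at the remote site, password used at HQ."""
    mp = MapServer()
    pacs, nac = PhysicalAccessSystem(mp), NetworkAccessController(mp)
    pacs.badge_in("jdoe", "remote-site")                # constructed sample identity
    imposter = nac.decide("jdoe", "local", site="HQ")   # right password, wrong place
    traveler = nac.decide("jdoe", "local", site="remote-site")
    vpn_inside = nac.decide("jdoe", "vpn")
    pacs.badge_out("jdoe")                              # EXIT reader: ends local session
    return imposter, traveler, vpn_inside, nac.decide("jdoe", "vpn"), nac.sessions["jdoe"]
```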
The security benefits of such a convergence include:
• Enhance the physical security environment
o Minimize the likelihood of physical access “tailgating” at doors. Persons who neglect to present their credential to designated door entry readers may be denied access to all or selected network resources
o Encourage the use of “EXIT” readers. While we cannot lock people inside of areas, it is often desirable to know which persons are actually in which areas at any time. If all persons badge “in” and “out” of areas or buildings, we can get an accurate accounting of who is where, which can be helpful when arming alarm systems and in emergency evacuation situations. With the IF-MAP network security integration, leaving an area and using an exit reader can disable local network privileges and enable remote VPN access privileges.
• Enhance the network security environment
o Minimize the likelihood of internal password hacks. Even if a co-worker compromises a fellow employee’s password, that password would not work if that target employee was not physically in the area or building
o Minimize the possibility of downloads of controlled information by unauthorized individuals
o Eliminate simultaneous network connections from multiple locations
o Enforce log-off policies. While most organizational policies require employees to log off their desktops when they leave their area, not all do. If the employee uses his access card at another reader or at an exit reader, the NAC controller will pick that up and automatically log off that user
o Increase remote access security. Persons who have badged in the building can be denied remote, VPN or even wireless access
• Enhance compliance efforts
o This type of integration can help organizations comply with separation of duties and desktop security requirements under Sarbanes-Oxley, HIPAA privacy regulations, DCID and ICD secure facility specifications, GLBA privacy concerns and more. More importantly, as part of an overall policy-driven enterprise security program, measures like this can be effective in preventing the kinds of data breaches that can ruin an organization’s reputation and credibility
o Ensure consistent de-provisioning in network and physical security environments upon employee separation
An especially compelling feature of this kind of integration is that it does not care what type of
credential is used to identify persons, so does not require rebadging of employees or the introduction of
a PKI infrastructure. Proximity cards, PIN codes, biometrics – whatever the organization is using now for
physical security purposes can still be used. User name and password may still be used at the desktop,
etc.
The above applications rely on an individual’s physical presence as a policy input for granting or denying
network access. A logical next step is to have the Hirsch physical access control system subscribe to
events and perform actions based on activity published by other IF-MAP compliant systems and devices
on the network. For example, Hirsch Velocity could subscribe to Active Directory events (disable, enable,
delete, lock) and, accordingly, create/enable/disable and delete physical credentials and privileges,
ensuring complete and accurate physical/logical and network access provisioning and de-provisioning.
As additional TCG members adopt the IF-MAP standard, there will be other applications and
opportunities for PACE, including integration with wireless access controllers, SCADA and security
information and event management (SIEM) systems.
Summary
As the threat organizations face becomes more sophisticated, and budgets tighten, organizations must
take creative and effective measures to protect their people, their assets and their data. The lines
between physical security, identity management, provisioning, network security and logical security are
blurring, and managing risk is now a C-Level imperative.
By adopting IF-MAP, Hirsch has placed itself squarely in the IT camp that is driving trusted, scalable,
standards-based interoperability and data sharing not just in the security space, but throughout the IT
ecosystem.
Infoblox, Enterasys Systems, Juniper Networks and Hirsch are all members of the Trusted Computing Group. http://www.trustedcomputinggroup.org.
For more information on the Hirsch PACE Gateway, please visit http://www.hirsch-identive.com/products-services/converged-security/pac-nac-integration.