FIPS 201 News
Identity as a service
Outsourcing identity and credentialing matures
By Zack Martin, Editor, AVISIAN Publications
So, you want to deploy a converged smart card system for logical and physical access control for your company?
You start taking inventory: the operating systems in use, the applications that would have to be enabled, the public key infrastructure that would need to be deployed and the physical access control infrastructure, and you try to figure out how to make all of this work with one smart card for each employee.
And then you quit.
All kidding aside, deploying a converged solution can be time consuming, costly and frustrating. This is leading some to look at an identity as a service model, which is similar to the software as a service model, says Mark Diodati, research director at the Burton Group.
There are many items to take into account when combining physical and logical access controls. “It’s really hard to do,” Diodati says. “Many organizations spend lots of money and projects are delayed.”
Much of the costs for a smart card system are incurred with the initial deployment. “If you want to stand up a smart card deployment you have a lot of costs right up front,” Diodati says.
But with ID as a service offerings, like other managed services, companies pay a subscription fee based on the number of users. ID as a service solutions differ, but most involve card or token issuance, integration into existing IT infrastructures, PKI and identity management.
IDonDemand, Gemalto and Verizon Business are offering identity as a service, Diodati says. Offering logical access control as a managed service is not new, he adds, but including physical access control in the mix is new.
This complete converged solution is where IDonDemand is trying to create its niche. The company offers a credential that enables physical and logical access for $50 per employee, says Jason Hart, CEO at IDonDemand.
“We looked at the average cost of deploying a product (in the traditional manner) and it started at a couple of million bucks,” Hart says. “It’s a big price tag.”
“It is a concept that developed when I was at ActivIdentity,” explains Hart when asked about the origins of the IDonDemand concept. “Trying to resolve how we get more sustainable revenue, deliver better service and take something from the government and make it usable for the commercial customer.”
IDonDemand’s solution can be delivered through the Web, Hart says. “It’s a smart card that can open up the front door, log them in, encrypt data and conduct e-commerce,” he says. “What a customer gets from us is a fully managed, end-to-end solution and the certificate authority with some level of public trust, be it cross certified to the Federal bridge or something else.”
But the physical access control piece is the differentiator. Hart says IDonDemand can produce cards that emulate 30 different types of physical access control systems, including FIPS 201’s card authentication key, Mifare, PLAID and other ISO 14443 contactless smart card standards.
When a company is interested in deploying a smart card system with IDonDemand, it starts with a pilot involving a few employees, Hart says. It typically takes about 24 hours to provision the smart card infrastructure, set up the PKI and get the pilot users enrolled. This can be done remotely or at the customer site.
IDonDemand sets up a public and private key pair for each user for network login through Active Directory. It then sets up digital signature functionality for email, a process that is fairly straightforward with newer software systems, Hart says. “There’s a lot of native support built into products,” he adds. For older software packages IDonDemand has middleware to assist in the deployments.
The customer also uses the Web to design the badge, choose which types of certificates go on the card and select which physical access control systems the card should emulate, Hart says. The cards can be produced onsite if the company has a card printer with the necessary capabilities, or produced remotely at a central facility and shipped to the client. “The only infrastructure you need onsite is a Web browser,” he says. “Within 24 hours this one card will let them in the front door and log them on to the network.”
A year ago, IDonDemand thought its target market would be token replacement, but the company has seen a lot of demand in the convergence arena, Hart says. It also thought the sweet spot would be companies with five to 15,000 employees but has found many Global 1000 companies interested in the solution. “A lot of these companies have tried to install systems in the past and found the infrastructure too complex,” he says. “We found that providing the skill set in a certified, audited bunker gives them more features and options.”
Using the managed service approach also lets companies deal with one vendor for a project, as opposed to many if an organization decides to manage the deployment itself. “It’s one throat to choke for card supplies and certificates,” Hart says. “You don’t have to deal with a lot of different vendors.”
In addition to corporate settings, the company has seen interest in the ID as a service model from many different markets, including health care and state government for PIV-I, Hart says.
Gemalto has two different managed service offerings, says David Teo, marketing manager for online authentication at the company. The first is its Device Administration Service that uses smart card-based one-time password devices.
The solution is designed to complement Gemalto’s .NET smart card by providing organizations with a cost-effective and user-friendly service to perform card issuance and administration tasks. These tasks include card initialization, PIN change, key change, PIN unblock and card reset.
Device Administration Service is a fully hosted service targeting small-to-medium size businesses. It is made up of an administrator portal where cards are initialized before issuance, PINs are unblocked remotely and certificates are loaded, Teo says.
There is also an online user portal where PINs can be reset thus eliminating help desk calls. The self-service portal automates basic tasks improving end user satisfaction, Teo says.
The Device Administration Service is much more cost effective than an on-premise system, Teo says. “The savings come from the pay-as-you-go pricing, no hardware maintenance and no need for costly deployment,” he says.
This solution can’t be directly compared with the full-scale card management systems that are typically targeted at large organizations. “They offer integration with identity management systems and provide fuller feature sets that are required for large organizations, but tend to be overkill for small and medium sized businesses,” he says.
For a comparison between the Device Administration Service and similar on-premise card administration systems–as opposed to card management systems–the cost to deploy a card administration system for a 500-employee organization is about $30,000 with three years of support, Teo says. “Contrast this with about $4,000 for the Device Administration Service over three years,” he says. “Customers can choose to buy an annual subscription, a two-year subscription, or three-year subscription upfront with significant discounts.”
Also using the ID as a service model, Gemalto offers Authentication as a Service. This is a cloud-based OTP server that enables organizations to implement OTP authentication for Virtual Private Networks, Outlook Web Access, internal Web applications and external Software as a Service. Organizations are offered a choice of a mobile OTP application for smart phones or a separate hardware token.
Authentication as a Service is designed for organizations looking for strong authentication solutions that are cost effective, easy to deploy, easy to use and easy to manage, Teo says.
The pay-as-you-go model enables organizations of any size to lower upfront investments and operational costs. This is a result of not having to maintain hardware servers as well as the overall lower subscription costs compared to on-premise server software. This service is under development and is expected to be available in the coming months.
Verizon Business has been involved in credentialing and identity in a variety of ways, says Mark Shapiro, senior marketing strategist for the company’s Identity as a Service business. The identity piece came to Verizon Business through its acquisition of Cybertrust.
The company has done a lot of work with first responders to set up PIV-I credentials, but also offers hosted two-factor authentication solutions for corporations as well as single sign-on and federated identity, Shapiro says. “We run managed services around PKI and OTP for a lot of corporations,” he says. “Basically an organization outsources its identity management infrastructure.”
As more companies move to cloud-based applications, Verizon is seeing organizations change their identity infrastructure, Shapiro says. Even those with an existing infrastructure and tokens are switching as more applications become cloud based. “They need to ramp it up and we’ll walk through it with them and evaluate the methods in place,” he says.
When a company brings in Verizon Business, they basically perform a takeover of the identity solutions, Shapiro says. Whether the organization is starting from scratch or has existing systems dictates what happens next. It also depends on what the organization is hoping to accomplish. “Is cost a driver or security a driver,” he asks, “or is it a combination of the two?”
While smart cards are popular in government, one-time password tokens and applications that can be used on smart phones for secure access are used more in corporate settings, Shapiro says. Running the OTP software on smart phones has become a popular way to secure access to applications. “In a lot of the cases they don’t want to distribute tokens,” he says. “They want to get out of the logistics and ease the use. They are becoming more aware of the costs and the headaches associated with the tokens.”
The traditional use for the token is access to corporate virtual private networks. But uses for these OTPs are growing as organizations add PKI and access to cloud-based applications, Shapiro says. “We’re seeing a hybrid with PKI and OTP,” he says. “When it comes to those types of deployments some people say they just can’t manage and it’s scaled better to have another organization do it.”
But the credential is just one piece of the identity puzzle that Verizon Business is seeing interest in from corporations. Adding federation and single sign-on is also becoming popular, says Shapiro, and it is tough for some organizations to crack.
Adding federated identity is a challenge because it takes all the application and computer logins, local, remote and in the cloud, and makes them one. The idea is for there to be one login for everything. A sales person on the road would use the same login for the computer and be able to access cloud-based applications, such as SalesForce.com. “We set ourselves up as a hub that sits in the middle and translates into the federation,” Shapiro says.
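The hub-in-the-middle pattern Shapiro describes can be sketched in a few dozen lines. The following is an added illustration written for this article, not Verizon’s code: a hub authenticates the user once against a (constructed) directory, then issues a short-lived assertion bound to one named application, and the application checks the signature, audience and expiry before trusting the user name inside. Real federation uses SAML or OpenID Connect with public-key signatures; an HMAC over a shared key stands in here so the block runs with the standard library alone. All names, keys and the directory contents are the example’s own.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed per-application keys shared between the hub and each relying
# party. A production hub signs with its private key and each application
# holds the hub's certificate instead.
APP_KEYS = {"crm": b"constructed-crm-key", "mail": b"constructed-mail-key"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def password_hash(password: str, salt: bytes = b"constructed-salt") -> bytes:
    """Stand-in for the enterprise directory's password check (AD/Kerberos
    in practice); a real directory uses a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class FederationHub:
    """Sits between the enterprise directory and the cloud applications.
    The user proves identity to the hub once; each application then gets
    its own assertion and never sees the directory password."""

    def __init__(self, directory: dict, app_keys: dict):
        self.directory = directory  # username -> password_hash(...)
        self.app_keys = app_keys    # audience -> signing key

    def login(self, username: str, password: str):
        stored = self.directory.get(username)
        if stored is None or not hmac.compare_digest(stored, password_hash(password)):
            return None
        return username  # subject of the authenticated session

    def issue(self, subject: str, audience: str, now: int, ttl: int = 300) -> str:
        """Assertion = base64(claims) '.' base64(HMAC-SHA256 over the claims).
        'aud' pins it to one application; 'exp' bounds how long it is valid."""
        claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.app_keys[audience], body.encode(), hashlib.sha256).digest())
        return body + "." + sig


def verify_assertion(token: str, expected_audience: str, key: bytes, now: int):
    """Relying-party side: returns the subject, or None if the signature,
    audience or expiry check fails. Signature is checked before any claim
    is read, so unsigned input never influences the decision."""
    try:
        body, sig = token.split(".")
        given = _unb64(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    hub = FederationHub({"alice": password_hash("correct horse battery")}, APP_KEYS)
    subject = hub.login("alice", "correct horse battery")
    token = hub.issue(subject, "crm", now=1_000)
    print("crm accepts:", verify_assertion(token, "crm", APP_KEYS["crm"], now=1_100))
    print("mail accepts:", verify_assertion(token, "mail", APP_KEYS["mail"], now=1_100))
```

The audience check is the part most often skipped in home-grown SSO: without it, an assertion minted for a low-value application can be replayed against a high-value one, and the single login Shapiro describes becomes a single point of compromise.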
Is the future of identity outsourced?
As more organizations move applications to the cloud, there’s a need for greater security and two-factor authentication looks to play a role. Many organizations simply do not have the resources–manpower, expertise or capital–to roll out an identity and credentialing system on their own. For this growing number of organizations, a managed service offering may be the ideal way to fill that gap.