FIPS 201 News
Physical access control goes to the cloud
Government and enterprises want centralized security management
Zack Martin, Editor, Avisian Publications
Mike Leete doesn’t like computer servers. The General Services Administration’s project manager at the Neil Smith Federal Building in Des Moines, Iowa doesn’t care for the resources it takes to operate and maintain a server room.
So when the 10-story, 40,000 square-foot building needed to update its physical access control system he sought options that would relieve the need for him to maintain servers. “If you have a server farm somewhere else that I can put one in, it’s an advantage for me,” Leete explains, adding that tech support for servers has always been problematic.
The solution? Take it to the cloud.
The Neil Smith Federal Building may be among the first federal buildings to deploy a cloud-based physical access control system, but it certainly won’t be the last. Moving physical access to a centralized server that can communicate with multiple agencies or office locations is a trend many industry insiders are seeing.
While this may not be the public cloud that consumers are used to hearing about, government agencies and enterprises are migrating systems to private clouds, linking various locations via servers held in centralized, remote data centers.
Organizations are also moving away from proprietary physical access control technology to systems that use open standards. The U.S. government’s FIPS 201 specification is a driver for these standards-based systems, explains John Piccininni, vice president of business development at the Identive Group. “Access control systems have been highly proprietary, but we’re moving away from that to open-source environments,” he adds.
The U.S. government is facilitating this move to standards-based, enterprise systems, says Kevin Kozlowski, vice president at Xtec. The White House Office of Management and Budget Memorandum M-11-11 mandates that federal agencies start using issued PIV badges for logical and physical access. Additionally, the growing availability of FIPS 201-based physical access systems is offering another option for enterprises seeking standardized solutions.
In Des Moines the switch to the new physical access system was facilitated by both M-11-11 and the need to update an existing system that was 10 years old, Leete says. GSA officials at the building discussed it for almost a year before deciding they wanted a physical access system that would be remotely hosted.
Leete found such a system from BridgePoint Systems. However, the company’s solution had not been certified by the GSA for use in federal buildings or on the GSA network.
BridgePoint worked with the GSA to get approval for the system, says Tom Corder, president and CEO at the company. The system went through vulnerability testing and was approved for use on the GSA network. “In the true world of cloud, it will never truly be Software as a Service; you have to have some hardware where you do enrollment,” he explains. But it met Leete’s desire to minimize server deployment.
The system is run on a GSA server in Kansas City, Mo. The system can issue new PIV credentials and can also enroll existing credentials into the local system, Corder says. Once enrollment is complete, the data goes to the cloud and privileges for access are downloaded to the building’s network of controllers and door readers. BridgePoint enrolls the signature from the PKI certificate on the credential, and during authentication it verifies the enrolled certificate against the one on the presented card.
Before the system could be installed all 800 employees and 100 contractors working in the building had to be enrolled, Leete says. That started with many finally receiving their initial PIV credential. “Every agency was different, some had PIV cards, some had never gotten them and few were actually using them,” he says.
If employees already had a PIV card, enrolling in the system consisted of entering their PIN, phone number and agency. For employees that knew their PIN, the process took just 90 seconds. “Almost all had to have PIN resets,” explains Leete, a process that added time and complexity.
Once the user base was enrolled in the local system, the larger solution could be deployed. A new head controller had to be installed along with networking for that piece of hardware to the security office. Other than that, the existing wiring infrastructure was able to work with the new system. For the new smart card readers (contact, contactless, and PIN pads), BridgePoint made a special plug to connect the new readers to the existing wiring, Leete says.
The installation was done over two weeks, Leete says. The physical access control system required installation of 23 readers on parking gates, elevator controls and automated doors. “We did the elevators first to make sure we didn’t have any unforeseen problems,” he adds. All the work was done in the evening after normal work hours so employees weren’t inconvenienced.
Employees typically just use the contactless interface on the card for access to the elevators and other areas, Leete says. There are contact readers and PIN pads as well that can be used in situations requiring heightened security. Perimeter doors are equipped to read the chip’s contact interface and require a PIN for access outside normal business hours.
Issuance and enrollment challenges
Deploying and using the system was relatively easy, but communicating and coordinating with all 45 agencies was a more difficult task, Leete says. Simply obtaining the lists of individuals who had to be issued PIV credentials and enrolled in the system took a lot of time.
The first day the new system was turned on there were 50 people who still hadn’t come in to enroll in the local physical access system. Others had neglected to turn in old badges. “We had to tell the public service officers not to let people in with old badges,” Leete adds.
The building also houses offices for two senators whose staffs are not eligible to receive PIV credentials. HSPD-12 only mandates PIV credentials for executive branch employees and the senate staffers are legislative employees. For these individuals, Leete and his team created a different credential that would work with the new system.
While the Neil Smith building is the first GSA facility to deploy the cloud-based system, it’s open to others. “Any of those GSA buildings in the Kansas City region can basically jump on our system, and they can do it at a lower cost,” says Corder. “And they don’t have to bid out or evaluate other systems.”
The local building would need only purchase an enrollment system and the proper controllers, and could have it up and running easily, Corder says. BridgePoint is fielding questions from other government agencies on the cloud-based system but has no other federal deployments.
Since the cloud-based system was deployed last summer, there have been only a couple of problems when there was server maintenance at the Kansas City facility, Leete says. Those issues have since been remedied.
Corporate enterprise finds value too
Corporations are also recognizing benefits that come from migrating separate systems for multiple locations to a single managed service solution. “They want one offering that is more robust,” says Dave Adams, senior director of Product Marketing for HID Global. “They don’t want the physical access control server to sit in a closet somewhere with one person in the control.”
The move to a cloud-based solution is in concert with the emergence of near field communication for physical access too, Adams says. “In the future our ability to connect a trusted source to that cloud-based system and deliver identities directly to a handset will reconfigure how physical access systems work,” he says.
Brivo Systems is also seeing corporate clients wanting to move physical access control to the cloud, says John Szczygal, executive vice president at the company. “On the enterprise side, corporations want to get away from their own personal investments and leverage another infrastructure,” he adds.
Brivo says physical access from the cloud can be as simple as installing a panel and a new system can be installed overnight, says Szczygal.
From proprietary to standards based
Besides cloud-based physical access systems, the other trend is the move from proprietary technology to standards-based systems. One of the drivers behind this is FIPS 201 and federal officials using PIV credentials for physical access control, says Szczygal.
The GSA manages many federal buildings, like the Neil Smith Building, that house multiple agencies. The GSA operates the perimeter security for these buildings but the agencies typically have their own security within. This often led to buildings having multiple physical access control systems, Szczygal says. “The typical federal building would have 15 to 30 different access control systems and many different types of credentials,” he adds.
Issuing PIV credentials has helped because the credentials use the same standard and appearance but agencies are still deploying different physical access control systems, Szczygal says. This is starting to change.
When corporate enterprises are looking to upgrade their physical access systems, Brivo encourages them to look at the Federal Identity, Credential and Access Management Roadmap for guidance and FIPS 201 as well, Szczygal says. “It provides an excellent framework, a great process for credential issuance and it also considers the lifecycle of the credentials … something that is lacking elsewhere,” he says.
Standardized technology increases end user options. “Multiple vendors can provide technology and the flexibility to add other applications,” Piccininni says.
This is a change for the physical access control vendors, says Xtec’s Kozlowski. “Legacy physical access control systems are based on secrets,” he says. “New systems are moving into a standard environment not based on secrets but sound, robust security.”
These new systems are also breaking down the barrier between security personnel and IT staff, Kozlowski explains. The two departments haven’t communicated, but since physical access systems are starting to run on the same network this is changing. “Now that they’re utilizing a common infrastructure they need to work together,” he says.
The white whale for physical access control vendors is a converged credential, one that is used for both physical and logical access. Convergence has been discussed for many years, and while FIPS 201 is a converged credential few use it for both purposes.
In the corporate world the use is even less, but some are taking smaller steps toward convergence that take advantage of network-based physical access systems, Piccininni says. He points to the IF-MAP protocol, which publishes access control logs to a server. Other servers can subscribe to that log and restrict access based on events. For example, if an individual tries to log in to the network from inside the building and they haven’t swiped in via the physical access system, they won’t be allowed to access network resources.
The next step is to use that same credential for login to the network, but even taking this one step can reduce potential intrusions. “This has cut down some hack attempts by half,” Piccininni says.
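As an added illustration of the badge-in/login correlation Piccininni describes (this is not code from the article or from any vendor named in it), the following Python sketch stands in a simplified in-memory publish/subscribe for a real IF-MAP server: the physical access system publishes badge events, a subscriber tracks who is currently inside, and a login originating inside the building is denied when the user has no badge-in on record. All user names, door names and event fields are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample badge log as the physical access system would publish it.
BADGE_LOG = [
    {"ts": "08:55", "user": "alice", "door": "lobby", "event": "in"},
    {"ts": "08:58", "user": "carol", "door": "lobby", "event": "in"},
    {"ts": "09:30", "user": "carol", "door": "lobby", "event": "out"},
]


class AccessLogPublisher:
    """Minimal stand-in for an IF-MAP-style server: fans events out to subscribers."""

    def __init__(self):
        self.subscribers = []

    def subscribe(self, callback):
        self.subscribers.append(callback)

    def publish(self, event):
        for callback in self.subscribers:
            callback(event)


@dataclass
class PresenceSubscriber:
    """Subscribes to badge events and keeps the set of users currently inside."""
    inside: set = field(default_factory=set)

    def on_event(self, event):
        if event["event"] == "in":
            self.inside.add(event["user"])
        elif event["event"] == "out":
            self.inside.discard(event["user"])


def evaluate_login(presence, user, from_inside):
    """Apply the rule from the article: an inside-the-building login needs a badge-in."""
    if not from_inside:
        return True, "external login; badge correlation not applied"
    if user in presence.inside:
        return True, "badged in"
    return False, "no badge-in on record"


def run_demo():
    publisher, presence = AccessLogPublisher(), PresenceSubscriber()
    publisher.subscribe(presence.on_event)
    for event in BADGE_LOG:
        publisher.publish(event)
    return {u: evaluate_login(presence, u, inside)
            for u, inside in [("alice", True), ("bob", True), ("carol", True), ("dave", False)]}
```

Running run_demo() allows alice (badged in), denies bob (never badged) and carol (badged out again), and leaves dave’s external login to whatever remote-access policy applies.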
With networks increasingly becoming the target of hackers it goes beyond good public relations to increase the security of the logical assets as well as the physical, says Szczygal. “Corporations are taking the credential a lot more seriously,” he adds.
Enterprise physical access at Denver school
Prior to 1999 Laradon, a Denver-based school for children and adults with developmental disabilities, didn’t have any physical access control system on its 15-building campus.
“The buildings were just open and people could come and go as they pleased,” says Annie Green, deputy director at Laradon. Established in the late 1940s, Laradon is a charitable organization in the Rocky Mountain region offering support, education, and training to children with developmental disabilities. Today, Laradon offers 12 different programs to more than 600 children and adults at its eight-acre campus in northwest Denver.
After school shootings at Columbine and other locations, Laradon rethought this open policy. Initially it started checking in everyone who entered the campus but then another shooting at a nearby recreation center caused the school to further tighten security.
In 2007 officials decided to deploy a cloud-based physical access control system that uses contactless smart cards, Green says. The school now has access control readers on 15 interior doors and three entrance gates to the campus. Key-Rite Security was the systems integrator for the project that uses technology from Brivo Systems.
The system gave Laradon a Web interface so that the 200 employees could be categorized and provided appropriate levels of access, Green says. For example, all the directors have 24-hour access while managers and teachers are only given access depending on when they’re scheduled to work. Access can also be changed via the Web interface so if someone forgets something in a classroom they can be given a temporary window of access to retrieve the item.
The system also enables officials to monitor contract work done on the premises. “We recently had some electrical and heat system work done and we programmed Brivo to provide the workers a three-hour window in only that building, and we could monitor how long they actually worked,” Green says.