www.sptnews.ca

Using BYOD smart phones for converged access control

The bring your own device (BYOD) mobility deployment phenomenon — where you’re allowed to use your smartphone for work — is growing in popularity as today’s smartphones simultaneously grow in capabilities. We can use our phones to access computers, networks and associated information assets and to open doors and enter secured areas. Deploying these applications in a BYOD environment requires security assessment, proper planning and the right technology and provisioning infrastructure.


October 2, 2012
By Tam Hulusi


Physical access control is among the most recent capabilities added to today’s smartphones. This requires a new identity representation that operates within a trusted boundary so that BYOD devices and their transactions can be trusted within the access-control managed network. The boundary provides a secure communications channel for transferring information between NFC-enabled phones, subscriber identity module (SIM) cards and other secure media and devices.
 
Using this framework, organizations can issue digital cards and keys to mobile devices via an Internet portal (similar to the traditional model for purchasing plastic credentials, but connecting the BYOD via a USB or Wi-Fi-enabled connector), or over the air from a service provider (akin to how today’s smartphone users download apps and songs). Digital IDs representing cards and keys can also be shared with authorized users via NFC “tap-n-give” provisioning, depending on the organization’s security policies.
 
This secure mobile provisioning model eliminates the traditional risk of plastic card copying and makes it easier to issue temporary credentials, revoke or cancel credentials when they are lost or stolen, and monitor and modify security parameters if required, such as when the threat level increases. Organizations also can offer dynamic, context-based rule-setting, such as invoking two-factor authentication, and they can support variable security levels and use additional data elements. For instance, two-factor authentication could be dynamically invoked when there is an elevated threat level, and an application could be pushed to the phone that requires the user to enter a four-digit PIN or to gesture-swipe before it sends the message to open the door.

Smart phones can also generate One Time Password (OTP) soft tokens for securely logging on to another mobile device or desktop computer to access the network. As physical and logical access control applications move to BYOD smart phones, there are several issues to address. First, all applications and other ID credentials must be containerized between personal and enterprise use. Apps also must be enabled for use with digital keys and cards (i.e., to support PIN entry to “unlock” key usage for authentication or signing). Additionally, middleware APIs must be standardized so that ID credential functionality can be exposed to the application.
 
It may also be necessary to support derived credentials, such as those derived from personal identity verification (PIV) cards for federal workers. The combination of containerization and derived credentials will also create the need for hierarchical lifecycle management. Also, there must be adequate cloud storage security so BYODs can be used for network and application logon. There are four possible approaches, with the best being federated identity management, in which the user authenticates to a central portal to access multiple applications.  
 
The coming generation of BYOD mobile access control solutions will deliver improved convenience and management flexibility while ensuring highly secure transactions between smart phones, computer and networking resources, the physical access control system, and new cloud-based and over-the-air identity delivery infrastructure.

Tam Hulusi is senior vice-president, strategic innovation and intellectual property for HID Global.

