Unified Physical and Logical Access Using Industry Standards and Protocols
Physical access and logical access have historically been two separate (and likely unequal) silos within an organization. IT has its password-based access mechanisms, with some modern improvements. Physical security has its proximity cards, Wiegand wiring, life/safety standards, and an ever-increasing smattering of computer and networking standards and protocols. Logical access is under increasing scrutiny to become easier, safer, better integrated with business processes, and less dependent on passwords.
Physical security, with its decade-long installation lifetimes, constraints imposed by safety requirements, and historically low priority, has over the last decade been forced to consider tighter integration with other business processes. Organizations are looking for logical and physical access to be unified. They want one set of business processes running on one set of Identity and Access Management (IAM) infrastructure components, or at least a harmonized set, to control networks, computers, doors, garage gates, and everything else.
These organizations also want unified access based on unified credentials and unified solutions. This is not hard -- in theory. Both logical and physical solutions have the same basic components: a back-end database, processes for onboarding and offboarding, access decision mechanisms, and credentials. They have the same goal: managed access in support of the organization. They have the same business drivers, which can be as simple as letting the boss into their office to use their computer without getting sued because an attacker got in through some device connected to the public internet.
The Path to Unification through Standards
Computer and networked systems have evolved over time to leverage standards. The entire Internet revolution happened in part because the marketplace was able to embrace a set of communication standards that allowed information to flow on a large scale. Logical access continues to evolve; in its most basic form it uses passphrases, and in more sophisticated configurations public-key cryptography, challenge/response mechanisms, and biometrics to control access. In many cases these mechanisms rely on standards to allow interoperability among disparate equipment. A modern IT environment will have some sort of IAM infrastructure that ties logical access to business logic and controls access at a finer grain than a simple login.
Physical security has followed a different path. From its roots over a century ago in primitive circuit signaling based on the telegraph, physical security technology has evolved with a focus on defending physical assets, including people. This evolution has moved physical security into the internet age at a slower pace, since typical systems last for many years and end users hang on to legacy technology until it is replaced. In the present systems landscape, computers, network equipment and the public internet are common components of physical security solutions. Modern physical security environments end up with their own IAM infrastructure, sometimes completely parallel to the equivalent on the logical side.
Many organizations have unified, or are investigating unifying, these two major infrastructure components. Business conditions and market forces are driving this: logical and physical access now use similar computer and networking solutions; public internet and cloud network and computing services are increasingly used; and new, innovative, and disruptive IoT devices are increasingly attached to the business infrastructure. Unifying logical and physical access is a step you probably need to take to address these issues, and standards can help.
Standards: From Where and Why
Technology lives and dies by standards. The technology market uses standards to deliver flexible, scalable, innovative solutions. The logical access world embraced this long ago; the physical security world is catching up. Standards develop as a technology matures, and it is generally a sign of a well-established solution when standards can be applied without hindering growth or migration.
Standards apply to both processes and technologies. Some examples include:
- How BICSI specifies you should lay down wiring in a cable tray;
- How NIST SP 800-53 specifies you should apply security controls to your deployment;
- How IETF RFC 791 specifies an IPv4 packet header will be populated;
- How an IEC 60320 type C5 connector is wired (the "Mickey Mouse" power cable, which is not officially named after a Disney character). Integrators often carry a spare "IEC" power cable with a 60320 type C13 connector.
There are many standards from many organizations, both public and private. They evolve; sometimes they are updated, retired, abandoned, or hacked. The technology used in our world has evolved standardized processes and mechanisms that make today's solutions possible. Standards organizations have been around for a long time. The International Electrotechnical Commission (IEC) was founded in 1906, modeled after earlier organizations. The Institute of Electrical and Electronics Engineers (IEEE) was formed in 1963 from two older engineering societies, and the Internet Engineering Task Force (IETF), formally established in 1986, grew out of the Internet research coordination bodies that trace back to the ARPANET work of the late 1960s. ONVIF, the Wi-Fi Alliance and the Bluetooth SIG are younger but well established. We use standards from all of these organizations in both logical and physical access solutions. Historically these standards have been used in parallel: IT and physical security both buy Cat-5 cabling for their workstations.
For logical access, we have standards for processes (e.g., NIST SP 800-53 for security controls), standards for physical components (e.g., ANSI/TIA-568 for Cat-5 cabling and connectors), and standards for communications protocols (e.g., IETF RFC 791 for IPv4). Standards are a well-understood part of the "IT" world. Physical access is more challenging. There are many standards around safety; standards organizations around the world monitor issues in fire safety, emergency egress, and the like. Some computer and networking standards apply as well. Physical security-specific standards include SIA's Wiegand-format standard and IEC 60839-11-5 (the Open Supervised Device Protocol, OSDP), as well as consortium standards like ONVIF.
Unifying Physical and Logical Access
Today, the physical and logical worlds have converged on myriad fronts. The technology has converged, the business processes have converged, and the threats have converged. This means it is now possible to look at access in a unified manner. We can open doors from computers and networks just as we can with a prox card. You can log into a computer with the same smart card you present to the door. The back-end systems that onboard your team members can now drive the entire process, from tax paperwork through granting badge access to the front door.
On the logical side, passwords are not the only solution. There are a variety of other mechanisms that can be used to grant access, from multi-factor tokens to phone messages to biometrics. These solutions can and should be built on standards-based mechanisms. The marketplace has evolved standards for this, including authentication and authorization protocols (RADIUS, SAML, 802.1X), credential formats (X.509 certificates, JSON-based tokens), and directory and infrastructure services (LDAP, DNS). These are used in the logical (IT) marketplace to provide access for people, devices, and network services. At the lowest level, IEEE 802.3 defines the electrical signaling on cables that are usually terminated with connectors wired per ANSI/TIA-568 (Cat-5). Imagine a world where every device had a different Ethernet cable and every business ran an incompatible email system. Before the Internet revolution, that was exactly the situation. It was the migration toward open standards that powered the revolution.
On the physical side, we have 26-bit Wiegand and lots of fire codes. Many organizations use more sophisticated mechanisms, but most of the installed base has historically relied on a reader recognizing a short number stored on a card. Some organizations use stronger identification mechanisms; however, an embarrassingly large number of both private and public sector organizations still employ 125 kHz prox, magstripe and similar credentials that can be read and cloned with inexpensive equipment and that travel unencrypted over the reader wiring. While these systems may satisfy life/safety requirements such as the UL 294 listing for access control units, they may or may not be well positioned to interconnect with today's business network infrastructure.
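To make the "short number" concrete, here is an added example (not code from the article or its author) that encodes and decodes the standard 26-bit Wiegand layout: one even-parity bit, an 8-bit facility code, a 16-bit card number, and one odd-parity bit. The facility code and card number used in the sample are constructed values, not a real credential, and the function names are this example's own. It shows that the frame carries no secret and that the whole format has only 2^24 possible credentials, so anyone who can tap the reader-to-panel wiring can capture a frame and replay it, or simply enumerate a facility's 65,536 card numbers.

```python
"""Added example (not from the article): encode and decode the standard
26-bit Wiegand card format.  Bit layout, first bit first on the wire:

    bit 1       even parity over bits 1-13
    bits 2-9    8-bit facility code
    bits 10-25  16-bit card number
    bit 26      odd parity over bits 14-26

Nothing in the frame is secret: it is sent in the clear from reader to
panel, and the parity bits only detect a single flipped bit.
"""
from dataclasses import dataclass
from typing import Iterator, List


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int  # 0-255
    card_number: int    # 0-65535


def _bits(value: int, width: int) -> List[int]:
    """Big-endian list of the low `width` bits of `value`."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def encode_wiegand26(facility_code: int, card_number: int) -> List[int]:
    """Build the 26-bit frame for a facility code / card number pair."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = _bits(facility_code, 8) + _bits(card_number, 16)
    even = sum(payload[:12]) & 1          # leading bit makes bits 1-13 even
    odd = 1 - (sum(payload[12:]) & 1)     # trailing bit makes bits 14-26 odd
    return [even] + payload + [odd]


def decode_wiegand26(frame: List[int]) -> Wiegand26:
    """Check both parity bits and extract the fields; raise on a bad frame."""
    if len(frame) != 26 or any(b not in (0, 1) for b in frame):
        raise ValueError("expected 26 bits")
    if sum(frame[:13]) & 1:
        raise ValueError("even parity check failed (bits 1-13)")
    if not sum(frame[13:]) & 1:
        raise ValueError("odd parity check failed (bits 14-26)")
    fc = int("".join(map(str, frame[1:9])), 2)
    cn = int("".join(map(str, frame[9:25])), 2)
    return Wiegand26(fc, cn)


def frame_to_int(frame: List[int]) -> int:
    """The frame as a single integer, the way a sniffer would log it."""
    return int("".join(map(str, frame)), 2)


def enumerate_facility(facility_code: int) -> Iterator[List[int]]:
    """Every valid frame for one facility code: 65,536 of them, no secret needed."""
    for cn in range(0x10000):
        yield encode_wiegand26(facility_code, cn)


KEYSPACE = 256 * 65536  # 2**24 distinct credentials in the entire format


if __name__ == "__main__":
    # Constructed sample: facility 42, card 1234 (not a real credential).
    frame = encode_wiegand26(42, 1234)
    print("".join(map(str, frame)), decode_wiegand26(frame))
    # Flip one bit, as a wiring fault would, and watch the parity check reject it.
    bad = frame.copy()
    bad[5] ^= 1
    try:
        decode_wiegand26(bad)
    except ValueError as e:
        print("rejected:", e)
    print("credentials in the whole format:", KEYSPACE)
```

The parity bits catch a single flipped bit from a cable fault, which is all they were designed for; they provide no authentication, and a replayed frame is indistinguishable from a presented card. OSDP (IEC 60839-11-5), whose Secure Channel encrypts and authenticates reader-to-panel traffic, is the standards-based replacement for this wiring.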
On the back end, physical systems have evolved from primitive beginnings, with hand-soldered wires inside an access card, to computer systems that were just as archaic, using flat files and eventually stand-alone databases. These solutions grew into enterprise-scale access control systems with interconnections to other systems, ranging from logical access to building integration and eventually duty-of-care emergency-response systems. At their core, these physical security systems now use the same kinds of building blocks (X.509 certificates, TLS, SAML, JSON, IPv4/IPv6) that solve logical access challenges.
The solutions are unifying. The requirements are unifying. Users are asking for more capabilities with fewer passwords, frictionless access, and use of the mobile devices they already carry.
Consequences and Benefits
What happens if you don't employ standards? There are other paths. You can use confidential proprietary schemes. You can wrap your processes in intellectual property protection mechanisms or use patents to exclude others from following your conventions. While these schemes sometimes provide a competitive advantage and/or profit, they don't promote interoperability, innovation or security.
The lack of a fallback standard can lead to bigger problems when other issues arise. What if the only factory that makes your widget is in Minnesota and a blizzard shuts down the roads? What if the vendor facility that holds your crypto keys is in a flood plain in Texas? What if a bridge fails in California and the container ship carrying your proprietary connectors is stuck waiting to enter the harbor? Interoperability gives you multiple vendor options, and a healthy supply chain has several alternative sources for goods.
Innovation is inhibited when you don't use standards. Without multiple teams building on the same standard, you're much less likely to see new features, better processes, and early discovery of product or production flaws. Though venture capitalists may realize short-term benefits from a lack of standards, the marketplace ultimately suffers. Some worry that standards will inhibit innovation among vendors, but in practice well-designed standards support improved processes and solutions.
Standards also support security. Third parties such as security vendors and researchers, who provide valuable input to the marketplace, can analyze standards-based solutions and report potential issues. That feedback often identifies flaws in how a standard was implemented rather than in the standard itself; for example, the cache-timing variant of the Bleichenbacher attack reported in 2018 against the NSS library's handling of RSA key exchange in Transport Layer Security (TLS) (CVE-2018-12404) was an implementation problem, not a TLS problem. When vendors maintain closed proprietary implementations there is significantly less (if any) security review of their protocols until they are examined in the wild. History has shown that so-called closed protocols can still be reverse engineered by third parties, which makes it more likely that a vulnerability will be exposed, if not exploited.
Standards are good and help the marketplace, vendors and customers. As we work toward unifying logical and physical access, the use of standards will make the process smoother, cheaper, and more likely to succeed. So, what should you do to unify access with standards? Select standards-based solutions wherever possible. Make sure there are diverse implementations so you can maintain a healthy vendor supply chain. And check that your vendors actually follow the standards, with a demonstrated understanding of the relevant standards process and demonstrated interoperability.
About the author: Rodney Thayer is a Convergence Engineer at Smithee Solutions LLC, based in Berkeley, California. He is a Subject Matter Expert in the use of networking in physical security and infrastructure deployments. Specialties include cybersecurity, cryptography and networking protocols.