Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Transcription

1 Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop Total Operational Security Roger Roehr Executive Director, Roehr Consulting 8 th Annual Smart Cards in Government Conference Washington Dc Convention Center October 27 30, 2009

2 9/11 Commission As we detail in our report, this was a failure of policy, management, capability, and above all a failure of imagination. Public Statement Release of 9/11 Commission Report The Hon. Thomas H. Kean and the Hon. Lee H. Hamilton July 22, 2004

3 The Long War War Defined War is thus a process of continuous mutual adaptation, of give and take, move and countermove Al Gray, Warfighting Time Seven years between the first and second attacks on the World Trade Center Most change is evolutionary not revolutionary Remember this is a constant struggle with a passionate enemy!

4 Think Like The Wolf Do not under estimate the enemy! The enemy path of least resistance may not be yours Layer of security are key Exception may very well be the easy route Read the hacker blogs Red Team your own system Also use staff outside security department

5 Education is the Key Most of the attacks are going involve some amount of social engineering Privilege Granting System designers need to remember that cylinder of excellence lead to people filling the gaps. PACS

6 Education is the Key continued Security personnel need to understand how security solutions work Digital signature can not verified in the printed format. Design system with the security built in

7 Two Over Often Overlooked Vulnerabilities Door hard ware Does the hardware match the door security? PACS back end process Does the privileging process follow the guidelines for enrollment? How system changes and acknowledgements are verified User Name & Password PKI digital signature

8 Door Hardware Out reader? Door Contact Fail Safe Lockset REX Location Hinges Fail Secure Lockset Anti tailgate & Piggybacking

9 Back End Security Authoritative Database, Sponsor and Adjudicators. System administrators Credential Production Cross Certifiers Privilege Granting Alarm Acknowledgement Credential privileging Area Access Parking Transport Reimbursement

10 Integration Road Map For Privileges Access Control Building and Door Access, Parking Lots and Spot, Logical SP Authorization Sponsor, Background Check, Security Clearance Accounts Physical Access, Logical Access, Visitor Escort, Parking, Authorizing Agent Credentials PIV, Building pass, Visitor pass Social Security, Birth Certificate, Driver Licenses Vehicle Hang Tags Identity Name, DOB, Place of Birth, Mother & Father Name, Biometrics SP800-73,-78,-79,-87,-103, HSPD-12, FIPS-201 SP SP800-73,-78,-79,-87,- 103 Audit & Investigations 1 0

11 Define Your Process Visitor is sponsored PIV card holder? No Collect Biometric & Breeder Document Yes Privilege for Escorted Access Does Credential Holder know the PIN? Yes No Collect Biometric & Verify Certificate Enter PIN Verify Biometric & Verify Certificate Privilege for Unescorted Access

12 Privilege Management System Architecture Authoritative Data Sources Privilege Provisioning Data Collection and Adjudication PIV information Collection Sponsorship Visitor information Biometrics capture Provisioned Systems Law Enforcement Databases Terrorist Watch Lists Biometric database FBI IAFIS PKI Breeder Document Authentication Privilege Provisioning Database Server Privilege person database Blacklist Process Systems 1:N Biometric Search Card Issuance PKI verification Sponsor verification Physical Access Control System(s) Logical Access Control Systems 1 2

13 Privileging Architecture PACS Privilege Database PIV Data capture Kiosks Visitor Management Workstation Business Process Server Mobil Data Terminal Sponsor pick up Kiosks Visitor Kiosks sever Internet PKI responder All connections are TCP/IP Ethernet 1 3

14 PACS Administration Secure access to PACS application PKI Log On PKI log to application directly PKI log on to OS Every user requires Domain account Single Sign On PKI on to the OS and Password on application

15 PACS Administration continued Events Require digital signature of events Middle ware will be required for most Operating Systems Storing events will events will take more space Signing Acknowledgment Acknowledgment + Log entry Acknowledgment + Log entry + fingerprint match score

16 Books

17 Book Continued

18 Final Thought Don t Ever Give Up!

19 Speaker Contact Information Roger Roehr Roehr Consulting Phone: (703)