
Page 1: Logical and Physical Access Convergence Using Smart Cards

Logical and Physical Access Convergence Using Smart Cards

Best Practices and Lessons Learned

• Bryan Ichikawa
• Vice-President, Federal Systems
• Unisys Corp.

Page 2: Logical and Physical Access Convergence Using Smart Cards

About Unisys

• U.S. Federal Government is a key customer

• 30,000+ global workforce, the majority home-office based

• Needed to standardize on multi-factor authentication for remote access

• No common SSO solution in use

• Long-term vision had included smart card readers on Unisys-procured laptops for the past 3 years

• Needed a solution that supported the increasingly demanding information security landscape:
  – SAS70 Audits
  – Sarbanes-Oxley
  – PCI

Page 3: Logical and Physical Access Convergence Using Smart Cards

Before Convergence

• 14 different physical access systems, moving toward HID Corporate 1000 dual technology access cards
  – Each using a single purpose photo ID badge
  – With either magnetic stripe or proximity interface for physical facility access

• Global Microsoft domain infrastructure, one forest

• Global RADIUS authentication for remote access

• Dozen(s) of user account / password pairs

Page 4: Logical and Physical Access Convergence Using Smart Cards

Convergence Business Drivers

• Physical Security:
  – Single global platform – Lenel
  – Standard look for corporate badges

• IT, Audit:
  – Dual factor authentication
  – Workforce mobility

• User experience:
  – Plethora of access credentials

Page 5: Logical and Physical Access Convergence Using Smart Cards

What Does Convergence Mean?

• Single, multi-technology credential

• Works with current building access systems

• Supports magstripe, contact smartcard, iClass, prox

• Works with standard card reader/writer on PCs


Technology suppliers

• Aladdin Knowledge Systems – smartcard chipset, authenticator and eToken devices

• Microsoft – Certificate Authority and ILM (Identity Lifecycle Manager) Registration Authority

• HID – physical cards with two onboard proximity technologies plus magnetic stripe

Page 6: Logical and Physical Access Convergence Using Smart Cards

General Approach

• Establish an operational capability quickly so cards start rolling out

• Do North America first year
  – Corporate headquarters (quick win), major facilities
  – Mobile, teleworkers

• Do rest-of-world second year

• Support MS domain first; don’t break anything

• Cover remote access next

• Avoid distraction from fringe details
  – It will take 2 years to physically deploy cards – there’s time to work the problems

• Force use for remote access at end of second year

• Coordinate with already-planned changes in technology domains (remote access, PC platforms, domain infrastructure)

Page 7: Logical and Physical Access Convergence Using Smart Cards

Governance and Sponsorship

• Enthusiasm at the top: Executive Sponsorship

• Long-term vision, near-term commitment

• 2 Types of Governance
  – Approve Budget and Guarantee Organizational Support – Business and Management Committee
  – Ensure Extensibility and Availability – Technical and Advisory Committee

• Who owns it? – If not Information Security, then who?

• Architecture Team

• Stakeholders
  – Physical Security - Human Resources
  – Information Technology - Information Security
  – Finance - Audit

Page 8: Logical and Physical Access Convergence Using Smart Cards

Key Stakeholders – Managing Expectations

• Executive Sponsor
• Sponsor
• Program Manager
• Technical Lead
• Physical Security System
• HR
• Contractor Management
• IT
• Audit
• Information Security
• Service Desk
• Desktop Services

Page 9: Logical and Physical Access Convergence Using Smart Cards

Major Tasks: Physical Security

• Procure and deploy badge printers – where, when

• Agree on badge template, FIPS-201 – WSJ endorsement

• Generate Lenel card holder records; coordinate with PeopleSoft

• Pictures – collect, convert, move to Lenel

• Badge production

• Distribution – user activation and information website, emails

Major Tasks: IT

• MS domain integration
  – PKI certificate definition
  – AD objects

• Self enrollment

• Workstation software – installation
  – Smartcard reader/writer
  – Dell, Microsoft patches
  – Aladdin middleware

• Remote access
  – Integration/transition
  – Mask extra account/password pair

• Support structures

Page 10: Logical and Physical Access Convergence Using Smart Cards

PKI

• Start by writing the PKI governing documents
  – the corporate Certificate Policy (CP)
  – a Certification Practice Statement (CPS) to implement the CP

• Choose an appropriate policy model: FBCP, ETSI to enable trust in consortiums

• Design organizational trust hierarchy
  – determine business drivers
  – project future needs

• Design and operate exactly one PKI in a corporation

• Annual external audit

• Build it and they will come!

Page 11: Logical and Physical Access Convergence Using Smart Cards

PKI Architecture

• Array of Microsoft Windows Certification Authorities (CAs)
  – Unisys Root & Intermediate CAs offline for protection
  – Issuing CAs integrated into Unisys corporate AD forest
  – eToken authentication to CAs

• Hybrid trust model: certified for S/MIME and SSL by commercial PKI provider
  – Develops trust for external parties’ email
  – Extends web security presence

Page 12: Logical and Physical Access Convergence Using Smart Cards

Mature Enterprise PKI in Place

• Secure email – S/MIME

• Encrypting File System -- EFS

• Web server identity & encryption

• Client authentication

• Software signing

• Computer identification

• Smartcard for domain and VPN

Page 13: Logical and Physical Access Convergence Using Smart Cards

Ordering the Cards – What a Circus!

[Process diagram: three swim lanes, Card Manufacturer, SW Vendor and Chip VAR, linked by "Ship" steps. Steps shown: Order SW & Support; Order Blank Card w/Coils & Mag Stripe; Engineering Memory Map for Smartcard; Card Art Work; Make Physical Card; Embed ChipOS & SW Load for Smartcard; Program Coils; Ship to Customer.]

Page 14: Logical and Physical Access Convergence Using Smart Cards

Strong Authentication leads to RSO / SSO

• Assets have access controls
  – Identity – established by username
  – Authentication – validates identity
  – Authorization – what you are allowed to do once authenticated

• We previously made up for the weakness with quantity – each application with its own account data/structure
  – Employees complain bitterly about multiple accounts and password update requirements
  – Auditors complain that usernames and passwords alone are weak controls

Page 15: Logical and Physical Access Convergence Using Smart Cards

Application Authentication

• Application front ends
  – confirm user is authenticated to AD and has an activated smart card
  – pass off to
    • modified front end process which accepts employee-id as parameter, or…
    • manual logon page if user is not yet smart card-enabled
  – serve three heterogeneous environments

• Siebel
  – alternate authentication web pages for users who have a smart card
  – using their AD security adapter paired with our web front end

• Webtime / Webtrex
  – Webtime is Apache server / Oracle; hits the IIS front end
  – Webtrex is IIS server

• WebIntelligence – Business Objects
  – no front end is required
  – direct authentication with AD forest

• PeopleSoft
  – WebLogic web server

Page 16: Logical and Physical Access Convergence Using Smart Cards

The Model – RSO/SSO Enabled by ILM

[Architecture diagram: Client Workstation (WIA) → Web Front End → Active Directory and ILM, fronting the applications Webtrex, Webtime, Siebel, Business Objects and PeopleSoft.]

Page 17: Logical and Physical Access Convergence Using Smart Cards

Important Lessons

• Work with Facilities / Security organization and build on the card access system in place

• It is not practical to have one credential for your mobile workforce and a different one (non Smartcard) for statically located workers.

• Pay attention to the card construction process, which can be complex
  – Card design (!!)
  – Fabrication
  – Chip embedding
  – Initialization
  – Personalization

• Consider use of a VAR to help coordinate it, especially internationally.

• Publicity leads to buy-in

Page 18: Logical and Physical Access Convergence Using Smart Cards

Important Lessons, Cont’d

• Don’t turn on the “force smartcard logon” bit in Active Directory until you have investigated implications.

• Need stick as well as carrot: smart card activation was slow (20%) when offered only for the SSO benefit, before card usage was required

• Be prepared to run parallel environments for a while, and communicate with your users early and often.

• Expect organizational complexity in the implementation – use business process modeling

• European privacy accommodations

• 3500 phantoms
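An account with the "force smartcard logon" bit set can no longer log on with its password, so password-based remote access (RADIUS) and applications not yet behind the smart card front end break for that user. The following pre-flight audit is an added example, not part of the Unisys deck; it assumes the ActiveDirectory PowerShell module and uses hypothetical group names (`SmartCard-Pilot`, `RADIUS-RemoteAccess`) to report which pilot users actually hold a valid Smart Card Logon certificate and which still depend on a password before the bit is turned on.

```powershell
# Added example (not from the original deck): audit a pilot group before setting
# SmartcardLogonRequired. Group names below are hypothetical placeholders.
Import-Module ActiveDirectory

$PilotGroup      = 'SmartCard-Pilot'         # hypothetical: users about to be forced
$RemoteAccessGrp = 'RADIUS-RemoteAccess'     # hypothetical: password-based VPN users
$ScLogonEku      = '1.3.6.1.4.1.311.20.2.2'  # Microsoft Smart Card Logon EKU OID

# Returns $true if any blob in userCertificate is an unexpired cert carrying the
# Smart Card Logon EKU, i.e. the user has actually enrolled a usable card.
function Test-SmartCardCert {
    param($CertBlobs)
    foreach ($blob in @($CertBlobs)) {
        if (-not $blob) { continue }
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
        } catch { continue }
        if ($cert.NotAfter -lt (Get-Date)) { continue }
        foreach ($eku in $cert.EnhancedKeyUsageList) {
            if ($eku.Value -eq $ScLogonEku) { return $true }
        }
    }
    return $false
}

# DNs of everyone who still reaches the network with a password over RADIUS
$remoteUsers = (Get-ADGroupMember $RemoteAccessGrp -Recursive).distinguishedName

Get-ADGroupMember $PilotGroup -Recursive |
  Where-Object objectClass -eq 'user' |
  Get-ADUser -Properties SmartcardLogonRequired, userCertificate, servicePrincipalName, LastLogonDate |
  ForEach-Object {
    $hasCert   = Test-SmartCardCert -CertBlobs $_.userCertificate
    $usesVpn   = $remoteUsers -contains $_.DistinguishedName
    $hasSpn    = ($_.servicePrincipalName.Count -gt 0)   # service accounts never get a card
    [pscustomobject]@{
        User            = $_.SamAccountName
        AlreadyForced   = $_.SmartcardLogonRequired
        HasScLogonCert  = $hasCert
        UsesPasswordVpn = $usesVpn
        HasSpn          = $hasSpn
        LastLogon       = $_.LastLogonDate
        # Safe only with an enrolled card and no remaining password-only dependency
        SafeToForce     = $hasCert -and -not $usesVpn -and -not $hasSpn
    }
  } | Sort-Object SafeToForce, User | Format-Table -AutoSize
```

Run it against each wave of cardholders; rows with SafeToForce = False are the users who would be locked out of remote access or an application if the bit were set today.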

Page 19: Logical and Physical Access Convergence Using Smart Cards

Questions?

Bryan K. Ichikawa
Vice-President, Identity Solutions
Unisys Corporation

[email protected]

Page 20: Logical and Physical Access Convergence Using Smart Cards

Thank You!