Post on 09-Feb-2022
transcript
Logical and Physical Access Convergence Using Smart Cards
Best Practices and Lessons Learned
• Bryan Ichikawa
• Vice-President, Federal Systems
• Unisys Corp.
About Unisys
• U.S. Federal Government is a key customer
• 30,000+ global workforce, the majority home office based
• Needed to standardize on multi-factor authentication for remote access
• No common SSO solution in use
• Long-term vision had included smart card readers on Unisys-procured laptops for the past 3 years
• Needed a solution that supported the increasingly demanding information security landscape:
  – SAS70 audits
  – Sarbanes-Oxley
  – PCI
Before Convergence
• 14 different physical access systems, moving toward HID Corporate 1000 dual-technology access cards
  – Each using a single-purpose photo ID badge
  – With either magnetic stripe or proximity interface for physical facility access
• Global Microsoft domain infrastructure, one forest
• Global RADIUS authentication for remote access
• Dozen(s) of user account / password pairs
Convergence Business Drivers
• Physical Security:
  – Single global platform – Lenel
  – Standard look for corporate badges
• IT, Audit:
  – Dual-factor authentication
  – Workforce mobility
• User experience:
  – Plethora of access credentials
What Does Convergence Mean?
• Single, multi-technology credential
• Works with current building access systems
• Supports magstripe, contact smartcard, iClass, prox
• Works with standard card reader/writer on PCs
Technology Suppliers
• Aladdin Knowledge Systems – smartcard chipset, authenticator and eToken devices
• Microsoft – Certificate Authority and ILM (Identity Lifecycle Manager) Registration Authority
• HID – physical cards with two onboard proximity technologies plus magnetic stripe
General Approach
• Establish an operational capability quickly so cards start rolling out
• Do North America first year
  – Corporate headquarters (quick win), major facilities
  – Mobile, teleworkers
• Do rest-of-world second year
• Support MS domain first; don’t break anything
• Cover remote access next
• Avoid distraction from fringe details
  – It will take 2 years to physically deploy cards – there’s time to work the problems
• Force use for remote access at end of second year
• Coordinate with already-planned changes in technology domains (remote access, PC platforms, domain infrastructure)
Governance and Sponsorship
• Enthusiasm at the top: Executive Sponsorship
• Long-term vision, near-term commitment
• 2 types of governance
  – Approve budget and guarantee organizational support – Business and Management Committee
  – Ensure extensibility and availability – Technical and Advisory Committee
• Who owns it? – If not Information Security, then who?
• Architecture Team
• Stakeholders
  – Physical Security
  – Human Resources
  – Information Technology
  – Information Security
  – Finance
  – Audit
Key Stakeholders – Managing Expectations
• Executive Sponsor
• Sponsor
• Program Manager
• Technical Lead
• Physical Security System
• HR
• Contractor Management
• IT
• Audit
• Information Security
• Service Desk
• Desktop Services
Major Tasks – Physical Security
• Procure and deploy badge printers – where, when
• Agree on badge template, FIPS-201 – WSJ endorsement
• Generate Lenel card holder records; coordinate with PeopleSoft
• Pictures – collect, convert, move to Lenel
• Badge production
• Distribution – user activation and information website, emails
Major Tasks – IT
• MS domain integration
  – PKI certificate definition
  – AD objects
• Self enrollment
• Workstation software – installation
  – Smartcard reader/writer
  – Dell, Microsoft patches
  – Aladdin middleware
• Remote access
  – Integration/transition
  – Mask extra account/password pair
• Support structures
PKI
• Start by writing the PKI governing documents
  – the corporate Certificate Policy (CP)
  – a Certification Practice Statement (CPS) to implement the CP
• Choose an appropriate policy model: FBCP, ETSI to enable trust in consortiums
• Design organizational trust hierarchy
  – determine business drivers
  – project future needs
• Design and operate exactly one PKI in a corporation
• Annual external audit
• Build it and they will come!
PKI Architecture
• Array of Microsoft Windows Certification Authorities (CAs)
  – Unisys Root & Intermediate CAs offline for protection
  – Issuing CAs integrated into Unisys corporate AD forest
  – eToken authentication to CAs
• Hybrid trust model: certified for S/MIME and SSL by commercial PKI provider
  – Develops trust for external parties’ email
  – Extends web security presence
Mature Enterprise PKI in Place
• Secure email – S/MIME
• Encrypting File System -- EFS
• Web server identity & encryption
• Client authentication
• Software signing
• Computer identification
• Smartcard for domain and VPN
Ordering the Cards – What a Circus!
[Diagram: card ordering flow across three parties – Card Manufacturer, SW Vendor and Chip VAR. Steps: order software and support; order blank card with coils and mag stripe; engineer memory map for smartcard; card art work; make physical card; embed chip OS and software load for smartcard; program coils; ship to customer.]
Strong Authentication leads to RSO / SSO
• Assets have access controls
  – Identity – established by username
  – Authentication – validates identity
  – Authorization – what you are allowed to do once authenticated
• We previously made up for the weakness with quantity – each application with its own account data/structure
  – Employees complain bitterly about multiple accounts and password update requirements
  – Auditors complain that usernames and passwords alone are weak controls
Application Authentication
• Application front ends
  – confirm user is authenticated to AD & has an activated smart card
  – pass off to
    • modified front end process which accepts employee-id as parameter, or…
    • manual logon page if user is not yet smart card-enabled
  – serve three heterogeneous environments
• Siebel
  – alternate authentication web pages for user who has smart card
  – using their AD security adapter paired with our web front end
• Webtime / Webtrex
  – Webtime is Apache server / Oracle; hits the IIS front end
  – Webtrex is IIS server
• WebIntelligence – Business Objects
  – no front end is required
  – direct authentication with AD forest
• PeopleSoft
  – WebLogic web server
The Model – RSO/SSO Enabled by ILM
[Diagram: the RSO/SSO model. A ClientWorkstation authenticates via WIA to a WebFrontEnd, which uses ILM and ActiveDirectory to reach Webtrex, Webtime, Siebel, BusinessObjects and PeopleSoft.]
Important Lessons
• Work with Facilities / Security organization and build on the card access system in place
• It is not practical to have one credential for your mobile workforce and a different one (non Smartcard) for statically located workers.
• Pay attention to the card construction process, which can be complex
  – Card design (!!)
  – Fabrication
  – Chip embedding
  – Initialization
  – Personalization
• Consider use of a VAR to help coordinate it, especially internationally.
• Publicity leads to buy-in
Important Lessons, Cont’d
• Don’t turn on the “force smartcard logon” bit in Active Directory until you have investigated the implications.
• Need the stick as well as the carrot: smart card activation was slow (20%) when offered only for the SSO benefit, before card usage was required
• Be prepared to run parallel environments for a while, and communicate with your users early and often.
• Expect organizational complexity in the implementation – use business process modeling
• European privacy accommodations
• 3500 phantoms
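The first lesson above concerns the “force smartcard logon” bit. As an added example (not Unisys code), here is a Python readiness audit over a constructed user export: it decodes the documented userAccountControl bits and only proposes setting SMARTCARD_REQUIRED on accounts whose card is already activated. The card_activated field is an assumption standing in for the self-enrollment records.

```python
"""Readiness audit before setting the 'force smartcard logon' bit in AD.

Added example, not Unisys code. Input is a constructed export of user
objects carrying the real userAccountControl attribute plus a hypothetical
card_activated field (assumed to come from the self-enrollment records).
"""

# Documented userAccountControl bit values (ADS_USER_FLAG_ENUM).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED = 0x40000   # the "force smartcard logon" bit

# Constructed sample export: sAMAccountName, userAccountControl, card_activated.
SAMPLE_USERS = [
    {"sam": "alice",   "uac": NORMAL_ACCOUNT,                        "card_activated": True},
    {"sam": "bob",     "uac": NORMAL_ACCOUNT,                        "card_activated": False},
    {"sam": "carol",   "uac": NORMAL_ACCOUNT | SMARTCARD_REQUIRED,   "card_activated": True},
    {"sam": "svc-web", "uac": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, "card_activated": False},
    {"sam": "dave",    "uac": NORMAL_ACCOUNT | ACCOUNTDISABLE,       "card_activated": True},
]


def has_flag(uac, flag):
    return bool(uac & flag)


def classify(user):
    """Bucket one account by what forcing the bit would do to it."""
    uac = user["uac"]
    if has_flag(uac, ACCOUNTDISABLE):
        return "disabled"                 # nothing to force; leave alone
    if has_flag(uac, SMARTCARD_REQUIRED):
        return "already_forced"
    if has_flag(uac, DONT_EXPIRE_PASSWORD) and not user["card_activated"]:
        # Heuristic (assumption): non-expiring password and no card usually
        # means a service account that logs on by password only.
        return "likely_service_account"
    if user["card_activated"]:
        return "ready"
    return "not_enrolled"                 # forcing now would lock the user out


def readiness_report(users):
    """Map each bucket to the sAMAccountNames that fall into it."""
    report = {}
    for u in users:
        report.setdefault(classify(u), []).append(u["sam"])
    return report


def proposed_changes(users):
    """New userAccountControl value for accounts that are safe to force."""
    return {u["sam"]: u["uac"] | SMARTCARD_REQUIRED
            for u in users if classify(u) == "ready"}
```

Run readiness_report(SAMPLE_USERS) to see the buckets and proposed_changes(SAMPLE_USERS) for the values to write back; everything outside the "ready" bucket needs a decision before the bit is set.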
Questions?
Bryan K. Ichikawa
Vice-President, Identity Solutions
Unisys Corporation
bryan.ichikawa@unisys.com
Thank You!