Overall, there is a growing sentiment among security professionals looking to upgrade (or completely restructure) their existing access controls that newer technologies should be part of the mix. I recently caught up with Terry Gold, founder of D6 Research, and we chatted about the evolution of mobile access credentials, the benefits they offer today, and where there is still room for them to grow. Below is a portion of that discussion. Read on to get an expert’s top-down view of this emerging technology.
Q: Moving on to mobile access credentials as a solution to replace traditional physical cards, are they secure enough considering existing concerns about cybersecurity?
A: “Completely? Not yet. But it’s an uneven playing field across vendor offerings at the moment. D6 Research has done significant research for an upcoming report on this topic; we’ve reviewed most of the vendor offerings in the market through a lens of cybersecurity, and most would fail an enterprise information security assessment – however, a small portion would pass. This is mainly due to the fact that physical security vendors have had little exposure to enterprise-class cybersecurity scrutiny, aside from network configuration, perhaps, and therefore many of the barriers are being disclosed to them after they try to go from a supported pilot to production (then it becomes visible to IT, and they own the mobile device policy). The ones that are succeeding are generally vendors that come from the IT side and are new to physical security.”
“However, this is changing rapidly as vendors face barriers and become more defined. The vendors that are focused on large enterprise are the ones poised to close the gaps sooner. The vendors focused on small- to mid-market aren’t facing much scrutiny and have less awareness of these issues.”
“My talk at the Total Security Summit will go through highlights of the upcoming research report, which is due for release in July 2018. It will disclose a fairly expansive set of assessment criteria for end users to self-assess security for mobile credentials and infrastructure.”
Q: Do you think that mobile access credential technology is mature enough to implement today, or should organizations wait?
A: “There are a couple of vendors that I would implement today if I were an end user. However, I think most end users are getting it wrong with requirements. If the requirements call for it, and it provides a lot of value, then go for it – just run it through the assessment and the cyber maturity model. This is an area that is evolving quicker than any other technology area in the history of physical security, mainly because it’s app-based, so it can iterate as quickly as vendors update the app and their service. So you can wait just a little and a lot will change (unlike other areas).”
“Conversely, there are different architecture models, and if you choose one that is highly proprietary and dependent on specific hardware readers and Bluetooth implementations, you’ll be hijacked by that vendor and taken along for the ride wherever they’re heading (or not). So for me, personally, the larger my organization is, the more I’d choose a vendor that doesn’t force me into that model, so I don’t have to rip-and-replace my infrastructure just to change mobile credential vendors. They’re all proprietary right now, but a few are more open than others. This will be part of the evolution (to see more open implementations).”
Q: Can mobile access credentials completely replace physical credentials for all of my users?
A: “Let’s start off by saying that this is not an all or nothing equation. Nearly all my clients end up realizing that mobile credentials will not entirely replace physical credentials for all users – at least not yet … or maybe never. Unfortunately, vendors over-sell or aren’t aware of the complexities of their assertions. Generally, three factors need to be considered.”
- “Organizations have some use cases where the mobile technology will not (yet) work. Typically these are expanded use cases with other systems where they have already integrated their physical cards, yet the mobile provider has not (café, elevators, garage, time and attendance, secure print, etc.). Essentially, the scope of mobile can’t meet the same use footprint as their physical credentials. In this scenario, people would carry both (which to me makes little sense for standard issuance).”
- “Specific environments that do not allow mobile devices, or users that do not have mobile devices. This can be a high security environment where policy restricts it (some datacenters, R&D labs, fulfillment centers, SCIFs, etc.). Some users just don’t have them (service badge users, guests, or they are unmanaged).”
- “Policy and process. A pervasive policy for most organizations is that all users need to wear a physical ID badge. Wearing a mobile device and projecting that image (and trusting the integrity of the digital image) is problematic. Therefore, if this policy remains in force, there are really only three options: 1) change the policy, 2) issue mobile credential users an ID badge only to wear (no access technology), or 3) ban mobile credentials. There are other policies that can conflict with mobile credentials, and this has more to do with IT policy and how the vendor designed the product, where IT would not allow the device to use that technology until it complies. D6 has found this to be the case with most vendor solutions currently, and it is the more serious issue for introducing into an environment that has a ‘medium or higher’ information security maturity model.”
Q: Can mobile credentials be integrated into organizations that have pre-existing infrastructures or do customers need to reinvest in core systems to accommodate them?
A: “This comes up all the time. Unfortunately, it depends on several factors:”
- “The mobile credential vendor’s design choices in their product. Most are highly proprietary and require upgrading readers and even the control system – while some don’t and can fit right into existing legacy infrastructure. So understand the impact and choose wisely before making a selection.”
- “The customer’s existing infrastructure. If customers aren’t looking to change their infrastructure, then they need to restrict choices to certain architecture models that will fit. Personally, I like these models better anyhow for a variety of reasons, but they should be evaluated on a case-by-case basis.”
- “Existing process and policy. For the most part, policy outside of physical security (anything having to do with IT, which owns the mobile device policy corporate-wide) will not change – the solution would need to change. In general, this is a deal breaker. Unfortunately, this is the last area that customers investigate (or they don’t investigate it at all), and they waste a lot of time on evaluation and pilots only to find out that IT won’t allow it. This should be the FIRST area to investigate, even before functionality. Period. This is also going to tell you A LOT about its security, how it’s architected and whether the vendor really understands cybersecurity. Generally, if their product isn’t designed to meet a standard mobile device policy with best practices on the IT side, you should disqualify them until they demonstrate how and why.”
- “Use cases intended for the candidate technology. This comes down to compatibility. While Bluetooth Low Energy and NFC are standard protocols, unfortunately nearly all vendors in this industry have made the authentication data payload schemes sent over the protocol layer proprietary. There is no technical need for this other than locking customers into their ecosystem. The impact is that other applications don’t know how to talk to it and therefore would need to be upgraded either at the firmware or hardware level. First, if they don’t have any BLE or NFC, it won’t read them at all. Second, firmware distribution in physical security is poor and not an option for larger organizations. Third, hardware upgrades may involve a module from the mobile vendor to embed into the candidate host – which usually happens in the design phase, not after market. There is one vendor that has a clever workaround for all of this, but I’m not in the business of promotion, so I will just leave it there for now; it’s covered in the research report in depth.”
Q: Would you wait?
A: “Well, I might. It would depend on what I was looking to do and how much value that gets me. There are a couple of solutions that we have modeled where it wasn’t the access (opening doors) part that had a lot of value but other capabilities that would save my clients millions in operational expenses and really improve security. The question is: how much value, time to value, cost, and can I migrate to another solution without having to make infrastructure changes again? Keep in mind that your physical access control system will be there for about 15 years, but mobile is really an IT product that will only have a life of 3-5 years (at best). So even with the best intentions to be loyal to the selected vendor, you will be making at least two changes to this mobile platform before your physical access control system is amortized and ready for refresh. So you need to make sure you aren’t caught in a dead-end.”
Terry Gold is the founder of D6 Research, where he drives the core research pipeline, methodology, and client interaction. For the past decade, he has specialized in identity management, credentialing and authentication across both information and physical security, where he has focused on advising Fortune 500 companies on how to approach complex full-lifecycle initiatives. Terry’s experience spans a variety of industries: technology, financial services, telco, entertainment, energy and healthcare.