HID: Access control best practice starts with the right credentials

New Zealand Security Magazine - Update

HID

Released in January, HID’s PACS Security Guidelines executive brief highlights multifactor authentication and mobile credentials as access control best practices.


It’s one of the strange ironies of security risk management that the very security controls designed to keep a site protected from threats such as unauthorised entry can also be points of vulnerability that can be exploited or overcome by malicious actors.

Take a site’s physical access control system, for instance. Armed with a 125 kHz RFID reader, a criminal can skim the identifier from a card that uses an outdated credential technology and clone it onto a blank card. Low-frequency proximity cards of this kind transmit a fixed identifier with no cryptographic authentication, so anyone who can read the card can replay it. What was intended to protect the site from unauthorised access becomes a point of security failure.

“Cards or credentials are carried by users and are normally the first step in authentication and authorisation processes,” states HID’s PACS Security Guidelines. “As a result, attempts to gain unauthorised access are usually directed at the readers and credentials.”

For this reason, the Guidelines document focuses primarily on reader and credential recommendations, delivering seven practical, no-nonsense pages of security best practices for readers, credentials and key management.

Select the Appropriate Credential

The reality is that some organisations, particularly those operating in a low-threat environment, or those with other protective measures in place as part of a layered approach to security, may be comfortable continuing to use legacy technologies.

“Upgrading readers or purchasing new credentials comes at a cost,” states the Guidelines, “and some organisations postpone such investments based on their own timelines and budgetary constraints.”

It makes sense. But whatever the security or fiscal context of an organisation, it also makes good sense that its security measures are reviewed periodically to ensure that they are addressing changes to its threat environment and operations.

There’s no point delaying an investment in new credentials or reader upgrades if your existing components are no longer fit for purpose. Management tends to be more receptive to security upgrades after a security breach, but by then they’re paying for both the upgrade and the cost of the breach.

Utilise Modern Physical Credentials

Modern credential technologies, such as HID® Seos® and MIFARE® DESFire® EV3, are built on proven, standardised cryptographic techniques recommended by international standards bodies, including mutual authentication between card and reader rather than a fixed identifier transmitted in the clear. The Guidelines recommend that, where appropriate, users of legacy credentials upgrade to these higher-security credentials.

Many HID products, such as iCLASS SE®, multiCLASS SE® and Signo™ readers, can operate in a ‘migration mode’, which smooths the path to an upgrade.

This mode permits more than one credential type to be used, so that modern, high-security credentials can be phased into an existing legacy deployment: a reader can be configured to accept the new credentials while still accepting legacy credentials during the transition. The caveat is that, for as long as both are accepted, the reader is only as strong as the weakest credential it honours, so a cloned legacy card still opens the door. Migration mode is a transitional state, not an end state.

Importantly, the Guidelines recommend that migration mode “is accompanied by a hard cut-off date that is communicated to credential holders, and that legacy credential support is disabled immediately once the migration process has been completed.”
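The following is an added example, not HID’s code and not part of the Guidelines, of how a PACS back end might model the migration-mode policy just described: legacy credentials are honoured only until a communicated hard cut-off date, legacy support can be switched off earlier the moment migration is declared complete, and the system keeps a list of holders still relying on legacy cards so they can be chased before the cut-off. The technology labels, holder names and timestamps are constructed for illustration.

```python
"""Toy model of a PACS 'migration mode' policy with a hard cut-off.

Added example, not HID's code. The technology names, holders and
timestamps below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed technology classes. A real PACS would key this off the
# credential type reported by the reader.
LEGACY_TECHS = {"prox125k"}              # 125 kHz proximity: skimmable, clonable
MODERN_TECHS = {"seos", "desfire_ev3"}   # cryptographically authenticated


@dataclass(frozen=True)
class Swipe:
    holder: str
    tech: str
    at: datetime


@dataclass
class MigrationPolicy:
    cutoff: datetime                 # hard cut-off communicated to holders
    legacy_enabled: bool = True      # cleared when migration is declared complete
    migrated: set = field(default_factory=set)      # holders seen with a modern credential
    still_legacy: set = field(default_factory=set)  # holders seen only with legacy so far

    def decide(self, swipe: Swipe) -> str:
        """Return the access decision for one credential presentation."""
        if swipe.tech in MODERN_TECHS:
            self.migrated.add(swipe.holder)
            self.still_legacy.discard(swipe.holder)
            return "grant"
        if swipe.tech in LEGACY_TECHS:
            # Legacy is refused after the cut-off date OR once migration has
            # been declared complete, whichever comes first.
            if not self.legacy_enabled or swipe.at >= self.cutoff:
                return "deny:legacy-disabled"
            if swipe.holder not in self.migrated:
                self.still_legacy.add(swipe.holder)
            return "grant:legacy"
        return "deny:unknown-tech"

    def laggards(self) -> list:
        """Holders still relying on legacy credentials: who to chase before the cut-off."""
        return sorted(self.still_legacy - self.migrated)

    def complete_migration(self) -> None:
        """Disable legacy support immediately, without waiting for the cut-off date."""
        self.legacy_enabled = False


def run_demo() -> dict:
    """Replay a constructed sequence of swipes through the policy."""
    utc = timezone.utc
    policy = MigrationPolicy(cutoff=datetime(2025, 3, 1, tzinfo=utc))
    swipes = [
        Swipe("alice", "prox125k", datetime(2025, 2, 10, tzinfo=utc)),   # legacy, pre-cut-off
        Swipe("bob", "seos", datetime(2025, 2, 11, tzinfo=utc)),         # already migrated
        Swipe("alice", "seos", datetime(2025, 2, 20, tzinfo=utc)),       # alice migrates
        Swipe("carol", "prox125k", datetime(2025, 2, 25, tzinfo=utc)),   # legacy, pre-cut-off
        Swipe("carol", "prox125k", datetime(2025, 3, 2, tzinfo=utc)),    # legacy, after cut-off
        Swipe("dave", "unknown", datetime(2025, 3, 2, tzinfo=utc)),      # unrecognised tech
    ]
    decisions = [policy.decide(s) for s in swipes]
    laggards = policy.laggards()                 # who still needs a new card

    # Migration declared complete: legacy is refused even before the date.
    policy.complete_migration()
    decisions.append(policy.decide(
        Swipe("erin", "prox125k", datetime(2025, 2, 28, tzinfo=utc))))

    return {"decisions": decisions, "laggards": laggards}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The two independent disable triggers are the point: the date gives holders a deadline they have been told about, while `complete_migration()` lets the operator switch legacy off the moment the last card has been replaced, rather than leaving a clonable credential type accepted until the calendar says otherwise.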

HID further points out that organisations that do not participate in the HID Elite™ Program (which provides end-user customers with unique, restricted authentication and encryption keys) should use restricted or tracked card formats, falling back to open formats only where compatibility requires it.

Multi-Factor Authentication (MFA) for Sensitive Entry Locations

Site and building perimeters are typically an organisation’s physical first line of defence. High fences and security-enhanced doors both deter would-be attackers and delay (or disrupt) determined ones, and MFA readers add the same deter-and-delay effect at the door itself.

“An access control best practice is to require additional factors of authentication (such as a personal identification number [PIN] or biometrics) to be used at perimeter readers,” states the Guidelines. “Additional factors make the use of emulated or even potentially cloned credentials more difficult.”

For sensitive entry locations, the lack of MFA can turn an access control system from a security solution to a potential security vulnerability.

Additional Security and Convenience with Mobile Credentials

HID Mobile Access® app-based and wallet-based credentials feature customer-specific encryption keys and are protected by HID Seos and Secure Identity Object™ (SIO™) technology. But with mobile credentials, additional security features are just the start.

Easier to manage and revoke at scale than physical cards and fobs, mobile credentials can be issued in bulk, allowing organisations to deploy them quickly and efficiently. When a user moves on, remote revocation helps remove old credentials from circulation, which is the weak point of physical cards: a lost or unreturned card keeps working until someone notices.

For users, this means no more queueing at the security office to be issued a physical credential, and for organisations it means no longer dealing with the logistics of physical card issuance. For personnel-heavy organisations this can result in significant savings.

HID Origo™, for example, enables organisations to issue and revoke credentials in an automated manner, allowing integration with existing workflows to help ensure that credentials are automatically issued, revoked and removed at appropriate times.

It’s no wonder that, according to the Guidelines, “HID recommends considering mobile credentials whenever possible.”
