idOnDemand | Article | Identity-as-a-Service – a new approach for smart card-based security...


45 Smart Card Technology International | ID CREDENTIALS

www.globalsmart.com

Identity-as-a-Service – a new approach for smart card-based security systems

By Terry Gold, Vice President, VP of Sales, North America, for idOnDemand

For many years now, smart cards have proved their effectiveness as secure credentials for the IT environment. The chip on a smart card essentially is a microcomputer that is purpose-built to protect the security key that is unique on every card and which never leaves the card in any transaction. When used for IT security, a smart card can authenticate a user to a computer either at the OS level or pre-boot with disk encryption, to the network, to applications, to perform email signing and encryption, and for other uses such as digitally signing documents. Increasingly, smart cards are also being used for physical access, providing a much higher degree of security than mere photo badges or proximity cards.

Why is the physical access market also turning to smart cards? Because at least 90% of building access security card implementations are so fraught with basic security flaws that an in-person attack of identity fraud can be executed for under $100 and under 15 minutes of searching online. After that, it takes about 5 seconds each time an imposter wants to impersonate a valid user and walk around wherever that user is authorized to go. By using a smart card as an employee ID, the secure element in the card is leveraged to strengthen building security systems as well. Increasingly, organizations are setting their sights on integrated, or converged, systems, where one smart card credential is used both for physical access and IT access. The beauty of this approach is that there is only one credential to manage for each user, making it easier and less costly to issue, revoke or renew credentials or levels of authorization should an employee’s status change.

But until recently, implementing a converged ID security system was very costly and complex and could take months or even years. In large part this is because nearly every organization already has some sort of legacy system, or systems, in place. Because the building security market has been largely without interoperable industry standards, customers become “locked in” to their vendors once they have implemented a physical security system. Legacy vendor implementations tend to be restrictive because they are proprietarily built to not play well with other systems and force their customer to keep coming back to them for more cards and readers. For organizations that want to create a converged system for physical access and access to information-based systems, this has generally meant either swapping out their entire systems and starting over, or trying to add on elements that weren’t designed for compatibility, requiring a great deal of time and money. However, there is an awakening going on today as organizations are beginning to envision what it would mean if they had similar opportunities for vendor choice and integration that their IT counterparts have enjoyed. In part this is due to the model demonstrated by the U.S. government, which is implementing its own converged security system across all federal agencies, based on standards set forth by the National Institute of Standards and Technology (NIST).

A NEW PARADIGM FOR SIMPLICITY

Recently, new options have become available for implementing smart card-based systems in the form of a service model. That is, where an external party builds and hosts the credentialing infrastructure “in the cloud” and either provides access to it, or performs functions on the customer’s behalf. This model is commonly referred to as “SaaS” (Software-as-a-Service), “IaaS” (Infrastructure-as-a-Service), or more specifically, “IDaaS” (Identity-as-a-Service). IDaaS vendors provide the enterprise-class infrastructure, people resources and services needed to implement a smart card-based system, so that this burden is lifted from the organization, costs are lower – often dramatically – and the time line for implementation is shortened – often from years to weeks. An IDaaS vendor can help an organization build new capabilities on top of the legacy infrastructure already in place and even repurpose existing components, so that past investment is not lost. The service model approach also allows an organization to transition to a more secure and integrated system as gradually as they like.

Sound good? Implementing the Identity-as-a-Service model can yield tremendous benefits, but as with any approach it is important to know what questions to ask to help determine whether IDaaS, and which vendor, is right for your organization. Unique to the identity management space, IDaaS vendors have diverse backgrounds, and how they approach a solution reflects their primary experience in either physical or logical access, or ideally, both. Thus, there is a great deal of variance between the focus, features and completeness of their solutions. As organizations evaluate the respective capabilities of IDaaS vendors, it is critical to map the capabilities of each to the organization’s requirements. It is equally important to determine which processes the organization is best suited to manage in-house compared to those that are desirable to outsource. Areas such as policy still need to be crafted in-house to align with compliance or internal needs, as do workflows that support defined lifecycle processes, and even the decision of which features to enable.

Below are some key points for vendor consideration in the core capability areas of IDaaS vendors.

Bureau

Personalization: Increasingly, IDaaS vendors offer a way for organizations to “outsource” the mass personalization of their ID badges to a vendor, where they print, encode, etc. This is particularly useful where scaling equipment, resources and time itself is a prominent factor. Considering the internal costs, it can actually be less expensive with higher quality.

Consideration: Decide if an initial one-time batch is required or an ongoing full service, e.g., for remote users where the vendor mails the credential on the organization’s behalf.

Encoding: Regardless of who personalizes the card, the proper building access codes (the card data formats the access control system expects) need to be programmed. Some vendors have this capability across a wide variety of vendor formats, while some are limited.

Consideration: Investigate whether the vendor supports all of an organization’s required formats. Additionally, since most organizations rent office suites, go through acquisitions and inherit infrastructures and formats along with them, qualify that a vendor has the intention and capability to offer new formats should the need arise. A service will not make sense if it is not flexible or compatible, or if it locks in the customer.

Interface: Organizations need to think about how users will be enrolled, and how attributes will be provided to the service vendor.

Consideration: If it is just a one-time batch, various methods can be undertaken that are acceptable to both parties. If it is ongoing, then efficient workflows and assurances of secure transfer and storage must be confirmed.

Hybrid Services: Does the IDaaS vendor offer additional flexibility to produce credentials onsite?

Consideration: Some hosted bureau services can both personalize cards at their location and offer on-site printing, which together make a fully virtualized solution that provides both full service and on-demand capabilities.

Logical Access

Hosted or managed on-site: What pieces will be installed onsite or at the vendor’s?

Consideration: It can be nearly all or a mix of either.

Multi-tenant or dedicated: Will your data be on the same servers as the vendor’s other customers? This is not necessarily a security consideration if data is properly secured.

Consideration: Shared models are much less expensive as other customers help share the cost. Dedicated instances are generally more expensive but may provide additional flexibility for features and management, and have the ability to be “owned” if inclined to move it onsite later.


Software: At a minimum some client, applet, or other software may be required for devices. Will the vendor provide this as part of the service?

Consideration: Some devices do not require software, but management processes may.

Authoritative source: Since physical and logical systems have been disparate, a decision will need to be made as to which is the most appropriate to pull user data from.

Consideration: Physical access systems may have many users in their system that do not have computer access, or may be using a nickname that does not align with IT systems. Conversely, IT has many remote users that may not even have building access. Generally, IT is the better-suited source, as identity there is far more structured, managed and able to be technically integrated into another application, as it has been with other applications for years. Ultimately, an organization will need to decide who owns identity, and be prepared for many not knowing that answer.

Integration: Applications, computers, Certification Authorities, directories and IDMSs may be in scope.

Considerations: Does the vendor provide integration for the system that you have, and does that integration support the functions that you require?

Life-cycle Management: Capabilities for addressing lost or locked cards, secure remote activation processes, PIN resets, and bulk import tools for user data are all items to address.

Considerations: It is most effective to first understand the capabilities and scale that are required, then look at policy and use cases.

Certification Authority: Performing certificate-based authentication requires PKI certificates to be issued through a certification authority, which is highly complex even for the most sophisticated organizations.

Considerations: Will the vendor provide the CA and certificates as part of the cost, will it be hosted, or will you need to build your own and integrate it into their service? Regardless, control over certificate profiles, the ability to change them, or even ownership of the OCSP responder may be a requirement.

Key Management: All smart cards have keys, and sometimes several different ones. Having keys that are unique, secure and recoverable requires a high degree of expertise and cannot be taken lightly.

Considerations: Which keys are managed? Are they securely stored in a certified HSM (Hardware Security Module)? Are standards such as GlobalPlatform used? Are certificates escrowed? How is key history handled? Are they manufacturer keys, or is a key ceremony being performed?

Aside from these core components that may be included in a service, there are other important considerations:

- Security & Compliance: It is still up to you to ensure how the vendor maintains and implements proper controls of their environment. What type of transparency do they offer regarding their processes, policies, personnel, and architecture?

- Compliance: Will they allow your organization to be audited to assist with compliance reports?

- Certifications: Have they obtained any recognized certifications like SAS70 or others?

- Standards: Do they conform to any recognized standards generated from independent bodies?

- Assurance Levels: Do they produce a credential that will meet the auditability requirements that you need to adhere to, such as PIV, PIV-I, Medium Hardware, or a customization based on those standards?

- Authentication: Will authentication still happen inside your infrastructure or in the service environment?

- Logs and events: What events will you need to track, and are you able to access reports that are useful?

- Service Level Agreements: What is the uptime guarantee and what are the measures for disaster recovery?

- Data Center: Are they hosting from their office or a proper full-scale operation? Are there sufficient controls, multiple power lines and backup for contingencies in place?

- Pedigree: Ultimately, what is the background of the management and personnel? Have they done this before, so that this is just an evolving SaaS model for them, or is this a new technology venture for them?

The market for Identity-as-a-Service is still early in its evolution, but there are already a wide variety of vendors with excellent capabilities. Some even provide, collectively, more capabilities than an in-house solution, and certainly a more “complete” offering. Selecting the right solution will depend on whether their scope of capabilities, philosophy about security and credential management, and pedigree are the right fit for your organization.

For further information email [email protected] or visit www.idondemand.com
