
Issue 14, Volume 1
February 2010

KMI MEDIA GROUP
Access for the Future


The Pentagon Force Protection Agency is evaluating
high assurance and efficient throughput electronic
capabilities for physical access to the building.

Late last year, the Pentagon Force Protection Agency (PFPA) issued a request for information on industry capabilities for a physical access control system (PACS) at the Pentagon. That system is being procured in order to make the massive structure’s physical access system compliant with FIPS 201-1, a standard published in March 2006 by the National Institute of Standards and Technology on personal identity verification (PIV) of federal employees and contractors.

A PACS is an information technology infrastructure that allows for the electronic verification of employees entering a facility with a physical credential such as the Department of Defense’s Common Access Card (CAC). A PACS is powered by a server database that includes a comprehensive compendium of the identities of CAC holders, their authentication data, and their levels of access privilege, as well as the capability of running a suite of authentication functionalities required by the PIV standard.

The Department of Defense has been issuing CACs to the defense community as the standard identification card for logical access to computer systems for some time. In 2004, the White House issued Homeland Security Presidential Directive (HSPD) 12, which required all federal agencies to begin a program of issuing high assurance verification cards to all employees for both logical access to federal computer systems and physical access to facilities. The requirements of HSPD 12 have been widely interpreted as requiring a biometric identifier, such as fingerprint or facial recognition or an iris scan.

DoD now uses the CAC as the exclusive mechanism for access to department computer systems. The idea now is to apply the CAC to physical access to the Pentagon. Numerous DoD facilities both stateside and around the world have already made that transition or are in the process of doing so.

The department has issued two versions of the CAC thus far, neither of which is fully PIV compliant. The key feature added to the updated card, known as CAC-Next Generation (CAC-NG), was the ability to be read in a contactless environment, through wireless transmission, as opposed to a physical swipe through a reader. A significant proportion of Pentagon employees still use the original CAC, so the Pentagon’s PACS will need to support both legacy CAC usage and the fully PIV-compliant CAC, termed CAC-End Point (CAC-EP), once that is issued.

The PACS the Pentagon is seeking would be configurable, allowing administrators to step up from lower-assurance verification techniques, such as two-factor authentication consisting of a personal identification number (PIN) and biometric verification, to higher-confidence, additional authentication mechanisms as needed. Additional factors may include PIN entry or public key infrastructure certificate authentication to further substantiate the card’s authenticity and the cardholder’s identity and privilege status.

“We are focusing on the highest level of assurance we can obtain while maintaining throughput that allows over 20,000 people to enter the building on a daily basis,” said Scott Bailey, acting chief of the PFPA’s Access Control Division.

“We have gone to industry to determine what capabilities are out there, who is integrating with what, what services organizations are able to provide, and what level of expertise they demonstrate,” he added.

The PFPA received answers in late December 2008 and is now in the process of scoring them in an effort to determine which organizations can provide the services it is looking for. “Eventually, we will be putting products on a bench to test them with the infrastructure we have at the Pentagon,” said Bailey. “We want to see if they are successful once we put them in a live environment.”

BIOMETRIC VERIFICATION

Bailey foresees an eventual Pentagon entry system that will include some form of biometric verification in addition to the presentation of the CAC. “Biometric technologies provide faster throughput and have been shown to be over 99 percent accurate,” he said. “They are also less obtrusive to the customer. They don’t have to do a lot of fumbling when they come into the Pentagon.”

For the moment, the PFPA appears to be favoring iris scanning as the biometric component of entry authentication, although it is also considering hand-scanning and face-recognition systems. “Iris-detection technology can sense an eye 4 to 6 feet away,” Bailey said.

The PFPA would also prefer technologies that work within its existing infrastructure. “But that doesn’t have to be the case,” Bailey added. “We want to see how fast we can get people in with assurance. If we can’t do that with our present infrastructure, we will work through that problem. But right now we are focusing on the money we’ve already invested in our systems.”

One advantage of the Pentagon’s proposed system is that it can use the cards already issued for logical access for physical access purposes. “New data can be encoded to the card to provide physical access to the registered card holder,” said Lars Suneborn, director of government programs at Hirsch Electronics.

Hirsch manufactures card readers that have already been installed to read PIV-compliant identity cards at several DoD installations, including Wright-Patterson Air Force Base, Ohio, where more than 100 readers have been installed, as well as several locations in Hawaii, including Pearl Harbor Naval Base.

The transition of the DoD CAC from logical access to include physical access—and more so, the implementation of PACS that facilitates that process—involves several shifts to the existing security paradigm. One is that entry credentials are verified electronically, instead of a visual inspection by a security guard as the cardholder flashes a CAC upon entry.

“On many military bases even today, you show a card that is not digitally authenticated, or you have a decal on your car,” said Robert Brandewie, senior vice president of identity and security solutions at Telos. “Digital authentication makes sure that it is a proper card, that the registered cardholder has valid privileges, and that the person who is presenting the card is the registered user of that card.”

Another aspect of the security paradigm shift is that the use of a common credential involves an enterprise solution to the problem of identity verification. “Many facilities still issue installation passes,” said Brandewie. “That is not an enterprise approach to access.”

Yet another change that comes with electronic verification is the ability to set multilayered access privileges. “Just because you have a CAC doesn’t mean you have access to every facility in DoD or every building on a base,” said Brandewie. “With electronic verification systems you can grant privileges at a granular level, and that is a big leap from the current situation.”

Because a PACS is configurable, the system could establish “concentric circles of security,” explained Paul Townsend, director of defense and intelligence programs at CoreStreet. “At the entry point, the system might verify that the card is valid and not compromised. Further in, the system could check the card’s control certification and perform a biometric verification. At an even higher level of security, the system might require the entry of a personal identification number to get into the most sensitive areas of a building.”

SECURITY CONVERGENCE

The introduction of the use of CACs for physical access involves the convergence of the physical and logical security worlds. “In many environments, these two aspects of security exist in two separate worlds,” said Todd Freyman, vice president and general manager of physical access products for CoreStreet, a developer of credential infrastructures and applications. “Logical access is handled by the IT community and physical access is handled by a whole separate organization. What we are seeing now is a convergence between the logical and physical security concepts, and we will be seeing benefits of the two coming together.”

One of the benefits of this convergence is that organizations can more easily develop an enterprise perspective on risk management, added Freyman.

Another benefit is that strong identity validation and high assurance of card legitimacy will be brought to bear on physical access to DoD facilities. Even in some facilities that have electronic access controls, all the reader does is match the card serial number against a database of legitimate card numbers. “That is by no means strong authentication,” said Freyman.
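The “concentric circles of security” Townsend describes and the weak serial-number match Freyman contrasts them with can be modelled as a small zone policy. The following is an added example written for this article, not code from PFPA, CoreStreet or any PACS vendor; zone names, serials and the card fields are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

# Assurance levels, lowest to highest, mirroring the concentric circles.
class Assurance(IntEnum):
    SERIAL_ONLY = 0    # reader matches the card serial against a list (weak)
    CARD_VALID = 1     # card certificate verified and not revoked
    CARD_BIO = 2       # CARD_VALID plus a biometric match
    CARD_BIO_PIN = 3   # CARD_BIO plus the cardholder's PIN

@dataclass
class Card:                    # constructed stand-in for a CAC
    serial: str
    cert_signature_ok: bool    # certificate chains to the issuing CA
    revoked: bool              # revocation status from the issuer
    bio_template: str          # stand-in for a stored fingerprint/iris template
    pin: str                   # on a real PIV card the PIN is checked on-card

@dataclass
class Presentation:
    card: Card
    live_bio: Optional[str] = None
    entered_pin: Optional[str] = None

# Constructed sample data: enrolled serials and the assurance each zone needs.
ENROLLED_SERIALS = {"CAC-0001", "CAC-0002"}
ZONES = {"legacy_door": Assurance.SERIAL_ONLY, "entrance": Assurance.CARD_VALID,
         "wing": Assurance.CARD_BIO, "vault": Assurance.CARD_BIO_PIN}

def assurance_reached(p: Presentation) -> Optional[Assurance]:
    """Highest assurance level this presentation satisfies, or None."""
    if p.card.serial not in ENROLLED_SERIALS:
        return None
    level = Assurance.SERIAL_ONLY
    if not (p.card.cert_signature_ok and not p.card.revoked):
        return level           # serial matched, but the card itself is not valid
    level = Assurance.CARD_VALID
    if p.live_bio != p.card.bio_template:
        return level
    level = Assurance.CARD_BIO
    if p.entered_pin == p.card.pin:
        level = Assurance.CARD_BIO_PIN
    return level

def grant(zone: str, p: Presentation) -> bool:
    """Admit only if the presentation reaches the zone's required assurance."""
    reached = assurance_reached(p)
    return reached is not None and reached >= ZONES[zone]
```

A revoked card whose serial is still in the database passes the serial-only door but is stopped at the first zone that actually validates the card.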

The consolidation of the physical and logical access functions in one master system could also bring about the coordination of physical and logical access privileges. These capabilities have not been brought to the marketplace yet, said Suneborn, but should be available in the near future.

“Entry into a building with electronic verification could automatically send out a unique identifier to the logical access system so that person can log on,” he explained. “When that person leaves the building, the account would be disabled and an external account enabled.”

Such a scheme would also prevent someone who legitimately entered a building with his own card from accessing another person’s computer using that person’s card, if the second person is not present in the facility.
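The presence-coupled account scheme Suneborn outlines, including the case of a card used at an inside workstation while its holder is not in the building, as an added example written for this article (not Hirsch’s or any vendor’s code); the event format and holder IDs are constructed.

```python
from typing import Dict, List, Set, Tuple

# Constructed PACS event stream (hypothetical format): time, holder id, event.
PACS_EVENTS: List[Tuple[str, str, str]] = [
    ("08:01", "HOLDER-A", "entry"),
    ("08:05", "HOLDER-B", "entry"),
    ("09:30", "HOLDER-B", "exit"),
    ("09:40", "HOLDER-B", "exit"),   # second exit with nobody inside: anomaly
]

class PresenceGate:
    """Ties building presence (from the PACS) to logical-account state."""
    def __init__(self) -> None:
        self.inside: Set[str] = set()
        self.anomalies: List[str] = []

    def apply(self, time: str, holder: str, event: str) -> None:
        if event == "entry":
            if holder in self.inside:   # anti-passback: card already inside
                self.anomalies.append(f"{time} {holder} re-entry while inside")
            self.inside.add(holder)
        elif event == "exit":
            if holder not in self.inside:
                self.anomalies.append(f"{time} {holder} exit while not inside")
            self.inside.discard(holder)
        else:
            raise ValueError(f"unknown event {event!r}")

    def account_state(self, holder: str) -> Dict[str, bool]:
        # Internal account is live only while the holder is in the building;
        # the external (remote) account is enabled the moment they leave.
        present = holder in self.inside
        return {"internal": present, "external": not present}

    def logon_allowed(self, holder: str, origin: str) -> bool:
        """origin is 'internal' (workstation inside) or 'external' (remote)."""
        return self.account_state(holder).get(origin, False)

def replay(events: List[Tuple[str, str, str]]) -> PresenceGate:
    gate = PresenceGate()
    for time, holder, event in events:
        gate.apply(time, holder, event)
    return gate
```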

In another vein, electronic access systems could also reduce manpower costs, according to Brandewie. “The introduction of automated gates to recognize these credentials could reduce the required dedicated manpower stationed at those gates while keeping security high,” he said. “I envision a system in which a person pulls up to a gate, the system reads the data wirelessly on the CAC chip, and asks the user for a PIN. Upon entry of the PIN, the gate opens without a guard necessarily having to be involved.”

ELECTRONIC ELEMENTS

Any PACS the Pentagon might acquire would have to include or interact with a number of key electronic elements. One is the Defense Biometrics ID System (DBIDS), which Telos is under contract to help implement. “DBIDS helps jumpstart the change in paradigm by facilitating digital multifactor authentication,” said Brandewie. “It has been widely deployed in DoD.”

DBIDS is the largest physical access system in DoD, providing theaterwide physical access for nearly 2 million base workers and visitors in Europe and Asia. The system is soon to be deployed at 4,700 bases worldwide.

“DBIDS uses existing DoD-issued identification credentials, including digital photos and digital fingerprints, drawing on some of the largest stores of biometrics data used in the department,” said Brandewie. “It is scalable to cover a building, installation or entire theater of operations. It is a rules-driven system that is configurable by local authorities to meet their business rules for access, allowing the level of authentication to vary by threat level or at the local commander’s discretion.”

The PACS would also need to be equipped with software that makes possible the validation of cards and cardholders and their privileges. CoreStreet develops software libraries of this kind, which it licenses to leading manufacturers of physical access systems. CoreStreet has also developed a handheld device that is being used to validate CACs, both the legacy card and next generation variety.

PACS has been deployed in commercial environments, but systems to be implemented by DoD must meet more stringent standards. “The systems we see in the government are designed with a robustness seldom seen on the commercial side,” said Suneborn. “The system must be hardened and self-supervising, to detect attempts of covert manipulation to surreptitiously obtain physical access.”

To be deployed in a DoD environment, the PACS application must also be able to adequately protect personnel and other information stored and maintained within the PACS itself. “This means it must operate on servers hardened and locked down to satisfy DoD and Federal Information Security Management Act policy,” said Suneborn. “This includes completion of a scored certification and accreditation process. Commercial systems are usually not exposed to these requirements.”

The PACS system must be able to process multiple credential formats, Suneborn added, as well as perform different multifactor authentication processes such as presentation of the card and entry of a PIN or presentation of the card with biometric verification. Although the CAC is not yet fully PIV compliant, Townsend noted, “DoD is far ahead of the rest of the government simply because it has smart cards out there already that are mandated for logical access.”

FUTURE CARD TECHNOLOGY

A fully PIV-compliant CAC is currently under beta testing and is expected to be issued soon by the Defense Manpower Data Center (DMDC). CAC-EP will have the same functionality and visual and electronic data elements—biometrics, digital certificates and related data containers—as the CAC-NG, but will also be fully interoperable with all federal agencies. The CAC-NG can be field updated to contain the PIV Authentication Certificate and key pair and other functionality to be included in the CAC-EP.

“Future card technology will allow continuing improvements to the verification systems and allow planners a lot more options,” said Brandewie. “The introduction of biometrics in multifactor authentication and coupling the cards with other technologies like radio frequency identification to make for contactless card reading will make the future physical access systems much more sophisticated than legacy systems and will improve the efficiency of base access.”

“Soon PACS will be connected to agency central card and ID management systems as well,” said Suneborn. “This will provide a high level of confidence that the person requesting access to physical or logical assets is indeed presenting a valid and authentic ID credential.”

As far as work on the Pentagon’s future system goes, that is still a “work in progress,” according to PFPA’s Bailey.

“The timelines are still open, but we intend to make some notable progress this year,” he added. “We are still transitioning from the existing building pass to the CAC for physical access. As the CAC is being ramped up to accommodate biometrics, we’ll have to see if we can make these new developments interoperable with our existing system or whether we are going to have to purchase a new system. It will all be based on throughput and performance.” ♦
