As 2014 is well underway, there are a handful of core trends that I believe will have the greatest impact on the secure identity industry this year. These trends include:
The industry is quickly moving beyond static, proprietary access control architectures to more secure, open and adaptable solutions that support the customers’ desire for new products and technologies that enable their business.
As the security landscape continues to evolve in new and complex ways, progressive organizations and thought leaders are adopting a new attitude about change. Proactively making changes today will ensure that an organization’s access control solution can adapt to future threats and take advantage of opportunities and applications beyond access control. Future high-value applications might range from cashless vending, time and attendance, and secure print management to secure network logon as part of a fully interoperable, multi-layered security solution across company systems and facilities. By using solutions that are based on industry standards such as OSDP bidirectional communications, and incorporating dynamic rather than static technologies, security becomes independent of hardware and media, and the infrastructure can more easily evolve beyond current abilities with the adaptability to combat continuously changing threats.
Integrating physical access control with IT security will bring new benefits while changing how organizations operate.
Historically, physical and logical access control functions were mutually exclusive within an organization, and each was managed by different groups. Now, however, the lines between these groups are beginning to blur. Organizations want to provision physical access control system (PACS) and IT identities on a single card (or smartphone) that can be used to open doors and log on to computers, and for other applications. This will create a seamless user experience when securing doors, data and the cloud, and improve how organizations create, use and manage identities across many different applications on both smart cards and smartphones. Users will also soon be able to carry many types of access control credentials as well as one time password (OTP) tokens on a single microprocessor-based smart card or smartphone.
Strong authentication will continue to grow in importance in the face of a rapidly changing IT security threat environment – and will also move to the door.
The industry is moving beyond simple passwords to additional authentication factors including something the user has (such as a mobile or web token) and something the user is (via biometrics or behavior-metrics). While the industry is replacing hardware OTPs with software tokens that can be held on such user devices as mobile phones, tablets and browser-based tokens, there are security vulnerabilities with this approach. A far more secure strong authentication alternative is multi-application credentials that can be carried on smart cards or smartphones. Users will simply take the same card (or phone) they use for building access and tap it to a personal tablet or laptop for authenticating to a VPN, wireless network, corporate intranet, cloud- and web-based applications, single-sign-on (SSO) clients and other IT resources. We will also see increasing adoption of other authentication factors including biometrics as well as gesture technology.
Strong authentication will increasingly be implemented using a multi-layered strategy.
Today’s strong authentication solutions increasingly will be used to secure everything from the door, to data, to the cloud. They will deliver multifactor authentication capabilities for the most effective threat protection, as part of a multi-layered security strategy. In addition to multi-factor user authentication as the first layer of security, both inside the firewall and in the cloud, there are four other layers to implement, including authenticating the device, the channel, the transaction and the application. Effectively implementing these five security layers requires an integrated and versatile authentication platform with real-time threat detection capabilities. Used in online banking and ecommerce for some time, threat detection technology is expected to cross over into the corporate sector as a way to provide an additional layer of security for remote access use cases such as VPNs or Virtual Desktops, and in the healthcare space, for online records access.
Mobile access control will continue to roll out in stages.
During 2014, we expect to see the first phases of mobile access deployments in which smartphones will function similar to that of a card transaction today, with limitations due to technology and business ecosystems. In subsequent phases the phone’s on-board computing power and multimedia capabilities will be leveraged overcome limitations and provide a more functional and rich user transaction and experience. Looking forward further, the connectivity of smartphones will be used to perform most tasks that today are jointly executed by card readers and servers or panels in traditional access control systems. This includes verifying identity with rules such as whether the access request is within a permitted time and, using the phone’s GPS capability, whether the person is actually in the vicinity of the door. The user can then be validated using a cloud application and granted access via a trusted message over secure communication to the door.