May 2018

Posted by ymassard@hidglobal.com

The Securing Federal Identity event will take place in Washington, D.C. on June 5-6, 2018. This event is a great opportunity to hear from government and industry experts about the latest trends in digital identity and how they affect federal agencies.

HID Global is privileged to again be a Platinum sponsor of this event. HID will have experts on hand to walk you through our industry-leading secure identity solutions and to offer a sneak preview of some newer solutions that are still under wraps.

Some of the topics we will cover include:

  • FIPS 201 compliance, including Derived PIV Credentials so mobile users can securely access applications
  • How to implement support for the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program, including the recently defined BOUND-P capability
  • How to deploy enterprise visitor management, including innovative visitor cards that behave like a PIV card but don't require issuance infrastructure
  • How agencies can provide secure, convenient and cost-effective authentication to citizens and comply with SP 800-63
  • Trusted individual certificates, as well as Medium Device Hardware assurance, so you can securely interact with people who are not eligible to receive a PIV card

We will also preview and demonstrate upcoming innovative solutions that can augment or replace PIV cards:

  • Mobile credentials with the breadth of capabilities of a PIV card, but consumed over a convenient Bluetooth connection
  • Continuous behavioral authentication that verifies in real time that the right person is accessing your applications
  • FIDO2 authenticators, and the result of our partnership with Microsoft

Register now, and visit us to see our demos.

And if you're not going to Securing Federal Identity this year, we're sad to miss you, but we will be posting on Facebook, LinkedIn and Twitter throughout the show, so stay tuned! You can also find more information about our identity management solutions here.

Posted by harrehed

As the General Data Protection Regulation (GDPR) takes effect this week (May 25), we reflect on how mobile access customers, who let users open doors with their phones as a "key", have been adapting and becoming compliance-ready for months. User data is, of course, used in cloud-based mobile access to connect individuals' phones (and their identities) to the back end of the physical access control system.

Considering that millions of doors are opened every hour in every country, mobile access is one of the most relevant innovations of the connected, digitized 21st century. It combines strong security with the convenience of a mobile-first lifestyle that millions of people all over the world have already adopted.

At the center of the connected architecture, enterprise customers are increasingly demanding that data is securely collected, stored, retrieved and "forgotten" on request. It is therefore important to ensure that the mobile access service in use is GDPR-ready, including Privacy Shield certification for data transfers to the U.S.

Users now expect secure, reliable and consistent services built on best practices in information security and privacy. Over the years, we have invested considerable time, effort and resources in the processes and procedures needed to bring the HID Mobile Access service to this level. This blog post aims to simplify the connection between mobile access and GDPR and to provide useful, relevant information.

As a leader in mobile access, HID Global has identified four major things that existing and future customers need to know. And we don't just talk the talk; we also walk the walk: we are taking concrete steps to ensure that HID Mobile Access meets the European Union (EU) GDPR requirements.

[1] Mandate for Personal Data Transfer from the EU to the U.S.

GDPR requires that an adequate transfer mechanism is in place in order to facilitate the transatlantic transfer of personal data from the EU to the United States for commercial purposes. 

To meet this requirement, HID Mobile Access is certified under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks, designed by the U.S. Department of Commerce together with the European Commission and the Swiss Administration. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/ or see HID's Privacy Shield Statement.

[2] Privacy Must Be Protected

GDPR enables EU residents to exercise greater control over how their data is used and how they raise complaints, even if the data subjects are not in the country where their data is being stored or processed.  Along this line, the privacy practices that the HID Mobile Access service employs have been updated to align with GDPR and Privacy Shield Frameworks. 

Available on the HID Mobile Access portal, the new privacy policy has been in effect since February 2018 and was recently updated to simplify the language and make it easier to understand what personal information we may collect, why it is collected, and your rights with regard to that information. Furthermore, we performed a Data Protection Impact Assessment of the Mobile Access solution to identify and mitigate privacy risks.

[3] Customer Data Must Be Secured

Keeping customer data secure is of the highest priority. HID conducted a Mobile Access Data Inventory covering every collected data element, along with the roles and responsibilities, data retention periods and security controls that apply to it.

Over the last year, we have updated our Security Incident Management Process, implemented new alert and notification procedures, and introduced new routines for maintaining HID Mobile Access Portal administrator accounts. Furthermore, the HID Mobile Access application and the HID Mobile Access Portal are penetration-tested every year. Like any leading technology company, we will continue to conduct risk assessments and improve the confidentiality, integrity and availability of our mobile access service.

[4] The Right to be Forgotten

Under GDPR, individuals have the right to request the deletion or removal of personal data when there is no longer a compelling reason for its continued processing. To ensure that our HID Mobile Access customers remain in control of the personal data we process on their behalf, we have updated our procedures to better assist customers in complying with data subject requests.

Taking these steps toward meeting the requirements of the GDPR demonstrates our commitment to providing secure, reliable and consistent services to our customers.

For more information about HID Mobile Access, click here.

Posted by kwalker

It has been clear for years that passwords alone are not enough to protect your company's assets, networks, applications and data. In fact, Verizon's 2017 Data Breach Investigations Report found that 81% of hacking-related breaches involved stolen or weak passwords. With the number of breaches increasing every year, and the cost and consequences of those breaches also on the rise, the time to act is now.

Multi-factor authentication is essential in today's environment. It increases security by requiring two or more independent "factors" to verify that the person asking for access is who they say they are. These factors are something you have (a smart card, or a mobile credential carried on a smartphone or other mobile device), something you know (such as a PIN), and something you are (biometrics).

More and more companies are subject to compliance regulations, and strong authentication with corresponding audit trails is a common requirement. The European Union's PSD2 regulation for financial institutions and the GDPR privacy requirements for citizens are two examples. Other parts of the world are not immune: most companies will be affected by GDPR as well as by their own governments' initiatives, such as HIPAA for healthcare in the US.

One proven method of deploying multi-factor authentication for employees is the hardware token. For the employee, this is often a small, handheld device that calculates a time-bound string of digits used as a one-time password (OTP). The user enters this passcode (proving something they have) plus a PIN (something they know) to prove their identity to the asset they want to access. Behind the scenes, the submitted OTP is compared with the value calculated by a back-end authentication platform from the same inputs: the token's secret authentication key, the clock or event counter, and the same algorithm. If the OTPs match, the user gains access, and that event is logged in the platform's audit trail.
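The verification flow described above, as an added Python example that is not HID's code and does not represent any HID product: it implements the two standard OTP algorithms hardware tokens use (RFC 4226 HOTP for event-counter tokens and RFC 6238 TOTP for clock-based tokens), and a hypothetical back-end that checks PIN plus OTP, tolerates clock drift and missed button presses with a bounded window, refuses to accept any counter or time step twice, and records every attempt in an audit trail. The seed is the RFC test key, and the user names and PINs are constructed; the PIN storage format is an assumption.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Constructed demo seed: the RFC 4226 / RFC 6238 test key ("12345678901234567890"),
# used only so the output can be checked against the published vectors. Not a real secret.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Hypothetical PIN storage: PBKDF2-SHA256 with a per-user salt (never store the PIN itself).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class TokenRecord:
    secret: bytes
    salt: bytes
    pin_hash: bytes
    mode: str          # "totp" (clock-based token) or "hotp" (event-counter token)
    counter: int = 0   # lowest counter / time step that may still be accepted
    digits: int = 6


class AuthServer:
    """Hypothetical back-end: holds token seeds, verifies PIN + OTP, keeps an audit trail."""

    def __init__(self, step: int = 30, totp_skew: int = 1, hotp_lookahead: int = 5):
        self.step, self.totp_skew, self.hotp_lookahead = step, totp_skew, hotp_lookahead
        self.tokens = {}   # user -> TokenRecord
        self.audit = []    # (unix_time, user, success, reason)

    def enroll(self, user: str, secret: bytes, pin: str, mode: str = "totp") -> None:
        salt = os.urandom(16)
        self.tokens[user] = TokenRecord(secret, salt, hash_pin(pin, salt), mode)

    def _candidates(self, rec: TokenRecord, now: int) -> range:
        if rec.mode == "totp":                       # tolerate +-skew steps of clock drift
            cur = now // self.step
            return range(cur - self.totp_skew, cur + self.totp_skew + 1)
        return range(rec.counter, rec.counter + self.hotp_lookahead + 1)  # missed presses

    def authenticate(self, user: str, pin: str, otp: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        rec = self.tokens.get(user)
        if rec is None:
            self.audit.append((now, user, False, "unknown token"))
            return False
        pin_ok = hmac.compare_digest(hash_pin(pin, rec.salt), rec.pin_hash)
        matched = None
        for c in self._candidates(rec, now):
            # Every candidate is evaluated (no early exit), and a counter or time step
            # at or below the last accepted one is never reused, so a captured OTP
            # cannot be replayed within the window.
            if c >= rec.counter and hmac.compare_digest(hotp(rec.secret, c, rec.digits), otp):
                matched = c
        ok = pin_ok and matched is not None
        if ok:
            rec.counter = matched + 1                # burn this step and everything before it
        reason = {(True, True): "ok", (False, True): "bad pin",
                  (True, False): "bad or replayed otp",
                  (False, False): "bad pin and otp"}[(pin_ok, matched is not None)]
        self.audit.append((now, user, ok, reason))
        return ok


if __name__ == "__main__":
    srv = AuthServer()
    srv.enroll("alice", DEMO_SEED, "1234", mode="totp")
    code = totp(DEMO_SEED, 59)
    print("first use:", srv.authenticate("alice", "1234", code, now=59))
    print("replay:   ", srv.authenticate("alice", "1234", code, now=61))
    for entry in srv.audit:
        print(entry)
```

The window and the one-use rule bound replay, not relay: a code that is only compared server-side can still be phished in real time and forwarded within its validity period, which is why the audit trail should carry the source of each attempt as well as its outcome.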

Hardware tokens have been around for decades, and they are still a popular choice for many organizations. The user experience is familiar to the workforce, and the tokens themselves last a long time. Tokens have also evolved beyond the standard keyfob form factor: there are options that fit in a wallet, that are rugged enough for field operations, and that accommodate and assist the visually impaired. But there is more to it than that.

Want to learn more? We recently released an infographic that outlines some of the reasons why tokens are still a popular choice in 2018. Download it here. For more information about our token portfolio, visit our product page.