Identity Management in Physical Security World
From IIW
Tuesday 2D
Convener: Rajesh Arukala
Notes-taker(s): Rajesh Arukala
Tags for the session - technology discussed/ideas considered:
Mobile Credential, Security Convergence, WebAuthn
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
- Discussion focused primarily on how user identity in the physical security and access control systems world differs from IT and online authentication, and on the current state of identity management in access control systems.
- Discussion on how centralized identity providers should also focus on physical security and access control systems.
- While authentication in the IT world is moving towards using devices (smartphones) and keys (U2F keys) as a second factor, physical security teams are considering replacing physical badges with mobile credentials that can be stored in devices such as smartphones and used to authenticate with Bluetooth/NFC-enabled readers to gain access to facilities.
- Mobile credentials and WebAuthn share some similarities in terms of how they work, based on the exchange of a pair of keys.
- Critical infrastructure facilities such as utilities, nuclear facilities, data centers, and banks require verifying access (authenticating and authorizing) in an incremental and layered approach: all the way from access to the physical perimeter to configuration changes to control systems within the facility.
- Discussed various methods (user behavior analytics) and technologies (density sensors, micro-location targeting) that can be used to verify identity where physical presence is mandatory to gain access to perform a specific critical function.
- Discussed various critical infrastructure breaches that resulted in loss of human lives.
- Expressed interest in forming an interest group to discuss these topics further.