
Wednesday, November 2, 2011

Converged Physical and Logical Access for the Enterprise

What is converged physical and logical access? Simply put, it's the ability to use one credential (USB token, smart card, smart phone, etc.) to gain access both to the buildings where we work and to the computers and networks we use to do our jobs.

In 2005, NIST published FIPS 201, the Personal Identity Verification (PIV) standard, to satisfy Homeland Security Presidential Directive 12 (HSPD-12), "Policy for a Common Identification Standard for Federal Employees and Contractors." PIV defines how Government employees and contractors must prove their identity in order to receive a PIV Card, what information must be collected about them, and how that information is formatted and stored on the card (the card interface and data model are spelled out in the companion NIST SP 800-73).

The Smart Card Alliance has just published a draft document on the Commercial Identity Verification (CIV) credential, a first attempt at a PIV equivalent for the Enterprise. The document is entitled "The Commercial Identity Verification (CIV) Credential – Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You?". While there is a long way to go before CIV becomes an official standard, it borrows heavily from the PIV technical specifications (card edge, data model and cryptographic algorithms) and differs significantly on the policy side: there is no government trust framework behind a CIV card, so each organization defines its own identity-proofing, issuance and revocation policies to meet its business requirements, and the card is trusted only as far as the issuing organization's policy reaches.

The benefits to the Enterprise of adopting a CIV (or PIV) credential:

- Broad-based platform support. PIV drivers are built into Windows 7, Windows Server 2008 R2, Mac OS X 10.5+ and the BlackBerry Smart Card Reader, and OpenSC provides a PKCS#11 module that Mozilla products and other applications can use.
- Increased logical security. Certificate-based logon is stronger than a username and password: the private key is generated on the card and never leaves it, the card will not use the key until the cardholder enters the PIN, and each logon signs a fresh challenge, so a captured logon cannot be replayed and there is no password to phish or guess.
- Increased physical security. Most proximity-based physical access control systems deployed today emit a fixed identifier that can be read and duplicated with inexpensive equipment. A PIV card authenticates by signing the reader's challenge with a private key that never leaves the card, and that cannot be duplicated the same way. The caveat is that this holds only when the PACS actually performs the challenge-response (Card Authentication Key, or CAK, authentication); a reader that merely reads the free-read CHUID or FASC-N over the contactless interface is checking a static value that can be recorded and replayed just like a prox card ID.
- Consolidated control over a user's access. Today users are issued separate credentials by multiple systems (PACS, Active Directory, etc.), each of which has to be managed through its own infrastructure and interface. With one credential, provisioning and, more importantly, revocation happen in one place.
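To make the second and third points concrete, here is an added example (it is not code from the original post or from the CIV paper) that models the three kinds of reader decision in Go: a prox badge reader and a CHUID-only PIV reader compare static bytes, while a CAK-capable reader verifies an on-card signature over a fresh challenge. The card, readers, prox ID and CHUID bytes are constructed stand-ins; the CAK is an ECDSA P-256 key (one of the algorithms SP 800-78 permits for the CAK), and the PIV GENERAL AUTHENTICATE command is reduced to a single sign-the-challenge call. An attacker records one pass of everything that crosses the air interface and replays it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PIVCard is a constructed stand-in for a PIV card: a free-read CHUID plus a Card
// Authentication Key (CAK) that never leaves the card. P-256 is assumed for the CAK.
type PIVCard struct {
	chuid []byte
	cak   *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func NewPIVCard(chuid []byte) *PIVCard {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return &PIVCard{chuid: chuid, cak: k}
}

// ReadCHUID: the CHUID is free-read over contactless, so anyone in range can record it.
func (c *PIVCard) ReadCHUID() []byte { return c.chuid }

// CAKPublic is what the PACS enrolls (in practice from the Card Authentication certificate).
func (c *PIVCard) CAKPublic() *ecdsa.PublicKey { return &c.cak.PublicKey }

// GeneralAuthenticate stands in for PIV GENERAL AUTHENTICATE in CAK mode: sign the challenge on-card.
func (c *PIVCard) GeneralAuthenticate(challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, c.cak, digest[:])
	must(err)
	return sig
}

// StaticReader is how a prox reader, or a CHUID-only PIV reader, decides: byte equality.
func StaticReader(enrolled, presented []byte) bool {
	return bytes.Equal(enrolled, presented)
}

// NewChallenge draws the random nonce a CAK-capable reader sends on every attempt.
func NewChallenge() []byte {
	nonce := make([]byte, 16)
	_, err := rand.Read(nonce)
	must(err)
	return nonce
}

// CAKReader accepts only a valid signature over this attempt's own challenge.
func CAKReader(enrolled *ecdsa.PublicKey, challenge, response []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(enrolled, digest[:], response)
}

// Outcome records which access decisions a skim-and-replay attacker wins.
type Outcome struct {
	ProxCloneAdmitted     bool // recorded badge ID replayed to a prox reader
	CHUIDCloneAdmitted    bool // recorded CHUID replayed to a CHUID-only reader
	RecordedResponseValid bool // the skimmed CAK exchange was itself genuine
	GenuineCAKAdmitted    bool // the real card answers a fresh challenge
	CAKReplayAdmitted     bool // the skimmed CAK response replayed to a fresh challenge
}

// RunScenario enrolls a prox badge and a PIV card, lets an attacker record one
// pass of everything on the air interface, then replays it against each reader.
func RunScenario() Outcome {
	// Constructed sample values: a real prox ID is facility code plus card number,
	// and a real CHUID is a BER-TLV object (FASC-N, GUID, expiry, issuer signature).
	proxID := []byte{0x01, 0x23, 0x45}
	card := NewPIVCard([]byte("CHUID{FASC-N,GUID,20161231,issuer-signature}"))
	pacs := card.CAKPublic() // enrolled once, when the card is registered

	// Skimming phase: copy both static outputs and observe one CAK exchange.
	skimmedProx := append([]byte(nil), proxID...)
	skimmedCHUID := append([]byte(nil), card.ReadCHUID()...)
	oldChallenge := NewChallenge()
	oldResponse := card.GeneralAuthenticate(oldChallenge)

	// Replay phase: the CAK reader draws a fresh nonce, so the recording is useless.
	fresh := NewChallenge()
	return Outcome{
		ProxCloneAdmitted:     StaticReader(proxID, skimmedProx),
		CHUIDCloneAdmitted:    StaticReader(card.ReadCHUID(), skimmedCHUID),
		RecordedResponseValid: CAKReader(pacs, oldChallenge, oldResponse),
		GenuineCAKAdmitted:    CAKReader(pacs, fresh, card.GeneralAuthenticate(fresh)),
		CAKReplayAdmitted:     CAKReader(pacs, fresh, oldResponse),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with `go run` and the two static replays are admitted while the replayed CAK response is rejected, even though that same response verified against the challenge it was recorded under. The point for a deployment is in the reader, not the card: a PACS that enrolls the CAK public key and issues a fresh challenge per attempt gets the anti-cloning property; one that only matches the CHUID or FASC-N does not.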

I encourage you to read the paper on CIV.  If you have questions on any of these, please feel free to e-mail me.