
Physical Security Identity & Access Technology Report

  • ID: 4520749
  • Report
  • Region: Global
  • D6 Research

This research is intended for Global 2000 end users who are responsible for defining and operating physical security organizations. It aims to give them the capability to execute self-assessments, build detailed requirements, cross-map vendor selections against those requirements, and communicate projected outcomes to management with clarity. Acquiring these capabilities lets organizations take a more active role in the process, improving both the effectiveness of their security program and the longevity of the investments they choose to make.

The technology scope of the report is divided into four areas:

1. Traditional physical token credentials
2. Virtual, mobile, biometric credentials, and new concepts that leverage attribute data
3. Readers and client devices (traditional readers and IOT augmentation)
4. Infrastructure and dependencies that can inhibit interoperability and deployment (such as controllers, proxies, network and relative configurations, standards and capabilities) and therefore need to be considered

Every organization has assets, facilities that contain them, and doors that serve as a barrier to protect them. A few decades ago, a mass migration from keyed locks to magnetic stripe card readers took hold. Eventually, the availability of contactless RFID proved more convenient and rose to prominence.

Today access cards are generally thought of as a security function, but their original objective was to reduce the cost of replacing locks when keys went missing; at the design level, security was not considered at all. Placed in the context of physical security applications, their resistance to unintended use or to bad actors has proven extraordinarily weak, owing to their susceptibility to the simplest of exploitations and the lack of controls.

As customer expectations shifted from access cards (in place of traditional keys) to “security badges”, vendors applied layers of measures that allowed them to market existing access cards as security credentials without fundamentally changing the technology itself. Unfortunately, such layers were built on a foundation incapable of being secure, resulting in weak measures that generally left a customer’s entire card population compromised from the point of initial deployment.

Newer technologies based on the 13.56 MHz frequency endeavored to build on a platform that was capable of security; however, by and large, the techniques applied were rooted in obscurity, violating core security principles, and lacked independent third-party inspection and validation to confirm the viability of vendors’ claims. While most of the earlier 13.56 MHz technologies have since been compromised, newer ones are embracing improved development practices and are much more secure.

However, as applied to physical security, the industry still lacks standards for RFID technology (as an example, every technology with greater than 1% market share is proprietary). This presents customers with a significant challenge: because of the pervasive proprietary approach vendors originally employed to maintain channel loyalty and lock end users into their supply chain, customers’ environments have become badly siloed, with multiple cards and readers that are incompatible and costly to maintain. Newer technologies with deeper and more technical layers make this equation even more complex for customers to overcome.

This research has identified the primary contributing factors in a systemic, industry-wide deficiency: organizations fail to define better strategies, build more detailed requirements and make technology choices that result in mature security programs. Traditionally, end users defer to manufacturers and channel integrators for technical advice. Those parties are specialists, but commonly only within their established domains of building and deploying products. The vast majority lack experience building, operating and maintaining organizational programs (as their customers are tasked to do), because their scope is limited to what supports growing their core revenue streams at scale. Above all else, that approach requires repeatability, so advice from these parties is too often repurposed from one set of clients to another and is therefore generic rather than bespoke to each client’s unique business model, operations and the specific threats attackers may choose to execute against them.

Further, service channels also limit themselves to a finite number of vendors they offer and support in any solution category (arguably to allow them to specialize), and vendors are more than keen to incent them to support fewer and become more exclusive. For these reasons, channels that follow this common industry model are ineffective in meeting the demands of customers who desire a best-of-breed approach, which requires evaluating the full spectrum of solutions to find the best fit (not just those their channels offer and are most familiar with).

Note: Product cover images may vary from those shown

1 Executive Summary and Overview

  • Introduction
  • Current State of Physical Security Industry
  • Road Ahead
  • Objectives of Report
  • Function of the Report
  • Audience
  • Scope
  • Methodology
  • Approach
  • Sources
  • Measurements
  • Validation
  • Inclusion Criteria

2 Core Fundamental Concepts

  • Identity vs Identification
  • Identity Management vs. Attribute Management
  • Use Cases
  • IP and connected devices vs. Internet of Things
  • Identity vs. Security
  • Certification vs. Security
  • Standards vs Specification

3 Core Challenges

  • Challenges
  • End User Drivers for Significant Change
  • Business Drivers
  • Business Enablement
  • Neutrality
  • Operational Efficiencies
  • Economic: Budgets, capitalization & OpEx
  • Risk & Impact to Business
  • Technical Drivers Risk Assessment Evolution
  • Security Improvements
  • Functional
  • Standards
  • Facing Pressure to Change
  • Vendors
  • Channel
  • Outlook and predictions
  • Introduction to the Maturity Model Approach
  • New Players
  • Commoditization and Value Cycle

4 Technology: How it Works

  • Summary
  • Electronic Access Control Ecosystem Core Concepts
  • Primary Components
  • Credential Fundamentals
  • Transport
  • Frequency (125, 13.56, UHF)
  • Modulations (ASK, PSK, FSK)
  • Data Models and Formats
  • Encoding Schemes
  • Authentication Models
  • Readers
  • Controller
  • Applications (cloud, WRLs)
  • Form Factors
  • Card Types
  • Fob Types
  • Tags
  • Wearables (single purpose)
  • Mobile Devices
  • Wearables (multi-purpose)
  • Biometrics
  • Use Cases
  • Traditional Use Cases
  • Expanded Use Cases
  • Advanced Use Cases
  • Readers
  • Considerations
  • Environment
  • Connections, Protocols and Wiring
  • Technology Support
  • Performance
  • Resistance to Obsolescence
  • Upgradability
  • Security
  • Vendor programming, confidentiality of keys and custodianship
  • Operations
  • Configuration and Polling
  • Device Management
  • Deployment Models
  • Migration Enablement
  • Updates
  • Controllers
  • Defining the role of the controller in the next generation program
  • Limitations of traditional controllers
  • Vulnerabilities and hacking techniques that compromise security
  • Standards (OSDP, etc.)
  • IP and IP Bridges
  • Infrastructure, versioning and Limitations
  • Cost / benefit analysis of upgrades
  • Pitfalls and Best Practices

5 Primer of Core Technology Security Models

  • Hardware Layer
  • Transport Layer
  • Application Layer
  • Encryption
  • Key Management
  • Pitfalls and misconceptions affecting security
  • Threat Model Overview
  • Organizational Impact of Attack

6 Credential Technologies Review

  • Technologies Reviewed
  • Magnetic Stripe
  • Bar Codes
  • Mifare Classic and Plus
  • Mifare Ultralight
  • Mifare DESFire (legacy)
  • HID iClass
  • Mifare DESFire EV1
  • Mifare DESFire EV2
  • HID SEOS (and SIO model)
  • Opacity
  • PKI
  • QR Codes
  • One-Time Password (OTP)
  • Understanding each technology (elements under review)
  • Benefits
  • Level of Security
  • Use Case Attainment
  • Implementation choices
  • Sourcing
  • Limitations & Constraints
  • Maturity Model Application

7 Identity Ecosystem

  • Badging vs Identity Management
  • Identity of People
  • Users (Full time, contractor, visitors)
  • Operators
  • Administrators
  • Service Accounts
  • Visitors
  • IOT and the "Identity of Things"
  • Group Policy
  • RBAC
  • Identity Lifecycle Operations
  • Convergence
  • Conceptual Use Cases
  • Perceived value and outcomes
  • Analysis of past and present attempts
  • Outcomes and value attainment
  • Pitfalls
  • Best Practices

8 Mobile Technology

  • Platform overview
  • Capability overview
  • Opportunities and Risks
  • Architectures
  • User Lifecycle
  • Client distribution models
  • Security
  • Policy
  • Governance
  • Integration, Expansion & compatibility
  • Operational differences from traditional credentials
  • License models and cost of ownership
  • Maturity Cycle
  • Impact of Mobile on End User and Vendor Market
  • Maturity Outlook

9 Next Generation Demands of Enterprise Segment

  • Fulfillment of Advanced Maturity Model Category
  • Alignment with Business
  • Alignment with Information Security and IT Operations
  • Conformance to established governance & best practice
  • Gap Analysis of Current State and Alignment Goals
  • Impact to Effective Programs
  • Advanced Capabilities
  • Applied Models
  • Operating and Integrating Advanced Models
  • Current Market Limitations
  • Outlook
  • Advisory

10 Standards and Specifications Review

  • Elements Reviewed
  • Review
  • OSDP
  • IP and IOT
  • BLE
  • NFC
  • ICAM, PIV and 18F
  • PLAI
  • Opacity

11 Requirements

  • End-user Requirement Formation
  • Global Program Perspective
  • Objectives
  • Mandates vs. Discretionary
  • Stakeholders Inputs
  • Business Alignment
  • Program Vision
  • Projected Outcomes
  • Methodology
  • Legacy vs. New Paradigm
  • New Paradigm Approach
  • Asset Assessment
  • Threat Model Weighting
  • Threat Mitigation & Controls
  • Policy Development
  • Functional Technology Demand
  • Solution Definition
  • Process
  • Outcomes
  • Metrics
  • Evaluation Process and application
  • Selection Notes
  • Contract Advisory

12 Upgrade Planning & Migration

  • Planning
  • Infrastructure
  • Dependencies
  • Impact
  • Mitigation

13 IDaaS: Identification-as-a-Service

  • Migration
  • Lifecycle Operations
  • Key considerations
  • IDaaS Models
  • Security & Custodianship
  • Governance
  • Contractual Advisory
  • Implementation
  • Cost Metrics
  • Vendor Assessment Checklist
  • Migrating away from IDaaS (or to another IDaaS provider)

14 Building Business Case for Next Generation Upgrades

  • Budget and Forecasting Models
  • Formula elements
  • Investment Metrics
  • TCO Tools
  • ROI contributions
  • Sourcing Optimization
  • Measuring cost vs value
  • Case Template

15 Application Security Concepts and Analysis

  • Best Practice Vs Common Practice
  • An Industry of Security Failures
  • Evolution of Security Practices
  • Attack surface
  • Expanded Threat Models (Beyond Credentials)
  • Cryptography Concepts
  • Application Security
  • Hardware Security
  • Social Engineering
  • Determine the right levels of Security
  • Remediation techniques for existing infrastructure

16 Security Assessment and Validation

  • Requirements Self Assessment Checklist
  • Vendor Assurances & Validation
  • Validation Methods
  • Governance & Compliance
  • Deployment Models
  • Maturity Model Alignment
  • Vendor Assessment Checklist

17 End-user Survey Results Analysis

  • By Industry
  • By Role
  • By Goals
  • By Outcomes

18 Vendor Landscape

  • Major Sections
  • Physical Credentials
  • Cards
  • Fobs
  • Wearables (single-purpose)
  • Virtual
  • Mobile Phone
  • Wearables
  • High Assurance vs. low assurance
  • Biometric
  • Readers
  • Traditional
  • IP and IOT (Internet of Things)
  • Connected Locks
  • Controllers
  • IDaaS (Identification-as-a-Service)
  • Maturity models 1-5 classification
  • Maturity Models
  • Latent
  • Current
  • Visionary
  • Defining Success Criteria
  • Applying vendor solutions to maturity models
  • Solution Stack with best-of-breed components
  • Heat map improvement
  • Capability analysis
  • Cross Compatibility Analysis
  • Primary Vendor Analysis (by Vendor)
  • Vision
  • Focus
  • Impact of vision on market objectives
  • Value Statement and Attainment
  • View of Market
  • Product Direction
  • Execution and Attainment
  • Global Organizational Customer enablement
  • Maturity Model Alignment and Achievement
  • Secondary Vendor Analysis
  • Edge Cases
  • Complementary approaches (remote office, integrations)
  • Commoditization model
  • Center vs edge
  • Elements driving disruption
  • New players and approaches
  • Predictions on disruption, impact to landscape
  • Implications for end-users