Guangdong Zecheng Intelligent Technology Co., Ltd

Enterprise Security Applications: BYOD Devices and Mobile Access Control [Full Text]

August 02, 2023
Source: China Security Exhibition

Bring Your Own Device (BYOD) has a number of advantages. In particular, an employee's own smartphone can become the carrier for a growing number of enterprise credentials, including physical access cards, desktop logon credentials and keys. The coming generation of mobile access control solutions will offer greater convenience and management flexibility while ensuring that data is handled safely between smartphones, computers and network resources, access control systems, and the cloud and over-the-air infrastructure that delivers identity information. As access control and desktop login move onto employee-owned smartphones, the use of BYOD devices for these purposes will become more common.

Smartphones and Access Control

Access control features have only recently been added to smartphones. In the simplest scenario, implementing mobile access control only requires replacing the plastic card with virtual credential software running on the smartphone and copying over the existing card-based access rules. The access decision is still made between the reader and the central hardware control panel (or server) that stores the access rules, and the reader remains connected to the central access control system. In other words, the phone replaces only the card; it does not itself decide whether the door opens.

Today's smartphones can also generate one-time passwords (OTPs) for secure login to another mobile device or a desktop computer and for access to online resources. In addition, a smartphone carrying a virtual credential can be used to make purchases, such as buying food in the company canteen, and to release print jobs securely.

Given that employee-owned smartphones have such a wealth of capabilities, more and more employees are starting to use their phones to access systems, data and company facilities, and IT departments should actively develop solutions to protect these resources. A mobile access control system must coexist smoothly and safely with existing access control systems and traditional plastic cards, which means meeting several requirements. First, there must be a data communication path from the smartphone to the access control reader. This can be provided by a handset that supports near field communication (NFC) and/or by an NFC-enabled add-on; for example, an NFC-enabled microSD card is an add-on that allows phones without built-in NFC to be upgraded securely.

Second, there must be an ecosystem of readers, door locks and other hardware that can read the virtual credential and respond with the appropriate action, such as unlocking a door or granting access to computers and networks. More than 650,000 hotels have already installed door locks that can be opened with NFC-enabled smartphones. Interoperable online access readers, electromechanical door locks, and readers attached to desktop computers or PCs are likewise being deployed, and third-party vendors are developing NFC-capable hardware including biometric devices, time-and-attendance terminals and electric vehicle charging stations.

Finally, there must be a way to create and manage the virtual keys and virtual credentials used on smartphones. This requires not only a new way of describing identity information, but also that such information be described within a trusted identity authentication framework so that an employee-owned smartphone can be used safely within the access control network.

This description of identity information must support a variety of encrypted data models related to secure identity, including biometric data and time-and-attendance data. A trusted authentication framework ensures a secure communication channel between verified endpoints. Confirming that an employee-owned device is secure and trustworthy relies on the phone's secure element, which is usually either an embedded chip or a removable module such as a SIM card.

By establishing an ecosystem of secure, trusted endpoints, employee-owned smartphones can be managed effectively within the access control system. Provisioning and de-provisioning of identity information between phones, readers and door locks, and all other processing of that information, then becomes safe and reliable. This framework, combined with proven smartphone technology, can create a highly secure mobile authentication environment.

With this framework, companies can issue virtual credentials and virtual keys to mobile devices regardless of their location or connectivity. One way is over the Internet, similar to the traditional process for issuing plastic credentials, but with the employee-owned device attached via USB or a Wi-Fi-enabled connector. Alternatively, the virtual credential can be delivered over the air by a service provider, in the same way that smartphone users download apps and music today. To obtain a virtual credential over the air, an NFC-enabled smartphone communicates with a Trusted Service Manager (TSM), which then connects either directly to the mobile network operator or to the operator's own TSM so that the credential can be loaded into the SIM card provisioned to the phone. Depending on the company's information security policy, users can share virtual credentials and keys with other authorized users through an NFC "tap-n-give" operation.

The secure mobile provisioning model eliminates the traditional risk of plastic cards being cloned, and makes it easier to issue temporary credentials, to revoke credentials when they are lost or stolen, and, where security requires it (for example when the threat level rises), to monitor and modify security parameters. A system administrator can use the management service to de-provision a virtual credential over the air or to remove the access right from the access control system database. Companies can also set security parameters dynamically based on context, such as requiring a second authentication factor, and can even support variable security levels and use additional data elements. For example, when the threat level is escalated, two-factor authentication can be enabled dynamically and pushed to the application on the handset, requiring the user to enter a 4-digit PIN or perform a swipe gesture before the phone sends the message that opens the door.

Computer desktop login and smartphones

As access control and desktop sign-in move to employee-owned smartphones, several issues need to be addressed. First, to protect personal privacy while also protecting the company from personal applications that could cause harm, all applications and ID credentials must be kept separate between personal and business use. Another challenge is how virtual keys and virtual credentials can serve other applications, for example by letting an application accept a PIN entry that "unlocks" a key to complete an authentication or signing operation. In addition, middleware APIs must be standardized so that the ID credential functions can be used by applications.

It may also be necessary to support derived credentials, such as those derived from the Personal Identity Verification (PIV) cards of U.S. federal employees. Combining derived credentials with the separation of corporate and personal use creates a need for hierarchical lifecycle management. For example, if a mobile device is lost, hierarchical lifecycle management allows all credentials on it to be revoked; and if the primary identity credential is revoked, the mobile ID credential used only for the work environment is revoked automatically. Perhaps the most challenging part of the BYOD model is this multidimensional management of mobile identities.
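The two ideas above (over-the-air revocation and context-based step-up from the mobile access control section, and hierarchical lifecycle management of derived credentials from this one) can be shown together in a small model of the central controller. The following is an added example written for this page, not code from the original article or from any access control vendor. Credential and door identifiers, the threat-level scale and the decision strings are all constructed for illustration; a real controller would also sign and time-stamp its audit log and take the credential's validity from the secure element rather than from an in-memory dictionary.

```python
"""Added example (not from the original article): an access-control decision
service with over-the-air revocation, temporary credentials, derived credentials
with hierarchical lifecycle, and threat-level step-up to a PIN.
All identifiers are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Credential:
    cred_id: str
    holder: str
    parent: Optional[str] = None      # derived credentials point at their source credential
    expires_at: Optional[int] = None  # Unix time; None means no expiry
    revoked: bool = False


@dataclass
class AccessControlSystem:
    """Stands in for the central control panel/server that holds the access rules."""
    creds: Dict[str, Credential] = field(default_factory=dict)
    rules: Dict[str, Set[str]] = field(default_factory=dict)  # door -> permitted holders
    threat_level: int = 1                                      # >= 2 demands a second factor
    audit: List[tuple] = field(default_factory=list)

    def issue(self, cred_id: str, holder: str, parent: Optional[str] = None,
              expires_at: Optional[int] = None) -> None:
        """Provision a credential over the air; no plastic card is printed."""
        if parent is not None and parent not in self.creds:
            raise KeyError(f"unknown parent credential {parent!r}")
        self.creds[cred_id] = Credential(cred_id, holder, parent, expires_at)

    def revoke(self, cred_id: str) -> None:
        """Hierarchical lifecycle: revoking a credential revokes everything derived from it."""
        self.creds[cred_id].revoked = True
        for c in list(self.creds.values()):
            if c.parent == cred_id and not c.revoked:
                self.revoke(c.cred_id)

    def _chain_status(self, cred: Optional[Credential], now: int) -> Optional[str]:
        """Walk the derivation chain; a revoked or expired ancestor invalidates the child."""
        seen = set()
        while cred is not None and cred.cred_id not in seen:
            seen.add(cred.cred_id)
            if cred.revoked:
                return "revoked"
            if cred.expires_at is not None and now >= cred.expires_at:
                return "expired"
            cred = self.creds.get(cred.parent) if cred.parent else None
        return None

    def decide(self, cred_id: str, door: str, now: int, pin_ok: bool = False) -> str:
        """Reader presents (credential, door); the controller, not the phone, decides."""
        cred = self.creds.get(cred_id)
        if cred is None:
            return self._log(cred_id, door, "deny:unknown")
        problem = self._chain_status(cred, now)
        if problem:
            return self._log(cred_id, door, f"deny:{problem}")
        if cred.holder not in self.rules.get(door, set()):
            return self._log(cred_id, door, "deny:no-rule")
        if self.threat_level >= 2 and not pin_ok:
            return self._log(cred_id, door, "step-up:pin-required")  # phone must collect a PIN
        return self._log(cred_id, door, "grant")

    def _log(self, cred_id: str, door: str, decision: str) -> str:
        self.audit.append((cred_id, door, decision))  # every decision is recorded centrally
        return decision


def demo() -> List[str]:
    """Walk through the scenarios described in the text; returns the decision sequence."""
    acs = AccessControlSystem(rules={"door-7": {"alice", "bob"}})
    acs.issue("piv-alice", "alice")                          # primary (PIV-style) credential
    acs.issue("mobile-alice", "alice", parent="piv-alice")   # derived mobile credential
    acs.issue("temp-bob", "bob", expires_at=2000)            # temporary visitor credential
    results = [acs.decide("mobile-alice", "door-7", now=1000)]                   # grant
    acs.threat_level = 2                                                         # threat escalated
    results.append(acs.decide("mobile-alice", "door-7", now=1000))               # step-up
    results.append(acs.decide("mobile-alice", "door-7", now=1000, pin_ok=True))  # grant
    acs.threat_level = 1
    results.append(acs.decide("temp-bob", "door-7", now=2500))                   # deny:expired
    acs.revoke("piv-alice")                                   # cascades to mobile-alice
    results.append(acs.decide("mobile-alice", "door-7", now=1000))               # deny:revoked
    return results
```

The design point worth noting is that revocation of the primary credential is the only event the administrator has to act on; the derived mobile credential becomes unusable without anyone touching the phone, which is exactly the property the text asks for when a device is lost.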

Access control and desktop login functions must coexist on an employee-owned smartphone, and the security of cloud-hosted resources must also be ensured. There are four possible approaches. The first is an open access model on the public Internet, in which usernames and passwords are managed by the SaaS vendor. Although easy to use, this provides the weakest data protection. The second uses a Virtual Private Network (VPN) and requires remote users to authenticate to the VPN (most likely with a one-time password) before entering a username and password. However, a VPN is inconvenient for the user and does not scale well to BYOD, because it requires installing VPN clients alongside personal applications on many different devices, and a VPN provides no additional protection against Internet-borne security threats.

The third method is strong native authentication, which is also inconvenient because each application requires its own separate security solution. The fourth, and best, method is federated identity management, in which users authenticate to a central portal to reach multiple applications. This approach supports many different authentication methods, requires nothing to be installed on the end user's device, and provides central audit records for every application accessed, which helps meet regulatory compliance requirements. Centralizing authentication and audit in this way also helps defend against advanced persistent threats (APTs), targeted attacks, malicious behavior by former employees, and insider threats such as employee fraud. Federated identity management also covers internal applications hosted elsewhere, giving users one place from which to access all applications. Whatever method is chosen, however, there may be further policy and adoption issues to resolve on both the enterprise side and the device owner's side. Companies want device owners to give up certain rights in exchange for using their phones to open doors and log on to desktops, while device owners may be reluctant to use certain features for fear of disclosing private information.

About BYOD

Bring Your Own Device (BYOD), in which employees use their personally owned phones for work, is becoming increasingly popular. With smartphones now so widespread, we can use our phones not only to access computers, networks and the information on them, but also to open doors and enter secure areas. Deploying such network access and physical access control applications in a BYOD environment requires the relevant infrastructure, appropriate technology, a security assessment and proper planning.

Author: Ms. Yanjun Chen