Wednesday, May 14
Track D Security & Access Control
Session: RFID & Access Use Cases
Time: 3:30 PM – 5:00 PM
Room: W204 D
Moderator: Zack Martin, Editor, Avisian
Speakers:
Scott Shane, Systems Engineer, Shane-Gelling Co.
Mark Duato, SVP, Americas Sales, Bioscrypt, Inc.
Carolyn Loew, Secure Badge Product Lead, The Boeing Company
Deon Ford, Chief Technologist, SI International
BOEING is a trademark of Boeing Management Company. Copyright © 2006 Boeing. All rights reserved.
The Boeing Company’s SecureBadge Story
Carolyn Loew ([email protected]), May 14, 2008
Boeing Technology | Information Technology
Boeing’s Global Reach
Companies that change and adapt in a rapidly evolving global economy will grow and prosper
• 2006 revenue of $61.5 billion from customers in more than 90 countries; international sales accounted for 37 percent of total revenue
• Direct employment of more than 150,000 people in 49 states and 70 countries
• Contracts with 22,000 suppliers and vendors in more than 100 countries
• Research, design and technology development centers and programs in multiple countries
• Manufacturing, services and technology partnerships with companies around the world
• One of the largest U.S. exporters
The Journey Began in November 2001
• Physical Access project and Logical Access projects were combined
• Executive mandate to deploy a common badge
• Cross organization team was created
– Physical Security
– Logical Security
– Business Unit Representatives
Physical Access Expectations
• Create a single badge that could be used at all Boeing locations for physical and logical access
• Standard format for barcode and magnetic stripe
• Update badge pictures
• Update physical access readers to use proximity chip
• Common badging system
• Update applications that used barcode and magnetic stripe to use new data format
Logical Access Expectations
• Strengthen authentication to two-factor
• Eliminate user IDs and passwords
• Reduce password reset costs
• Provide secure mobile container for X.509 certificates
• Payment or credit card
• Replace One Time Password for Remote Access
• Provide single sign on based on how user logged onto Windows
Program Timeline
• Phase I
– Establish enterprise standards
– Develop Enterprise Badge System
– Issue Proximity Badge with updated pictures
• Phase II
– Adapt Physical Access Control Systems to read new badge
– Adapt Downstream Legacy Systems to read new badge
– Deploy Proximity Readers
• Phase III
– Establish smart chip infrastructure & production processes
– Implement initial smart chip applications
– Pilot, then Deploy Smart Badge
[Timeline chart, 2002 through 2005, with milestones: Program Start, Release RFI, Release RFP, Contract Award, Standards Established, Image Capture Complete, Issue Proximity Badge, Complete Reader Upgrades, Pilot Start, Pilot End, Production Environment Complete, Deployment Start, Deployment Finish]
SecureBadge Infrastructure
• SecureBadge
– GemExpresso 64k Java Card from Gemalto
– HID Prox Chip
– Magstripe
– Barcode
• Client
– Gemsafe Libraries v5.1
• Smart Card Readers
– Dell Laptops with built in reader
– Keyboard readers for laptops
– Gemplus PC Twin USB reader
• Smart Card Management System
– Bell ID Andis
Where we are today
• 160,626 SecureBadges with smart chip have been distributed
• 16,123 smart chips have been initialized
• 9,945 folks have active basic assurance certificates
• All Boeing Employees have a SecureBadge with smart chip
• Blockpoint includes Gemsafe Client software
• Laptops and Desktops have a smart card
SecureBadge Uses
Challenges
• First time use
– Finding reader
– Knowing how to insert badge
• End user acceptance
– Scared they will leave badge in machine
– They see PIN as another password
• No mandatory reason to use badge
• Limited metrics available to measure success
• Processes for lost and forgotten badges
• International travel (export regulations)
– China
– Russian Federation
• Client Middleware Interoperability
What we are working on
• VPN Access
• Improve Usability
– First Time Users
– Survey Users
– Expiring certificate e-mail notification
• Shared Workstations / Kiosks
What you need for success
• Initial and ongoing executive support
• Strong program/project management and leadership
• Capable, dedicated, knowledgeable team members that include sustaining organizations
• Communication and strong collaboration between physical security, IT security organizations, business units and vendors
• Communication to user community
• Mandated use
Fort Hood Phantom Express
A Case Study in Automated Vehicular Access Control
Presented to CTST, 14 May 2008, by Shane-Gelling Company
Shane-Gelling Company 2
Fort Hood Main Gate
[Chart: Vehicles per Minute (0 to 50) by time of morning, 5:15 through 9:15]
Automated Vehicular Transaction
[Diagram: Lane Controller]
Criteria for Success
• Don’t Reinvent the Wheel
• Use the DoD CAC
• Execute to Army Regulatory Requirements
• Meet or Exceed Existing Physical Security Standards
• Keep up with Throughput
• Make the System Maintainable
• Make the System a Model for Army ACP
• Save Money
Initial Roadblocks
• Insufficient Conduit in Place
– Get to Army Corps Before Concrete is Poured
• Hand Jamming of Registration Data
– Get Data Dumps for Pre-Load
– Machine Read Data from Credentials
• Cutover Effect on Traffic
– Install Appropriate Signage
System Components
Network Overview
[Network diagram with nodes: Visitor Center, ACP-1 (Permanent Party), ACP-2, ACP-3, Registration, Data Center, NMS, LE DB, PMO/DES/OPS, IP Video, LEO, connected through network switches]
Installation Database
• Use DBIDS for Identity Management
• Use Existing DBIDS Database Distribution Model
• Supplement Database to Include:
– RFID for Vehicle Identification
– FASC-N for Driver Identification
– Interface for a Lane Controller
Data Entry - Registration
[Diagram: Visitor Control and Permanent Party registration into the Installation Database; steps shown: Harvest CAC, Harvest DL, Issue RFID, Issue Pass]
The Evolving DoD Credentials
• “Teslin” ID Card
– 1D and 2D Barcode
• Common Access Card (CAC)
– 1D and 2D Barcode and Magstripe
• Transitional CAC
– 1D and 2D Barcode and Magstripe and 14443 Contactless
Data Entry - Authentication
[Diagram of authentication checks made from the Army Installation:
– DNVC / DMDC: Authenticate DoD Card Holders (CAC, RAPIDS)
– COPS-VRS / OPMG: Verify Vehicle Registration (DoD Decal)
– CIC / State/FBI: Check Visitor for Criminal History (Driver License)]
Lane Access Control
Build It
Fort Hood Phantom Express
[Flow diagram: DBIDS - IDMS Registration feeds the lane; Identify Vehicle (RFID, DoD Decal) plus Identify Driver (CAC/RAPIDS, 14443/FIPS-201) leads to the "Good To Go?" decision; Yes]
Typical Automated Transaction
• Vehicle RFID Tag is Identified
– Vehicle Data Retrieved and Displayed
• Driver is Identified
– Driver Name and Photo Displayed
– Driver Video and Rear Vehicle Snapshot
• Driver to Vehicle Association Checked
– Decision Made
• Guard can Override on Suspicion
Vehicle ID Subsystem
Driver ID Subsystem
Meet Criteria for Success?
• Don’t Reinvent the Wheel: Based on Government Furnished DBIDS, Use COTS Equipment
• Use the DoD CAC: Both Bar Code and 14443 Contactless Technologies
• Execute to Army Regulatory Requirements: Identify Vehicle and Driver
• Meet or Exceed Existing Physical Security Standards: Database Check of Vehicle Description and Driver by Photograph
• Keep up with Throughput: Six to Eight Seconds per Vehicle
• Make the System Maintainable: 9,000,000+ Transactions, Minimal Equipment Failures
• Make the System a Model for Army ACP: Foundation for on-going Army AIE Program
• Save Money: Paid for Itself in Guard Reduction Savings
Thank You
Dale Shane
Senior Engineer
Shane-Gelling Company
(516) 671-4797
Scott Shane
Systems Engineer
Shane-Gelling Company
(516) 671-4797