FCW : October 2015
SPONSORED REPORT

to unlock a given door should happen within a few seconds. This requires that PACS provisioning for the PIV card, and any specific access authorizations (add/change/deletes) for certain doors, be done in advance, not on the fly.

The As-Is state of physical access privilege management today is often to manually enroll credentials and manually assign ever-changing access privileges to each person. This comes at the high cost associated with such manual processes, coupled with a high risk of human error. Current coping mechanisms include creating a more manageable number of “door groups” or “access levels.” There may be ten, twenty or more doors grouped together in a door group. If a person needs access to only one of those doors, the administrator will just assign the whole door group. This may give an individual greater access than he needs, which obviously increases risk.

With millions of combinations of people and their ever-changing access requirements, security personnel can only achieve the fine-grained least privilege target state through automation. In order to successfully manage each person’s minimum privilege (PRIV), the three other DHS-specified factors TRUST, CRED and BEHAVE provide the needed input to qualify what access a given individual has earned.

TARGET STATE TO ACHIEVE PHASE 2

The PACS Privilege Management System must align with the FICAM segment architecture. It is important to connect the authoritative identity data sources to a policy-based decision and enforcement system. This must constantly update the numerous disparate PACS on a continuous basis, via one or both of these automation paradigms:

Policy Automation: Access policy will include a combination of user attributes, which come from the TRUST, CRED and BEHAVE functions. These can be automatically enforced. If someone achieves a certain certification or security clearance level, for example, they may automatically gain additional access authorizations to specific doors or facilities. In Phase 2, if someone currently has access authorization for a specific door but loses their required training credential or has been reported as showing questionable behavior, this will be reported as a defect. In Phase 3, the result could automatically terminate that specific access authorization without human intervention and provide appropriate notifications to stakeholders.

Process Automation: One or more human approvals are often required to gain physical access to an area. It is important to convert this largely manual process into an electronically automated process that is auditable and enforces policy with proof of compliance. The government-defined model for achieving this target state is more fully fleshed out in the FICAM Roadmap, Chapter 4, which the CDM program fully embraces and leverages in its requirements.

MOVING TO PHASE 3

DHS defines three new areas in Phase 3, focusing on event management and boundary protection, employing technologies for forensic analysis and data loss prevention, among other goals:

BOUND-N – Network (not endpoint) focused protection
BOUND-E – Encryption for data in transit and at rest
BOUND-P – Enterprise PACS Centralized Management and Control

DHS is still developing its Phase 3 requirements. There is a strong indication that BOUND-P will explicitly require integration of all disparate PACS into a centralized PACS Management System at the D/A level. This PACS Management System will perform the following critical functions:

Centralize PIV card provisioning and associated fine-grained access privileges into hundreds of disparate PACS simultaneously, as indicated in Phase 2. This will also require connections to authoritative identity data sources, such as a PIV card database (CRED) or training database (BEHAVE) and any additional data (TRUST) to assure policy-based decisions.

Collect and analyze all current software and/or firmware versions for controller panels, card readers and other components. Compare the “as is” state to current GSA-approved and/or other current secure versions for each component. Then provide a report of any defects to both the local and Federal Dashboard for mitigation.

Collect and analyze the behavior of each person’s physical access activity for anomalous behavior. Such behavior can include badge fishing, tailgating, odd comings and goings, and badging in at more than one site at the same time. Then integrate this data with logical systems to detect a login from a site where the PACS was not accessed, or logical access and physical access patterns that don’t make sense. All this data can be aggregated into Indicators of Compromise (IOCs), which help identify and score risk at a fine-grained level for mitigation.

SUMMARY

The CDM program demonstrates the importance of managing risk holistically in both the physical and logical domains to achieve high security. This is going to require greater cooperation between the IT (CISOs) and facilities security (CSO) practices within government organizations. The DHS CDM program provides robust support to D/As to help accomplish this goal.

For more information, please visit: www.quantumsecure.com/safe-government
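The physical/logical correlation described under Phase 3 above (badging in at more than one site at the same time, and a login from a site where the PACS was not accessed), worked through as an added example; this is not code from the report or from any vendor product, and the event layout, person and site names, time thresholds and indicator weights are all constructed for illustration.

```python
"""Correlate PACS badge events with logical logins to surface the anomalous
patterns listed for Phase 3. Added example; names and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime   # time of the event (assumed UTC)
    person: str    # PIV cardholder identifier
    site: str      # facility of the badge reader or workstation
    kind: str      # "badge" (physical access) or "login" (logical access)
# Constructed sample feed: alice badges in then logs in at HQ (normal); bob badges
# in at two sites ten minutes apart; carol logs in at a site she never badged into.
SAMPLE_EVENTS = [
    Event(datetime(2015, 10, 1, 8, 0), "alice", "HQ", "badge"),
    Event(datetime(2015, 10, 1, 8, 5), "alice", "HQ", "login"),
    Event(datetime(2015, 10, 1, 8, 10), "bob", "HQ", "badge"),
    Event(datetime(2015, 10, 1, 8, 20), "bob", "FieldOffice", "badge"),
    Event(datetime(2015, 10, 1, 9, 0), "carol", "FieldOffice", "login"),
]
# Weights for aggregating indicators into a risk score (illustrative, not from the page).
WEIGHTS = {"multi_site_badge": 5, "login_without_badge": 3}

def find_indicators(events, travel_min=60, presence_hours=12):
    """Return (person, indicator, detail) triples. travel_min: minimum plausible minutes
    between badge-ins at different sites; presence_hours: how long a badge-in counts as presence."""
    found, by_person = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        by_person.setdefault(e.person, []).append(e)
    for person, evs in by_person.items():
        badges = [e for e in evs if e.kind == "badge"]
        # 1. Badging in at more than one site within the travel window.
        for a, b in zip(badges, badges[1:]):
            if a.site != b.site and b.ts - a.ts < timedelta(minutes=travel_min):
                found.append((person, "multi_site_badge", f"{a.site}->{b.site}"))
        # 2. Logical login at a site with no preceding PACS badge-in there.
        for login in (e for e in evs if e.kind == "login"):
            present = any(b.site == login.site and
                          timedelta(0) <= login.ts - b.ts <= timedelta(hours=presence_hours)
                          for b in badges)
            if not present:
                found.append((person, "login_without_badge", login.site))
    return found

def risk_scores(indicators):
    # Aggregate indicators per person for the local and Federal dashboards.
    scores = {}
    for person, kind, _ in indicators:
        scores[person] = scores.get(person, 0) + WEIGHTS.get(kind, 1)
    return scores
```

Running `find_indicators(SAMPLE_EVENTS)` flags bob and carol and leaves alice clean; in a real deployment the thresholds would be tuned per site pair and per facility hours.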