Bring your own smartphone to achieve access control and computer desktop login

Bring Your Own Device (BYOD), the practice of enterprises allowing employees to use their own mobile phones for work, is becoming increasingly popular. Today's smartphones offer more and more functions: not only can we use our phones to access computers, networks and related information, we can also use them to open doors and enter secure areas. Deploying such network access and physical access control applications on employee-owned devices requires configuration of the relevant infrastructure, appropriate technology, a security assessment and proper planning.

The access control function has only recently been added to smartphones. In the simplest application case, to achieve mobile access control, just replace the plastic card with the virtual credential card software running on the smartphone and copy the card-based access control rules. The system still needs to make access control decisions between the card reader and the central hardware control panel (or server) that stores the access control rules. In this case, the card reader is still connected to the central access control system.

Today's smartphones can also generate one-time passwords (OTP) to log in securely to another mobile device or desktop computer and to access the network. In addition, smartphones carrying virtual credential cards can be used to purchase items, such as meals in the company cafeteria, and to use printing equipment securely. Given that employee-owned smartphones offer such rich functions, more and more employees are starting to use their phones to access systems, data and company facilities, and the IT department should actively develop solutions to better protect these resources. For a mobile access control system to coexist smoothly and securely with the existing access control system and traditional plastic access cards, several requirements must be met. First, there must be a data communication path from the smartphone to the access control card reader. This can be achieved with a phone that supports Near Field Communication (NFC) and/or an NFC-capable add-on device; a microSD card is one such add-on, so that devices without native NFC support can also be upgraded securely.

Second, there must be an ecosystem of card readers, door locks and other hardware that can read the virtual credential card and respond with the appropriate action, such as releasing the door lock or allowing access to computers and networks. Currently, more than 650,000 hotel rooms have door locks that can be opened with NFC-enabled smartphones. Similarly, interoperable online access card readers, electromechanical door locks and card readers connected to desktop computers or PCs are also being deployed, and third-party vendors are developing NFC-capable hardware including biometric devices, time and attendance terminals and electric vehicle charging stations.

Finally, there must be a way to create and manage the virtual keys and virtual credential cards used on smartphones. This requires not only a new way of describing identity information, but also that this identity information be handled within a trusted identity authentication framework, so that employee-owned smartphones can be used safely in the access control network.

This description of identity information must support a variety of encrypted data models for secure identity information, including biometric data and attendance data. A trusted identity authentication framework ensures a secure communication channel between the endpoints being verified. Confirming that an employee-owned device is secure and trustworthy relies on the phone's secure element, which is usually an embedded chip or a plug-in module, most often the subscriber identity module (SIM).

By establishing an ecosystem of trusted endpoints, employee-owned smartphones can be managed effectively within the access control system. In this way, the provisioning and de-provisioning of identity information between the phone, the card reader and the door lock, and all other processing of that information, becomes secure and reliable. Combined with mature smartphone technology, the framework can establish an extremely secure mobile authentication environment.

With this framework, enterprises can issue virtual credentials and virtual keys to mobile devices wherever they are located and however they are connected. One way is over the Internet, similar to the traditional model of purchasing plastic credential cards, but connecting the employee's own device through a USB or Wi-Fi-enabled cradle. Alternatively, the virtual credential card can be delivered over the air by a service provider, in the same way that smartphone users download applications and songs today. To receive a virtual credential card over the air, an NFC-enabled smartphone communicates with a Trusted Service Manager (TSM), which then connects either directly to the mobile network operator or to the operator's own TSM, so that the virtual credential card can be provisioned to the smartphone's SIM card. Depending on the enterprise's information security policy, users can also share virtual credential cards and virtual keys with other authorized users through NFC "tap-n-give" provisioning.

The secure mobile provisioning model eliminates the traditional risk of plastic cards being copied, and makes it easier to issue temporary credential cards and to revoke them when they are lost or stolen. At the same time, it is easier to monitor and adjust security parameters when needed, for example when the information security threat level rises. The system administrator can use the management service to de-provision a virtual credential card over the air, or delete the access rights from the access control system's database. Enterprises can also set security dynamically and based on context, for example by invoking two-factor authentication, and can even support variable information security levels and use additional data elements. For example, when a security threat escalates, two-factor authentication can be switched on dynamically and an application pushed to the phone that requires the user to enter a 4-digit PIN, or to perform a card-swipe gesture, before the phone sends the message that opens the door.

As access control and computer desktop login applications move to employee-owned smartphones, several issues need to be resolved. First, to protect personal privacy and to protect the enterprise from damage caused by personal applications, all applications and ID credential cards must be kept separated between the personal and the enterprise domains. Another challenge is how to use the virtual key and virtual credential card for other applications, for example letting an application accept a PIN to "unlock" the key and complete a verification or signing process. In addition, the middleware API must be standardized so that the ID credential card functions can be used by applications.

In addition, it may be necessary to support derived credential cards, such as those derived from the Personal Identity Verification (PIV) card of US federal employees. This usage, combined with derived credential cards that are confined to the enterprise or the personal domain, also creates a need for hierarchical lifecycle management. For example, if the mobile device is lost, hierarchical lifecycle management allows all credential cards on it to be cancelled, and if the personal identity verification card is cancelled, the mobile ID credential card used only in the work environment is cancelled automatically. This multi-dimensional management of mobile IDs may be the most challenging part of the BYOD model.
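To make the revocation and lifecycle rules of the last two paragraphs concrete, here is an added example (constructed for this page, not the code of any vendor or product it mentions). It models a central credential database in which a mobile ID is derived from a parent card and tied to a device, so that revoking the parent or the device cascades downward, and a door controller that enforces the administrator's threat level by demanding the phone's PIN as a second factor once that level is reached. All identifiers, the integer threat scale and the PIN threshold are assumptions made for the example.

```python
"""Hierarchical credential lifecycle with a threat-aware door decision.

Constructed toy model; credential ids, device ids, the integer threat
level and the PIN threshold are all assumptions of this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Credential:
    cred_id: str
    holder: str
    doors: set
    device_id: Optional[str] = None      # phone it was provisioned to; None for a plastic/PIV card
    derived_from: Optional[str] = None   # parent credential (e.g. the PIV card a mobile ID derives from)
    pin_salt: bytes = b""
    pin_hash: bytes = b""
    revoked: bool = False


class CredentialStore:
    """Central access-control database: issues, derives and revokes credentials."""

    def __init__(self) -> None:
        self.creds: dict = {}

    def issue(self, cred_id, holder, doors, device_id=None, derived_from=None, pin=None):
        if derived_from is not None:
            parent = self.creds.get(derived_from)
            if parent is None or parent.revoked:
                raise ValueError(f"cannot derive from missing or revoked credential {derived_from}")
        cred = Credential(cred_id, holder, set(doors), device_id, derived_from)
        if pin is not None:  # PIN is stored only as a salted PBKDF2 hash
            cred.pin_salt = os.urandom(16)
            cred.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), cred.pin_salt, 100_000)
        self.creds[cred_id] = cred
        return cred

    def revoke(self, cred_id):
        """Revoke one credential and, hierarchically, everything derived from it."""
        revoked, stack = [], [cred_id]
        while stack:
            cid = stack.pop()
            cred = self.creds[cid]
            if not cred.revoked:
                cred.revoked = True
                revoked.append(cid)
            stack.extend(c.cred_id for c in self.creds.values() if c.derived_from == cid)
        return revoked

    def revoke_device(self, device_id):
        """Lost or stolen phone: cancel every credential provisioned on that device."""
        revoked = []
        for cred in list(self.creds.values()):
            if cred.device_id == device_id and not cred.revoked:
                revoked.extend(self.revoke(cred.cred_id))
        return revoked

    def check_pin(self, cred, pin):
        if not cred.pin_hash:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), cred.pin_salt, 100_000)
        return hmac.compare_digest(digest, cred.pin_hash)


class DoorController:
    """Access decision between reader and central panel, honouring the current threat level."""

    def __init__(self, store, threat_level=0, pin_required_at=2):
        self.store = store
        self.threat_level = threat_level      # constructed integer scale set by the administrator
        self.pin_required_at = pin_required_at

    def decide(self, cred_id, door, pin=None):
        cred = self.store.creds.get(cred_id)
        if cred is None:
            return False, "unknown credential"
        if cred.revoked:
            return False, "credential revoked"
        if door not in cred.doors:
            return False, "door not in access rights"
        if self.threat_level >= self.pin_required_at:
            # escalated threat: the PIN entered on the phone becomes a mandatory second factor
            if pin is None:
                return False, "PIN required at current threat level"
            if not self.store.check_pin(cred, pin):
                return False, "wrong PIN"
        return True, "granted"


def demo():
    store = CredentialStore()
    store.issue("piv-001", "alice", {"lobby", "lab"})
    store.issue("mobile-001", "alice", {"lobby", "lab"}, device_id="phone-A", derived_from="piv-001", pin="4821")
    ctl = DoorController(store)
    results = [ctl.decide("mobile-001", "lab")[0]]            # normal level: granted
    ctl.threat_level = 2
    results.append(ctl.decide("mobile-001", "lab")[0])        # escalated, no PIN: denied
    results.append(ctl.decide("mobile-001", "lab", "4821")[0])  # escalated, PIN ok: granted
    store.revoke("piv-001")                                   # parent card cancelled
    results.append(ctl.decide("mobile-001", "lab", "4821")[0])  # derived mobile ID gone too: denied
    return results


if __name__ == "__main__":
    print(demo())
```

The cascade is driven purely by the `derived_from` and `device_id` links, so the same `revoke` routine serves both the "card cancelled" and the "phone lost" cases described above; the door controller never has to know why a credential disappeared, only that the central database marks it revoked.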

If access control and computer desktop login functions are to coexist on an employee-owned smartphone, the security of cloud storage also needs to be ensured. There are four possible approaches. The first is an open access model on the public Internet, in which the user name and password are managed by a software-as-a-service (SaaS) provider. Although this approach is easy to adopt, it offers the weakest data protection. The second is to use a virtual private network (VPN) and require remote users to authenticate to the VPN (most likely with a one-time password solution) before entering their user name and password. However, a VPN is inconvenient for users and does not scale well to employee-owned devices, because it requires VPN clients and personal applications to be installed on many different devices, and the VPN provides no additional protection against Internet security threats.

The third approach is strong local authentication. This is inconvenient because each application requires its own unique security solution. The fourth and best approach is federated identity management, in which users authenticate to a central portal to access multiple applications. This approach supports many different verification methods, requires nothing to be installed on the end user's device, and can provide audit records for every application accessed, so it can meet regulatory compliance requirements. It can also withstand internal security threats such as advanced persistent threats (APTs), targeted hacking attacks, malicious behaviour by former employees and employee fraud. Federated identity management is also suitable for internal applications hosted elsewhere, letting users reach all their applications from one place. Whichever approach is chosen, however, there may be further policy and adoption issues to resolve on both the enterprise side and the device owner's side. Enterprises want owners of personal devices to give up certain rights so that those phones can open doors and log on to computer desktops, while the owners are reluctant to use certain functions because they fear exposing their privacy.
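The federated model in the paragraph above, as an added example that is not part of the original article: a central portal checks the user with one of several pluggable verification methods, writes an audit record for every attempt, and issues a short-lived assertion for one specific application; the application accepts the assertion without any client software on the user's device, checking signature, audience, lifetime and replay, and keeping its own audit trail. The assertion format is a simplified HMAC-signed JSON blob standing in for a real SAML or OpenID Connect token, the per-application shared key is an assumption, and the password hashes and one-time codes are constructed sample data.

```python
"""Federated login through a central portal (constructed example).

Assumptions: each application shares a symmetric key with the portal, the
assertion is HMAC-SHA256 over canonical JSON (a stand-in for SAML/OIDC
tokens), and the user records below are made-up sample data.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, List, Tuple


class IdentityPortal:
    """Central portal: verifies the user with a chosen method, audits, issues an assertion."""

    def __init__(self, signing_keys: Dict[str, bytes]) -> None:
        self.signing_keys = signing_keys                          # application id -> shared key
        self.verifiers: Dict[str, Callable[[str, str], bool]] = {}  # method name -> check function
        self.audit: List[dict] = []

    def register_verifier(self, name: str, fn: Callable[[str, str], bool]) -> None:
        self.verifiers[name] = fn

    def login(self, user, method, secret, audience, ttl=300, now=None):
        now = time.time() if now is None else now
        ok = method in self.verifiers and self.verifiers[method](user, secret)
        # every attempt, successful or not, is recorded for compliance
        self.audit.append({"ts": now, "user": user, "method": method, "app": audience, "ok": ok})
        if not ok or audience not in self.signing_keys:
            return None
        claims = {"sub": user, "aud": audience, "iat": int(now), "exp": int(now) + ttl,
                  "jti": secrets.token_hex(8)}                  # jti: unique id for replay detection
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.signing_keys[audience], body, hashlib.sha256).hexdigest()
        return body.hex() + "." + sig


class Application:
    """Relying application: trusts portal assertions, nothing installed on the end user's device."""

    def __init__(self, app_id: str, key: bytes) -> None:
        self.app_id = app_id
        self.key = key
        self.seen_jti: set = set()
        self.audit: List[dict] = []

    def accept(self, token, now=None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            body_hex, sig = token.split(".")
            body = bytes.fromhex(body_hex)
        except (AttributeError, ValueError):
            return self._log(now, None, False, "malformed")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return self._log(now, None, False, "bad signature")
        claims = json.loads(body)
        if claims["aud"] != self.app_id:
            return self._log(now, claims["sub"], False, "wrong audience")
        if now >= claims["exp"]:
            return self._log(now, claims["sub"], False, "expired")
        if claims["jti"] in self.seen_jti:
            return self._log(now, claims["sub"], False, "replayed")
        self.seen_jti.add(claims["jti"])
        return self._log(now, claims["sub"], True, "login")

    def _log(self, now, user, ok, event):
        self.audit.append({"ts": now, "user": user, "ok": ok, "event": event})
        return ok, event


def demo():
    key = b"constructed-shared-key-for-hr-app"
    portal = IdentityPortal({"hr-app": key})
    pw_hashes = {"alice": hashlib.sha256(b"correct horse").hexdigest()}   # constructed sample user
    otp_codes = {"bob": "493817"}   # constructed one-time code delivered to Bob's phone
    portal.register_verifier("password", lambda u, s: hmac.compare_digest(
        pw_hashes.get(u, ""), hashlib.sha256(s.encode()).hexdigest()))
    portal.register_verifier("otp", lambda u, s: u in otp_codes and hmac.compare_digest(otp_codes.pop(u), s))
    app = Application("hr-app", key)
    t0 = 1_700_000_000
    tok_a = portal.login("alice", "password", "correct horse", "hr-app", now=t0)
    tok_b = portal.login("bob", "otp", "493817", "hr-app", now=t0)
    return [
        app.accept(tok_a, now=t0 + 10)[0],                              # fresh assertion: True
        app.accept(tok_a, now=t0 + 10)[0],                              # presented again: replay, False
        app.accept(tok_b, now=t0 + 600)[0],                             # beyond 300 s lifetime: False
        portal.login("bob", "otp", "493817", "hr-app", now=t0) is None,  # code already consumed: True
        Application("other-app", key).accept(
            portal.login("alice", "password", "correct horse", "hr-app", now=t0), now=t0)[0],  # wrong audience: False
    ]


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the audience claim is what confines each assertion to one application, so a token obtained for the HR system is useless against another service even if that service happened to share the same key; and the `jti` set plus the short `exp` are what let a stateless application still refuse a captured token, while both audit lists give the per-application access record the compliance requirement calls for.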

Employee-owned devices have many advantages, in particular that the employee's smartphone can become a carrier for a growing number of the enterprise's access control and computer desktop login keys and credential cards. The coming generation of mobile access control solutions will offer greater convenience and management flexibility, while ensuring that smartphones, computer and network resources, access control systems, and the infrastructure that delivers identity information in the cloud and over the air all process data securely.
