Single Secure Credential To Access Facilities And IT Resources - HID Global


Single Secure Credential to Access Facilities and IT Resources
HID PIV Solutions

Securing access to premises, applications and networks

Organizational Challenges

Organizations that want to secure access to their premises, applications and networks run into significant challenges:

- Passwords are insecure and costly to manage
- Physical and IT access are often siloed
- Users' digital identities are often not offboarded when they leave the organization
- Organizations typically have multiple user populations with different needs

Government and regulated industries see security mandates and regulations tightening as the reporting of breaches increases. Unfortunately, the technology to address these issues can sometimes require products from up to 12 different vendors.

A Comprehensive Solution to Meet Your Identity and Access Needs

The HID PIV (Personal Identity Verification) solution addresses all of those challenges by leveraging the same government-strength security solution that has already been deployed to more than seven million people across the world. Organizations benefit from the ecosystem created by this large footprint, with many applications, operating systems and devices natively supporting PIV credentials.

Customers can implement the HID PIV solution to be fully compliant with stringent mandates such as PIV or PIV-Interoperable (PIV-I). If strict compliance with government mandates is not required, HID offers a lighter deployment model that still provides the increased security and interoperability of the PIV ecosystem.

Your organization benefits from a secure and reliable credential in the form of a smart card that can be used for visual identification, to protect access to facilities and to access IT systems. Other form factor options are also available, including USB key, virtual smart card and derived credentials for mobile devices.

HID PIV Solutions Deliver:

- Trusted Identity: HID PIV provides your users with an identity that is trusted within your organization and can optionally be automatically trusted by other organizations you do business with.
- Comprehensive Security: HID PIV leverages the established strength of this existing standard and extends it to systems, networks and applications, resulting in a better security position for your organization.
- Simplified User Experience: By incorporating more capabilities into a single smart card or USB key, users have fewer credentials to remember or manage in order to get access to what they need to do their jobs, and are less likely to circumvent your controls.
- Easier Deployment and Management: The components of HID PIV are designed to work seamlessly together, so it is faster to get up and running and easier to manage over time.
- A Complete System: HID PIV Enterprise encapsulates the entire PIV management process, from establishing identity to credential creation and issuance, synchronization of connected systems, and credential revocation.

[Graphic: HID PIV Solutions - Trusted Identity, Comprehensive Security, Simplified User Experience, Easier Deployment and Management, A Complete Solution]

[Figure: credential lifecycle - 01 Establish (Sponsor, Enroll, Vet); 02 Create; 03 Use (Visual Verification, Physical Access, IT Access: Authenticate, Validate, Digitally Sign, Decrypt); 04 Manage the Credential]

Establishing the Identity: Root of Trust

What is PIV / PIV-I / HSPD-12 / FIPS 201 Compliance?

The US Federal government is mandated by Homeland Security Presidential Directive 12 (HSPD-12) that all federal employees and onsite contractors have a standard, secure, reliable form of identification. This form of identification is the Personal Identity Verification (PIV) card. PIV Interoperable (PIV-I) is a variation of that standard for non-US Federal organizations that is still trusted by the US Federal government. FIPS 201 is the technical standard covering the processes to obtain such a card as well as the interoperability of such a card, including certification processes and listing the products approved by the US Federal Government. Derived Credentials also extend the PIV/PIV-I identity to mobile devices where the use of the card may be impractical.

Providing strong authentication starts by establishing the identity of the person who will receive the secure credential. HID PIV Solutions can streamline this process by:

1. Integrating with authoritative sources such as HR or contractor management systems for automated sponsorship
2. Performing identity proofing (verifying and capturing an approved state or national ID)
3. Enrolling the user's fingerprint or iris data so that subsequent interaction with the system can be verified electronically without requiring the applicant's ID
4. Connecting to external background check systems, including the United States Office of Personnel Management Federal Investigative Services
5. Adjudicating the application to determine whether the applicant should receive the credential

HID PIV solutions provide a customizable HID PIV IDMS (Identity Management System) that is FIPS 201 compliant. Organizations that don't need to comply with PIV or PIV-I can configure the HID PIV solution to skip any of the above steps.

Credential Issuance & Lifecycle Management

Once an applicant has been approved to receive a credential, the HID PIV solution securely issues that credential and manages its lifecycle. The credential itself can be in the form of a FIPS 140-2 certified smart card or USB key with an embedded secure element. The smart card can be contact-only or dual interface (contact and contactless), and can be printed using an HID Fargo printer to include a facial image, personal information and/or organization logo. In addition to issuing and managing smart cards and USB keys, HID PIV can manage virtual and software credentials, which are better suited to mobile computing devices such as tablets and smart phones. The credential typically contains digital certificates and the corresponding private keys, user data and an optional one-time password generator for legacy applications.

An additional component of HID PIV is the ActivID Credential Management System, which securely manages the lifecycle of the credential, including PIN unlock, certificate updates, lost/stolen credential replacement, and termination. All updates can be done remotely in a highly secure fashion, so that branch offices, remote or traveling employees and partners are serviced without requiring them to be physically present.

Credentials for Physical and IT Systems Access

Physical Access

The credential, when in a card form factor, can be used to access the organization's premises. Organizations typically have two options:

- Those that need full compliance with the PIV or PIV-I mandate: the card chip is accessible via both the contact and the contactless interface (also known as dual interface) and enables PKI authentication at the door.
- Those that don't need full compliance with PIV or PIV-I but want to leverage their existing physical access control system (PACS) and don't plan to deploy PKI authentication at the door: these organizations can use a combo card with the smart card contact chip for IT authentication and the PACS contactless chip for physical access.

Organizations can also step up the security of specific doors by requiring two- or three-factor authentication: card presence, card presence + PIN entry, or card presence + PIN entry + fingerprint validation.

HID PIV Enterprise can provide Physical Identity & Access Management (PIAM) to automatically provision and de-provision user access in your organization's PACS. HID PIV Enterprise supports systems from many popular vendors, so that large organizations with many sites can manage the provisioning and de-provisioning of users' identities and access privileges across the organization.

IT Systems Access

The same credential can be used to replace passwords with stronger authentication in many IT applications, including Microsoft Windows Active Directory, most VPN products, web sites, cloud applications and more. The user simply inserts his/her card into the smart card reader (or inserts the USB key) and types his/her PIN code to log in with multi-factor authentication. The card also locks itself after too many wrong PIN attempts. The result is better security and better user convenience, by eliminating complex, constantly changing passwords that are difficult to remember.

Mobile devices can also benefit from the seamless, improved security via virtual smart cards and derived credentials. Legacy applications that are not PKI enabled can often be supported using a One Time Password generated from the smart card and authenticated by an ActivID Appliance, and then integrated into the application using protocols like RADIUS or SAML.

Deployment Options

HID PIV comes in two editions:

- HID PIV Express is a customizable, easy-to-deploy, PIV compliant solution that does not require complex integration between point products.
- HID PIV Enterprise has all of the features of HID PIV Express but adds Physical Identity and Access Management (PIAM) capabilities. These advanced capabilities allow users to create a central PIV identity repository and automate access requirements based on policy rules that are enforced within your PACS systems. Additionally, HID PIV Enterprise includes enhanced process reporting to monitor and manage your credential workflows.

Advanced Use Cases

Users can also use their same credential to digitally sign emails or documents, decrypt emails or files, protect their laptop with full disk encryption and boot protection, protect print jobs with secure printing, and many other functions.

Organizations can optionally use IdenTrust digital certificates so that their users' credentials are automatically trusted by virtually anybody that has a PC or mobile device.

For maximum ease of procurement, deployment and maintenance, customers can take advantage of the full HID solution or leverage existing third-party components to maximize existing investments.

HID PIV solutions help organizations improve their security posture, comply with mandates, improve the user experience, and are easier to procure, deploy and maintain.

For more information about HID PIV Express and Enterprise, please visit: hidglobal.com/hidpiv

North America: 1 512 776 9000  Toll Free: 1 800 237 7769
Europe, Middle East, Africa: 44 1440 714 850
Asia Pacific: 852 3160 9800  Latin America: 52 55 5081 1650

2017 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design, Genuine HID, iCLASS, PIV Enterprise and PIV Express are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission. All other trademarks, service marks, and product or service names are trademarks or registered trademarks of their respective owners.

2017-11-15-iam-hidpiv-solutions-br-en PLT-03132
An ASSA ABLOY Group brand
hidglobal.com
