Interview: How HID Is Securing Hospitals, Airports, Banks And Digital Identities
Expert Insights interviews Matthew Lewis, Director of Product Marketing at HID, a provider of digital and physical authentication tools and services.
Our identities—both physical and digital—are some of the most valuable assets for cybercriminals today. The number of data breaches is at an all-time high, driven by compromised credentials such as stolen passwords and successful phishing attacks. At the same time, the continued challenges posed by the pandemic are putting strain on physical authentication processes, particularly in healthcare organizations and in highly regulated industries where it’s critical to know which people are where, and if they should be there at all.
HID is a provider of authentication tools designed to enable organizations to improve their resilience against these risks. Expert Insights sat down with HID’s Director of Product Marketing for IAM-Workforce Identity Management, Matthew Lewis, to discuss how organizations can improve their resilience, both physically and digitally, against identity-based risks.
Can you give us an overview of the HID identity and access management solution suite, and what sets you apart in the IAM market?
Almost everything HID is doing as a company is related to security in some way, shape or form. A lot of what we do is around physical devices, such as door readers and controllers to let you enter a building, or RFID tags that are put into national ID cards. A lot of what HID does in this area focuses on hardware security and manufacturing a safe environment.
The IAMS (identity and access management solutions) group is very focused on software. Some of the software helps with that hardware and physical access side, normally around ensuring that people are who they say they are when getting access into a building. But our identity software also extends to securing your digital self. If, for example, we have used the CFO’s fingerprint to allow them access to your physical building, we also want to make sure it’s still the CFO when they log onto their digital financial systems.
Our solutions are really about increasing the level of trust that people are who they say that they are. And we do that through a myriad of technologies. This could be by using your face, your fingerprint, a card, or a USB key. Our cards use a little chip, which is super secure. Our USBs can be used with your phone, or your computer. And it’s all about increasing the level of trust that the person is who they say they are. And that’s physical, or digital, in today’s world.
For our business area, the division we’re in at HID, we have three focus areas. The first group is the one that I’m in, which is focused on securing access for employees, business partners, or visitors to a business.
The second is focused on consumers, so securing banking applications or even governmental services.
And then finally we have a group that’s focused on machines. This includes putting a cryptographic certificate onto a device that allows you to have greater certainty in that device. And they’re also enabling technology for the rest of us here at HID.
When it comes to your business unit helping to secure employees’ access to an organization’s assets, who are the typical customers that you’re working with, and what are the major challenges they are facing today?
Let’s take this in a couple of ways. Our business unit has both a physical and a digital focus.
In the physical world, it’s normally larger organizations looking to understand their physical employee access to all of their buildings. Let’s take HID as an example. We’re globally distributed. Do our employees have access to every HID office across the world, and should they? There’s a conversation there. Once that is decided, employees each get a badge which allows them to get in and out of the front door.
This is used by any organization that has a footprint outside of just one building. In that way, it could be almost any enterprise of any size. Particularly financial services, energy, and utility companies, but anyone who is regulated and needs to control physical foot traffic through their premises and understand who is in their building. Any organization, for example, might need to know why somebody from marketing is suddenly in the IT closet, if they have to adhere to regulatory compliance about access to areas.
A lot of the conversation right now around the physical space is in airports, as you can imagine. And it’s not just about you or I as a passenger; it’s about the barista at Starbucks, the people serving food in one of the cafés. It’s those individuals who are part of the whole airport’s topography of individuals and people.
Healthcare is another particularly interesting space. Unfortunately, here in the United States, there is a fair amount of workplace violence in healthcare. We have an emphasis on helping healthcare organizations to understand who’s coming in to see a patient, which doctors are visiting, what vendors are visiting, which business partners have been to the hospital.
Our solutions can positively identify who is visiting, and who they are here to see. We can check if they are on an approved list, and also run any background checks. So, if someone is here to visit someone at the newborn intensive care unit, we can check if they are allowed there, and if they have any flags against them. That’s making a really big impact on the safety of patients, and the safety of nurses and doctors and staff at a hospital.
We have a serious need for this in the US; it’s one of the more violent workplaces, unfortunately. And these applications are also helping those same hospitals stick to Track and Trace health mandates that were put in place through COVID. Because of that, they’ve seen dropping incidents and infection rates.
This is all on the physical side: understanding who is where, when, how, why they are there, and whether they should be there. On the digital side, it’s a lot of the same types of companies, particularly larger ones, who have a globally distributed footprint of some sort.
Thinking again of healthcare, doctors and nurses are logging in and out of machines, moving all over the place. In banking, you want to make sure that only the right people have access to machines. Retail has a need for this, for all sorts of different purposes. For the US Federal Government, we offer a “Common Access Card”, which people use for both physical access and logical access.
That’s another one of the things that make HID unique. We can present a card that has a multi-use credential on it, so you can get through the front door, and then you can use that same card at your computer login, and to get access into whatever business application you need. And there are different form factors for that: you can use your fingerprint, facial recognition, or the key. So, we provide a lot of flexibility. A customer can take our solutions, fit them into the existing landscape, and evolve with them.
A lot of our customers want to move towards passwordless, but not everything, or everyone, is ready. Not every application that a company has is ready to go passwordless. But you can take cards or keys or fingerprints that are much more resistant to phishing. You cannot phish one of our cards when it is literally not connected to the internet, and there’s no shared secret. So, organizations are able to use our solutions to push a greater percentage of their overall infrastructure towards passwordless.
Our solutions also provide a nicer user experience than say, getting a text message on your phone, and then having to get your phone out, unlock it, log into your authentication application and find the code they’ve sent you. A lot of our focus is on making sure that we’re not adding any friction for the person authenticating. Because, at the end of the day, I want to make it as easy on myself as possible. Good solutions should have the balance between security and user experience.
The importance of having strong security at the office front door might be taken as a given, but we find that digital identity controls often aren’t as robust. How important is it for organizations to have strong digital authentication processes in place; what are some of the risks you are seeing today?
Unfortunately, passwords are ubiquitous. And because of that, they’re hard to kill off. The entire ethos of the FIDO Alliance was to kill the password. But the password remains the number one mechanism for account takeover, and thus any malicious act—whether that’s for a privileged account, or a normal employee account which they then use to move laterally in the organization to someone that has the goodies.
Attacks, more often than not, start with a stolen password. And so, being able to eliminate those passwords and actually see an increase in security is everyone’s goal. But the challenge there, and I mentioned it a little earlier, is that not all of the applications in an organization are ready for that yet. They still require a username and password.
If that’s the case, if you cannot truly move to a passwordless future where you are using, for example, a biometric as the actual login, then you should use it as a second factor or a third factor or however many factors you want to put in place. Because that’s what’s going to help. Try and implement multiple factors of authentication wherever possible, and balance it with the risk you have.
Some things might be okay with a one-time passcode for now. But make sure that you’re thinking about the calculus of risk of that application, and the data that’s stored in that application, in comparison to using a cheap mobile authenticator that you found on the internet. You might be fine, but you also might not be.
One of the big trends in the industry today when it comes to securing our digital identities is the move towards Zero Trust as a security framework. Where does HID Global stand on the idea of Zero Trust, and how do your solutions fit into this framework?
I don’t want to speak for John Kindervag (the Forrester Research analyst who in 2010 coined the term “zero trust”) and what got him to the ultimate point of Zero Trust. But the whole point of it is to always verify that people are who they say they are. You’re never trusting, and you’re always verifying.
One of the core parts of Zero Trust is understanding what something is, as well as authenticating that they are who they say they are. There are layers to Zero Trust; many network security layers, but there’s also an identity layer. You have to start with that. You have to start with that understanding that your users are who they say they are and put the policies and tools in place to do that.
Maybe your current policy is, you only present users a second authentication factor every 96 hours. Well, maybe drop it down to 12 hours. Taking steps to either get to having a principle of least privilege in place, or at least a reduction in trust, is key. And make sure you put tools in place to make sure that it’s not hard for the person authenticating to do that.
That’s the beauty of our little USB keys and cards. I can tap it onto my computer, hit a button that releases the FIDO credential, and I’m authenticated and on my way. I can pull it out at the end of the day and ensure that if my laptop gets stolen, nobody else can log in to it. This is central to Zero Trust.
Is it the only part of Zero Trust? Absolutely not. But I think it’s a very critical part; our solutions play a very critical part because they are focused on identity, on an assertion of the identity. Our solutions are all about asking, “Who do you trust, what do you trust, and how much do you trust them?”
People also ask, “Where does Zero Trust start, and where does it end?” I think Zero Trust also expands into the physical world. In highly regulated industries, if you give someone unfettered physical access to a machine, it’s very hard to have certainty around what is going on in that machine. Zero Trust really does extend to the physical world.
Many organizations have a mandate to control certain secure areas, and I think that should be part of the overall calculus for Zero Trust. Security is security. We can parse it as cybersecurity and physical security but, at the end of the day, the point is to increase the security of the organization and individuals, whether that’s employees, consumers or people doing business on behalf of that company. We’re about making sure that you have all the cybersecurity tools you need, but also making sure you have the physical security.
Finally, what advice would you give organizations on how they can improve their digital authentication resilience to avoid risks like account takeover?
The heart of where these compromises are starting is some form of stolen credential. That is your starting point. So how do you mitigate stolen credentials? You either get rid of them entirely and replace them with something better or require additional authentication factors to assess that a user is who they say they are.
You’re going to have to do that by looking at what you have within your organization and understanding the business process and applications that you have. Because you’re not going to be able to go passwordless cold turkey. And there is no silver bullet for security—I know that’s kind of a blasé and overused phrase—but there really isn’t!
The idea that Zero Trust and passwordless are just these things you can will your organization into being is just not right. You will have to take steps; it is a journey to move there. You need to really look at what your organization has in place today, think about the risk that’s there, think about the user population, think about where you want to be, and for larger organizations your internal and external compliance requirements. That’s really your starting point.
You can find out more about HID here: https://www.hidglobal.com