The Walt Disney Co. could be in need of a fairy godmother to help the House of Mouse out of a recent legal situation. Disney employees have filed a class-action lawsuit against the company, claiming that employee identification cards – issued to avoid security risks – actually expose the personnel to the risk of identity theft. A worker discovered that a smart phone app that reads barcodes was able to decipher his Social Security number, encoded in his ID card, simply by scanning the card. The lawsuit contends that encoding Social Security numbers violates California law. The codes can be read by most cellular phones, including the Apple iPhone and Android devices, according to employees.
Despite the negative light that the Disney situation is shining on identification cards, there is no doubt that the technology is increasingly accepted as the credential of choice for securely controlling physical access. Standards-based smart ID cards can be used to easily authenticate a person’s identity, determine the appropriate level of access, and physically admit the cardholder to a facility. Through the appropriate use of contact or contactless smart card technology in the overall physical access system design, you can implement the strongest possible security policies for any situation.
More than one access application can be carried on a single smart ID card, enabling users to access physical and logical resources without carrying multiple credentials. Security can change access rights dynamically, depending on perceived threat level, time of day, or other appropriate parameters. Smart card support for multiple applications allows organizations to expand card use to provide a compelling business case for the enterprise.
Smart cards not only secure access to physical or logical resources, they can store data about the cardholder, pay a fee or fare if required, certify transactions, and track ID holder activities for audit purposes. Because supporting system components can be networked, shared databases and inter-computer communication can allow separate functional areas in an organization to exchange and coordinate information automatically and instantly distribute accurate information over large geographic areas.
In January 2008, Datamonitor researched the state of passwords and smart cards in the enterprise, and published the results in a white paper that shows the ROI for enterprise smart cards. The research found that 62 percent of enterprises experienced problems with passwords and that 40 man-hours per week would be saved using smart cards and single sign-on. The analysis concluded that a 2,000-user company deploying smart cards could see a US$3.4 million savings over the course of three years.
Given those compelling numbers, it should come as no surprise that the smartcard market shipped more than four billion units in 2009; four billion smart cards shipped in 2010; and is forecast to be even more this year, according to ABI Research.
The key to generating these smart cards is having a printer, which CSOs say should be able to create multi-layered cards with embedded holograms, biometric characteristics, and trademarked logos all in an effort to prevent forgery or to at least make it more difficult. “ID cards have come a long way from consisting of a laminated Polaroid picture just 15 years ago,” says Karl Perman, the manager of infrastructure protection for a U.S. energy company.
Not only has the look of the ID card changed, but so has how and where the cards are printed. Outsourcing had been the only option for most companies when it came to their ID card needs. But the availability of affordable software and printers enabled companies the opportunity to make their own ID cards. The cost and quality of production provided a way for companies to improve their existing ID card system and have more control on production.
The cost of in-house printing may be high initially as companies need to invest in top quality printer and software. The fact is especially true if companies plan to make HID proximity cards.
When using the cards for access control, a larger investment in hardware and software is necessary, but pros say that the costs taper off with printing replacement cards and issuing cards for new employees.
Government Mandates Require Smart Cards
Federal agencies had until March 31 to have in place a standard secure ID that can be used across agencies, as required by the Homeland Security Presidential Directive-12, according to a draft Department of Homeland Security (DHS) memo. According to the draft memo, the DHS gave agencies just two months to implement a six-year old mandate to issue credentials that can be used for identification across agencies.
The DHS and General Services Administration (GSA) are partnering to implement the secure ID program, called the Federal Identity, Credential and Access Roadmap and Implementation Guidance (ICAM). Agency plans must include a strategy to ensure that all new systems under development use HSPD-12 credentials before being made operational.
It's been in limbo, yet once it's in place, existing physical and logical access control systems must be upgraded to use the secure ID cards. Agencies will accept and electronically verify secure ID cards issued by other agencies, according to the draft memo.
“While HSPDs apply only to the Executive Branch departments, these departments, like the Department of Homeland Security, can use them as broad policy guidance documents for crafting federal regulations that apply to critical infrastructure sectors, including transportation,” says Dennis Treece, Colonel, US Army (Ret.), director of Corporate Security for the Massachusetts Port Authority (Massport), which includes three airports. “Some have advocated, for instance, that pilots should have common access credentials at all airports they enter, but others believe this would be a disaster.”
Massport is moving towards an enterprise-wide ID card solution that features a three-factor access authentication system: An HID card that includes picture, pin number, and fingerprint biometric identifier to link the card to the individual. “The biometric ID is in the card itself so the access control reader is only looking for a match to the data in the card,” explains Col. Treece. “This three-factor authentication means that access requires something you have (the card), something you know (the PIN), and something you are (biometric). This way when someone accesses a portal, we can be certain who they are, what time they arrived and when they leave.”
Having a single ID and access system for a multiple physical enterprise like Massport reduces system complexity and achieves a level of hardware and software familiarity. Col. Treece says, “CSOs who want to have complete control over who has access to secure facilities will want a system like this.”
Like government workers, regulatory requirements for ID badge systems are being imposed on the healthcare industry by local, state and federal agencies to identify healthcare providers. In an effort to meet these myriad requirements, Carolinas HealthCare System (CHS) opted to implement its own smart card system. “Because our organization is expanding rapidly and we are constantly seeking opportunities for growth and innovation in the way that we provide services, it was logical to have our own ID badge system. That way, any changes we would need to make could occur fluidly and easily without involving the expense of a third party,” explains Bryan Warren, CHPA, CPO-I, director of corporate security for the healthcare organization.
The CHS organizations includes 33 affiliated hospitals and a network of 500 physician practices, surgical and rehabilitation centers, home health agencies, nursing homes and other facilities in North and South Carolina.
“Hospitals have a significant number of security sensitive areas and house some of the most vulnerable populations, making the environment very challenging because we have to strike a balance between convenience and security at all times,” says Warren. For instance, visitors want to visit at any time they please, often leaving their valuables unattended and unsecured in waiting rooms and lobbies.
CHS is using a proximity card ID badge, selected for its durability, ease of use, ease of programming, ability to remotely “kill” access in the event of the card being lost or stolen or the employee being terminated and scalability with future programming needs. All employees, students, vendors and volunteers are issued an ID badge with their photo, name, and department or company name when applicable. Each badge is programmed with the proper access rights for the person receiving it and its use is then tracked and can be mined for data (time and date of use, number of uses, etc.) should the need arise. The ID badges are also tied into a program that allows them to be used as a debit system, facilitating automatic payroll deduction at in house gift shops, canteens and cafeterias. “But most importantly, the badges assist us in identifying who should and should not be in the facility, especially after visiting hours,” says Warren.
But this renewed sense of security didn’t come without its programming challenges. Getting new photos taken for the thousands of personnel was ambitious, he says, requiring portable table-top sites throughout the organization for updating information and taking pictures. Anyone who didn’t have their information updated quickly found that their old badges didn’t allow them hospital access and quickly found the incentive to visit an ID badge location for restored access, says Warren.
Embedding Levels of Security
As more schools make headlines pertaining to gang riots, bullying and shootings, security ID badges have become just one tool in school boards’ arsenals around the country. Security officers, faculty, students, visitors and contract employees are all being issued these cards for easy visual inspection of their legibility on campus.
The Littleton, Colo. school district is no exception. With more than 2,000 employees, 16,000 students, and a significant number of volunteers and large substitute teacher pool, Guy Grace, director of Security and Emergency Planning for Littleton Public Schools (LPS), had his work cut out for him.
“One of the major problems in K-12 educational facilities can be identification,” he says. The ID cards not only access the building for authorized personnel, but they provide a basic form of identification for other staff and students. “We have found it is reassuring for parents and students to know that our district requires our staff to wear and display their personal ID badges when they are at work.”
LPS uses several Zebra Eltron printers and prints on HID proxy cards. Two other Zebra printers are also in use, and on average, the public school district prints 3,000 ID cards per year. All employees, volunteers and substitute teachers are required to wear and display ID badges. “The greatest benefit is that allows our staff, parents and students to know who is who,” explains Grace. “Our staff is trained to challenge people with whom they are not familiar.” An ID card will only work at the school the enrollee is assigned to, unless that employee has a need to access other buildings, providing accountability at all times.
Currently, 30 properties are under the umbrella of the access control system. On average, each elementary school has five external card readers; a middle school has eight external card readers and a high school has nine. The yearly cost to provide the school district with ID cards averages $7,000. “With that many readers, people and properties, it is important to have a good and reliable ID card printing solution. The employee, volunteer and substitute teacher pool is ever changing and we have to be able provide these people with a reliable system to fulfill their ID card system needs,” says Grace. “Most critical is that we have reduced the possibility of intruders blending into our school community.”
We well know that security threats don’t begin and end at the K-12 level. Considering the caliber of research projects at the University of Arizona, physical security is of paramount importance to ensure that only authorized users have access to restricted, protected, or sensitive areas. The CatCard is the official UA identification card. All students, faculty and staff affiliated with the university need to carry the CatCard for identification. The CatCard features a digitized photo, digitized signature, Contactless SmartChip, from SmartCentric, and magnetic stripe. The CatCard also allows a range of on-campus services such as meal plans, photocopying, printing and parking.
Though the CatCard is a multi-application card, DESFire (data encryption standard fast, innovative, reliable, and secure) contactless cards (also from SmartCentric) offer more functionality for gaining access to 12 buildings on campus. Individuals who receive these cards are being authorized for access into specific buildings and through specific doors, as well as for specific times of day or night, depending upon need. Authorization to receive these cards is stored in a separate database and verified at the time CatCards are issued. The cards are generated with NiSCA printers.
Individuals who require access to the 12 buildings present their cards within a few inches of one of the SmartID ISO 14443-4 card readers from Integrated Engineering. For level-one security, once the CatCard is read and validated using DSX access control software from Amer-X Security, access is simply granted. At the next access level, the system requires users to enter a four-digit PIN on the reader keypad. For buildings and doors requiring the highest level of security, the CatCard must be read, and a corresponding finger must be placed on the Integrated Engineering SmartTouch reader, for verification before granting access. Importantly, a unique template associated with each fingerprint is generated by an algorithm, and it is this template alone that is enrolled and stored only on that individual’s DESFire card. The storage of a proprietary template – and not the actual fingerprint – provides maximum privacy protection.
Interestingly, the contactless card technology proved to be cheaper than the contact/magnetic stripe technology; $8 versus $4 per card, respectively. The university has added new features and functionality to its CatCard program and has 75,000 active cardholders on the contactless smart card (a hologram lamination and a more versatile magnetic stripe have been added). Diane C. Tatterfield, assistant director of CatCard Services, says that she issues about 25,000 cards CatCards annually, 8,000 of which are replacement cards.
Tatterfield prides herself on staying on the leading edge of smart card technology and is looking forward to a time when the University of Arizona can acquire the card readers that read through latex gloves or read temperature as a biometric indicator. “We have a lot of research going on here and the chemicals our researchers use can literally erase their fingerprints,” she says. “I’m not looking for a system that the CIA would use, but a lower-level version that could accommodate diverse handicaps.”
While not every facility requires multiple layers of sophistication in its smart cards, the pros say that performing a security audit of the enterprise can help make that determination. “As a CSO, you must evaluate the environment you are trying to protect to determine how much or how little security you need from an enterprise-wide ID card and printer system,” says Perman. “Don’t make the solution so complex that you wind up implementing a solution that disables, rather than enables, the operations that you are protecting with your security initiatives.”
In other words, security gurus say not to go goofy with the intricacies, as Disney allegedly did with its ID cards. Rather, try determining what will fit your enterprise needs like a glass slipper.
In-House Printing Saves Time and Money
Atlanta-based Georgia-Pacific faces the same security challenges that most large organizations do: Standardizing technical security solutions, controlling access to a variety of unique facilities, responding to government directives, performing security risk assessments, and carrying out general investigations. However, the company was relying on two types of badges to meet these challenges. The building and consumer products company wanted to create an enterprise solution for access control system implementation using its existing 37-bit proximity badge format. Several of its facilities were migrating from barcode badges to a time and attendance system, which had the ability to use the proximity badges. “To eliminate the use of two badges, we proposed a move to the proximity format for these facilities,” says Andre W. Skeete, security specialist II for GP. One sticking point to this proposal was the fact that GP was outsourcing its printing services. “We needed a much more radical approach to handle the many sites that would be impacted by this change.”
Bringing the printing capabilities in house was a challenge because GP prints in high volumes. Ultimately, the company chose to use XID 580ie printers from Digital Identification Solutions (DIS). Using the DIS printers, GP developed badge designs that are easily visually recognized to identify if the wearer is an employee, contractor or visitor. “Before this, capability was non-existent or implemented on a very small scale at the facility level, but having a centralized ID card printing solution gives us a way to do this successfully,” he says.
Presently, about 90 percent of the GP facilities that print identification badges submit the wearer’s information via a proprietary in-house web application to one of the two XID machines in Atlanta. The second of the two printers is dedicated for producing employee, contractor, and visitor badges worn at headquarters. The larger GP facilities have enough demand to support their own printers; to date six GP facilities are using the same model XID that is used in Atlanta.
“The varied printing approaches are beneficial to all of the facilities,” says Skeete. “For the smaller facilities, creating the badges via the web application costs them less money. And, for those sites that can support the financial cost of the printer and keeping badges in stock, it eliminates time spent waiting for badges to be mailed to them.”
Since installation commenced in 2008, Skeete says that the result has been more consistent ID procedures, standard use of badges, and better access control. “Also, using similar models across our enterprise allows for easy installation, support and troubleshooting.”