Card access control, especially newer multi-functional approaches, can do more than secure a door or provide entry to a parking garage.
Today, a card, sometimes branded to the issuing organization, opens up a world of financial services, computer networks, meals from the cafeteria, buying a bag of chips at a vending machine, purchasing a textbook, and, by the way, providing secured access to a building.
For some enterprise security executives, multi-functional cards not only provide personal identification of employees, visitors, students, healthcare workers and others but also can act as a bridge among distinct systems that may handle magnetic stripe, proximity, barcode and other technologies.
Michael Clemens of IDenticard Systems knows that many enterprises want certain people to wear a photo identification card or badge as a level of security. But there are plenty of uses beyond that, especially with one credential with multiple technologies on it, ranging from elevator control to taking a book out of the library, he says.
Then there is the single sign on approach used in the military, at certain government agencies and in healthcare. Single sign-on (SSO) is a session/user authentication process that permits a user to present a card or enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. Nowadays, single sign-on can work through a smart card as well as other methods.
One Credential for all Purposes
It’s a solution that mirrors past physical security card access situations in which an employee had to carry a number of cards related to different facilities or applications.
Smart cards are a natural way to expand access control beyond a door.
David Cullen, president, ISI - Intelligence Security International, and who has worked with corporate security management in the past, sees growing use of smart cards in financial services, healthcare, transportation and computer access.
A smart card is a device that includes an embedded integrated circuit chip that can be either a secure microcontroller or equivalent intelligence with internal memory or a memory chip alone, he says. The card connects to a reader with direct physical contact or with a remote contactless radio frequency interface. With an embedded microcontroller, smart cards have the ability to store large amounts of data, carry out their own on-card functions (e.g., encryption and mutual authentication) and interact intelligently with a smart card reader. Smart card technology can be in plastic cards, fobs, subscriber identification modules used in GSM mobile phones, and USB-based tokens.
According to the Smart Card Alliance, smart cards are increasingly accepted as a credential for securely controlling physical access. Standards-based smart ID cards can be used to easily authenticate a person’s identity, determine the appropriate level of access, and physically admit the cardholder to a facility.
More than one access application can be carried on a single smart ID card, enabling users to access physical and logical resources. Security can change access rights dynamically, depending on perceived threat level, time of day, or other appropriate parameters. Smart card support for multiple applications allows organizations to expand card use to provide a compelling business case for the enterprise.
Smart cards not only secure access to physical or logical resources, they can store data about the cardholder, pay a fee or fare if required, certify transactions, and track ID holder activities for audit purposes. Because supporting system components can be networked, shared databases and inter-computer communication can allow separate functional areas in an organization to exchange and coordinate information automatically and instantly distribute accurate information over large geographic areas.
There are two general categories of smart cards: contact and contactless.
A contact smart card must be inserted into a smart card reader with a direct connection to a conductive contact plate on the surface of the card (typically gold plated). Transmission of commands, data and card status takes place over these physical contact points.
Smart Card Advantages
A contactless card requires only close proximity to a reader. Both the reader and the card have antennae, and the two communicate using radio frequencies over this contactless link. Most contactless cards also derive power for the internal chip from this electromagnetic signal. The range is typically one-half to three inches for non-battery-powered cards, ideal for applications such as building entry and payment that require a very fast card interface.
Of course, expansion of applications or the design of an access control system across myriad enterprise departments or locations can be achieved through software, as Mark Hart, director of security and environmental safety for Christus Santa Rosa Health System, has discovered. His operation now relies on Bethesda, Md.-based Brivo access control for improved security at five of its hospital campuses spread throughout South-Central Texas. INET Security and Surveillance is the integrator for this large and on-going project implementation.
Christus Santa Rosa Health System, a faith-based, not-for-profit health system, and a part of Christus Health, is comprised of more than 40 hospitals, inpatient and long-term care facilities as well as dozens of clinics, physician offices and healthcare services in more than 70 cities in Texas, Arkansas, Louisiana, Oklahoma, Utah and Mexico. To date, the solution has been installed in the downtown San Antonio Christus Santa Rosa Hospital – City Centre, Christus Santa Rosa Children’s Hospital, Christus Santa Rosa Hospital – Westover Hills, Christus Santa Rosa Hospital – Medical Center, and Christus Santa Rosa Hospital – New Braunfels. The five hospitals combined have a total of 1,128 beds, nearly 3,900 associates and 2,000 physicians. The system manages approximately 210 doors spread among the five hospital campuses.
Hart, a seasoned professional, had a quality working relationship with Steven Ballard of INET, and called him in for a consultation on upgrading access technology.
The initial installation was at the newest hospital campus, where the system’s servers are located, and then rolled out to other hospital campuses. “We did not want to manage two different access control databases,” Hart says. He was able to move from a successful initial installation to the other targeted facilities “by selling management a plan that enabled us to keep all data and all access management under the one system, operated with a single graphical user interface.”
The on-going installation requires an extraordinary amount of coordination with the multiple departments involved and the different security and access needs of each department. It meets the level of control required to manage the multiple needs of all the departments served and to organize the nearly 9,000 users into an impressive 127 groups, all with different privileges in terms of locations, days and time periods of access.
Storing Data on a Card
In addition, Hart and Ballard have been heavily involved in the on-going STRAC (Southwest Texas Regional Advisory Council) Version 2 access control system upgrade. This Version 2 Universal ID Card is a credit card-sized FIPS-201-compliant (PIV-interoperable) smart card. It stores the physician’s personal digital identity and can only be accessed by the physician. The card is useful to physicians who visit many different locations such as hospitals, pharmacies, labs, designated physician parking areas, secure locations in certain buildings and their own offices. Many of these access points require an ID card for access. The STRAC Universal ID card consolidates all of a physician’s separate digital identities onto one card. This card also provides physicians the ability to use a portion of their badge for convenient access at all Christus Santa Rosa Health System facilities.
Colleges and universities are also at the forefront of squeezing more out of identity management tools. Some firms partner with educational institutions. One source is the Student Advantage card from CBORD as well as IP-based door access control technology tailored specifically for the unique needs of campus security systems.
Gary Conley, facilities and systems engineer in the office of business operations at the University of Virginia, Charlottesville, is using the new Schlage AD-Series locks in a beta test. In addition, the University of Virginia Identification (ID) Card – available to students, employees and some others – combines many features all on one card including:
• Library circulation privileges
• Building access
• Meal plans
• Student health facilities
• Access to recreational facilities
• Charge privileges at university bookstore locations
• Admission to athletic events
• University transit
• Access to student legal services
The new electronic locks at the university provide options to customize the access control solution. As business needs change, so can access control to new credential technologies, a variety of network protocols, increased security levels and system expansions.
When it comes to uses of card access control, enterprise security leaders “are only limited by their imagination,” points out Jerod Zakson of RF IDeas, a firm he describes as technology agnostic.
Office Printers Involved
In one example, he suggests that corporate multi-function office document printers can include a card reader so that an employee can wave his or her card at the printer to activate printing that may be in line. There is no waste of paper from print jobs that just stack up waiting for pickup. There’s better security of sensitive documents and an audit trail of jobs printed, he says.
In another example, a Texas medical center affiliated with a university had a department with weekly meeting comprising 200 doctors and needed to record their attendance. They were having problems reading the signatures and having to type the names in a database. Now users just walk past the proximity reader and are registered for the class.
An interesting tool from RF IDeas and aimed at end users and systems integrators who are looking for integration of myriad cards and card-based application is card analyzers, intelligent portable tools for determining the manufacturer and/or card technology and optionally analyzing the card’s data and format of virtually any type of proximity and contactless smart card.
Roger Berk with ScreenCheck North America and a PKI/logical access/multi-application card expert, points out that cards can perform myriad duties but that a centralized database can be essential to working various applications. “Card applications can be endless,” Berk says, but in many ways there needs to be increased security. ID card software can then include plug-ins for turnkey mifare and iClass encoding and biometric capture.
There also is public key infrastructure (PKI), a set of hardware, software, people, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA.