In enterprise-wide identification card access systems, which came first – the card or the printer? In this twist on the chicken and egg, the card came first. Before barcodes, magnetic stripes, Wiegand, proximity, employee photographs and smart card chips, some organizations issued an enterprise-wide ID card or badge worn while at work.
Then came the ability of cards and badges to open secured doors – some now called them credentials – and what followed are myriad technologies encoded and embedded in and printed on the card. Establishing a robust identity management framework within an enterprise requires both the implementation of new business processes and the selection of appropriate credentialing technology. A next step: use of the identity card to get into the enterprise computer network.
A ROBUST IDENTITY FRAMEWORK
Still, in the U.S. and worldwide, most corporate enterprises require employees to carry cards or badges that verify the employee’s identity and allow the employee to access enterprise resources. However, changes in both the regulatory environment and the amount of risk that enterprises face from unauthorized access are driving security leaders to reevaluate their identity management practices.
While there are many approaches to enterprise identity management, industry and government have worked for years to develop both a standardized identification process within the government and specifications for proving an individual’s identity and providing individuals with a secure identity credential. The process and technical specifications, which are now implemented throughout the federal arena, are documented as Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of federal employees and contractors.
SMART CARDS NEXT STEP?
An increasing number of government organizations and some corporate enterprises are now using smart cards as their employee identity credentials. A smart card-based identity credential stores the employee’s identity information securely. This information can include personal information (for example, a biometric or signed digital photo) or privileges (such as an electronic purse or digital certificates that allow computer logon). Additionally, because a smart card has computing power, it can require the user to provide authentication in the form of a PIN or, in some cases, a biometric before the card communicates with the interrogating system.
CARD THROUGHPUT
When considering enterprise card printer solutions, also consider how many cards will be printed per year. Then there is the lifecycle of a corporate card. Card replacement can be a major factor in a large enterprise. Abrasive activities like swiping barcode or magnetic stripe card readers can wear on a card in a short period of time. There are some ways to extend the life of a card. Overlays are an extra panel on the printer ribbon that gets laid down on top of the card. The overlay can be clear or be printed with a security pattern or hologram. An overlay offers only minimal protection and will usually extend the life of the card one additional year. Lamination is an application of vinyl to one or both sides of the card, applied with heat and pressure. You can use laminate of different thicknesses and composition, but a laminated card will generally last longer.
ALTERNATIVES TO CARDS
Keyfobs are an alternative to issuing cards or badges.
For instance, the Wilbert Group, which makes tower cranes for customers throughout Europe and in Canada, has a time and attendance and access control system that uniquely combines the online systems with a mechatronic locking system through a credential from Legic, with its contactless smart card platform. Employees’ access authorizations are written to the ID via online readers. By the way, mechatronic systems intelligently integrate mechanical and electrical elements to perform increasingly complex and demanding functions. In this case, the mechatronic component of the door checks whether the credential is valid and opens the door if the employee is authorized to enter. The door requires no other additional devices or wiring of any kind. A modern update mechanism ensures that users receive modified access rights easily and quickly on an online reader and transfers these rights to their personal identification credential at individual access points.
PIV CARDS FOR AGENCIES AND ENTERPRISES
While fobs and chips are well established in Europe, in the U.S., the federal common access card movement, spurred on by FIPS 201 PIV cards, is moving ahead into non-government corporate use, too.
• Follow a proven process for employee identity vetting.
• Implement an identity vetting process that provides the basis for trusting identities across organizations or with federal agencies.
• Implement an identity credentialing solution that has the potential to be interoperable and compatible across organizations or with federal agencies.
• Acquire proven products and services that meet FIPS 201 technical specifications from multiple vendors.
TOTAL PIV LISTING APPROACH
Some access control providers also have gained a FIPS 201 approved product listing. Just a few months ago, Brivo Systems, with its Software as a Service application for security management, won its listing in the Caching Status Proxy category. Caching status proxies periodically update certificate revocation status, allowing for rapid access control decisions when on-line certificate validation may not be possible or may create unacceptable delays.
“The need for a continuously updated certificate status is critical across both logical and physical access control systems,” notes Don Fergus, vice president of IT risk at Intekras, a government and commercial professional services firm. “Without the implementation of such a capability, timely and streamlined verification and updating of cardholder status cannot be assured.”
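The caching behavior described above, as an added example that is not from the article or from any listed product: door decisions are answered from a locally cached revocation list that is refreshed on a schedule, and a cache older than `max_age` yields `unknown` so the caller can deny. The class name, the `fetch_revoked` callback standing in for a CRL/OCSP fetch, the timing values and the card serial numbers are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Set

@dataclass
class CachingStatusProxy:
    """Answers revocation queries from a local cache (hypothetical design)."""
    fetch_revoked: Callable[[], Set[str]]  # assumed stand-in for a CRL/OCSP fetch
    max_age: float = 3600.0                # seconds a cached list stays trusted
    _revoked: Set[str] = field(default_factory=set)
    _fetched_at: Optional[float] = None

    def refresh(self, now: float) -> bool:
        """Periodic update; on upstream failure the previous cache is kept."""
        try:
            revoked = set(self.fetch_revoked())
        except OSError:
            return False
        self._revoked, self._fetched_at = revoked, now
        return True

    def check(self, serial: str, now: float) -> str:
        """Local-only lookup, so a door decision never waits on the network."""
        if self._fetched_at is None or now - self._fetched_at > self.max_age:
            return "unknown"  # cache missing or too stale: caller should deny
        return "revoked" if serial in self._revoked else "good"

def demo() -> list:
    """Constructed timeline: upstream outage between two refreshes."""
    upstream = {"up": True, "revoked": {"1002"}}  # constructed sample serials
    def fetch() -> Set[str]:
        if not upstream["up"]:
            raise ConnectionError("status responder unreachable")
        return set(upstream["revoked"])
    proxy = CachingStatusProxy(fetch, max_age=3600)
    out = []
    proxy.refresh(now=0)
    out.append(proxy.check("1001", now=10))    # valid card
    out.append(proxy.check("1002", now=10))    # revoked card
    upstream["revoked"].add("1001")            # card 1001 revoked upstream...
    upstream["up"] = False                     # ...but the responder goes down
    proxy.refresh(now=300)                     # fails, old cache kept
    out.append(proxy.check("1001", now=310))   # still answered from stale cache
    out.append(proxy.check("1001", now=4000))  # cache past max_age
    upstream["up"] = True
    proxy.refresh(now=4010)
    out.append(proxy.check("1001", now=4020))  # revocation now visible
    return out

print(demo())
```

The third result shows the cost of caching: a card revoked upstream is still reported as good until the next successful refresh, so the refresh interval and `max_age` together bound how long a revoked credential can keep working.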
ADD IN BIOMETRICS
One example: Spain has installed multi-biometric electronic access kiosks in two of its largest airports. The technology provides a highly efficient and secure way to speed up the passport control process for European citizens at Barajas Airport in Madrid and the Barcelona Airport El Prat. Indra, a Spanish information technology company, uses biometrics from Neurotechnology as multi-biometric engines for the airport access control kiosks.
The solution allows citizens, after being identified in a kiosk, to perform a quick and simple procedure that includes the automatic reading of the electronic document and validation of its authenticity. The passenger is, at the same time, identified and matched to his or her document through biometric recognition and verification. Upon completion of this process, the traveler is issued an entry permit. Each individual process is supervised by officials of the national police. While similar systems have been established in other countries using a single biometric feature, such as the iris, fingerprint or face to verify the passenger identity, the Spanish system performs a more secure dual biometric test using facial and fingerprint recognition.
How to Choose an ID Card Printer
Over the years, IDedge.com has found six questions that narrow down choices to a reasonable number. Ask yourself these questions.
1. Do you want to print in color or monochrome?
2. Do you need to print on both sides of the card?
3. How secure do your cards need to be?
4. How smart do your cards need to be?
5. How many cards will you need to print per year?
6. How long do you need your cards to last?
How It Works: On the Road to Shanghai, Contactless Style
New mechanical and electronic locking systems are the result of a partnership between Legic Identsystems and Shanghai United Sea Trading, a security systems integrator for offices and public buildings. From safe locks and cylinder systems up to architectural hardware and complete access control systems, the product portfolio includes all parts of an integrated security solution. Thanks to new smart card technology, “we are able to expand to electronic locking solutions in all fields of physical access control,” says Joseph Gu, the firm’s director.
Bottom Line Advantages of Common Access Cards
• Strong criteria for verifying an individual’s identity.
• High resistance to identity fraud, tampering, counterfeiting, etc.
• Fast electronic authentication.
• Issuance by official accredited bodies in a secure manner.
Privileged Users with High Risk Assets
In addition to stringent security policies, the U.S. Department of Homeland Security is subject to compliance regulations including Federal Desktop Core Configuration (FDCC) standards. Launched by the Office of Management and Budget in 2007, the FDCC ensures that federal workstations have standardized, uniform, desktop configurations to enable more consistent and better documented security while reducing costs. Technology from Xceedium provides access control for privileged users including system and network administrators to its key network servers. The purpose-built solution enforces fine grained access control policy on users, contains them to authorized systems and applications, and monitors, logs, records and reports their activities for compliance and security risk management. This gives DHS control over its privileged users and high risk assets.
Another Look at Badging Security – Four to Secure Your Facility
A May 2010 issue of Security magazine contained a security badging article, which drew thoughtful response from Dr. David Haas, who works with Data Management Inc. (DMI) on a consulting basis. He founded Temtec Inc. in 1981 and now is with Tecco Corp. DMI offers TAB-expiring visitor passes among other access control solutions. Among his thoughts:
• Electronic badges are always the most secure IDs. For companies that invest and use electronic badge systems for visitor and temporary badges, this investment provides them with the most secure badge as the color change in a self-expiring badge is unnecessary when badges are read electronically.
• Time expiring badges and indicators do not relate to the authenticity or the ownership features of an ID. The expiring properties relate to the authorization features only. Time expiring badges only prevent the re-use of the credential after [a certain period of time].
• Plastic IDs provide the most secure form of visual authorization, authentication, and, when printed at the registration desk, provide ownership names and images of the visitor.