Like every public administration, managing ID/access badges in municipal security comes with significant challenges that include organizational changes, continually shifting economic factors, regulatory compliance and emerging technologies and best practices.
For one overarching security division, badging several thousand employees in several hundred different facilities can prove to be very complex. According to Walter Chan, Supervisor of Corporate Security in the City of Toronto, there is no one-size-fits-all, cookie-cutter template to government ID/access control cards.
“I oversee access control and access/ID management infrastructure in more than 1,000 city-owned and operated facilities – from daycare centers, women’s shelters, animal shelters, long-term care homes, court services to critical infrastructures like water and wastewater facilities, a consolidated data center, Toronto’s City Hall and Civic Centres,” Chan says. And those facilities offer different types of city services, so the ID/access badges not only need to be functional within those types of facilities, but you want the ID/access badges to enhance and integrate the delivery of those services as well.
“Corporate Security works with the various city divisions to come up with ID/access badge designs that work within their operational environment, so it’s more likely that employees will actually want to use their access badge and wear it while they carry out their work,” he says.
“We work with the divisions to understand the types of people requiring access to their facilities and for how long,” he says. “For example, we have some divisions, like Toronto Water that operate with a large contingent of contractors, while the Long-Term Care Homes have a large contingent of volunteers – while we try to streamline the access/ID management processes, the actual badge designs may differ.”
Similarly, Chan’s security access team has been working on an initiative since late 2010 that implements a Six Sigma type of approach to improve customer satisfaction with regards to ID/access badging services city-wide.
Some of these initiatives include:
- Plans to institute a new centralized customer service line to get direct assistance with Security Access-related questions;
- Moving from a centralized card production location to a decentralized and more accessible service, where security access team members are redeployed permanently into key city buildings;
- From an employee engagement and talent management perspective, expanding the access control system training to all security staff that will reduce operational risks and increase service efficiency;
- Leveraging on technology and integration through a Security Access Self-Serve portal and HRIS integration as an enabler to enhance process efficiency and product assurance and quality.
“This initiative makes good sense to me as it shows our team›s commitment to service excellence and stewardship,” Chan says.
More than Just a Card
In Hennepin County, MN, Kirk Simmons, Hennepin County Security Manager, is currently working on rebadging the entire county. “We currently have 17 different ID card types, which is why we need to go through this process,” he says. “Plus, some of the photos on the badges are faded and too dark.” With Simmons’ urging, county administration decided upon one card type for all 9,000 county employees, he says – a prox smart card from HID, that will not only support current card readers, but will allow for multi-function printing within any printer in the county. “We are trying to get the technology up to date as possible so that people can use it for many functions,” Simmons says. The new combined ID and access control card will have a hologram to avoid duplication. The cards will expire automatically after five years. “Getting all of the departments on board was the biggest hurdle,” Simmons explains. “I presented a good case on standardizing. And a five-year expiration date gives us the opportunity to evaluate new technologies as they change.”
In Manchester, NH, Red Robidas, Security Manager for the city, is using ID badges to control many other things besides access. “Being a municipality we go across a broad spectrum for the types of facilities that we have. We own our water district, in addition to municipal buildings and the school system. We are responsible for vehicle maintenance, so we have a consistent usage of access control to city facilities. We have a central fleet management service that uses an industrial car wash and needs vehicle fuel, of course. So we put ID badges on each vehicle, so not only do we track the individual using the vehicle, but we track the vehicle, as well. For city fleet vehicles that use our fuel bay, we employ both an employee ID card as well as a vehicle ID card. The city employees who drive those vehicles are required to track the mileage and the fuel they use. And the ID cards help us manage what they report.”
In addition, says Robidas, the city’s equipment, such as lawn mowers, snow blowers and gas cans are closely monitored, and Robidas has issued them cards as well to reduce gaps in usage. “We could lose five to 10 gallons of fuel at a time, as every piece of equipment that we have requires fuel, even empty gas containers. With the cost of fuel, we just can’t afford not to track it. So the ID card on that equipment not only tracks where and when the equipment is used, but will also help control how much fuel is being put into each piece of equipment, including gas containers.”
John Culwell of the security management unit for the city of Phoenix, also is responsible for securing the city’s water department system, including wastewater. “At last count we are the 12th largest combined water and wastewater utility in the U.S., with 540 square miles of coverage and 504 facilities with six water production facilities, two wastewater treatment plants and a water recreation facility. I have a staff of 11 with 23 contract security officers.”
Culwell is using ID badges for those contract security officers and vendors to control access into the water treatment facilities. He has a data base of more than 5,000 vendors and contractors that have been background checked and screened. “We know that wastewater treatment and water production is a target for terrorism,” Culwell says. “We work with the federal DHS and Arizona DHS on threat assessments to look at our facilities from every angle. So we gear much effort towards access control. We have to know who is on our facilities and why. ”
Culwell notes ID management must go further than simply saying that someone swiped an ID card so that must mean they can be there. “Swiping an ID card is only that the card is authorized to be through that door or gate,” he says. “There is nothing realistically tied to that card. That is my philosophy. We are very careful about not automatically signing off on access with an ID card. Access control is the most important thing that we can do. It seems almost common sense but we can’t be too careful.”
Biometric ID Management & Government Facilities
By Emily Flink, Allegion Marketing Manager–Biometrics
While everyone in government credentialing is learning more about the new FIPS 201-2 standard and planning how to assure that this new cards mandate is met within the next year, there is no question about the role of biometrics. Whether FIPS 201-1 or FIPS 201-2, no card can verify that you are you.
A military base in the Middle East wants to assure that only those authorized can enter the camp. For soldiers in battle, losing a card to an enemy could be disastrous. PINs are way too easy to steal. Like so many commercial enterprises, the military turned to biometrics, as so many other government entities do.
After all, if access control systems are to control where people, not credentials, can and cannot go, then only a biometric device truly provides this capability. And, it takes a two-step procedure to verify if the authorized person is trying to obtain entry. Users enter either a PIN (something they know) or a card (something they have) to activate the biometric hand reader.
A live biometric presented by the user is compared to a stored sample, previously given by that individual during enrollment, and the match is confirmed. However, the actual hand geometry is not stored in a database. Instead, an algorithm creates a unique number that represents the points measured on the hand. The number – or template – that results from this equation is all that is stored. Thus, even if the system were hacked, the perpetrator would end up with nothing but a series of 1’s and 0’s.
When the user keys in his PIN or uses his card, the reader pulls up the resulting template. When he then presents his hand, the reader runs the authentication process to determine if the template that is stored matches the template of the biometric being presented. If there is a match, the person is verified.
At the bases in the Middle East, the military uses biometric
hand readers housed inside a custom portal to ensure only authorized individuals access base camps in the Middle East. They are not affected by dust, dirty hands or minor injuries, which can cause false rejects with other biometric technologies.
The resulting portable, turnkey access control portals are plug-and-play, fully integrated security systems planned for military bases throughout the world. To install a MAC portal, military personnel simply set it in place and plug it into 220-power in a junction box. Since the units are portable, the military can establish a “moving perimeter,” widely used in base construction.
“When they finish with one site, they can simply pick up the portal and move it to the next site,” says David Slagel, President of Modular Security Systems Inc. (MSSI), the integrator, based in Ironton, Ohio. “For the military, it represents zero construction process. They used to spend $80,000 to $100,000 rebuilding these ‘brass shacks’ each time the perimeter changed.”
Using the portals is also easy. Military personnel enter the portal through one of five roll-up doors. They walk up to the entrance and present a proximity card and then their hand to the hand reader. If the light turns green, they are allowed entrance through the turnstiles. If the light is red, an alarm is sounded that alerts a guard, who then investigates.
The MAC portals eliminate concerns about the identity of the cardholder or “tailgating,” in which someone simply follows the next person through an access point without proving their identity.
“The proximity card in combination with the biometric identifier virtually eliminates both of these security-compromising practices and establishes a higher level of security,” Slagel notes.
New personnel are quickly registered at the MAC itself and the MACs can communicate with each other. There is typically a central MAC and the portals can be linked via a LAN or WAN.
Securing a Base in Illinois
Scott Air Force Base in St. Clair County is the headquarters for the U.S. Transportation Command, Air Mobility Command, 18th Air Force, Defense Information Systems Agency and the Air Force Communication Agency. It is located on nearly 3,600 acres of land and employs more than 5,000 active-duty military personnel. The total workforce numbers more than 13,000 people, including Air Force Reserves, National Guardsmen, civil service and other civilian employees. It also provides services for more than 14,000 retired military personnel in the region.
The Shiloh-Scott MetroLink station offers Scott employees a valuable commuting and transportation alternative to the St. Louis metropolitan region, with 27 stops, including Lambert-St. Louis International Airport. Scott Air Force Base uses hand readers to control access to the base from Shiloh-Scott MetroLink station. It is one of many U.S. Air Force bases to employ biometric hand readers for heightened homeland security and automated access control. Security forces at Scott initially manned the gate between the civilian and military sides of the Shiloh-Scott light rail train station, but access to the base is now controlled using hand readers in conjunction with a six-digit PIN, freeing security personnel for other duties.
Biometrics are user-friendly. First of all, they can eliminate the need for keys or cards. While keys themselves don’t cost much and dramatic price reductions have lowered the capital cost of the cards in recent years, the true benefit of eliminating them is realized through reduced administrative efforts. For instance, a lost card or key must be replaced and reissued by someone. Just as there is a price associated with the time spent to complete this seemingly simple task, when added together, the overall administration of a key or card system is costly. Hands are not lost, stolen or forgotten. They also don’t wear out or need to be replaced.
Secondly, biometrics are easy to administer. They are easy to install and maintain. Replacing card readers, in many cases is simply an unplug-plug-and-play operation. Hand geometry readers get people into buildings and rooms quickly. They include a variety of options, such as letting an employee quickly check accrued vacation time. Plus, it is easy to control threshold levels, tightening access control in a nuclear power plant while loosening the level at a spa.
Because they require minimal operator assistance, government agencies that use biometrics can save money by devoting customer service and other personnel to activities other than screening individuals requesting access to restricted areas.
That’s why Chesterfield County (Va.) implemented a hand reader to provide off-hours access at the county’s main administration building.
“We needed a positive identifier for people carrying out critical county functions at off-hour times,” explains Dennis Lacey, Chesterfield County security coordinator who spent 20 years with the Secret Service and 17 years with the Department of Defense. “Biometrics is the only way you can positively identify who comes into a building. At the same time, we need to assure that all those authorized to get into the building can do so, not be blocked because their biometrics aren’t being read. False rejections can become a major reliability problem. We feel that fingerprint technology relies on too small of an area to avoid the problems of false rejects. Meanwhile, hand geometry takes its data points from an entire hand. From a technology standpoint, it’s simply much easier to consistently get a good image from a big hand rather than a small finger.
“We also felt that there would be too much employee resistance to iris/retinal scan,” Lacey adds. “People are uncomfortable putting their eye near a device and positioning themselves for the reader is just too time-consuming.”
According to Lacey, the county’s existing access control system for the five-story main administration building, linked to a three-story and two-story wing and police administration building, is comprised of mechanical keys and the hand reader.
“It’s too expensive and time-consuming to replace missing keys,” Lacey emphasizes. “We often have to search for people who leave our employment to get our keys back since the key represents a part of their career. We’re looking at adding more hand readers to other doors of this building as well as other buildings. We’ve actually had comments from the highest levels of county administration to do so.”
Two Facts to Remember
For federal government agencies and other users of FIPS cards, you will be switching from FIPS 201-1 to FIPS 201-2 cards over the next year. Regardless of the card you are using, only biometrics can provide knowledge that this is the right person, not simply the right card.