A Door Wide Open

Innovation leads the way to tighter physical security

In the last four and a half years, new government mandates for tighter physical security at critical infrastructure sites have led to significant strides in physical access control innovation. Demonstrated in some of the most sensitive, widespread and complex government credentialing projects, these new technologies are poised to transform the way government and commercial organizations control an individual's access to specific facilities.

A notable result of increasing security regulations within the government is the development of a physical access security technology capable of achieving consistent access control and an interoperable trust level for various sites across an organization. For the first time, new technology enables government and private businesses to easily separate credentialing functions from system policies to support a distributed, ground-up approach to access control.

This new method lessens the administrative time and costs necessary to maintain site policies and technologies. This approach ensures that all sites within an organization have a consistent level of confidence that people are who they claim to be and -- based on pre-determined credentials -- are given the same level of clearance.

Legacy access control methods that admit and restrict access based on what a user holds in his or her possession (such as a key) or knows (such as a PIN) do not provide a high degree of security. Granting access to whoever possesses an object, such as a proximity card, without additional means to verify the identity of the possessor, provides little assurance that only authorized individuals can gain access to secured sites.

PIN- or password-based access control systems also are flawed. Again, this method of security does not directly verify the identity of the individual attempting to gain access to a site. Simply stated, passwords, keys and proximity cards can easily be shared, borrowed and/or stolen.

The use of keys, PINs and cards within multi-site organizations tends to magnify the issues of security and administrative upkeep.

Independently managed sites within the same organization often require an office to set up a new set of policies and distribute a new set of keys, PINs or cards to the same person. The more security objects a person possesses, the more there are to lose, misplace or share, with each instance becoming a potential security breach.

Separating Credential from Policy
The idealized model of an organization-wide security infrastructure is usually based on a monolithic back-end system for managing user provisioning and access policies across all sites and individual systems. But, in practice, such comprehensive systems are rarely deployed and may not even be the best arrangement for multi-site organizations. Instead, by separating the user credential from the policy, organizations can give themselves the flexibility to create and selectively apply policies that meet the unique needs of discrete sites. At the same time, embedding user identity information directly into a trusted credential -- such as a biometrically enabled smart card -- simplifies the task of adding new individuals to a local system.

User identity information can be read directly from the card without the need for re-keying. And since the credential also includes unique biometric information about the holder, it also is a far more secure and tamper-resistant form of identification than keys, PINs or proximity cards.

Field-Tested, Government Approved
Since 9/11, government and other high-risk organizations have urged the security industry to bring new solutions to market that make credentialing large groups of people across disparate locations straightforward and easy to deploy. Government agencies, in particular, demand the strongest level of authentication possible to prevent acts of terrorism and related security breaches. These requirements were recently addressed in Phase III of the Transportation Security Administration's Transportation Worker Identification Credential program.

In this project, the industry's foremost experts on security and authentication collaborated to design a system-wide, common credential for all civilian workers across all transportation modes, including seaports, airports and rail lines. The project -- designed to improve security, enhance commerce and protect personal privacy -- provided workers with a tamper-resistant, biometric smart card to be used to gain access to secured areas.

Many factors make TWIC the de facto case study for designing company-wide credentialing programs. For example, the scale of the deployment required technology vendors to accommodate extremely diverse conditions. In addition to providing potential support for more than 6 million workers in an eventual nationwide rollout, variables included complex physical landscapes and extreme outdoor weather conditions such as direct sunlight, wind and rain. Educating large numbers of volunteer transportation workers on how to use the credentialing technology during the pilot was another significant learning experience.

Upon completion of TWIC design and deployment, government and non-government businesses had a real-world study on the practical steps involved in deploying an interoperable credentialing framework across an entire organization, regardless of scale and site complexity.

"Ensuring that only authorized individuals gain access to critical infrastructure, such as ports, is vital to homeland security," said Kate McCurdy, public sector technology analyst, Datamonitor. "Reliable, biometrically-enabled, weather-resistant access card readers are an important component of an effective access control system."

Like many private organizations, transportation facilities involved in the TWIC pilot had an existing physical access security infrastructure. Instead of replacing a site's legacy system, TWIC technology suppliers designed the biometric smart card security system to be easily integrated with the existing infrastructure. This approach enables sites to increase security by simultaneously ensuring authentication and access control. TWIC also uses contactless, biometric smart card readers for end-user convenience. As opposed to sliding cards through readers, cardholders simply wave their cards near the device, then apply a finger to the reader for identity verification.

Another landmark government security initiative to consider in the evolution of physical access control technology is the result of Homeland Security Presidential Directive (HSPD) 12, a mandate for a common interoperable biometric smart card for all federal employees and contractors by 2007. In response to this directive, the National Institute of Standards and Technology developed the Federal Information Processing Standard (FIPS) 201, also known as personal identity verification, to enable government organizations to comply with this new security measure. PIV, a credentialing standard independent of TWIC, is expected to become the new interface of TWIC in Phase IV.

Like TWIC, the PIV identity management system seeks to replace weak identity verification methods, such as standard photo ID cards, with tamper-resistant, biometrically enabled smart cards. This standard will enable the government to achieve a higher interoperable trust level among geographically dispersed facilities. Like TWIC, a PIV-compliant access control deployment requires a federal worker to place a biometric smart card near a contactless reader and touch a sensor to scan and encode his or her fingerprint as a value.

In seconds, the reader verifies the worker's identity and a centralized server authenticates the request, opening the requested gate or door. By using a biometric credential, organizations virtually eliminate the threat of tampering with an employee's identity while allowing workers to carry a single credential instead of multiple ID cards.
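The two ideas the article describes, a credential that carries identity and a biometric reference independently of any site, and a site-local policy that decides what that credential may open, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not code from the article, from TWIC, PIV or any vendor product. It assumes a simplified design: the issuer's digital signature is stood in for by an HMAC over the credential fields with a constructed issuer key, and biometric matching is stood in for by comparing a digest of the enrolled fingerprint template (real matchers compare features with a tolerance rather than exact hashes). The reader step verifies that the card is genuine and that the presenter matches the card; the server step applies the local site's policy. The same credential is then accepted at a second site without any re-keying of user data.

```python
"""Toy model of separating the credential from the access policy.

Added example for this article, not the article's or any vendor's code.
Assumptions (constructed for the demo): an HMAC with a shared issuer key
stands in for the issuer's signature; a SHA-256 digest of the enrolled
template stands in for real biometric matching.
"""
from dataclasses import dataclass, field, replace
import hashlib
import hmac
import json

# Constructed issuer key; a real credential would carry an asymmetric signature.
ISSUER_KEY = b"constructed-issuer-key-for-demo"

CLEARANCE_RANK = {"public": 0, "restricted": 1, "secure": 2}


@dataclass(frozen=True)
class Credential:
    """What the card carries: identity, biometric reference, clearance, issuer signature."""
    holder_id: str
    name: str
    template_digest: str   # digest of the enrolled fingerprint template (constructed)
    clearance: str
    signature: str


def _payload(holder_id: str, name: str, template_digest: str, clearance: str) -> bytes:
    return json.dumps([holder_id, name, template_digest, clearance]).encode()


def enroll(holder_id: str, name: str, fingerprint_template: bytes, clearance: str) -> Credential:
    """Issuer side: bind identity and biometric reference into one signed credential."""
    digest = hashlib.sha256(fingerprint_template).hexdigest()
    sig = hmac.new(ISSUER_KEY, _payload(holder_id, name, digest, clearance), hashlib.sha256).hexdigest()
    return Credential(holder_id, name, digest, clearance, sig)


def credential_is_genuine(cred: Credential) -> bool:
    """Reader side: detect a forged or altered card by checking the issuer signature."""
    expected = hmac.new(ISSUER_KEY, _payload(cred.holder_id, cred.name, cred.template_digest,
                                             cred.clearance), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred.signature)


def reader_verifies_holder(cred: Credential, presented_template: bytes) -> bool:
    """Reader side: the card must be genuine AND the person presenting it must match it."""
    presented = hashlib.sha256(presented_template).hexdigest()
    return credential_is_genuine(cred) and hmac.compare_digest(presented, cred.template_digest)


@dataclass
class SitePolicy:
    """Policy lives at the site, not on the card: doors, required clearance, local revocations."""
    site: str
    required_clearance: dict          # door -> minimum clearance
    revoked: set = field(default_factory=set)


def server_authorizes(policy: SitePolicy, cred: Credential, door: str) -> bool:
    """Server side: apply this site's policy to an already-verified credential."""
    if cred.holder_id in policy.revoked:
        return False
    needed = policy.required_clearance.get(door)
    if needed is None:               # unknown door: deny by default
        return False
    return CLEARANCE_RANK[cred.clearance] >= CLEARANCE_RANK[needed]


def request_access(policy: SitePolicy, cred: Credential, presented_template: bytes, door: str) -> str:
    """Full flow: reader verifies the holder, then the server authorizes the request."""
    if not reader_verifies_holder(cred, presented_template):
        return "deny: holder not verified"
    if not server_authorizes(policy, cred, door):
        return "deny: policy"
    return "open"


# Constructed sample data: one worker, two independently managed sites.
ALICE_TEMPLATE = b"constructed-fingerprint-template-alice"
ALICE = enroll("W-0001", "Alice Example", ALICE_TEMPLATE, "restricted")
PORT_A = SitePolicy("port-a", {"perimeter-gate": "restricted", "control-room": "secure"})
PORT_B = SitePolicy("port-b", {"warehouse": "restricted"})
# A tampered copy of the card with an upgraded clearance; the signature no longer matches.
ALICE_TAMPERED = replace(ALICE, clearance="secure")

if __name__ == "__main__":
    print(request_access(PORT_A, ALICE, ALICE_TEMPLATE, "perimeter-gate"))   # open
    print(request_access(PORT_A, ALICE, ALICE_TEMPLATE, "control-room"))     # deny: policy
    print(request_access(PORT_B, ALICE, ALICE_TEMPLATE, "warehouse"))        # open, no re-keying
    print(request_access(PORT_A, ALICE_TAMPERED, ALICE_TEMPLATE, "control-room"))  # deny: holder not verified
```

Each site keeps its own `SitePolicy` and can add or revoke a person locally without touching the credential, which is the administrative saving the article describes; the credential itself is useless to whoever merely holds it, because the reader step ties the card to the enrolled biometric before any policy is consulted.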

Industry Impact
The impact of TWIC on other large-scale credentialing programs is already becoming apparent. The state of Florida, through its Florida Uniform Port Access Control program, has chosen to implement biometric smart card authentication in the state's 14 deep-water seaports. Saflink Corp. has been selected to provide the technology for fixed security stations and mobile guard units. The technology deployment commenced in 2005 and will continue through 2006, providing a reference implementation for other ports currently investigating physical access upgrades.

Government-tested security initiatives that deploy identity management programs for the protection of critical infrastructure and terrorism prevention, such as TWIC, will have a significant impact on commercial infrastructures and business practice standards. This has already become apparent in Florida. Organizations in nearly every vertical industry interested in enhancing security by adopting a large-scale credentialing program should consider TWIC as a reference for proven strategies and technologies for streamlining physical access control. In particular, Saflink's platform for contactless biometric smart cards has set an industry precedent for identity verification, ease of use and interoperability.

Legislation, policy and regulatory changes aimed at increasing security for critical infrastructure sites and transportation nodes have resulted in the development and testing of comprehensive, flexible and easy-to-add solutions for enhancing physical access control. Stringent, in-depth trials of access technologies by the federal government in programs such as TWIC have been an integral step in further understanding which technologies are capable of credentialing large groups of people across various geographical locations. The implementation of new approaches in these programs, such as the separation of security policies from user credentials, has demonstrated that it is possible to deploy more secure, more flexible and easier-to-manage security infrastructures.

While initially intended for the benefit of government organizations, TWIC and PIV provide the commercial sector with a clear indication that the technology to streamline and strengthen physical access security procedures exists today.

This article originally appeared in the October 2006 issue of Security Products, pgs. 68-69.
