A Door Wide Open
Innovation leads the way to tighter physical security
- By Walter Hamilton
- Oct 01, 2006
IN the last four and a half years, new government mandates for tighter physical security at critical infrastructure sites have led to significant strides in physical access control innovation. Demonstrated in some of the most sensitive, widespread and complex government credentialing projects, these new technologies are poised to transform the method in which government and commercial organizations control an individual's access to specific facilities.
A notable result of increasing security regulations within the government is the development of a physical access security technology capable of achieving consistent access control and an interoperable trust level for various sites across an organization. For the first time, new technology enables government and private businesses to easily separate credentialing functions from system policies to support a distributed, ground-up approach to access control.
This new method lessens the administrative time and costs necessary to maintain site policies and technologies. This approach ensures that all sites within an organization have a consistent level of confidence that people are who they claim to be and -- based on pre-determined credentials -- are given the same level of clearance.
Legacy access control methods that admit and restrict access based on what a user holds in his or her possession (such as a key) or knows (such as a PIN) do not provide a high degree of security. Granting access to whomever possesses an object, such as a proximity card, without additional means to verify the identity of the possessor, provides little assurance that only authorized individuals can gain access to secured sites.
PIN- or password-based access control systems share the same weakness: they confirm that the person at the door knows a secret, not who that person is. Simply stated, passwords, keys and proximity cards can all be shared, lent or stolen, and the door cannot tell the difference.
The use of keys, PINs and cards within multi-site organizations tends to magnify the issues of security and administrative upkeep.
Independently managed sites within the same organization often require an office to set up a new set of policies and distribute a new set of keys, PINs or cards to the same person. The more security objects a person possesses, the more there are to lose, misplace or share, with each instance becoming a potential security breach.
Separating Credential from Policy
The idealized model of an organization-wide security infrastructure is usually based on a monolithic back-end system for managing user provisioning and access policies across all sites and individual systems. But, in practice, such comprehensive systems are rarely deployed and may not even be the best arrangement for multi-site organizations. Instead, by separating the user credential from the policy, organizations can give themselves the flexibility to create and selectively apply policies that meet the unique needs of discrete sites. At the same time, embedding user identity information directly into a trusted credential -- such as a biometrically enabled smart card -- simplifies the task of adding new individuals to a local system.
User identity information can be read directly from the card, so enrolling the holder at a new site requires no re-keying. And because the credential also carries the holder's biometric reference, the reader can check that the person presenting the card is the person it was issued to, something a key, PIN or proximity card can never establish. That is what makes it a far more secure and tamper-resistant form of identification.
Field-Tested, Government Approved
Since 9/11, government and other high-risk organizations have urged the security industry to bring new solutions to market that make credentialing large groups of people across disparate locations straightforward and easy to deploy. Government agencies, in particular, demand the strongest level of authentication possible to prevent acts of terrorism and related security breaches. These requirements were recently addressed in Phase III of the Transportation Security Administration's Transportation Worker Identification Credential program.
In this project, the industry's foremost experts on security and authentication collaborated to design a system-wide, common credential for all civilian workers across all transportation modes, including seaports, airports and rail lines. The project -- designed to improve security, enhance commerce and protect personal privacy -- provided workers with a tamper-resistant, biometric smart card to be used to gain access to secured areas.
Many factors make TWIC the de facto case study for designing company-wide credentialing programs. For example, the scale of the deployment required technology vendors to accommodate extremely diverse conditions. In addition to providing potential support for more than 6 million workers in an eventual nationwide rollout, variables included complex physical landscapes and extreme outdoor weather conditions such as direct sunlight, wind and rain. Educating large numbers of volunteer transportation workers on how to use the credentialing technology during the pilot was another significant learning experience.
Upon completion of TWIC design and deployment, government and non-government businesses had a real-world study on the practical steps involved in deploying an interoperable credentialing framework across an entire organization, regardless of scale and site complexity.
"Ensuring that only authorized individuals gain access to critical infrastructure, such as ports, is vital to homeland security," said Kate McCurdy, public sector technology analyst, Datamonitor. "Reliable, biometrically-enabled, weather-resistant access card readers are an important component of an effective access control system."
Like many private organizations, transportation facilities involved in the TWIC pilot had an existing physical access security infrastructure. Instead of replacing a site's legacy system, TWIC technology suppliers designed the biometric smart card security system to be easily integrated with the existing infrastructure. This approach enables sites to increase security by simultaneously ensuring authentication and access control. TWIC also uses contactless, biometric smart card readers for end-user convenience. As opposed to sliding cards through readers, cardholders simply wave their cards near the device, then apply a finger to the reader for identity verification.
Another landmark government security initiative to consider in the evolution of physical access control technology is the result of Homeland Security Presidential Directive (HSPD) 12, a mandate for a common interoperable biometric smart card for all federal employees and contractors by 2007. In response to this directive, the National Institute of Standards and Technology developed Federal Information Processing Standard (FIPS) 201, also known as personal identity verification, to enable government organizations to comply with this new security measure. PIV was developed independently of TWIC, but the PIV specification is expected to become the card interface used by TWIC in Phase IV.
Like TWIC, the PIV identity management system seeks to replace weak identity verification methods, such as standard photo ID cards, with tamper-resistant, biometrically enabled smart cards. This standard will enable the government to achieve a higher interoperable trust level among geographically dispersed facilities. Like TWIC, a PIV-compliant access control deployment requires a federal worker to place the smart card near a contactless reader and touch a finger to a sensor; the reader extracts a template from the live scan and compares it with the biometric reference carried by the credential.
In seconds, the reader verifies the worker's identity, and a centralized server authorizes the request and opens the requested gate or door. Verification and authorization are therefore separate steps: the first establishes who is at the door, the second whether that person may pass through it. By binding the credential to a biometric, organizations make it far harder for one person to use another's card, while allowing workers to carry a single credential instead of multiple ID cards.
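The following Python model is an added illustration of the two ideas above: the credential/policy split described under "Separating Credential from Policy", and the verify-then-authorize sequence of a reader and a site server. It is not part of the original article, not the TWIC or PIV data formats, and not any vendor's code. The issuer key, the feature-set "fingerprint template", the 80 percent matching threshold, the site names and the worker record are all constructed stand-ins; a real credential carries an asymmetric issuer signature rather than the HMAC used here so that the example runs with the standard library alone.

```python
"""Toy model of credential/policy separation for physical access control.
Added illustration only: not TWIC/PIV formats, not any vendor's product.
The credential carries identity plus a biometric reference; each site keeps
its own policy. The reader proves WHO is at the door; the site decides
WHETHER that person may pass this door, now."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Constructed key. PIV uses an asymmetric issuer signature (X.509); an HMAC
# shared with trusted readers is a stdlib-only stand-in for that signature.
ISSUER_KEY = b"constructed-issuer-key-for-illustration-only"


@dataclass(frozen=True)
class Credential:
    holder_id: str        # issuer-assigned identifier, the same at every site
    name: str
    template: frozenset   # constructed stand-in for a fingerprint template
    expires: int          # Unix time after which the credential is void
    tag: bytes            # issuer MAC over the fields above


def _payload(holder_id: str, name: str, template: frozenset, expires: int) -> bytes:
    fields = {"id": holder_id, "name": name, "tpl": sorted(template), "exp": expires}
    return json.dumps(fields, sort_keys=True).encode()


def issue(holder_id: str, name: str, template: frozenset, expires: int) -> Credential:
    """Central issuer binds identity and biometric reference into one credential."""
    tag = hmac.new(ISSUER_KEY, _payload(holder_id, name, template, expires), hashlib.sha256).digest()
    return Credential(holder_id, name, template, expires, tag)


def credential_is_genuine(cred: Credential) -> bool:
    """Reader check: were these fields issued, unmodified, by the trusted issuer?"""
    payload = _payload(cred.holder_id, cred.name, cred.template, cred.expires)
    return hmac.compare_digest(hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest(), cred.tag)


def biometric_match(stored: frozenset, live: frozenset, threshold: float = 0.8) -> bool:
    """Toy matcher: fraction of reference features present in the live capture.
    Real minutiae matchers are far more involved; the threshold idea is the same."""
    if not stored:
        return False
    return len(stored & live) / len(stored) >= threshold


@dataclass
class SitePolicy:
    """Policy lives at the site, not on the card; each site decides for itself."""
    site: str
    zones_by_holder: dict      # holder_id -> set of zones open to that holder here
    hours: tuple = (0, 24)     # local hours [start, end) during which access is allowed


def decide(cred: Credential, live: frozenset, policy: SitePolicy, zone: str, now: int, hour: int) -> str:
    """Identity verification (reader) then authorization (site). Every denial
    carries a reason so the access log shows which stage refused the request."""
    if not credential_is_genuine(cred):
        return "deny:bad-issuer-tag"
    if now >= cred.expires:
        return "deny:expired"
    if not biometric_match(cred.template, live):
        return "deny:biometric-mismatch"       # card present, but not its holder
    if zone not in policy.zones_by_holder.get(cred.holder_id, set()):
        return "deny:not-authorized-at-site"   # genuine holder, no right at this door
    if not (policy.hours[0] <= hour < policy.hours[1]):
        return "deny:outside-hours"
    return "grant"


# Constructed sample data: one worker, one credential, two sites with their own rules.
ALICE = issue("W-1001", "Alice Example", frozenset(range(1, 11)), expires=2_000_000_000)
PORT_A = SitePolicy("Port A", {"W-1001": {"terminal", "yard"}}, hours=(6, 22))
PORT_B = SitePolicy("Port B", {"W-1001": {"gate"}})   # same card, narrower rights


def demo() -> dict:
    live_alice = frozenset(range(1, 10))              # 9 of 10 features captured
    live_other = frozenset(range(50, 60))             # someone else holding Alice's card
    forged = replace(ALICE, name="Mallory Example")   # edited field, stale issuer tag
    t, hour = 1_700_000_000, 9
    return {
        "alice_port_a_yard":   decide(ALICE, live_alice, PORT_A, "yard", t, hour),
        "alice_port_a_night":  decide(ALICE, live_alice, PORT_A, "yard", t, 23),
        "alice_port_b_yard":   decide(ALICE, live_alice, PORT_B, "yard", t, hour),
        "alice_port_b_gate":   decide(ALICE, live_alice, PORT_B, "gate", t, hour),
        "stolen_card_port_a":  decide(ALICE, live_other, PORT_A, "yard", t, hour),
        "forged_card_port_a":  decide(forged, live_alice, PORT_A, "yard", t, hour),
        "expired_card_port_a": decide(ALICE, live_alice, PORT_A, "yard", 2_100_000_000, hour),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:21} {outcome}")
```

The point the article makes shows up in the two port policies: the same credential is granted in Port A's yard and refused in Port B's, and Port B later widens its rules by editing its own policy table, never by re-issuing the card. The ordered denial reasons also matter operationally, since an access log that distinguishes a forged card from a stolen card from a simple out-of-hours request is what lets a site respond to each appropriately. One caveat on the stand-in: because readers here hold the issuer key, a compromised reader could mint credentials, which is exactly why real deployments sign credentials with a private key the readers never see.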
Industry Impact
The impact of TWIC on other large-scale credentialing programs is already becoming apparent. The state of Florida, through its Florida Uniform Port Access Control program, has chosen to implement biometric smart card authentication in the state's 14 deep-water seaports. Saflink Corp. has been selected to provide the technology for fixed security stations and mobile guard units. The technology deployment commenced in 2005 and will continue through 2006, providing a reference implementation for other ports currently investigating physical access upgrades.
Government-tested security initiatives that deploy identity management programs for the protection of critical infrastructure and terrorism prevention, such as TWIC, will have a significant impact on commercial infrastructures and business practice standards. This has already become apparent in Florida. Organizations in nearly every vertical industry interested in enhancing security by adopting a large-scale credentialing program should consider TWIC as a reference for proven strategies and technologies for streamlining physical access control. In particular, Saflink's platform for contactless biometric smart cards has set an industry precedent for identity verification, ease of use and interoperability.
Legislation, policy and regulatory changes aimed at increasing security for critical infrastructure sites and transportation nodes have resulted in the development and testing of comprehensive, flexible solutions that can be added to existing physical access control systems. Stringent, in-depth trials of access technologies by the federal government in programs such as TWIC have been an integral step in understanding which technologies are capable of credentialing large groups of people across many geographic locations. The implementation of new approaches in these programs, such as the separation of security policies from user credentials, has demonstrated that it is possible to deploy more secure, more flexible and easier-to-manage security infrastructures.
While initially intended for the benefit of government organizations, TWIC and PIV provide the commercial sector with a clear indication that the technology to streamline and strengthen physical access security procedures exists today.
This article originally appeared in the October 2006 issue of Security Products, pgs. 68-69.