Who Are You?
Airports present one of the most complicated environments in which to administer
restricted-area access control, identity verification and the issuance of
access credentials. Various airline employees, vendors, third-party contractors
and tenants need to be authenticated at all times, and their
physical access rights must be controlled and managed dynamically based upon
their role and the policies affecting their access.
But in many airports, security operations feature siloed access control systems
and disjointed processes used to manage employee credentials for facility access.
Additionally, IT systems that issue transportation authority clearance, such as the
Transportation Security Authority or Canadian Air Transport Security Authority,
are all managed independently, often by different departments.
As a result, many physical identity and access management operations are handled
manually, leading to costly human errors, ad-hoc cardholder credentialing,
multiple ghost/orphan accounts, and long on- and off-boarding times.
Beyond these obvious inefficiencies, new compliance mandates are driving
an entirely new level of security challenges within the airport infrastructure:
Homeland Security Presidential Directive 12 mandates that all TSA employees
and contractors authenticate themselves using two fingerprints and a smart card.
Identities need to be checked against no-fly lists on a regular basis. And transportation
authority clearance needs to be monitored in real time.
Real Challenges
Because of the inefficient means by which identities and access to the restricted
areas are managed, airport security practitioners are faced with a litany of issues
on a regular basis.
- A large number of transitory and/or contingent workers across airport staff,
tenants and third parties need to be managed on a real-time basis
- Inconsistent badging processes and operations, resulting in long processing
times and erroneous area access rights
- Constant facilities expansion, adding new layers of complexity regarding area
access, related technologies and security infrastructure
- A lack of overall visibility into airport identity and access operations, resulting
in poor reporting and potential compliance issues.
For example, because so much of the airport staff is made up of contingent
workers, making sure that their identities are well-managed and their access rights
are current and appropriate based upon policies is a continual challenge. If a
third-party repair technician is fired, how can you make sure that their physical
access rights are immediately removed, thus eliminating a potential security risk?
Single Identity Across the Entire Airport
Some airport organizations have begun to see the value in an integrated approach
to physical identity and access management. By connecting disjointed and manual processes with their biometric
and physical access control systems, security
practitioners can create a single
notion of identity across the entire airport,
along with a policy paradigm for
credential issuance and granting access
to the airport facilities. This single notion
of identity can be managed simply,
effectively and securely, from the first
day of employment to the last.
Quantum Secure's SAFE suite of
products addresses this problem by providing
a supervisory management system
to transform and automate manual
workflows and processes, enabling airport
authorities to manage enrollment,
credential issuance, background
checks, credential expiry and facility
access of users and groups. SAFE
is a commercial off-the-shelf solution
that, through an automated, role-based,
policy-based access control mechanism,
offers an integrated enrollment, access
provisioning and badging engine along
with a framework to integrate siloed
systems and processes.
The SAFE enrollment engine authenticates
and verifies identities and
digital certificates, captures biometric
images, issues a credential, binds the relevant
biographical and biometric data
with the card, and provisions the identity
for facility access in the physical access control system (PACS)—all
in one connected process.
Conversely, identity expiration
policies ensure that the card is automatically
expired based on defined
trigger points, including training, termination,
insurance updates and governmental
agency requirements.
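The expiry trigger points described above, and the ghost/orphan accounts mentioned earlier, can both be checked by reconciling each PACS cardholder list against one identity store. The following Python is an added illustration, not SAFE's code; the record fields, system names and IDs are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Identity:
    person_id: str
    terminated: bool = False
    training_expires: Optional[date] = None
    insurance_expires: Optional[date] = None  # vendors and contractors
    clearance_valid: bool = True  # transportation authority clearance

def expiry_reason(ident, today):
    """Return the first trigger point that applies, or None."""
    if ident.terminated:
        return "terminated"
    if not ident.clearance_valid:
        return "clearance withdrawn"
    if ident.training_expires and ident.training_expires < today:
        return "training expired"
    if ident.insurance_expires and ident.insurance_expires < today:
        return "insurance expired"
    return None

def revocations(identities, pacs_exports, today):
    """Check each PACS cardholder list against the single identity store."""
    by_id = {i.person_id: i for i in identities}
    out = []
    for system, holders in pacs_exports.items():
        for pid in holders:
            ident = by_id.get(pid)
            # A badge with no identity record is a ghost/orphan account.
            reason = "orphan account" if ident is None else expiry_reason(ident, today)
            if reason:
                out.append((system, pid, reason))
    return sorted(out)

# Constructed sample data (hypothetical IDs and system names).
TODAY = date(2024, 6, 1)
IDENTITIES = [
    Identity("E100", training_expires=date(2025, 1, 1)),
    Identity("E101", training_expires=date(2024, 3, 1)),
    Identity("C200", terminated=True),
    Identity("C201", insurance_expires=date(2024, 5, 15)),
]
PACS_EXPORTS = {"terminal-pacs": {"E100", "E101", "C200"},
                "airside-pacs": {"C200", "C201", "X999"}}

if __name__ == "__main__":
    print(*revocations(IDENTITIES, PACS_EXPORTS, TODAY), sep="\n")
```

Each returned tuple names the system, the cardholder and the reason, so a terminated contractor who still holds badges in two siloed systems appears once per system.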
A Real-world Example
One organization that is realizing dynamic
returns by automating key processes
related to identity management
is the Toronto Pearson International
Airport. Toronto Pearson, under governance
by the Greater Toronto Airports
Authority, handles 30 million
passengers per year, employs more than
33,000 people and is an important economic
engine for the area.
The airport's Pass/Permit Control
Office (PPCO), which issues restricted area
identification and access control cards
and passes for employees, serves an average
of 175 clients per day and more
than 45,000 employees and contractors
each year.
Because every employee of every airline,
shop, food vendor, contractor and
consultant working at Toronto Pearson—
as well as airport employees themselves—
must be processed by the PPCO,
this function is critical for the economic
vitality, operation and security of the
airport. Toronto Pearson needed a system
that could keep up with demand,
ensuring that staff started work in a
timely fashion while maintaining high
levels of customer satisfaction.
The SAFE suite of software enabled
Toronto Pearson to incorporate
existing, fragmented physical security
processes and systems into its larger
IT infrastructure, automating many of
the previously physical, labor-intensive
tasks of credentialing employees. It
also made the applications more user-friendly,
with better customer service,
while leveraging the productivity opportunities
available from the technology
infrastructure.
Based on these preliminary results,
the airport expects it will meet the goals
of reducing average cost per customer
from $49 to $35, average wait times from 560 minutes to 20 minutes and average
service time by 50 minutes.
Greater Visibility, Strong ROI
By bringing together disparate systems
and automating key processes
and policies, security practitioners can
quickly instill best practices and realize
a strong ROI.
Manual, error-prone processes regarding
the on-boarding of new identities
can now take minutes, instead of
days. An automated enrollment process
can transform the paper-based identity
proofing and application process into an
electronic, rules-based process for
managing the on-/off-boarding of identities
into and from the organization.
Access to restricted areas can quickly
be granted via automated policies and
approvals. And the termination of a
person is immediately pushed out to
the physical access control systems.
At the same time, real-time reporting
allows for greater visibility into all
facets of airport security operations.
To better manage that airside vehicle
operator, an automated policy can be
created that links access to driving privileges,
allowing for the removal of airside
access while penalties are enforced
and other remediation activities occur.
Automated audit and compliance reporting
allows for systematic checks and
balances throughout the entire identity
lifecycle management—on-boarding,
change management and off-boarding.
All anomalies and alarms related to
failure in compliance are caught in real
time, which activates automated policies
for corrective action.
An integrated document management
system allows for the centralized
storage of enrollment applications, valid
credentials, biographic and biometric
information—including driver's license
and passport data—I-9 information,
photos and other related documents in
an electronic format that is always available
with the click of a button.
And because a smart software solution
integrates directly with the existing
airport security infrastructure, there is
no need for a complete rip-and-replace
strategy. The SAFE suite of software
includes integration agents that receive
and push relevant information to all
leading PACS, allowing a disparate environment
of security systems to act as
a single unit.
From a functionality standpoint, the
various modules can be added independently,
allowing airport security practitioners
to grow and evolve their system
based on their unique needs. For example,
if badging and credential management
is paramount, a module exists to
streamline that function within the organization.
If document management
is a particular pain point, a module exists
to digitize and bind key documents
to an identity, storing approval forms,
I-9 information and other related information
in a centralized
electronic system.
About the Author
Ajay Jain is president and CEO of Vector Flow, Inc.