The Future of Multipurpose Smart Cards

The Future of Multi-purpose Smart Cards

Increasing threats on school campuses and at government facilities, coupled with diminishing budgets and intense pressure to cut costs across all levels and departments, are forcing security administrators to find new ways to keep their buildings safe without breaking the bank. Each organization features its own set of ever-changing idiosyncrasies and unique challenges, requiring flexible system architectures to satisfy specific needs.

There are many steps that security administrators can take to address these issues. Many are improving cost efficiencies and user convenience by deploying multi-purpose smart cards that can be used not only for identifying individuals and granting secure access but also for applications that include transport, cashless payments and energy control.

According to a study by IMS Research, smart card use grew at a 13.5-percent CAGR between 2009 and 2013, compared with 2.4 percent for proximity technology in the same period. IMS believes the number of smart card installations will approach that of proximity installations by 2013. One of the biggest growth drivers is the desire to move to a single card or credential that can store more information for additional applications and/or security.

Deploying multiple applications on a single card not only saves time and money for organization and user alike, but it also simplifies the user’s life. Yesterday’s ID cards used simply to enter a building or earn a discount are now a one-stop source for security and commerce, and they can enable users to open doors, access services, manage energy usage, purchase food and merchandise, check out materials and ride the bus. In the future, these multi-purpose credentials will even be virtualized so users can carry them in their phones, memory sticks or other electronic devices.

The convergence of multiple applications on a credential, be it a smart card or other devices, is an accelerating trend, and many organizations simply will not consider any purchase unless it enables them to add more applications to existing physical access systems and credentials, or extends the use of existing applications.

Improving School Security

One example of a well-executed, multipurpose smart card deployment can be seen at Reykjavik University in Iceland, which had been using proximity technology to secure its buildings for many years. When it came time to build a larger, more modern facility, RU wanted as “key-free” an environment as possible, one that would increase student, faculty and staff convenience and security; reduce costs; improve efficiency; and provide the flexibility to support future needs.

To realize this vision, the university needed a multi-application smart card that could be used for cashless vending, canteen transactions, on-demand printing, photo ID production, library access, locker use and more, and that could also give the wider community controlled access to such public services as RU’s buses, museum and swimming pools. The university began moving from proximity solutions to the more secure HID iCLASS multi-technology system, easing the transition by using cards and readers that support both technologies. The university has integrated its access control system with lighting, electricity and room allocation control to further improve overall efficiency. Cards are quickly and easily printed on-site for staff and every incoming student, and now provide approximately 4,000 students with access to all university classrooms, labs, study areas and other buildings as well as its intranet, 24 hours a day, 365 days a year.

Administrators faced a different convergence challenge at Coventry College in the United Kingdom. In developing a new security system, the college had to consider a culture in which staff and students were not used to wearing ID badges. Additionally, there was limited secure parking, no real physical access control, very little control of IT user accounts, and problems with photocopy and print service abuses. It was important for the college that its current, laborious manual processes— library book inventory and fine payments— also could be automated and simplified in the future, as part of the wanted to reduce on-site cash handling by introducing a cashless payment solution for the canteen.

Another key requirement at Coventry College was the ability to control real estate, personnel and assets through a single, multi-application smart card that combined both physical and logical access control. To meet the logical access requirements and provide centralized control of personnel, real estate and university access, the college deployed 1,000 multi-application smart cards with integrated middleware to its staff. It deployed an additional 12,000 customized cards with ID photos to students for both physical access and cashless catering. The resulting solution enables the storage of personal student information, such as allergies, on the smart card, helping canteen staff to serve the cardholder with food suitable to his or her condition.

Transportation management is another common challenge that smart cards can address. At Murcia University in Spain, the university and its bus transportation service contractor, Autocares Espuña, needed an efficient way to monitor bus fleet usage both for security purposes and to maximize efficiency. They needed a method to communicate passenger status to the bus driver, and also wanted to generate a database of historical usage information. The system also had to be quick, convenient and cost-effective for students, with the ability to integrate twoway text messaging for communicating with bus drivers and GPS capabilities to supervise itinerary data including distance driven, fuel level, observance of speed limits, stop/start records and whether the buses stayed within their approved route areas.

Murcia University’s prior procedure required that bus drivers hand-count passengers and cross-reference that information to the number of cards sold. Drivers also needed to remember whether a student had already ridden the bus to prevent plan abuse. Finally, Autocares Espuña did not have a reliable way to project usage and provide the correct number of buses to accommodate peak rider demand. To solve this challenge, the university and Autocares Espuña chose a solution that integrated GPS, text messaging and database capabilities with a combination of iCLASS contactless reader/writers and 13.56 MHz contactless smart cards.

To use Murcia University’s bus service now, students simply approach the bus’s on-board reader with their card, and it responds with either a green light indicating a valid card, allowing the student to board the bus, or an orange light accompanied by a buzzer if the card is invalid. A text message then appears on a screen telling the driver the reason the student is not authorized to ride. All cards are personalized by the university and can be reprogrammed when the amount of transportation purchased expires. The university is considering opportunities for tracking time and attendance and other future applications to be deployed using the same smart card technology.

The combination of physical access and payment capabilities is an increasingly popular smart card application. One of the nation’s leading banks recently developed an award-winning program that consolidates traditional magnetic stripe purchases, contactless payment transactions and facility access on a single employee card. The selected technology combines a point-ofsale contactless-payment application and HID’s iCLASS smart card technology for physical access control and security. One of the potential applications for a program like this is to offer students payment functionality—cashless or magnetic stripe—on their physical access card at no additional charge.

Services such as these improve convenience while enabling students to establish an early banking relationship. For banks, these relationships can extend beyond graduation as a graduate’s need for financial services grows.

Universities also must be concerned about maximizing overall security. Today’s multi-purpose smart cards carry more information that must be protected, and they require more privacy protection. This has created the need for multiple layers of card security, including two-factor authentication to validate identity, and in some cases even biometric templates that must be stored on the card. These are the same technology requirements the U.S. government has recently specified as part of sweeping mandates that aim to establish more secure and reliable forms of identification used by federal employees and contractors.

Understanding Government Smart Card Requirements

In August 2004, the government enacted the Homeland Security Presidential Directive-12 (HSPD-12), which was designed to ensure that all federal employees and contractors have secure and reliable forms of identification. In a February 2011 memorandum from the Department of Homeland Security and the Office of Management and Budget, federal agencies were told they could not use development and technology fresh funds to complete any activities until all existing physical and logical access control systems were upgraded to implement Personal Identification Verification (PIV) credentials.

National Institute of Standards and Technology has established implementation guidelines, including the use of smart card and biometric technology. Details are provided in Federal Information Processing Standards Publication 201 (FIPS-201).

Achieving compliance is not a trivial task. It requires agencies to acquire and implement a variety of often costly technologies and has many times required a complete overhaul of the legacy access control infrastructure. With the latest advances in smart card technology, however, organizations can achieve FIPS-201 compliance with significantly less expense while preserving the existing physical access control head-end servers, panels and door control hardware.

Organizations can simplify FIPS-201 compliance by assigning a single point of responsibility and taking advantage of fully interoperable, simple-to-deploy, cost-effective products and technologies that have been tested and validated as part of a complete turnkey solution.

Additionally, organizations must be able to achieve compliance quickly and effectively; they must be able to produce all required audit support; and they must be able to deploy their compliant system on an incremental, payas- you-go basis while retaining most of the existing infrastructure.

The latest card readers feature a number of capabilities that simplify FIPS-201 compliance. They employ EAL5+ Secure Element hardware to ensure tamper-proof protection of keys and cryptographic operations. They also use industry-standard bidirectional communications technology, such as open supervised device protocol, so that they can seamlessly and securely connect to FIPS-201 compliance hardware modules.

Finally, these readers use a portable credential methodology based on a standards-based, technology-independent and flexible identity data structure that can exist on any number of identity devices. HID Global calls these data objects Secure Identity Objects (SIOs), and they work with companion SIO processors on the reader side to perform the same functions as traditional cards and readers, only within a significantly more secure, flexible and extensible environment.

Using this new access control technology and a modular upgrade approach, organizations can achieve FIPS-201 compliance simply by installing the new readers, inserting compliance modules between the readers and the existing PACS panel, and deploying a compliance manager. This system leverages next-generation reader technology to perform every step required for PIV authentication.

In addition to increasing security and simplifying government compliance, these advanced reader systems also will play a key role in the move to virtualized credentials. Increasingly, the concept of identity is moving beyond traditional ID and cashless payment cards to include many different credential platforms.

Moving to Virtualized Credentials

Academic institutions, government agencies and other organizations must plan for a future in which identity is no longer exclusively associated with the card that carries it but can take many forms, including mobile phones and USB sticks. It will be possible to provision and embed portable, virtual credentials into both fixed and mobile devices, including mobile phones that can be used to open doors, make cashless payments and access secure data. These phones use near-field-communications short-range wireless technology to receive and present virtualized credentials that were previously stored on contactless smart cards.

In one example, a server would first send the user’s virtualized credential over a wireless carrier’s connection to the person’s mobile phone. To “present” the person’s virtualized credentials at a facility entry point, the phone is held close to an NFC-enabled secure access control reader. Throughout the process, there must be a way to ensure that the credential is valid. Both endpoints, plus all of the systems in between, must be able to trust one another. In other words, there needs to be a transparently managed chain of trust extending from one end to the other. This chain of trust requires the creation of a trusted boundary within which all cryptographic keys governing system security can be delivered with end-to-end privacy and integrity. This is the only way to ensure that all network endpoints, or nodes—such as credentials, printers, readers and NFC phones—can be validated, and all subsequent transactions between the nodes can be trusted.

One of the first such bounded environments is HID Global’s Trusted Identity Platform. At the heart of the TIP framework is the Secure Vault, which serves known nodes within a published security policy. TIP establishes a scalable framework and delivery infrastructure for delivering three core capabilities: plug-and-play secure channels between hardware and software; key management and secure provisioning processes; and seamless integration with information technology infrastructures. The fully scalable TIP environment can also support multiple usage models such as cloud-based applications that require service delivery across the Internet without compromising security.

Within this trusted boundary, nextgeneration readers will be able to easily and reliably support portable credentials. The device-independent security objects described earlier will be able to reside on any number of identity devices and work with a companion SIO interpreter on the reader side. It will be possible for an identity object stored on one device to be ported to—and interoperate with—another device with ease and without strict constraints. Additionally, the objects will enhance trusted security by acting as a data wrapper to provide additional key diversification, authentication and encryption while guarding against security penetration. Because these objects use open standards, they will improve flexibility and grow in security capabilities, unlike traditional, fixed-definition architectures.

Virtual, portable credentials, and the reader platforms that support them, will significantly extend the value proposition for contactless smart card credentials on today’s college and government campuses. This will require a simple-but-protected, fully scalable and standards-based identity delivery system that can support a wide variety of identity nodes—ranging from readers and cards to NFC-equipped mobile phones—that can be registered as “trusted nodes” and securely provisioned anywhere on the campus.

School and government administrators will optimize the effectiveness of these virtualized credentials using the same well-established best practices that have been proven with today’s physical smart cards. The use of flexible system architectures will provide the foundation for multi-purpose smart card and virtual credential deployments that improve cost efficiencies and user convenience across a variety of access and commerce applications.

This article originally appeared in the August 2011 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3