The Future of Multipurpose Smart Cards
- By Brad Jarvis
- Aug 01, 2011
Increasing threats on school campuses and at government facilities, coupled
with diminishing budgets and intense pressure to cut costs across all levels
and departments, are forcing security administrators to find new ways
to keep their buildings safe without breaking the bank. Each organization
features its own set of ever-changing idiosyncrasies and unique challenges,
requiring flexible system architectures to satisfy specific needs.
There are many steps that security administrators can take to address these
issues. Many are improving cost efficiencies and user convenience by deploying
multi-purpose smart cards that can be used not only for identifying individuals
and granting secure access but also for applications that include transport, cashless
payments and energy control.
According to a study by IMS Research, smart card use grew at a 13.5-percent
CAGR between 2009 and 2013, compared with 2.4 percent for proximity technology
in the same period. IMS believes the number of smart card installations will approach that of proximity installations
by 2013. One of the biggest
growth drivers is the desire to move to a
single card or credential that can store
more information for additional applications
and/or security.
Deploying multiple applications on
a single card not only saves time and
money for organization and user alike,
but it also simplifies the user’s life. Yesterday’s
ID cards used simply to enter
a building or earn a discount are now
a one-stop source for security and commerce,
and they can enable users to open
doors, access services, manage energy
usage, purchase food and merchandise,
check out materials and ride the bus.
In the future, these multi-purpose credentials
will even be virtualized so users
can carry them in their phones, memory
sticks or other electronic devices.
The convergence of multiple applications
on a credential, be it a smart
card or other devices, is an accelerating
trend, and many organizations simply
will not consider any purchase unless it
enables them to add more applications
to existing physical access systems and
credentials, or extends the use of existing
applications.
Improving School Security
One example of a well-executed, multipurpose
smart card deployment can be
seen at Reykjavik University in Iceland,
which had been using proximity technology
to secure its buildings for many
years. When it came time to build a
larger, more modern facility, RU wanted
as “key-free” an environment as possible,
one that would increase student,
faculty and staff convenience and security;
reduce costs; improve efficiency;
and provide the flexibility to support
future needs.
To realize this vision, the university
needed a multi-application smart card
that could be used for cashless vending,
canteen transactions, on-demand printing,
photo ID production, library access,
locker use and more, and that could also
give the wider community controlled
access to such public services as RU’s
buses, museum and swimming pools.
The university began moving from proximity
solutions to the more secure HID
iCLASS multi-technology system, easing
the transition by using cards and
readers that support both technologies.
The university has integrated its access
control system with lighting, electricity
and room allocation control to further
improve overall efficiency. Cards
are quickly and easily printed on-site
for staff and every incoming student,
and now provide approximately 4,000
students with access to all university
classrooms, labs, study areas and other
buildings as well as its intranet, 24 hours
a day, 365 days a year.
Administrators faced a different
convergence challenge at Coventry College
in the United Kingdom. In developing
a new security system, the college
had to consider a culture in which staff
and students were not used to wearing
ID badges. Additionally, there was
limited secure parking, no real physical
access control, very little control of
IT user accounts, and problems with
photocopy and print service abuses. It
was important for the college that its
current, laborious manual processes—
library book inventory and fine payments—
also could be automated and
simplified in the future. The college also wanted to reduce on-site cash handling
by introducing a cashless payment solution
for the canteen.
Another key requirement at Coventry
College was the ability to control
real estate, personnel and assets
through a single, multi-application
smart card that combined both physical
and logical access control. To meet the
logical access requirements and provide
centralized control of personnel, real
estate and university access, the college
deployed 1,000 multi-application smart
cards with integrated middleware to its
staff. It deployed an additional 12,000
customized cards with ID photos to
students for both physical access and
cashless catering. The resulting solution
enables the storage of personal
student information, such as allergies,
on the smart card, helping canteen staff
to serve the cardholder with food suitable
to his or her condition.
Transportation management is another
common challenge that smart
cards can address. At Murcia University
in Spain, the university and its
bus transportation service contractor,
Autocares Espuña, needed an efficient
way to monitor bus fleet usage both for
security purposes and to maximize efficiency.
They needed a method to communicate
passenger status to the bus
driver, and also wanted to generate a
database of historical usage information.
The system also had to be quick,
convenient and cost-effective for students,
with the ability to integrate two-way
text messaging for communicating
with bus drivers and GPS capabilities
to supervise itinerary data including
distance driven, fuel level, observance
of speed limits, stop/start records and
whether the buses stayed within their
approved route areas.
Murcia University’s prior procedure
required that bus drivers hand-count
passengers and cross-reference that
information to the number of cards
sold. Drivers also needed to remember
whether a student had already ridden
the bus to prevent plan abuse. Finally,
Autocares Espuña did not have a reliable
way to project usage and provide
the correct number of buses to accommodate
peak rider demand. To solve
this challenge, the university and Autocares
Espuña chose a solution that integrated
GPS, text messaging and database
capabilities with a combination of
iCLASS contactless reader/writers and
13.56 MHz contactless smart cards.
To use Murcia University’s bus service
now, students simply approach the
bus’s on-board reader with their card,
and it responds with either a green light
indicating a valid card, allowing the
student to board the bus, or an orange
light accompanied by a buzzer if the
card is invalid. A text message then appears
on a screen telling the driver the
reason the student is not authorized to
ride. All cards are personalized by the
university and can be reprogrammed
when the amount of transportation
purchased expires. The university is
considering opportunities for tracking
time and attendance and other future
applications to be deployed using the
same smart card technology.
The combination of physical access
and payment capabilities is an increasingly
popular smart card application.
One of the nation’s leading banks recently
developed an award-winning
program that consolidates traditional
magnetic stripe purchases, contactless payment transactions and facility access
on a single employee card. The selected
technology combines a point-of-sale
contactless-payment application
and HID’s iCLASS smart card technology
for physical access control and
security. One of the potential applications
for a program like this is to offer
students payment functionality—cashless
or magnetic stripe—on their physical
access card at no additional charge.
Services such as these improve convenience
while enabling students to establish
an early banking relationship.
For banks, these relationships can extend
beyond graduation as a graduate’s
need for financial services grows.
Universities also must be concerned
about maximizing overall security. Today’s
multi-purpose smart cards carry
more information that must be protected,
and they require more privacy
protection. This has created the need
for multiple layers of card security,
including two-factor authentication
to validate identity, and in some cases
even biometric templates that must be
stored on the card. These are the same
technology requirements the U.S. government
has recently specified as part
of sweeping mandates that aim to establish
more secure and reliable forms
of identification used by federal employees
and contractors.
Understanding Government Smart Card Requirements
In August 2004, the government enacted
the Homeland Security Presidential
Directive-12 (HSPD-12), which
was designed to ensure that all federal
employees and contractors have secure
and reliable forms of identification. In a
February 2011 memorandum from the
Department of Homeland Security and
the Office of Management and Budget,
federal agencies were told they could
not use development and technology
refresh funds to complete any activities
until all existing physical and logical
access control systems were upgraded
to implement Personal Identity
Verification (PIV) credentials.
The National Institute of Standards and
Technology (NIST) has established implementation
guidelines, including the use of
smart card and biometric technology.
Details are provided in Federal Information
Processing Standards Publication
201 (FIPS-201).
Achieving compliance is not a
trivial task. It requires agencies to acquire
and implement a variety of often
costly technologies and has many
times required a complete overhaul of
the legacy access control infrastructure.
With the latest advances in smart card
technology, however, organizations can
achieve FIPS-201 compliance with significantly
less expense while preserving
the existing physical access control
head-end servers, panels and door control
hardware.
Organizations can simplify FIPS-201
compliance by assigning a single point
of responsibility and taking advantage
of fully interoperable, simple-to-deploy,
cost-effective products and technologies
that have been tested and validated as
part of a complete turnkey solution.
Additionally, organizations must
be able to achieve compliance quickly
and effectively; they must be able to
produce all required audit support; and
they must be able to deploy their compliant
system on an incremental, pay-as-you-go
basis while retaining most of the existing infrastructure.
The latest card readers feature a
number of capabilities that simplify
FIPS-201 compliance. They employ
EAL5+ Secure Element hardware to
ensure tamper-proof protection of keys
and cryptographic operations. They
also use industry-standard bidirectional
communications technology, such
as the Open Supervised Device Protocol (OSDP), so
that they can seamlessly and securely
connect to FIPS-201 compliance hardware
modules.
Finally, these readers use a portable
credential methodology based on a
standards-based, technology-independent
and flexible identity data structure
that can exist on any number of identity
devices. HID Global calls these
data objects Secure Identity Objects
(SIOs), and they work with companion
SIO processors on the reader side
to perform the same functions as traditional
cards and readers, only within
a significantly more secure, flexible and
extensible environment.
Using this new access control technology
and a modular upgrade approach,
organizations can achieve
FIPS-201 compliance simply by installing
the new readers, inserting compliance
modules between the readers and
the existing PACS panel, and deploying
a compliance manager. This system leverages
next-generation reader technology
to perform every step required for
PIV authentication.
In addition to increasing security
and simplifying government compliance,
these advanced reader systems
also will play a key role in the move to
virtualized credentials. Increasingly, the
concept of identity is moving beyond
traditional ID and cashless payment
cards to include many different credential
platforms.
Moving to Virtualized Credentials
Academic institutions, government
agencies and other organizations must
plan for a future in which identity is
no longer exclusively associated with
the card that carries it but can take
many forms, including mobile phones
and USB sticks. It will be possible to
provision and embed portable, virtual
credentials into both fixed and mobile
devices, including mobile phones that
can be used to open doors, make cashless
payments and access secure data.
These phones use near field communication (NFC)
short-range wireless technology
to receive and present virtualized credentials
that were previously stored on
contactless smart cards.
In one example, a server would first
send the user’s virtualized credential
over a wireless carrier’s connection to
the person’s mobile phone. To “present”
the person’s virtualized credentials
at a facility entry point, the phone is
held close to an NFC-enabled secure
access control reader. Throughout the
process, there must be a way to ensure
that the credential is valid. Both
endpoints, plus all of the systems in
between, must be able to trust one another.
In other words, there needs to
be a transparently managed chain of
trust extending from one end to the
other. This chain of trust requires the
creation of a trusted boundary within which all cryptographic keys governing
system security can be delivered
with end-to-end privacy and integrity.
This is the only way to ensure that all
network endpoints, or nodes—such as
credentials, printers, readers and NFC
phones—can be validated, and all subsequent
transactions between the nodes
can be trusted.
One of the first such bounded environments
is HID Global’s Trusted
Identity Platform (TIP). At the heart of the
TIP framework is the Secure Vault,
which serves known nodes within a
published security policy. TIP establishes
a scalable framework and delivery
infrastructure for delivering three
core capabilities: plug-and-play secure
channels between hardware and software;
key management and secure provisioning
processes; and seamless integration
with information technology
infrastructures. The fully scalable TIP
environment can also support multiple
usage models such as cloud-based applications
that require service delivery
across the Internet without compromising
security.
Within this trusted boundary, next-generation
readers will be able to easily
and reliably support portable credentials.
The device-independent security
objects described earlier will be able
to reside on any number of identity
devices and work with a companion
SIO interpreter on the reader side.
It will be possible for an identity object
stored on one device to be ported
to—and interoperate with—another
device with ease and without strict constraints.
Additionally, the objects will
enhance trusted security by acting as a
data wrapper to provide additional key
diversification, authentication and encryption
while guarding against security
penetration. Because these objects
use open standards, they will improve
flexibility and grow in security capabilities,
unlike traditional, fixed-definition
architectures.
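To make the chain-of-trust provisioning flow and the key-diversification role of a device-independent identity object concrete, here is an added example in Python; it is not HID code and not the real SIO or TIP format, which the article does not specify. It models an issuer that derives a per-device key from a master key and authenticates a credential bound to that device, and a reader that checks the object and then challenges the presenting phone to prove it holds that key; encryption of the object is omitted, and the master key, device IDs and holder names are constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed master key for this example; a real issuer keeps it in an HSM or secure vault.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def diversify(master_key: bytes, device_id: str) -> bytes:
    """Derive a per-device key, so one compromised node does not expose the master key."""
    return hmac.new(master_key, b"sio-div|" + device_id.encode(), hashlib.sha256).digest()


def issue_credential(master_key: bytes, device_id: str, holder: str, valid_until: int) -> dict:
    """Issuer side: build an identity object bound to one device and authenticate it."""
    body = {"device_id": device_id, "holder": holder, "valid_until": valid_until}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(diversify(master_key, device_id), payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def phone_respond(device_key: bytes, tag: str, challenge: bytes) -> str:
    """Phone side: answer a fresh reader challenge with the provisioned device key."""
    return hmac.new(device_key, challenge + tag.encode(), hashlib.sha256).hexdigest()


def reader_verify(master_key: bytes, credential: dict, now: int, respond) -> tuple:
    """Reader side: check integrity and expiry, then make the presenter prove key possession.

    `respond` is the phone's challenge handler (a callable taking the challenge bytes).
    Returns (accepted, reason) so a denial reason can be displayed, as on the bus reader.
    """
    body = json.loads(credential["payload"])
    device_key = diversify(master_key, body["device_id"])
    expected_tag = hmac.new(device_key, credential["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, credential["tag"]):
        return False, "credential tampered or issued for another device"
    if now > body["valid_until"]:
        return False, "credential expired"
    challenge = os.urandom(16)  # fresh per presentation, so a recorded answer cannot be replayed
    answer = respond(challenge)
    expected_answer = hmac.new(device_key, challenge + credential["tag"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_answer, answer):
        return False, "presenter could not prove possession of the device key"
    return True, "ok"
```

A credential copied to a second phone fails the challenge step even though its tag is intact, which is the property key diversification buys.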
Virtual, portable credentials, and
the reader platforms that support
them, will significantly extend the value
proposition for contactless smart card
credentials on today’s college and government
campuses. This will require
a simple-but-protected, fully scalable
and standards-based identity delivery
system that can support a wide variety
of identity nodes—ranging from
readers and cards to NFC-equipped
mobile phones—that can be registered
as “trusted nodes” and securely provisioned
anywhere on the campus.
School and government administrators
will optimize the effectiveness
of these virtualized credentials using
the same well-established best practices
that have been proven with today’s
physical smart cards. The use of flexible
system architectures will provide
the foundation for multi-purpose smart
card and virtual credential deployments
that improve cost efficiencies and
user convenience across a variety of access
and commerce applications.
This article originally appeared in the August 2011 issue of Security Today.