Using the Cloud for Identity Protection

Providing the means to open doors and access IT systems

• By Robin Tandon
• Apr 09, 2020

The way ID cards are used in the enterprise and on college and university campuses has changed dramatically in recent years. Once a simple identification tool, corporate ID badges now provide the means to open doors and access IT systems, networks and data, and campus IDs are used to purchase meals, check out library books, enter dorm rooms and more.

The way cards were issued had not changed much for two decades, using one or more PCs that were each connected to a nearby printer. Now, enterprises and universities are making a shift to cloud-based solutions that enable a remote card issuance experience, transform ID card printers into edge devices within the Internet of Trusted Things (IoTT), and redefine the economics of card issuance by ushering in new service-based models.

Improved User Experience

Traditionally, ID cards were designed and printed from a PC that was connected to a nearby printer. Someone had to be physically present at the PC to design the card, use the student ID database to encode data on the card, and send the card to a printer.

Some suppliers added a piece of locally installed software that enabled web-based design and, in some cases, a certain level of encoding work. In contrast, today's true cloud-based platforms bring all the elements required for secure issuance into a centralized and integrated system that enables the entire process to be managed and executed remotely, from design and encoding to printing.

An administrator in a card office or any satellite facility or other remote location, for instance, can seamlessly create new cards, encode data on them, issue replacements and manage print queues. This can all be accomplished through one trusted system using a tablet, laptop or any device with a web interface.

This cloud-based model improves the user experience by enabling instant issuance at many different locations, rather than requiring a visit to the main card office in order to pick up an ID. Card printers can be installed anywhere, including remote offices and satellite campuses, and cards can be sent to any of these printers. Printers essentially become smart, secure, web-enabled edge devices in the IoTT that can leverage all of the platform's functionality.

Security and privacy protection are both improved with the cloud-based model. There is end-to-end encryption of all sensitive data both in transit and at rest, using banking-level encryption protocols. The use of digital certificates creates a trusted relationship between the cloud and the issuance console, and card data remains encrypted until it is printed, after which all personally identifiable information (PII) disappears.

All encryption keys are securely stored in tamper-proof hardware, and unique firmware ensures the printers cannot be hijacked, but will only work with the cloud-based issuance system software. The issuance console can also be used with a card reader so that print jobs are not released until an authorized card or credential has been physically presented for validation.

In addition to transforming security, privacy protection and the user experience, this cloud-based model also improves the administrator experience by simplifying high-volume card issuance management and delivery, while increasing control and security. It is no longer necessary to manage software and other IT resources typically required for card issuance.

Since there is no longer the need for printers to be locally connected to printers, the administrator is also saved the task of maintaining associated software updates and security patches across local computers connected to printers. Not only does this approach eliminate the problem of using legacy systems that limit the ability for IT or security personnel to track system activity, it also eliminates any capital expenditure requirements for deploying printers as part of a world-class card issuance implementation. Instead, this cloud-based model introduces new economics for card operations, providing the option for resources to be leased and their costs bundled into a cloud-based offering.

New Economics of Cloud-based Card Issuance

With a cloud-based platform, the entire ID card issuance process can be delivered through a service model billed on an annual or monthly-installment basis – hardware, software and service all in one offering. This approach cuts multiple layers of program costs while making it easier for administrators to scale the card office to accommodate future technology capabilities or changing volume demands. For instance, during periods of peak demand, large batches of cards can be produced and dispatched by commercial printing bureaus.

Cost savings can be substantial. This savings can include the typical annual cost for card stock, laminates and ribbons as well as the expense of service, maintenance and hardware and software updates. Not included are the costs of staff time required for issuance or reordering supplies, or IT resources to support the operation, or periodic replacement of obsolete equipment.

A service model enables administrators to convert their budget for ID card issuance into an operational expense that could amount to a service fee covering all ribbons, pre-printed cards and mag stripe encoding. This approach diminishes the previous unpredictable ancillary costs associated with owning and managing hardware and software by eliminating costs related to maintaining hardware, inventory, labor, and potentially the capital expenditure related to purchasing printers.

The cloud-based service model can include auto-replacement of cards and other consumables when needed, and delivers all the benefits associated with centralized control and visibility along with distributed or batch printing. Cloud-based solutions are aware of printer health and maintenance needs, as well as all activity down to the printer level, including the status of consumables. A service provider can, for instance, predict when a printer will run out of consumables, and drop-ship replacements to the customer when they need them.

Equally important, administrators who adopt a cloud-based model for their card office know that their operations will be compatible with today's and tomorrow's credential technology, including mobile IDs that enable users to carry ID cards on their smartphones. Solutions are generally also compatible with leading card systems.

An example is HID Global's HID FARGO Connect secure cloud-enabled card issuance system, which is compatible with systems including the CBORD solution for higher education and HID SAFE Enterprise software for managing identities and their access across physical access systems.

While the technology used by card production offices had largely remained static, the technology available to most other operations in the enterprise and a university campus has advanced considerably, improving how employees were onboarded and making it easier for university students to seamlessly register for classes online, pay fees and be ready for classes on the first day without waiting in physical lines.

The crucial task of printing and issuing student IDs has caught up with these advances, taking the inefficiency and inconvenience out of corporate ID badging while removing the fall crunch time for university card office administrators. Cloud-based card issuance solutions are giving back both time and money while re-envisioning the way card offices operate.

This article originally appeared in the April 2020 issue of Security Today.