A Door Wide Open

Innovation leads the way to tighter physical security

In the last four and a half years, new government mandates for tighter physical security at critical infrastructure sites have led to significant strides in physical access control innovation. Demonstrated in some of the most sensitive, widespread and complex government credentialing projects, these new technologies are poised to transform how government and commercial organizations control an individual's access to specific facilities.

A notable result of increasing security regulations within the government is the development of a physical access security technology capable of achieving consistent access control and an interoperable trust level for various sites across an organization. For the first time, new technology enables government and private businesses to easily separate credentialing functions from system policies to support a distributed, ground-up approach to access control.

This new method lessens the administrative time and costs necessary to maintain site policies and technologies. This approach ensures that all sites within an organization have a consistent level of confidence that people are who they claim to be and -- based on pre-determined credentials -- are given the same level of clearance.

Legacy access control methods that admit and restrict access based on what a user holds in his or her possession (such as a key) or knows (such as a PIN) do not provide a high degree of security. Granting access to whoever possesses an object, such as a proximity card, without additional means to verify the identity of the possessor, provides little assurance that only authorized individuals can gain access to secured sites.

PIN- or password-based access control systems also are flawed. Again, this method of security does not directly verify the identity of the individual attempting to gain access to a site. Simply stated, passwords, keys and proximity cards can easily be shared, borrowed and/or stolen.

The use of keys, PINs and cards within multi-site organizations tends to magnify the issues of security and administrative upkeep.

Independently managed sites within the same organization often require an office to set up a new set of policies and distribute a new set of keys, PINs or cards to the same person. The more security objects a person possesses, the more there are to lose, misplace or share, with each instance becoming a potential security breach.

Separating Credential from Policy
The idealized model of an organization-wide security infrastructure is usually based on a monolithic back-end system for managing user provisioning and access policies across all sites and individual systems. But, in practice, such comprehensive systems are rarely deployed and may not even be the best arrangement for multi-site organizations. Instead, by separating the user credential from the policy, organizations can give themselves the flexibility to create and selectively apply policies that meet the unique needs of discrete sites. At the same time, embedding user identity information directly into a trusted credential -- such as a biometrically enabled smart card -- simplifies the task of adding new individuals to a local system.

User identity information can be read directly from the card without the need for re-keying. And since the credential also includes unique biometric information about the holder, it also is a far more secure and tamper-resistant form of identification than keys, PINs or proximity cards.

Field-Tested, Government Approved
Since 9/11, government and other high-risk organizations have urged the security industry to bring new solutions to market that make credentialing large groups of people across disparate locations straightforward and easy to deploy. Government agencies, in particular, demand the strongest level of authentication possible to prevent acts of terrorism and related security breaches. These requirements were recently addressed in Phase III of the Transportation Security Administration's Transportation Worker Identification Credential program.

In this project, the industry's foremost experts on security and authentication collaborated to design a system-wide, common credential for all civilian workers across all transportation modes, including seaports, airports and rail lines. The project -- designed to improve security, enhance commerce and protect personal privacy -- provided workers with a tamper-resistant, biometric smart card to be used to gain access to secured areas.

Many factors make TWIC the de facto case study for designing company-wide credentialing programs. For example, the scale of the deployment required technology vendors to accommodate extremely diverse conditions. In addition to providing potential support for more than 6 million workers in an eventual nationwide rollout, variables included complex physical landscapes and extreme outdoor weather conditions such as direct sunlight, wind and rain. Educating large numbers of volunteer transportation workers on how to use the credentialing technology during the pilot was another significant learning experience.

Upon completion of TWIC design and deployment, government and non-government businesses had a real-world study on the practical steps involved in deploying an interoperable credentialing framework across an entire organization, regardless of scale and site complexity.

"Ensuring that only authorized individuals gain access to critical infrastructure, such as ports, is vital to homeland security," said Kate McCurdy, public sector technology analyst, Datamonitor. "Reliable, biometrically-enabled, weather-resistant access card readers are an important component of an effective access control system."

Like many private organizations, transportation facilities involved in the TWIC pilot had an existing physical access security infrastructure. Instead of replacing a site's legacy system, TWIC technology suppliers designed the biometric smart card security system to be easily integrated with the existing infrastructure. This approach enables sites to increase security by simultaneously ensuring authentication and access control. TWIC also uses contactless, biometric smart card readers for end-user convenience. As opposed to sliding cards through readers, cardholders simply wave their cards near the device, then apply a finger to the reader for identity verification.

Another landmark government security initiative to consider in the evolution of physical access control technology is the result of Homeland Security Presidential Directive (HSPD) 12, a mandate for a common interoperable biometric smart card for all federal employees and contractors by 2007. In response to this directive, the National Institute of Standards and Technology developed the Federal Information Processing Standard (FIPS) 201, also known as Personal Identity Verification (PIV), to enable government organizations to comply with this new security measure. PIV, a credentialing standard independent of TWIC, is expected to become the new interface of TWIC in Phase IV.

Like TWIC, the PIV identity management system seeks to replace weak identity verification methods, such as standard photo ID cards, with tamper-resistant, biometrically enabled smart cards. This standard will enable the government to achieve a higher interoperable trust level among geographically dispersed facilities. Like TWIC, a PIV-compliant access control deployment requires a federal worker to place a biometric smart card near a contactless reader and touch a sensor to scan and encode his or her fingerprint as a value.

In seconds, the reader verifies the worker's identity and a centralized server authenticates the request, opening the requested gate or door. By using a biometric credential, organizations virtually eliminate the threat of tampering with an employee's identity while allowing workers to carry a single credential instead of multiple ID cards.

Industry Impact
The impact of TWIC on other large-scale credentialing programs is already becoming apparent. The state of Florida, through its Florida Uniform Port Access Control program, has chosen to implement biometric smart card authentication in the state's 14 deep-water seaports. Saflink Corp. has been selected to provide the technology for fixed security stations and mobile guard units. The technology deployment commenced in 2005 and will continue through 2006, providing a reference implementation for other ports currently investigating physical access upgrades.

Government-tested security initiatives that deploy identity management programs for the protection of critical infrastructure and terrorism prevention, such as TWIC, will have a significant impact on commercial infrastructures and business practice standards. This has already become apparent in Florida. Organizations in nearly every vertical industry interested in enhancing security by adopting a large-scale credentialing program should consider TWIC as a reference for proven strategies and technologies for streamlining physical access control. In particular, Saflink's platform for contactless biometric smart cards has set an industry precedent for identity verification, ease of use and interoperability.

Legislation, policy and regulatory changes aimed at increasing security for critical infrastructure sites and transportation nodes have resulted in the development and testing of comprehensive, flexible and easy-to-add solutions for enhancing physical access control. Stringent, in-depth trials of access technologies by the federal government in programs such as TWIC have been an integral step in further understanding which technologies are capable of credentialing large groups of people across various geographical locations. The implementation of new approaches in these programs, such as the separation of security policies from user credentials, has demonstrated that it is possible to deploy more secure, more flexible and easier-to-manage security infrastructures.

While initially intended for the benefit of government organizations, TWIC and PIV provide the commercial sector with a clear indication that the technology to streamline and strengthen physical access security procedures exists today.

This article originally appeared in the October 2006 issue of Security Products, pgs. 68-69.
