Who Are You?

Airports exhibit one of the most complicated scenarios to administer restricted-area access control, identity verification and issuance of an access credential. Various airline employees, vendors, third-party contractors and tenants need to be authenticated at all times, and their physical access rights must be controlled and managed dynamically based upon their role and policies affecting their access. But in many airports, security operations feature siloed access control systems and disjointed processes used to manage employee credentials for facility access.

Additionally, IT systems that issue transportation authority clearance, such as the Transportation Security Authority or Canadian Air Transport Security Authority, are all managed independently, often by different departments.

As a result, many physical identity and access management operations are handled manually, leading to costly human errors, ad-hoc cardholder credentialing, multiple ghost/orphan accounts, and long on- and off-boarding times.

Beyond these obvious inefficiencies, new compliance mandates are driving an entirely new level of security challenges within the airport infrastructure: Homeland Security Presidential Directive 12 mandates that all TSA employees and contractors authenticate themselves using two fingerprints and a smart card. Identities need to be checked against no-fl y lists on a regular basis. And transportation authority clearance needs to be monitored in real time.

Real Challenges

Because of the inefficient means by which identities and access to the restricted areas are managed, airport security practitioners are faced with a litany of issues on a regular basis.

  • A large number of transitory and/or contingent workers across airport staff, tenants and third parties need to be managed on a real-time basis
  • Inconsistent badging processes and operations, resulting in long processing times and erroneous area access rights
  • Constant facilities expansion, adding new layers of complexity regarding area access, related technologies and security infrastructure
  • A lack of overall visibility into airport identity and access operations, resulting in poor reporting and potential compliance issues.

For example, because so much of the airport staff is made up of contingent workers, making sure that their identities are well-managed and their access rights are current and appropriate based upon policies are continual challenges. If a third-party repair technician is fired, how can you make sure that their physical access rights are immediately removed, thus eliminating a potential security risk?

Single Identity Across the Entire Airport

Some airport organizations have begun to see the value in an integrated approach to physical identity and access management. By connecting disjointed and manual processes with their biometric and physical access control systems, security practitioners can create a single notion of identity across the entire airport, along with a policy paradigm for credential issuance and granting access to the airport facilities. This single notion of identity can be managed simply, effectively and securely, from the first day of employment to the last.

Quantum Secure's SAFE suite of products addresses this problem by providing a supervisory management system to transform and automate manual workfl ows and processes, enabling airport authorities to manage enrollment, credential issuance, do background checks, and credential expiry and facility access of users and groups. SAFE is a commercial off-the-shelf solution that, through an automated, role-based, policy-based access control mechanism, offers an integrated enrollment, access provisioning and badging engine along with a framework to integrate siloed systems and processes.

The SAFE enrollment engine authenticates and verifies identities and digital certificates, captures biometric images, issues a credential, binds the relevant biographical and biometric data with the card, and provisions the identity for facility access in the PACS—all in one connected process.

Conversely, identity expiration policies ensure that the card is automatically expired based on defined trigger points, including training, termination, insurance updates and governmental agency requirements.

A Real-world Example

One organization that is realizing dynamic returns by automating key processes related to identity management is the Toronto Pearson International Airport. Toronto Pearson, under governance by the Greater Toronto Airports Authority, handles 30 million passengers per year, employs more than 33,000 people and is an important economic engine for the area.

The airport's Pass/Permit Control Office, which issues restricted area identification and access control cards and passes for employees, serves an average of 175 clients per day and more than 45,000 employees and contractors each year.

Because every employee of every airline, shop, food vendor, contractor and consultant working at Toronto Pearson— as well as airport employees themselves— must be processed by the PPCO, this function is critical for the economic vitality, operation and security of the airport. Toronto Pearson needed a system that could keep up with demand, ensuring that staff started work in a timely fashion while maintaining high levels of customer satisfaction.

The SAFE suite of software enabled Toronto Pearson to incorporate existing, fragmented physical security processes and systems into its larger IT infrastructure, automating many of the previously physical, labor-intensive tasks of credentialing employees. It also made the applications more userfriendly, with better customer service, while leveraging the productivity opportunities available from the technology infrastructure.

Based on these preliminary results, the airport expects it will meet the goals of reducing average cost per customer from $49 to $35, average wait times from 560 minutes to 20 minutes and average service time by 50 minutes.

Greater Visibility, Strong ROI

By bringing together disparate systems and automating key processes and policies, security practitioners can quickly instill best practices and realize a strong ROI.

Manual, error-prone processes regarding the on-boarding of new identities can now take minutes, instead of days. An automated enrollment process can transform paper-based identity proofing and application process to an electronic and rules-based process for managing the on-/off-boarding of identities into and from the organization. Access to restricted areas can quickly be granted via automated policies and approvals. And the termination of a person is immediately pushed out to the physical access control systems.

At the same time, real-time reporting allows for greater visibility into all facets of airport security operations. To better manage that airside vehicle operator, an automated policy can be created that links access to driving privileges, allowing for the removal of airside access while penalties are enforced and other remediation activities occur.

Automated audit and compliance reporting allows for systematic checks and balances throughout the entire identity lifecycle management—on-boarding, change management and off-boarding. All anomalies and alarms related to failure in compliance are caught in real time, which activate automated policies for corrective action.

An integrated document management system allows for the centralized storage of enrollment applications, valid credentials, biographic and biometric information—including driver's license and passport data—I-9 information, photo and other related documents in an electronic format are always available with a click of a button.

And because a smart software solution integrates directly with the existing airport security infrastructure, there is no need for a complete rip and replace strategy. The SAFE suite of software includes integration agents that receive and push relevant information to all leading PACS, allowing a disparate environment of security systems to act as a single unit.

From a functionality standpoint, the various modules can be added independently, allowing airport security practitioners to grow and evolve their system based on their unique needs. For example, if badging and credential management is paramount, a module exists to streamline that function within the organization. If document management is a particular pain point, a module exists to digitize and bind key documents to an identity, storing approval forms, I-9 information and other related information in a centralized electronic system.

About the Author

Ajay Jain is president and CEO of Quantum Secure.

  • Environmental Protection
  • Occupational Health & Safety
  • Infrastructure Solutions Group
  • Spaces4Learning
  • Campus Security & Life Safety