Feature of the Month
Using Smart Cards for Secure Physical and Logical Access
Originally, the employee badge was used as a visual identity credential. Access into buildings and doors was granted when a guard recognized the cardholder's badge. Technologies for automating access control (such as magnetic stripe, bar codes and proximity chips) were developed to decrease operating costs, improve security, and increase convenience.
While these technologies reduce operating costs and increase convenience, they do not guarantee that the badge holder is in fact the person authorized to have the badge. Older ID technologies provide minimal or no security for computer networks. The requirement for a single secure credential for logical and physical access, and for protection of an individual's private information, has led to the emergence of the smart ID card: an ID credential in which contact and/or contactless smart card technologies are integrated into the corporate ID so that access systems can be implemented with additional levels of security.
The smart ID card grants a person (or device) secure, authenticated access to both physical and virtual resources. The badge can authorize access to buildings, computer networks, data files or the user's personal computer. In addition, these same cards can now include applications that allow access to mass transit systems, payment accounts, and other secured data. The one common requirement for all of these applications is authenticated user identification.
Many of the people involved in the purchase, implementation, and use of the smart ID card - from the chief executive officer (CEO) to (most importantly) the employee - are realizing the card's benefits. Almost every security magazine includes at least one article, if not a cover story, on the convergence of physical and logical access. Such articles describe security advantages, ROI, convenience, and implementation considerations.
Benefits of the Smart ID Card
The choice of an access credential must address the concerns of a variety of functional areas in an organization.
- Executive management needs to secure both physical and network access.
- With lower operating budgets, CEOs and chief financial officers (CFOs) are demanding a solid business case and the most cost-effective solutions.
- The chief security officer (CSO) and chief information officer (CIO) need to be notified of security breaches quickly, to identify and locate the perpetrator, and to gather forensic evidence that can hold up in court.
- HR wants new employees to hit the ground running, to increase efficiency and profitability.
- Government legislation demands that a person's privacy be respected.
- And last but not least, employees need an ID credential that is easy and convenient to use. Otherwise, either employees will find ways to circumvent security or the costs of employee credentialing will increase so significantly that the company will abandon the system.
Smart ID cards are a cost-effective and flexible solution that addresses requirements throughout the organization. A single smart ID card can incorporate multiple technologies, accommodating both new and legacy access control systems as part of an overall migration plan to the new access control technology. The same smart ID card can support multiple applications, eliminating the need to issue multiple cards or other tokens to employees. Badges for employees can support a range of security profiles depending on the level of access required by the employee. For example, some badges may provide only limited facility and network access, while other badges provide special access to restricted areas and use contactless or contact smart card chips to support:
- biometric templates that authenticate the user to the card;
- secure challenge-response algorithms that authenticate the card and reader to each other; and/or
- a key management/secure protocol that changes every time the badge is presented to a reader, to prevent card duplication and protect information privacy.
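The mutual challenge-response and "changes every time the badge is presented" properties described above can be illustrated with a short model of a card and a reader sharing a diversified symmetric key. The code below is an added example and is not from the Smart Card Alliance report or any particular card product; the master key, card UID and message layout are constructed assumptions, and the HMAC construction stands in for whatever algorithm a real card family uses. In practice the master key would live in a secure access module at the reader rather than in reader software.

```python
import hmac
import hashlib
import secrets

# Constructed sample master key held by the access system (assumption: in a
# real deployment this sits in a SAM/HSM, never in plain reader memory).
MASTER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def diversify_key(master: bytes, card_uid: bytes) -> bytes:
    """Derive a per-card key so that extracting one card's key does not
    expose every other card enrolled under the same master."""
    return hmac.new(master, b"card-key|" + card_uid, hashlib.sha256).digest()


def mac(key: bytes, *parts: bytes) -> bytes:
    """Truncated HMAC over length-separated message parts."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()[:16]


class Card:
    """Holds its diversified key; never reveals it, only proves possession."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, reader_nonce: bytes):
        # A fresh card nonce means the transcript differs at every presentation,
        # so a recorded exchange cannot be replayed against a new challenge.
        card_nonce = secrets.token_bytes(16)
        tag = mac(self._key, b"card", self.uid, reader_nonce, card_nonce)
        return card_nonce, tag

    def verify_reader(self, reader_nonce: bytes, card_nonce: bytes, reader_tag: bytes) -> bool:
        # The card authenticates the reader too: a rogue reader without the
        # master key cannot produce this tag, so the card can refuse to talk to it.
        expected = mac(self._key, b"reader", self.uid, card_nonce, reader_nonce)
        return hmac.compare_digest(expected, reader_tag)


class Reader:
    def __init__(self, master: bytes):
        self._master = master

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_card(self, uid: bytes, reader_nonce: bytes, card_nonce: bytes, card_tag: bytes):
        """Return the reader's proof for the card, or None if the card failed."""
        key = diversify_key(self._master, uid)
        expected = mac(key, b"card", uid, reader_nonce, card_nonce)
        if not hmac.compare_digest(expected, card_tag):
            return None
        return mac(key, b"reader", uid, card_nonce, reader_nonce)


def mutual_authenticate(card: Card, reader: Reader) -> bool:
    """Full exchange: reader challenge -> card response -> reader proof -> card check."""
    reader_nonce = reader.challenge()
    card_nonce, card_tag = card.respond(reader_nonce)
    reader_tag = reader.verify_card(card.uid, reader_nonce, card_nonce, card_tag)
    if reader_tag is None:
        return False
    return card.verify_reader(reader_nonce, card_nonce, reader_tag)


if __name__ == "__main__":
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed sample card UID
    genuine = Card(uid, diversify_key(MASTER_KEY, uid))
    reader = Reader(MASTER_KEY)
    print("genuine card:", mutual_authenticate(genuine, reader))
    # A copy of the UID without the key (what a cloned legacy badge amounts to) fails.
    print("UID-only copy:", mutual_authenticate(Card(uid, b"\x00" * 32), reader))
```

The UID alone is not a credential here: the reader only accepts a card that can compute a MAC over the reader's fresh nonce, and the card only accepts a reader that can do the same in the other direction. Note that this protects the card-to-reader interface; the reader-to-controller link, key distribution, and revocation of lost cards are separate design problems that the report's architecture sections address.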
New software and system integration specifications and products help to identify and analyze security breaches. Linking the physical access and IT databases provides the potential for suspicious activities to be identified immediately. For example, if a computer is accessed by an employee who has left the building, the IT department can be notified immediately and investigate the activity. Similarly, security can be notified if a computer in a restricted area is accessed by an employee who is not authorized to be in that area. Joint communication between the physical and logical access systems enables companies to protect confidential data and identify security issues.
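The two correlations the paragraph describes (a workstation logon by someone whose last badge event was an exit, and a logon in a restricted zone by someone not authorized for that zone) can be expressed as a small rule over joined physical and logical event streams. This is an added example, not software from the report or its contributors; the event records, door names, host-to-zone map and authorization table are all constructed sample data.

```python
from datetime import datetime

# Doors whose in/out events define whether someone is inside the building.
ENTRY_DOORS = {"main-lobby"}

# Constructed physical access (PACS) events: (timestamp, badge holder, door, direction)
PACS_EVENTS = [
    ("2024-03-04T08:02:11", "alice", "main-lobby", "in"),
    ("2024-03-04T08:05:40", "bob", "main-lobby", "in"),
    ("2024-03-04T09:15:02", "alice", "lab-2", "in"),
    ("2024-03-04T11:30:00", "bob", "main-lobby", "out"),
]

# Constructed logical access events: (timestamp, user, host)
LOGON_EVENTS = [
    ("2024-03-04T08:30:00", "carol", "ws-lobby-01"),   # never badged in today
    ("2024-03-04T09:20:15", "alice", "ws-lab2-03"),    # inside, authorized for lab-2
    ("2024-03-04T10:00:00", "bob", "ws-lab2-03"),      # inside, not authorized for lab-2
    ("2024-03-04T12:05:33", "bob", "ws-lobby-01"),     # badged out at 11:30
]

# Where each workstation physically sits, and which zones each person may enter.
HOST_ZONE = {"ws-lobby-01": "general", "ws-lab2-03": "lab-2"}
ZONE_AUTHORIZATION = {"alice": {"general", "lab-2"}, "bob": {"general"}}


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def present_at(pacs, user: str, when: datetime, entry_doors=ENTRY_DOORS) -> bool:
    """True if the user's most recent perimeter event before `when` was an entry.
    A user with no perimeter event at all is treated as not present."""
    inside = False
    for ts, holder, door, direction in sorted(pacs, key=lambda e: parse(e[0])):
        if holder != user or door not in entry_doors or parse(ts) > when:
            continue
        inside = (direction == "in")
    return inside


def correlate(pacs, logons, host_zone, zone_auth, entry_doors=ENTRY_DOORS):
    """Join logons against PACS state and return (timestamp, user, host, reason) alerts."""
    alerts = []
    for ts, user, host in logons:
        when = parse(ts)
        if not present_at(pacs, user, when, entry_doors):
            alerts.append((ts, user, host, "LOGON_WHILE_NOT_IN_BUILDING"))
        zone = host_zone.get(host, "unknown")
        if zone != "general" and zone not in zone_auth.get(user, set()):
            alerts.append((ts, user, host, f"LOGON_IN_UNAUTHORIZED_ZONE:{zone}"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(PACS_EVENTS, LOGON_EVENTS, HOST_ZONE, ZONE_AUTHORIZATION):
        print(*alert)
```

Two caveats a practitioner would attach to this rule: the absence of a badge-in is not proof of absence (tailgating and propped doors are common, and many sites have no exit readers, so "badged out" may never appear), and a logon from a host whose location is wrong in the asset inventory will look like a zone violation. Treat these as triage signals that route to the SOC and the guard desk, not as automatic lockouts, and keep the host-to-zone map under the same change control as the door database.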
Access control systems must address employer and employee needs and meet legal requirements. Smart ID cards are available that use the latest security protocols and anti-probing techniques. An employee's information is consequently available only to parties to whom the employer has authorized access.
An organization may want to use a single process to manage an employee's authorizations, accesses, and privileges. Linking the HR, IT, and physical access databases means that an employee can make one trip to one department to receive a badge containing all required information. The HR database may indicate what access privileges need to be assigned. The IT software can check the HR database and assign the required passwords and certificates. A biometric fingerprint and a digital photo can be taken. With this information, a blank card can then be inserted into the badge printer, all required information can be downloaded onto the card, and the card can be printed. The employee receives the badge within minutes and starts working immediately.
Finally, smart ID cards are convenient and easy to use. Employees have only one badge to maintain, thus reducing the odds of a badge being lost, forgotten, or damaged. Employees need not fumble for the correct badge or feel that they are carrying around a deck of cards.
Both private enterprises and government agencies are increasingly implementing smart card-based access control systems. A smart card-based system provides benefits throughout an organization, improving security and user convenience, while lowering overall management and administration costs. Smart card technology provides a flexible, cost-effective platform not only for physical access control, but also for new applications and processes that can benefit the entire organization.
This article is extracted from the 54-page Smart Card Alliance report, "Using Smart Cards for Secure Physical Access," developed by the Smart Card Alliance Secure Personal ID Task Force. Lead contributors to the report included: ActivCard, ASSA ABLOY ITG, eID Security, EDS, Hitachi America Ltd., IBM, Lockheed Martin, NASA, Northrop Grumman Information Technology, Honeywell Access Systems (OmniTek), SC Solutions, SCM Microsystems, Transportation Security Administration, U.S. Dept. of Homeland Security, U.S. Dept. of State, U.S. Dept. of Transportation/Volpe Center and XTec Incorporated.
The full report provides a primer for understanding physical access control systems that use a smart ID card for personal identification. The report describes physical access system architecture and components, provides guidance on key implementation considerations, describes smart card technologies used for physical and logical access, discusses migration considerations in moving from legacy physical access systems to smart card-based systems, showcases other applications that can be combined with a smart card-based secure physical access system, and includes profiles of organizations implementing smart card-based access control systems.
The full report is available to Alliance members from the members-only section of the Smart Card Alliance web site and to the general public at the Alliance web store at www.smartcardalliance.org.