Access Control: Smart Cards Offer Enhanced Capabilities in Controlling and Tracking Facility Access
By Nathan Zhuravsky - October 2005 - Security
In today’s security-conscious world, facility executives need an effective yet easy means to protect their facilities. For companies that choose a card access control solution, however, using different systems at different facilities can create complications. Even in an environment such as a hospital or university, specific buildings or even departments may have their own systems, requiring different access cards. This can cause confusion when trying to track which cards access which facilities.
What’s more, many access control systems use proprietary controllers. Thus, a base-building access control system may have its own controllers that are separate from the tenants’ card access system controllers. Tying them together requires integration between various access control systems and possibly multiple types of cards.
The answer for corporate and institutional facility executives alike may be a one-card approach using a smart card. Smart cards contain a computer chip programmed with personal information about the cardholder and the access point or points the individual is allowed to enter.
Today’s electronic access control options include a wide variety of card readers that are hard-wired to control panels, which are then hard-wired or networked to a host computer containing one or more security databases. Card readers are placed wherever a company determines access must be tracked. The challenge is selecting the right technology for a specific situation.
For example, a popular type of card today is the proximity card. In some instances, biometric access control is used for additional control and security. There are biometric readers for fingerprints, palm geometry and iris scanning. Biometric readers are difficult to fool because no two people have the same fingerprint, palm geometry or iris scan.
When a biometric reader is linked to an access control card reader, each will digitally access information in a secure database to verify whether the user is authorized to enter a facility at a specific point. In large corporations using access control cards, biometric readers can serve as a second means of verification. In such situations, fingerprint and palm readers are more commonly used, while iris scanners are more often found in government, military and high-security facilities, such as data centers.
A key advantage of smart cards is that they can be integrated with different technologies, including proprietary proximity, magnetic-stripe and biometric systems. That allows smart cards to be used in different locations with different technology readers.
Furthermore, a smart card that is programmed to be read by different types of readers or by a multi-technology reader at different locations is expandable through the addition of new access control panels and readers. While such a system has no theoretical limitations, a large corporation typically buys licenses based on the number of users it expects to have. Another consideration is existing hardware and software, which was based on specific needs at the time of purchase. Expansion of these systems to accommodate smart-card technology may require upgrading or purchasing hardware and software.
Implementing a smart card solution often requires a phased approach. The first phase is to create an all-in-one card by replacing multiple cards using different technologies with one multi-technology smart card. The second phase involves creating a set of smart cards with biometric options for the entire corporation. Combined with biometric data, the smart card technology allows the facility executive to know with certainty which person is requesting access. It provides a method for determining whether a credential is valid and ensuring that the holder owns that credential.
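The check described above (a valid card programmed for this access point, then a biometric confirmation that the holder owns the credential) is shown here as an added Python example; it is not from the article or from any vendor's system. The card IDs, door names, match threshold and record layout are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

MATCH_THRESHOLD = 0.90            # assumed minimum biometric match score
TODAY = date(2005, 10, 1)         # constructed date for the sample calls

@dataclass
class Cardholder:
    name: str
    expires: date
    revoked: bool
    access_points: frozenset      # doors this card is programmed to open

# Constructed sample database (stands in for the host computer's records).
CARDS = {
    "C-1001": Cardholder("A. Rivera", date(2030, 1, 1), False,
                         frozenset({"lobby", "data-center"})),
    "C-1002": Cardholder("B. Chen", date(2030, 1, 1), True, frozenset({"lobby"})),
    "C-1003": Cardholder("C. Okoye", date(2005, 6, 30), False, frozenset({"lobby"})),
}
BIOMETRIC_DOORS = {"data-center"}  # doors that require the second verification
AUDIT_LOG = []                     # every decision is recorded, grants and denials

def decide(card_id, door, today, match_score=None):
    """Return (granted, reason). match_score is the biometric reader's score
    against the template enrolled for this cardholder, or None if no scan."""
    holder = CARDS.get(card_id)
    if holder is None:
        reason = "unknown card"
    elif holder.revoked:
        reason = "card revoked"
    elif today > holder.expires:
        reason = "card expired"
    elif door not in holder.access_points:
        reason = "not authorized for this access point"
    elif door in BIOMETRIC_DOORS and (match_score is None
                                      or match_score < MATCH_THRESHOLD):
        reason = "biometric check failed"   # missing scan fails closed
    else:
        reason = "ok"
    granted = reason == "ok"
    AUDIT_LOG.append((today.isoformat(), card_id, door, granted, reason))
    return granted, reason

if __name__ == "__main__":
    print(decide("C-1001", "data-center", TODAY))        # card alone
    print(decide("C-1001", "data-center", TODAY, 0.97))  # card plus matching scan
```

Denials are logged with their reason alongside grants, which is what lets a facility track attempted as well as successful entry at each reader.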
In the case of a retrofitted building, a needs analysis must be done that takes into account the status and viability of all current systems, upgrade plans, a timeline to implement upgrades, and whether a logical access system should be included in the upgrade.
Smart cards can also help protect corporate information networks — so-called logical access control, as compared with physical access control for entry into a facility. IT departments seek logical access as a lock on a company’s computer network. In a logical access control system, a user’s smart card is inserted into a card reader linked to the cardholder’s workstation. Logical access using a smart card reader provides better security than a password because employees often fail to log off their workstations at the end of a day, allowing others to access sensitive company files. The smart card solves that problem because removal of the card unlinks a workstation from a company’s computer network.
The planning, design and implementation of a one-card solution with or without logical access control should involve a company’s security director, a senior level person from the IT department and a representative from the executive level. The security director should have a plan to replace existing cards and upgrade the system in various locations, prioritized according to a company’s needs. The security director must also be familiar with the system’s setup and should be capable of adding elements of the company’s security risk and vulnerability profile into the mix.
A one-card solution provides standardization for a company. There are also standards for smart cards. Among them are the federal government’s Technical Implementation Guidance for Smart Card Enabled Physical Access Control Systems and Homeland Security Presidential Directive (HSPD) No. 12. HSPD No. 12, signed by President Bush in August 2004, calls for smart cards to be resistant to fraud, tampering and counterfeiting, and to be capable of rapid electronic authorization. It also requires that all federal employees and federal contractors be issued a common credential for physical access to federal buildings and logical access to federal information systems. The Federal Information Processing Standard (FIPS) 201 was a direct result of HSPD No. 12. FIPS 201 establishes minimum requirements for access to government buildings and information systems.
The federal government also established the Government Smart Card Interoperability Specification (GSC-IS), which requires proximity and smart card readers to provide a method of ensuring that the card user is the individual authorized for access.
The Homeland Security Administration is encouraging the private sector to implement these standards, particularly the use of smart cards as a one-card solution.
Such standardization could also allow law enforcement agencies, if needed, to access a company’s system, but such access would require programming on the part of the company, which can control and limit law enforcement’s access to specific information.
Industry standards vary by technology and are often developed by different vendors. For example, there are different standards for proximity card technology, smart card technology and biometric access technology. However, access control system manufacturers have built FIPS 201 into their systems and market them as FIPS 201-ready.
Today, more than ever, large and small corporations, universities and other institutions, and owners of multi-tenant buildings need to protect their facilities and assets. Controlling and tracking access is the key to achieving adequate security. A one-card solution is an effective way to achieve that goal.
Nathan Zhuravsky is an associate at Syska Hennessy Group in New York.