Secure Credentials in a Network Environment

Technologies are converging all around us. Data networks connect more people and devices, and more of our assets are information-based. Thieves use technology to take advantage of our network-dependent society. Identity and data theft are becoming as common as physical crime, so computer-based security has become paramount to protecting the enterprise.
If we can properly identify people and network devices, we’ll have mastered an essential deterrent to crime in this Internet age. A simple, printed ID badge or surveillance camera is not enough anymore. Now, IP cameras send surveillance images over the network, and electronic credentials authenticate users to the computer network. Proper identification can help make sure that only the right people are on the premises and on the network.

Card credentials are the first line of defense for the enterprise security professional. As credentials become more sophisticated, so do the systems of issuance. In the past, most credentials were printed in large, central facilities where brick and mortar, along with a number of surveillance cameras, secured the issuance process. However, in today’s world of networks and mobile employees, many organizations require instant issuance at the point of need. The Department of Defense, which has issued millions of Common Access Cards for service personnel and their families, exemplifies this strategy. They deployed individual printers to issue cards at bases where needed and set up groups of printers in temporary issuance sites to enroll larger groups.

The value of instant issuance comes from the flexibility of the system. Several printers can be networked together in a single area to manage large-scale issuance of credentials, which are then distributed to the point of need. Instant issuance is more adaptable for small batches, badge replacement, visitor management and contract employees.

You can use issuance security management tools to monitor the issuance process over the network. Using networked card production and intelligent network monitoring, you can detect fraudulent card production in real time. Using central facilities, on the other hand, requires a large capital investment and a secure way to transport cards, and it doesn’t provide the flexibility of small batch printing. If you have to mail cards or wait for an ID for a new employee, you’re adding to your security concerns.

If you want secure, instant, distributed issuance, you must take both physical and network security precautions.
Surveillance cameras are valuable tools for monitoring credential issuing locations. But since surveillance systems require constant monitoring, it’s a good idea to add network security monitoring as well. Intelligent programs provide an automated way to monitor the issuance process.

Lock up valuable supplies like cards, color ribbons and security holograms in lockable printer hoppers and supplies cabinets. (Some sites even create cabinets for printers and computers.) To add even more security, keep these valuable supplies in an inventory vault that is monitored over the network. This helps make sure they are only used to make valid credentials.
The equipment used to finalize the credential—including the card printer, data encoders, and security overlaminate equipment—should be authenticated to the network and monitored for misuse. Automatically disable issuance equipment that is stolen or misused, and set up alerts to be transmitted to the appropriate network manager.

The operators who issue the credentials should be vetted and authenticated before they can issue a card. Perform complete background checks on these personnel, and issue them a computer-based credential with biometrics in order to ensure that only authorized operators issue cards on the issuance equipment.

Why should these precautions be taken? Because if you can’t trust your credentials, the whole networked security model falls apart. Monitoring the issuance process when it is distributed over a network of systems makes the process more secure. In the past, the only way to ensure security was with labor and surveillance cameras. Today, intelligent computer programs can enhance issuance security.

Central facilities are still an important part of the credential issuance chain. Cards and computer chips are often mated in a central facility. Initial security features and data templates for computer chips are often pre-personalized in a central facility. Even though the cost to print a card is lower in a central facility, card program managers should consider carefully the cost of capital equipment, batch size, mailing and other factors that limit the flexibility of a central site.

The news frequently reports cases of fraudulent credentials being issued by a trusted individual. Computer programs can help us secure credential issuance using inventory vaults, equipment authentication, and operator monitoring in a networked enterprise. It only takes one creative individual to destroy the trust in a credential-based security system. It’s a chance better not taken.

Gary Klinefelter serves as vice president of Technology for Fargo Electronics Inc. Mr. Klinefelter holds 22 patents with Fargo and a BSEE degree. He is a long-time member of IEEE and the Society for Imaging Science and Technology. He is currently the Chairman for the Open Security Exchange.