A one-card initiative is a program to use a single smart card for both physical and logical (information system) security. Before smart cards, making the physical access control system (PACS) technology decisions was simple; you basically chose what type of card and card readers to use. You could make this decision after getting educated about the current offerings at a security trade show. In contrast, deploying smart cards involves more technology selections, because the smart card contains a chip that holds data files and software.
A Miniature Computer
Card readers can't write directly to the chip in the same way, for example, that magnetic stripe card programmers write to magnetic stripes. Smart card readers have to interact with software applications on the chip to read or write data, using an application programming interface, or API.
Because a smart card chip is a miniature computer (see Figure 1), the decisions relating to smart card deployment are similar to the decisions we make when we choose personal computers or mobile phones like the Treo® or Pocket PC®. How much memory should be on the chip? What kind of operating system should it use? What kind of software applications will we run on it? What kind of interface should we use to get data on and off the chip?
You no longer simply select a card and card reader; you select a card product line consisting of products made by different vendors, including
• plastic card
• chip
• operating system
• API
• card management software (to manage the data on the cards)
If you are a security manager responsible for selecting PACS technology, you won't have to deal with the bulk of the technology issues relating to smart card chips. These issues will fall on your counterpart in IT, because they relate to IT security technology.
At this point you may be asking, “But what about convergence? Are you advocating for separate physical security and IT silos?” That question leads to a very important point. The technology decisions don't revolve around physical security or IT silos, they revolve around how you want to use the smart chip (i.e. computer) capabilities of the card.
Applications Should Guide Your Choices
Applications will determine your smart card product line requirements, much as applications often determine your choice of a personal computer, to continue the simile. If your applications are for commercial video editing or high-end graphics production for marketing, you are likely to select a Mac and the latest Mac operating system. If your applications are for typical office work like word processing and financial spreadsheets, you'll probably select a Windows PC.
This is the way it should be. You select a technology not based primarily upon its reputation as the latest or most popular or most technically advanced technology, but based upon what you need the technology to do.
Fred Subala, manager of The Boeing Company's one-card initiative, SecureBadge, asks a full set of questions about any security technology selection. What am I considering doing? Why am I considering doing it? Is there a viable alternative? When does it need to be done, and why then? What approach should I take (phased, parallel, pilot phase or proof-of-concept first) and why? How much will I have to spend total? In the end, what exactly am I getting for my money?
Subala adds that in answering these questions it is important to keep in mind that there are only two reasons for launching any security initiative:
• To improve the quality of security
• To reduce the cost of security
What IT Needs to Know
There are many ways of applying smart cards that improve the quality of security and reduce its cost.
• Physical access control
• Information system access control
• E-mail encryption
• Digital signatures for documents
Note that three out of these four are information security applications. Here are some additional, non-security uses for smart cards:
• Payment and direct paycheck deduction (company store, cafeteria)
• Healthcare applications
• Cell phone applications
These also are information technology applications, not physical security applications. This is why the more advanced technology issues (such as smart chip operating system selection) can be left to the information technology folks. They are the stewards of all the smart card applications outside of physical access control.
If you clearly communicate what you want to do with your physical access control application, the IT folks can take the ball and run with it when it comes to selecting the card product line. In general, the IT folks need to know that the communications between the card reader and the card must take place as close to instantly as possible. While a several-second delay is okay when you're using a smart card to log onto a computer, it's not acceptable in building access. If you want to go beyond simple proximity access control to include biometrics information on the smart card, the IT folks need to know about that and what specific biometrics solutions you are considering. If you want to store a photo on the card, IT needs to know the maximum size of the photo image.
The subject of smart card deployment is complex, and the purpose of this article is to help simplify it somewhat by identifying those things relevant to considering a PACS application as part of a one-card initiative.
Just Do It
Multiple-technology cards exist that let you use one smart card technology for physical access control and another technology for information system applications. Thus the selection of physical access control technology can be relatively independent of the more complex issues that surround information systems access control.
Recently I approached the organization with the world's largest one-card initiative—the U.S. Department of Defense—and asked Michael P. Butler, chief of smart card programs for the Defense Manpower Data Center , this question: “What are the three most important things that require thought at the beginning of a one-card initiative?” Here is his response:
• First, give consideration to the full card life cycle and select a flexible card product line to leverage the future.
• Second, have a vision that includes the use in logical and physical access and what that means to the various security stakeholders including end users, as well as for other areas of usage (such as payment applications or healthcare usage).
• Third, just get started and do it! The ROI may take a while, but is a no-brainer.
Butler is not alone in his enthusiasm for one-card initiatives. Security practitioners who have completed such projects have much to say about both the strategic and tactical benefits of a one-card deployment. (See the Convergence Q&A column in the June 2006 issue to see some tactical benefits from actual projects.)
Butler 's first and second points relate to the full spectrum of card applications. The first deals with the task that faces the decision makers regarding the more advanced information system applications for smart cards. His second point relates to the kinds of questions Boeing's Subala likes to ask. Without a clear vision of what you want to accomplish, how can you accomplish it?
Butler 's third point is very important, for several reasons. If you need to get a better handle on physical and logical access control from an enterprise perspective, a one-card program is the way to do that. There is no technology reason not to move forward now, and the ROI benefits are definitely there.
It is also important to know that the bulk of the ROI for one-card initiatives comes from information systems applications. This is another reason full ROI may take a while: Deployment of smart card-based physical access control solutions is simpler and faster than the enterprise-wide deployment of many of the information system smart card applications, such as single sign-on (SSO).
So it is good news that the physical access control technology rollout can in many cases be independent of the rollout for the information systems applications. This especially benefits enterprises with older card technologies or a mix of technologies (Wiegand, magnetic stripe, proximity), because you can purchase smart cards that contain the older technology as well. This is what the U.S. federal government has done with its smart card program.
The government smart cards contain a magnetic stripe and a barcode. You can roll out multi-technology smart cards today and later upgrade or replace older physical access control systems that don't support smart card technology, or leave them in place for applications such as parking if the older technology is satisfactory.
Multiple-Technology Card Readers
There are options when it comes to the physical access control rollout. Multiple-technology readers allow you to upgrade card readers company-wide while, for the most part, leaving in place the same cards and access control systems that are there now. This can work even where there is a mix of card types within the company. Then you can phase in the one-card initiative smart cards one facility or region at a time, or according to whatever plan makes the most sense for your situation.
If you want to wait to roll out the smart cards to coincide with when the IT folks finish their deployment, you can be ready and waiting, having upgraded only those access control systems that require it in order to support smart card proximity access. If you want to add physical access control biometrics for the critical areas of selected locations, you can deploy smart cards there to hold the biometric information.
Card Technologies
Now let's take a look at some specifics with regard to card technology. There are two types of smart card chips: contact and contactless (what we think of as proximity).
Smart card chips need energy to function and some mechanism to communicate for receiving and sending data. Contact chips have a set of golden plates, also called contact pads, which are used to supply the necessary energy and to communicate via direct electrical contact with the reader. When you insert the card into the reader, the contacts in the reader sit on the contact pads on the card.
Smart cards without a contact pad make a connection between the reader and the card via radio frequency (RF). A small wire loop embedded inside the card uses the energy it receives to supply energy to the chip and to communicate with the reader. The International Organization for Standardization (ISO) has issued a number of standards for smart card technology, and adherence to a standard is what has made widespread use of smart cards commercially viable. The most common smart card technologies are described in Table 1 and illustrated in Figure 2.
Dual-Technology and Dual-Interface Cards
The U.S. federal government's security smart card program (mandated by HSPD-12 and specified by FIPS 201) requires contactless technology for physical access control applications (for speed) and contact technology for the intended information security applications (because higher data throughput is required for information security operations). In this regard there are two choices: a dual-chip card (each chip with its own interface) or a dual-interface chip (a single chip that uses both interfaces). Both types are shown in Figure 2.
Some companies have thought that they could save money by purchasing single-technology cards directly, or using existing cards they have on the shelf, and having a smart chip company embed the chip into the card. This approach can affect the quality of the card or result in damage or destruction to the card, and may void the original manufacturer's warranty. Not all physical access cards are embeddable; card thickness and quality of plastic are not the only requirements. There are variations in the manufacturing process that are acceptable for single-technology cards but not for embedded chip cards. Components internal to the card must be positioned more exactly for a dual-technology card. Proximity cards intended for chip embedding go through additional manufacturing QA steps, for example, to ensure that the coils in the card have remained a sufficient distance away from the chip area. It can be tempting to try to use existing card shelf stock, but if the cards were not designed to be embeddable, it probably won't work out.
Warranty is an important issue, and it is best to order dual-technology cards from a single company that will work with the original card manufacturer and provide a warranty that covers both technologies. Some companies will even extend the original manufacturer's warranty for an additional year.
Cost and Other Considerations
The issue of whether to use multi-technology readers or multi-technology cards is driven by the physical security applications. Cost will certainly impact the decision. Consider how many readers or entire systems will require upgrading under each scenario. In some cases the additional cost of using a multi-technology card will be less than the cost of upgrading readers or entire systems (panels and readers). This is an area that requires study and evaluation of all of the PACS technology options.
For a more in-depth look at smart card deployment issue, both technical and administrative, download the 262-page Government Smart Card Handbook, which contains a list of additional references, from
www.smartcard.gov/information/smartcardhandbook.pdf.
There are other aspects of one-card initiatives that can have unexpected impacts on budgets and schedules if not considered in advance of the project. We'll examine those issues in the next two articles in this series about one-card initiatives.
Ray Bernard, PSP, CHS-III is principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has provided strategic and technical advice in the security and building automation industries for more than 18 years. He is also founder and publisher of “The Security Minute” newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.
