The Universal Badge

Corporate security can take a lesson from the government’s FIPS challenges

A universal badge is an elusive commodity. It is what everyone wants, but it is difficult to develop or obtain. To check the validity of this statement, all you need to do is examine the huge effort, time spent and expenses that are still going on within our own government as they migrate to a universal badge (Federal ID card) for physical and logical access control.

The goal is a badge that can be used across various governmental organizations. There have been a large number of security manufacturers that have participated in the government universal badge standard (FIPS 201) program. This standard will provide a universal government badge and will ensure that the person who has the badge is actually who they say that they are. (The process to control the badge stock and authenticate the badge holder is an important aspect of FIPS 201.)

To incorporate this government universal badge across many government agencies has been a huge challenge. Part of the challenge has been that many different physical access control systems are already in place access the country in government facilities. Another challenge is the tremendous number of government people that must receive the new badges — including government employees, government contractors, military personnel, etc. There has been resistance by government organizations and individuals about complying. Some have been cost-related some have been privacy issues with the required background checks. The Department of Homeland Security is not expected to meet the credentialing deadline until 2010.

The new government standard will ultimately have a major impact on the security industry as a whole, but just accepting the standard does not address all the issues necessary to reach the universal badge goal.
Corporate America is also looking for a universal badge to use across the enterprise. The goal normally is for universal identification, physical and logical access. Due to mergers and acquisitions, the universal badge can be difficult to develop and incorporate across a major company even for physical access, much less for both physical and logical access.

The Look
One of the issues to be addressed by the universal badge is the appropriate image that properly reflects the desired image of the corporation. For the most part, this is a physical appearance issue that is affected by color choices, corporate logos, fonts, employee photos, special requirements such as a clearance level, special security measures such as a hologram, etc.

The company security badge says a great deal about the organization as a whole and its concern about security. It attests to the quality of effort the Security and Information Technology (IT) departments have used to address security. It also shows the level of support that these departments receive from upper management. If the badge is not distinctive, well-designed and original, it is apparent that it is more an instrument of necessity vs. part of an orchestrated image campaign. The lack of concern for the quality of the badge speaks volumes about the security and its role in the company.

Access Control
The other issue for a corporate universal badge is access across the enterprise itself, both physical and logical. On the physical access control side, when employees and in particular upper management, travel between corporate sites, there is an expectation that the employee will have access to the appropriate physical areas at all sites. The lack of a universal badge will prevent visiting employee access and many times that denied access is due to different access control technologies at different locations within the company. This issue is particularly true when mergers and acquisitions have added different physical properties and locations to the corporation.

Even the same technology does not ensure access — if the protocols used by that technology are not standardized, access will be denied. It is one thing to have a badge that looks the same across the enterprise, projecting the proper image, and another thing to ensure that all the access control technologies and technology protocols are the same.

This content continues onto the next page...