The Universal Badge

Corporate security can take a lesson from the government’s FIPS challenges

Multi-Facility Access
If a universal badge is in place (the same appearance, technology and protocol), then the remaining limiting factor for physical access is that the employee’s badge information needs to be loaded into the electronic access control database for each particular site across the company. If the employee’s badge credential number is not in the access control database and assigned to access control system readers at a particular company location, then the employee cannot gain access at that location.

Enrolling an employee into a company’s access control database often requires enrollment at each of the company’s sites, because the company’s electronic physical access control systems are frequently not linked together to allow a company-wide automated enrollment update. Since each site is usually autonomous and does not report to a common company access control server, some manual means of enrolling employees from other sites must be incorporated. This manual effort can be a phone call or fax from one site’s badge room to the badge room at another site. The employee’s badge credential is then manually loaded into the physical access control database for that given site. This approach enables each site’s physical security manager to control who has access to what areas within his or her site, yet still enables access to “general” area readers for any employee within the company.

Alternatively, a process can be developed to automatically enter the employee’s badge credential number into the access control databases of different sites. An automatic employee enrollment process or system is the ideal direction to go to achieve a “universal” badge, but such a process requires both a complex computer system and ongoing expert computer system support. An automatic electronic process requires a central server to send the information to physical access control workstations at all company sites. Downloading badge information to different manufacturers’ physical access control equipment requires a protocol conversion so that the server can “talk” to the different systems. The protocol conversion enables the different manufacturers’ electronic physical access control equipment to share the information about an employee’s badge.
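As an added illustration (not part of the original article), the sketch below models the central-server approach: one common badge record is converted into each site's import format, while each site keeps its own access-group decisions. The two vendor formats, the site names and the group names are hypothetical and constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class BadgeRecord:            # common record held by the central server
    employee_id: str
    credential_number: int    # number encoded on the universal badge

# Hypothetical converters; both import formats are constructed for this example.
def to_vendor_a(rec, groups):
    if rec.credential_number >= 10**10:   # assumed fixed-width field limit
        raise ValueError("credential number exceeds 10 digits")
    return f"{rec.credential_number:010d}|{rec.employee_id}|{','.join(sorted(groups))}"

def to_vendor_b(rec, groups):
    return {"card": format(rec.credential_number, "X"),
            "holder": rec.employee_id, "levels": sorted(groups)}

@dataclass
class Site:
    name: str
    convert: Callable                                  # protocol conversion for this site
    general_groups: frozenset                          # open to any company employee
    local_grants: dict = field(default_factory=dict)   # set by the site's security manager
    database: dict = field(default_factory=dict)       # credential number -> enrollment

def enroll_everywhere(rec, sites):
    """Push one badge to every site; a failure at one site does not stop the rest."""
    results = {}
    for site in sites:
        groups = set(site.general_groups) | set(site.local_grants.get(rec.employee_id, ()))
        try:
            record = site.convert(rec, groups)
        except ValueError as exc:
            results[site.name] = f"failed: {exc}"
            continue
        site.database[rec.credential_number] = {"record": record, "groups": groups}
        results[site.name] = "enrolled"
    return results

def can_enter(site, credential_number, reader_group):
    """A reader admits a badge only if the site's own database holds it for that group."""
    entry = site.database.get(credential_number)
    return entry is not None and reader_group in entry["groups"]

# Constructed sample data.
dallas = Site("Dallas", to_vendor_a, frozenset({"lobby"}), {"E1001": {"lab"}})
boston = Site("Boston", to_vendor_b, frozenset({"lobby", "cafeteria"}))
alice = BadgeRecord("E1001", 48213)
```

The per-site result map matters operationally: a badge that fails conversion at one site is simply absent from that site's database, so the central server needs to report it rather than assume company-wide enrollment succeeded.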

The only other option for automatically transferring employee badge data requires a single manufacturer’s access control platform with central and/or regional servers. This would be an extremely expensive solution. There are, however, some other potential pitfalls with a single-manufacturer approach, such as the chosen manufacturer going out of business or merging into another manufacturer’s product line. It can be argued that a single manufacturer will provide the best service because you are a major customer. It can also be argued that you are at the mercy of the manufacturer.

Logical Access
Logical access can suffer from many of the same types of issues as physical access — except that a common interconnected network often exists within the enterprise IT system. The badge can be incorporated into an IT functionality that is already in place.

The challenge is often more of a “field” problem, because access control readers are usually not part of a typical office computer IT environment. If the badge is needed to gain logical access, the badge reader may not already be in place, which is, for the most part, the opposite of the problem with physical security access to a facility.

Lessons from the Government
A universal badge is not only a desirable goal, but it is also very important to both government and corporate entities. The government has produced a standard based on Homeland Security Presidential Directive 12 (HSPD-12) that has affected and will continue to affect the security industry. HSPD-12 will provide authentication via biometric identifiers and public key infrastructure as well as administrative controls of the badge stock and personal background checks.

Migrating to the standard does not, in itself, ensure a universal badge for the corporate world; however, the standard does provide a means of verifying identification to ensure the individual carrying the badge is who they say they are — a critical ability in these times of terrorism.

Different entities within the government still require different information to be stored in the badge technologies. These are standardized, but there is still an enrollment issue for physical and logical access to different sites and areas even with a universal badge.

Most companies would say that they have or are working towards a universal, enterprise-wide badging system. The problem is the definition of what a universal badging system really entails — it requires a definition by every organization within the company and these definitions may or may not agree. The challenge is to define a universal badge and its capabilities for the environment in which it will work.

Robert Pearson is a registered professional engineer and a member of the National Standing Committee for ASIS International. He teaches on integrated security systems and corporate security management at The George Washington University in Washington, DC. He is also a consultant for the Strategic Oil Reserve and manager of electronic security systems for Raytheon Company. In the past, Mr. Pearson has been responsible for electronic security for Texas Instruments worldwide. He has designed and installed electronic security systems for nuclear military assembly facilities.