The Universal Badge

Jan. 27, 2009
Corporate security can take a lesson from the government’s FIPS challenges

A universal badge is an elusive commodity. It is what everyone wants, but it is difficult to develop or obtain. To check the validity of this statement, all you need to do is examine the huge effort, time spent and expenses that are still going on within our own government as they migrate to a universal badge (Federal ID card) for physical and logical access control.

The goal is a badge that can be used across various governmental organizations. There have been a large number of security manufacturers that have participated in the government universal badge standard (FIPS 201) program. This standard will provide a universal government badge and will ensure that the person who has the badge is actually who they say that they are. (The process to control the badge stock and authenticate the badge holder is an important aspect of FIPS 201.)

Incorporating this universal badge across many government agencies has been a huge challenge. Part of the challenge is that many different physical access control systems are already in place in government facilities across the country. Another is the tremendous number of people who must receive the new badges — including government employees, government contractors, military personnel, etc. Government organizations and individuals have also resisted complying. Some of the objections have been cost-related; others have concerned privacy issues raised by the required background checks. The Department of Homeland Security is not expected to meet the credentialing deadline until 2010.

The new government standard will ultimately have a major impact on the security industry as a whole, but just accepting the standard does not address all the issues necessary to reach the universal badge goal.

Corporate America is also looking for a universal badge to use across the enterprise. The goal normally is for universal identification, physical and logical access. Due to mergers and acquisitions, the universal badge can be difficult to develop and incorporate across a major company even for physical access, much less for both physical and logical access.

The Look
One of the issues to be addressed by the universal badge is the appropriate image that properly reflects the desired image of the corporation. For the most part, this is a physical appearance issue that is affected by color choices, corporate logos, fonts, employee photos, special requirements such as a clearance level, special security measures such as a hologram, etc.

The company security badge says a great deal about the organization as a whole and its concern about security. It attests to the quality of effort the Security and Information Technology (IT) departments have used to address security. It also shows the level of support that these departments receive from upper management. If the badge is not distinctive, well-designed and original, it is apparent that it is more an instrument of necessity than part of an orchestrated image campaign. The lack of concern for the quality of the badge speaks volumes about security and its role in the company.

Access Control
The other issue for a corporate universal badge is access across the enterprise itself, both physical and logical. On the physical access control side, when employees, and in particular upper management, travel between corporate sites, there is an expectation that the employee will have access to the appropriate physical areas at all sites. Without a universal badge, visiting employees are denied access, and many times that denial is due to different access control technologies at different locations within the company. This issue is particularly common when mergers and acquisitions have added different physical properties and locations to the corporation.

Even the same technology does not ensure access — if the protocols used by that technology are not standardized, access will be denied. It is one thing to have a badge that looks the same across the enterprise, projecting the proper image, and another thing to ensure that all the access control technologies and technology protocols are the same.

Multi-Facility Access
If a universal badge is in place (the same appearance, technology and protocol), then the remaining limiting factor for physical access is that the employee’s badge information needs to be loaded into the electronic access control database for each particular site across the company. If the employee’s badge credential number is not in the access control database and assigned to access control system readers at a particular company’s location, then the employee cannot gain access at that location.

Enrolling an employee into a company’s access control database often requires enrollment at each of the company’s sites, because many times, the company’s electronic physical access control systems are not linked together to allow a company-wide automated enrollment update. Since each site is usually autonomous and does not report to a common company access control server, some manual means of enrolling employees from other sites must be incorporated. This manual effort can be a phone call or fax sent from one site’s badge room to the badge room at another site. The employee’s badge credential is then manually loaded into the physical access control database for that given site. This approach enables each site’s physical security manager to control who has access to what areas within his or her site, yet still enables access to “general” area readers for any employee within the company.

Alternatively, an automatic process can be developed to enter the employee’s badge credential number into the access control databases of different sites. An automatic employee enrollment process or system is the ideal direction to go to achieve a “universal” badge, but such a process requires both a complex computer system and ongoing expert computer system support. An automatic electronic process requires a central server to send the information to physical access control workstations at all company sites. Downloading badge information to different manufacturers’ physical access control equipment requires a protocol conversion so the server can “talk” to the different systems. The protocol conversion enables the different manufacturers’ electronic physical access control equipment to share the information about an employee’s badge.
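The central-server enrollment described above can be sketched as follows. This is an added example, not code from the article or from any access control product: the two vendor record formats, the site names and every function name are hypothetical. It shows the protocol conversion per site, the site manager's restriction of visitors to “general” readers, and what happens when one site's workstation cannot be reached.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Badge:
    employee_id: str
    credential: int   # badge credential number read at the door

# Hypothetical record formats for two different manufacturers' systems.
def to_vendor_a(b: Badge) -> str:
    return f"ADD,{b.credential},{b.employee_id}"

def to_vendor_b(b: Badge) -> str:
    return f"{b.credential:08X}|{b.employee_id}"

@dataclass
class Site:
    name: str
    convert: Callable[[Badge], str]   # protocol conversion for this site's system
    general_readers: frozenset        # readers the site manager opens to visitors
    online: bool = True
    db: dict = field(default_factory=dict)   # stored record -> readers granted

    def load(self, record: str, readers) -> None:
        if not self.online:
            raise ConnectionError(f"{self.name} workstation unreachable")
        self.db[record] = set(readers)

    def allows(self, badge: Badge, reader: str) -> bool:
        return reader in self.db.get(self.convert(badge), set())

def enroll_everywhere(badge: Badge, sites: list) -> dict:
    """Push one badge to every site and report per-site status."""
    status = {}
    for site in sites:
        try:
            site.load(site.convert(badge), site.general_readers)
            status[site.name] = "enrolled"
        except ConnectionError:
            # Not enrolled yet: the badge is denied there until a retry succeeds.
            status[site.name] = "pending"
    return status

# Constructed sample data (hypothetical sites and credential number).
north = Site("north", to_vendor_a, frozenset({"lobby", "cafeteria"}))
south = Site("south", to_vendor_b, frozenset({"lobby"}))
west = Site("west", to_vendor_a, frozenset({"lobby"}), online=False)
visitor = Badge("E1001", 48213)
result = enroll_everywhere(visitor, [north, south, west])
```

The per-site status matters operationally: a site left “pending” behaves exactly like a site where the employee was never enrolled, so the central server has to track and retry it.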

The only other option for automatically transferring employee badge data requires a single manufacturer’s access control platform with central and/or regional servers. This would be an extremely expensive solution. There are, however, some other potential pitfalls with a single-manufacturer approach, such as the chosen manufacturer going out of business or merging into another manufacturer’s product line. It can be argued that a single manufacturer will provide the best service because you are a major customer. It can also be argued that you are at the mercy of the manufacturer.

Logical Access
Logical access can suffer from many of the same types of issues as physical access — except that a common interconnected network often exists within the enterprise IT system. The badge can be incorporated into an IT functionality that is already in place.

The challenge is often more of a “field” problem, because access control readers are usually not part of a typical office computer IT environment. If the badge is needed to gain logical access, the badge reader may not already be in place, which, for the most part, is the opposite of the problem for physical security access to a facility.

Lessons from the Government
A universal badge is not only a desirable goal, but it is also very important to both government and corporate entities. The government has produced a standard based on Homeland Security Presidential Directive 12 (HSPD-12) that has affected and will continue to affect the security industry. HSPD-12 will provide authentication via biometric identifiers and public key infrastructure as well as administrative controls of the badge stock and personal background checks.

Migrating to the standard does not, in itself, ensure a universal badge for the corporate world; however, the standard does provide a means of verifying identification to ensure the individual carrying the badge is who they say they are — a critical ability in these times of terrorism.

Different entities within the government still require different information to be stored in the badge technologies. These are standardized, but there is still an enrollment issue for physical and logical access to different sites and areas even with a universal badge.

Most companies would say that they have or are working towards a universal, enterprise-wide badging system. The problem is the definition of what a universal badging system really entails — it requires a definition by every organization within the company and these definitions may or may not agree. The challenge is to define a universal badge and its capabilities for the environment in which it will work.

Robert Pearson is a registered professional engineer and a member of the National Standing Committee for ASIS International. He teaches on integrated security systems and corporate security management at The George Washington University in Washington, DC. He is also a consultant for the Strategic Oil Reserve and manager of electronic security systems for Raytheon Company. In the past, Mr. Pearson has been responsible for electronic security for Texas Instruments worldwide. He has designed and installed electronic security systems for nuclear military assembly facilities.