Marrying a variety of technologies together into a single card seems to be the most cost-efficient access control solution for facilities with a high turnover rate or a graduating class of 4 or 5 thousand students each year, as is the case with my facility, the Georgia Institute of Technology. Such cards usually contain a picture for identification, magnetic stripe, bar code and maybe a radio frequency chip for proximity applications.
Lately, multi-technology cards have also begun to include smart chips. Georgia Tech has recently begun to consider integrating smart technology into its access system. It's a complex decision to make. Many of us may benefit from a look back at our initial specification process as we attempt to move forward.
Initial Needs Assessment
Trying to figure out the best card for your facility can be a daunting experience, but you can make it easier on yourself by performing an initial needs assessment. Georgia Tech serves as a prime example of an initial needs assessment that developed into a second strategy once the system expanded. When Tech first decided to use card access for its facilities that housed government-classified material, it chose a Weigand card using a nationally known and respected software solution, as well as a reputable integrator for its reader system. Our concern back in 1988 was protecting the card from duplication. The sole reason for the system was card access. Although the system worked well, we not only outgrew its card capacity (100,000 individually numbered cards), but we outgrew our initial need to have the card preprinted at the manufacturer with a predetermined series of numbers. Waiting for badges only the manufacturer could make had become a strain on our supply system. Our requirements had changed, and in 1994 we began to look for alternatives.
A Matrix of Requirements
In developing an initial needs assessment, one of the most useful tools for us was a needs and requirements matrix. Any facility can create such a matrix by listing the applications needed or desired, functions of the company, the card systems now in place and the method used to enable the process to function properly. If a card system is already in place, determine the capability of the system and whether it is supporting the entire operation or only segments. If you are using multiple cards to perform different functions, a matrix may show you synergies that you could exploit in implementing a multi-technology card system.
Our matrix helped us determine what our card's appearance, including
o Picture of holder
o Identification number
o Holder status (Faculty, Staff, Student, Contractor or Auxiliary)
We also used it to list potential technologies for given applications:
o Bar code
o Magnetic stripe
o Proximity (with and without PIN)
(It should be noted that the smart card solution was in its infancy with very few well known and proven products available.)
The second matrix helped us delineate just what we wanted to do with the card. Some of our considerations were:
o Visual ID
o Card access
o Found card instructions
o Parking control
o Vending machine
o Library book check out and inventory
o High-security access
o Handicapped access
o Cash and debit card
o True Windows NT platform
o Remote input capability from a distributed ownership responsibility
Specifying the System
Once we'd established the criteria, we began the bid process. We wanted to bid not only on a state-of-the-art security access system to include the peripheral units delineated above, but also on the integrator who would install and maintain the system.
Once the bid process identified the appropriate vendors, all vendors/integrators were interviewed on technical competence, maintenance and response, and financials. Financials (bid costs) were given a 30 percent maximum preference. Technical was given a 60 percent preference, and maintenance and response, 10 percent. This way, a low-ball bid would not override a superior technical proposal.
The system was competitively bid with four manufacturers/integrators submitting proposals. The winning bidder was Andover Controls, and Operational Security Systems of Atlanta, GA, won the integration bid.
The Georgia Tech ID card, called the Buzz Card after the school's mascot, was created using a photo for visual identification; mag stripe for card access, parking control, vending and debit; bar code for library check out; and a proximity feature for the handicap entrances. The Georgia Tech Research Institute chose to add a proximity feature with PIN alternative for its secure buildings. The card access system uses Andover Controls' Continuum software, which is practically limitless in the amount of card users available. The system has grown to more than 1,200 readers. It is one of the largest systems in the United States. However, as with any system that was developed and installed in the early 1990s, technology has progressed and we need to revisit our requirements and change and add criteria for an all-encompassing system.
If It Ain't Broke?
Many people abide by the axiom, "If it ain't broke, don't fix it." However, since Georgia Tech is a leading technological university, we can't sit on our hands and ignore advancements in access technology. Georgia Tech is presently reviewing its Buzz Card system to see if the incorporation of a smart card is the way the institute wants to go. Smart cards provide a great opportunity to enhance capabilities in banking applications, debit and user authentication applications, personal key information (PKI) for verifying electronic authorization, and securely storing personal information such as health records.
One particularly interesting aspect of the smart card is its use of validation proofs that contain information about who you are, what you are allowed to do, and when you are allowed to do it. This approach can allow you to centrally manage cards and update them remotely via public networks, and to then allow transactions to take place using the updated card without a network connection. CoreStreet of Cambridge, MA, is a provider of validation products for identity management and access control. With CoreStreet's Real Time Credentials' and KeyFast' products, a card provisioned once in Atlanta can be updated to access a facility in Taiwan even if it isn't updated prior to leaving Atlanta.
According to Salvatore A. D'Agostino, VP of Physical Access for CoreStreet, "The user presents the card to the system at the Taiwan location and it updates it with the latest set of credentials, all from the central remote location over a standard network connection ... If the previous input to the card was at 12 noon and a new update was sent at 12:10 p.m., the newest version would be added to the card the next time a card hits an access point. The system deals with privileges, changes, even revocations of previous authorizations, as well as log information in this manner". D'Agostino added that the "Real Time Credentials? solutions can be deployed anywhere in the world, in connected and disconnected environments.
As Georgia Tech considers a new smart card option, it needs to dust off its old needs matrix and add to it the smart card application attributes to determine if it is a viable and cost-effective product for the institution.
The present mag stripe/bar code cards are less expensive than a programmable chip card. Changing our card readers, AC1s (units that tell the head-end what type of controller it's talking to), and net controllers in order to use a smart card may be cost prohibitive. An alternative solution may be to add a smart card reader to the present card system where required.
A smart card reader, positioned in proximity to the existing reader, can add flexibility to the overall system without creating the need to change out all the system components. For those personnel requiring the smart card option, the smart card can be made to perform as a "one-card" system, depending on which card is used as the base system. The decision for Georgia Tech, as for any other facility considering new technology, will be: Is it worth it?
Robert F. Lang is the director of homeland security at Georgia Tech. Mr. Lang's more than 30 years in security have taken him from the FBI to the Lockheed Corporation, where he was the plant protection manager.