John Fenske is vice president of product marketing identity and access management with HID Global
Organizations often avoid or delay change due to concerns about budget and the impact on productivity and workflow. This can be especially dangerous, however, in the access-control infrastructure, where a combination of technology obsolescence and escalating security threats can quickly cripple an organization’s ability to protect its people, facilities and data assets. It is far more effective to be proactive, rather than reactive, about change. This requires building an infrastructure that presumes and prepares for ongoing change to support evolving access-control needs, and enables the organization to preserve investments in its current infrastructure as it moves to new technologies and capabilities.
There are many reasons to embark on this path, including upgrading inadequate security and enhancing investment value and user convenience with a platform that supports multiple applications on smartcards or, in the future, Near Field Communications (NFC)-enabled mobile phones. The ability to embrace the positive aspects of change requires an access-control platform that can meet today’s requirements with the highest levels of security, convenience and interoperability while enabling organizations to adopt future capabilities without disrupting ongoing business operations.
Legacy security solutions can’t deliver this future, because they often use proprietary technology that is static. This makes them easy targets for attack and precludes their evolution beyond current abilities and security levels.
Interoperability and leveraging standards
Building an architecture that supports change requires careful attention to the “connections” between the architecture’s components. As components evolve — i.e. adding new equipment and systems, revisions and upgrades to existing systems — it can be a challenge to ensure that the components continue to function and deliver the expected security functionality that was originally intended. The evolution of standards within the security industry is a direct result of this challenge, and organizations such as the SIA, The Smart Card Alliance, PSIA and ONVIF are leveraging the industry’s expertise to address these challenges.
A prime example of these efforts is the Open Supervised Device Protocol (OSDP) and associated Secure Channel Protocol (SCP) for reader communications that have been standardized by the Security Industry Association (SIA). These protocols provide bidirectional, multidropped communication over an RS485 link, extending security from the card reader to the access controller. OSDP enables users to re-configure, poll and query readers from a central system, reducing costs and improving reader servicing.
Benefits of High-Frequency Contactless Smart Cards
In contrast with legacy solutions, the latest high-frequency contactless smart-card solutions are built for interoperability, as part of a larger identity ecosystem that is significantly more dynamic. These solutions also ensure that security is independent of hardware and media, making it much easier for organizations to evolve their infrastructure to support tomorrow’s needs. Today’s solutions also enable smart cards to be portable to smartphones so that organizations will have the option to use smart cards, mobile devices or both within their PACS.
HID Global’s iCLASS SE platform and iCLASS Seos card technology are the first to deliver these capabilities. The platform uses a new Secure Identity Object (SIO) data model that represents many forms of identity information on any device that has been enabled to work within the secure boundary and central identity-management ecosystem of the company’s Trusted Identity Platform (TIP). Any piece of data can be supported, including data for access control, cashless payments, biometrics, PC logon and many other applications. The combination of TIP and SIOs not only improves security but also delivers the flexibility to adapt to future requirements, such as adding new applications to an ID card. Additionally, iCLASS Seos credentials can be carried inside smartphones in a managed-access environment.
Today’s latest access-control solutions minimize disruption during migration through the use of multitechnology smart cards and readers that leverage these extensible and adaptable platforms. Another advance is the availability of encoders that enable organizations to encode and instantly issue cards using a single device. Multitechnology encoders make it easier for organizations to migrate from current technologies.
In the case of HID Global’s iCLASS SE platform, an encoder is available that provides an entirely open solution for encoding multiple credential technologies, including both Genuine HID and third-party credentials, so that users can upgrade their existing card populations for use with iCLASS SE platform readers. For maximum interoperability, the encoder solution supports Seos, iCLASS SE, standard iCLASS, MIFARE Classic and MIFARE DESFire EV1, as well as 125 MHz HID Prox for encoding Prox credentials, and for migrating from HID Prox to high-frequency technologies. Users can seamlessly and easily migrate from one technology to another by simply extracting access-control data from an existing card and writing it to the new credential, without having to manually input data or being encumbered by encoding details. For even higher security, users can “wrap” their access-control data within an SIO and then write it back to the same card. Based on open architecture, the encoder enables SIOs to be added to the full range of supported cards, including MIFARE and DESFire credentials.
Future-Proofing Secure Issuance
In addition to an organization’s foundational access-control card-and-reader platform, it is also important to consider current secure-issuance requirements with an eye to tomorrow. Today’s printers, card materials and software incorporate critical visual and logical technologies so that organizations can implement multilayered validation. There are a number of available hardware choices, including monochrome direct-to-card (DTC) solutions and high-definition printing (HDP) retransfer technology for contactless or contact smart cards. There are also high-throughput solutions that optimize performance and productivity. Today’s desktop card printer/encoder products also give organizations a single solution that can deliver the high-volume reliability and advanced credentialing features of large centralized printers, as well as the lower cost and smaller footprint required for the distributed printing model.
Secure validation is another important consideration. Most ID card issuance systems simply compare the person presenting credentials with identifying data that is displayed on the card. This two-dimensional identifying data may be a simple photo ID or sophisticated elements such as higher-resolution images, or it might be a laser-engraved permanent personalization attribute that makes forgery and alteration virtually impossible. Smart-card chips, magnetic stripes and other digital components add an important third dimension of security. With expanded data storage, cards also can include biometric and other attributes to further enhance validation.
Other elements to consider are speed and convenience. Printers with built-in programmers/encoders combine what previously were multiple processes into a single in-line card-personalization step, significantly boosting issuance speed, convenience and efficiency.
Transition to a New Platform
When is a good time to start the transition? There are many possible entry points from which to begin the migration process, including:
Merger or acquisition: Mergers and acquisitions often involve rebranding and/or merging of disparate administrative and other systems, technologies and processes. Usually at some point in the process, the organization will need to issue new credentials. With the cost of new technology being competitive with legacy systems, this would be a perfect time to migrate to a more secure, sophisticated and capable system.
Standardize on a single card: Due to rapid growth, decentralized administration systems and/or multiple physical locations, an organization may end up with several different access-control systems. Since new technology offers the ability to issue or change credentials remotely, it’s now possible to integrate access control into one system that is centrally managed. Standardizing all locations and employees on one system can increase security and improve resource management. Going a step further to mobile access control delivers the benefits of over-the-air remote provisioning and management of secure identity credentials.
Facility consolidation: If a company is moving or adding a building, new credentials will have to be issued for that location. This is an ideal time to look at access control for the entire organization. It may be time to standardize all locations into one system.
Re-issuance process: As new employees join, many organizations manage costs by purchasing additional cards that work with their old technology. Some organizations may also need to change their cards due to a new brand image or logo, at which point they can upgrade to newer technology.
New card applications: Organizations that want to add new applications such as time and attendance, secure print management systems or cashless vending functions will need to issue some type of associated card to users. They can migrate to a contactless smart card that combines access control with these other functions, enabling employees to carry a single card for many functions. Administration of these functions is centralized into one efficient and cost-effective system. Organizations also can seamlessly add logical access control for network logon to create a fully interoperable, multilayered security solution across company networks, systems and facilities. In the future, they can migrate to the convenience, flexibility and security of carrying digital keys and credentials on smartphones and other devices.
Risk-management improvement: Either due to insurance requirements or to improve risk-management costs by reducing liabilities, moving from an outdated system to a current one can dramatically improve the security in an organization.
Changes in security requirements: As a result of new legislation or regulatory requirements, an organization may be required to increase its security. Similarly, if a company acquires a new client that requires a high level of security, it may need improved access control. A new building tenant may also trigger the need for greater building or campus security, either to protect the parent organization or to comply with the tenant’s requirements. They also might want to add new visual-security technologies to prevent counterfeiting.
Security event: The reality is that sometimes it takes an unexpected event or security breach to move an organization to make the investment in a new access-control system. Ideally, an organization should migrate before there is a problem, especially if the system is still low frequency, which can be easily cloned.
There is significant value that can be derived from shifting the traditional way of thinking about change, and looking at it as a leadership opportunity rather than something initiated in response to an adverse event. With the right approach, users can easily and inexpensively expand and upgrade their systems to meet changing needs while taking advantage of new technologies. By using dynamic rather than static technologies, security becomes independent of hardware and media, and the infrastructure can evolve beyond current abilities with the adaptability to combat continuously changing threats. Making the right technology decisions today will also help organizations meet new requirements with the confidence that they will be able to preserve investments in their existing infrastructure.
John Fenske is vice president of product marketing identity and access management with HID Global