In enterprise-wide identification card access systems, which came first – the card or the printer? In this twist on the chicken and egg, the card came first. Before barcodes, magnetic stripes, Wiegand, proximity, employee photographs and smart card chips, some organizations issued an enterprise-wide ID card or badge worn while at work.
Then came the ability of cards and badges to open secured doors – some now called them credentials – and what followed are myriad technologies encoded and embedded in and printed on the card. Establishing a robust identity management framework within an enterprise requires both the implementation of new business processes and the selection of appropriate credentialing technology. A next step: use of the identity card to get into the enterprise computer network.
The evolution of identity, especially across large enterprises, shifts the emphasis to the card printer, where features such as networking, throughput, ease of use, and modules for adding higher level security and embedding a diversity of technologies all have emerged.
In the U.S., the biggest users of card printers are the individual state driver’s license facilities thanks to more than 200 million licensed drivers. Somewhat controversial efforts are underway to make state driver’s licenses more secure but mostly through the process of authenticating the license holder before issuing a new or renewed card. The federal government, with both civilian and military card holders, continues to move to a more secured common access card.
Other countries have bolder identification card plans.
Germany, for example, has given the go-ahead on a national identity card for all citizens which includes radio frequency identification technology from chipmaker NXP. The new card allows German authorities to identify people with speed and accuracy. The new electronic ID card, which will gradually replace the old mandatory German ID cards, is one of the largest scale roll-outs of RFID cards with extended official and identification functionality, including the ability to enable citizens to identify themselves on the Internet by using the ID card with a reading device at home. After registering an online account bonded to the ID card, people in Germany will be able to do secure online shopping, download music and interact with government authorities online.
No doubt, card printers in Germany will be spitting out the new credentials starting next month.
A ROBUST IDENTITY FRAMEWORK
Still, in the U.S. and worldwide, most corporate enterprises require employees to carry cards or badges that verify the employee’s identity and allow the employee to access enterprise resources. However, changes in both the regulatory environment and the amount of risk that enterprises face from unauthorized access are driving security leaders to reevaluate their identity management practices. Establishing a robust identity management framework within an enterprise requires both the implementation of new business processes and the selection of appropriate credentialing technology, including the card and badge printers.
While there are many approaches to enterprise identity management, industry and government have worked for years to develop both a standardized identification process within the government and specifications for proving an individual’s identity and providing individuals with a secure identity credential. The process and technical specifications, which are now implemented throughout the federal arena, are documented as Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of federal employees and contractors.
So the future of cards and card-making devices may be in the chips.
Of course, identity cards and badges have evolved from printed tokens to secure documents that incorporate machine-readable technology. Legacy credentials asserted a privilege and, to bind the credential to the holder, identity information may have been printed or even written on the card or badge surface.
To validate credentials rapidly, issuers must provide an infrastructure that can verify the current standing of the credential holder. Machine-readable credentials became the norm to facilitate rapid verification. As a result, credentials that are read visually fill a different role than credentials that are read electronically. A printed badge can assert both identity and a privilege. A credential that is read by an electronic system asserts identity only. The system determines the privileges authorized for the credential holder.
SMART CARDS NEXT STEP?
An increasing number of government organizations and some corporate enterprises are now using smart cards as their employee identity credentials. A smart card-based identity credential stores the employee’s identity information securely. This information can include personal information (for example, a biometric or signed digital photo) or privileges (such as an electronic purse or digital certificates that allow computer logon). Additionally, because a smart card has computing power, it can require the user to provide authentication in the form of a PIN or, in some cases, a biometric before the card communicates with the interrogating system. And finally, a smart card can use cryptographic methods to establish a secure communication channel between the reader and the card, for example, using a challenge and response to require the interrogating system to authenticate itself to the smart card prior to any communication taking place.
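The exchange described above, as an added simulation that is not from the article or any vendor named in it: the card challenges the reader first and releases nothing until the reader proves it knows the card key, then enforces a PIN retry counter, and only then proves its own identity to the reader. The per-card shared key and the HMAC-based challenge and response are assumptions for illustration; deployed PIV cards use certificates and asymmetric keys instead.

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Simulated card holding a per-card key shared with the issuer and a PIN (both assumed)."""

    def __init__(self, card_id, key, pin, max_pin_tries=3):
        self.card_id = card_id
        self._key, self._pin = key, pin
        self._tries_left = max_pin_tries
        self._reader_ok = False   # reader has proven it knows the key
        self._pin_ok = False      # holder has presented the correct PIN
        self._nonce = None

    def challenge(self):
        # Step 1: the card challenges the reader before revealing anything about itself.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify_reader(self, response):
        # Step 2: only a reader that holds the key can produce the expected MAC.
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, b"reader|" + self._nonce, hashlib.sha256).digest()
        self._nonce = None        # every challenge is single-use
        self._reader_ok = hmac.compare_digest(expected, response)
        return self._reader_ok

    def verify_pin(self, pin):
        # Step 3: PIN check with a retry counter; refused until the reader is trusted.
        if not self._reader_ok or self._tries_left == 0:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._pin_ok = True
            return True
        self._tries_left -= 1
        return False

    def prove_identity(self, reader_nonce):
        # Step 4: release the card ID, bound to the reader's nonce, only after both checks.
        if not (self._reader_ok and self._pin_ok):
            return None
        msg = b"card|" + reader_nonce + self.card_id.encode()
        return self.card_id, hmac.new(self._key, msg, hashlib.sha256).digest()


class Reader:
    """Interrogating system that knows the card key (assumed shared-key deployment)."""

    def __init__(self, key):
        self._key = key

    def authenticate(self, card, pin):
        """Run the whole exchange; returns the verified card ID, or None on any failure."""
        answer = hmac.new(self._key, b"reader|" + card.challenge(), hashlib.sha256).digest()
        if not card.verify_reader(answer) or not card.verify_pin(pin):
            return None
        nonce = secrets.token_bytes(16)
        result = card.prove_identity(nonce)
        if result is None:
            return None
        card_id, tag = result
        expected = hmac.new(self._key, b"card|" + nonce + card_id.encode(), hashlib.sha256).digest()
        return card_id if hmac.compare_digest(expected, tag) else None
```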
One indication of the growing appeal of smart cards for corporate use came from HID Global earlier this year when it introduced Fargo direct-to-card printers, which offer solutions for creating customized photo IDs and encoding smart cards.
Short of a smart card future, many enterprises still issue proximity or magnetic stripe cards, to name two examples. For all of them, however, there are a few questions to pose when considering what type of printer is best.
While most enterprises issue credentials in color, there still is something to say for monochrome cards – they are less expensive and quicker to print. Do you want to print on both sides of the card? With a dual-sided printer you can add information to the back side of your cards, like contact information, return to sender, emergency numbers, etc. The downside is time and cost. How much security is another factor. Features can include security laminates, UV ink, microprinting, magnetic stripes and smart chips encoded with biometric information. Encoders are added to the printer by the manufacturer. Laminated cards require a special station in the printer.
Today’s ID cards can store a variety of information; but how much is really needed? It can be as simple as an identification number on a barcode or magnetic stripe, or as sophisticated as biometric information encoded on a smart chip. Beyond security concerns, the new generation of smart cards can open doors or sign employees in and out of a computer network.
CARD THROUGHPUT
When considering enterprise card printer solutions, also consider how many cards will be printed per year. Then there is the lifecycle of a corporate card. Card replacement can be a major factor in a large enterprise. Abrasive activities like swiping barcode or magnetic stripe card readers can wear on a card in a short period of time. There are some ways to extend the life of a card. Overlays are an extra panel on the printer ribbon that gets laid down on top of the card. The overlay can be clear or be printed with a security pattern or hologram. An overlay offers only minimal protection and will usually extend the life of the card one additional year. Lamination is an application of vinyl to one or both sides of the card, applied with heat and pressure. You can use laminate of different thicknesses and composition, but a laminated card will generally last longer.
There also is the need for integration of cards into other security and enterprise systems including computer/network access and visitor management. It’s a connected world today and buyers need to provision accordingly, both in physical and logical needs, notes Tony Ball of HID Global. The building of the future will be vastly more intelligent than it is now.
For instance, EasyLobby has an add-on software module that tightly integrates its secure visitor management software with access control systems such as UTC Fire & Security’s Picture Perfect. With such software integration modules, enterprise security leaders can issue different levels of access to visitors, contractors and employees directly from a visitor form. When a visitor or contractor is badged, the person’s name and photo, the employee being visited, the access level granted, the card number, and the expiration date/time is automatically passed from the visitor management database to the card access control database, and the card is activated in real-time.
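The visitor badging flow just described, together with the earlier point that an electronically read credential asserts identity only while the system determines privileges, as an added example that is not code from EasyLobby, UTC or the article: badging a visitor writes name, host, access level, card number and expiry into the access control records, every door decision is made from those records rather than from the badge, and signing out deactivates the card. The class names, the numeric access levels and the rule that a visitor form cannot request a level above the visitor ceiling are assumptions; the photo field is omitted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CardRecord:
    """One row of the (constructed) card access control database."""
    holder: str
    host: str             # employee being visited; empty for employees themselves
    access_level: int
    expires_at: datetime
    active: bool = True


class AccessControlDB:
    """Minimal stand-in for the access control database (hypothetical)."""

    def __init__(self):
        self.cards = {}           # card number -> CardRecord
        self.doors = {}           # door name -> minimum access level required
        self.events = []          # audit trail of every decision

    def decide(self, card_number, door, now):
        # The credential asserts identity only; every privilege comes from these records.
        rec = self.cards.get(card_number)
        if rec is None:
            verdict = "deny: unknown card"
        elif not rec.active:
            verdict = "deny: deactivated"
        elif now >= rec.expires_at:
            verdict = "deny: expired"
        elif rec.access_level < self.doors.get(door, 99):
            verdict = "deny: insufficient level"
        else:
            verdict = "grant"
        self.events.append((now, card_number, door, verdict))
        return verdict


class VisitorDesk:
    """Visitor management side: badging a visitor provisions the access DB in real time."""

    def __init__(self, db, visitor_level=1):
        self.db = db
        self.visitor_level = visitor_level   # ceiling for anything issued from a visitor form
        self.passes = {}                     # visitor name -> card number

    def badge_visitor(self, form, card_number, now, hours=8):
        # Fields handed across: name, host, access level, card number, expiration.
        level = min(int(form.get("requested_level", self.visitor_level)), self.visitor_level)
        self.db.cards[card_number] = CardRecord(form["name"], form["host"], level,
                                                now + timedelta(hours=hours))
        self.passes[form["name"]] = card_number
        return card_number

    def sign_out(self, name):
        card = self.passes.pop(name, None)
        if card and card in self.db.cards:
            self.db.cards[card].active = False   # deactivated the moment the visitor leaves
        return card
```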
There are other visitor security solutions.
Technology, of course, has elevated the “science” of badging from label-based stickers to smart badging technologies that provide instant visual verification of visitor status. For example, Brady People ID offers identification products that can work with conventional thermal, inkjet or laser printers. When used with visitor management solutions the badges can clearly and instantly indicate clearance levels and access credentials provided from the access control database, the Lightweight Directory Access Protocol (LDAP) directory or pre-registration information, along with photo images scanned from a driver’s license or passport. In addition, visitor information can be stored in a database for later review in the event of an incident, or mined for traffic flow analysis.
ALTERNATIVES TO CARDS
Keyfobs are an alternative to issuing cards or badges. For instance, the Wilbert Group, which makes tower cranes for customers throughout Europe and in Canada, has a time and attendance and access control system that uniquely combines the online systems with a mechatronic locking system through a credential from Legic, with its contactless smart card platform. Employees’ access authorizations are written to the ID via online readers. By the way, mechatronic systems intelligently integrate mechanical and electrical elements to perform increasingly complex and demanding functions. In this case, the mechatronic component of the door checks whether the credential is valid and opens the door if the employee is authorized to enter. The door requires no other additional devices or wiring of any kind. A modern update mechanism ensures that users receive modified access rights easily and quickly on an online reader and transfers these rights to their personal identification credential at individual access points.
Wilbert opted for an employee ID in the form of a keyfob because such fobs are small and can be securely attached to a bunch of keys. Now employees validate their chip at the turnstile every day to receive appropriate authorization as well as time and attendance.
“The concept impressed us,” says Chief Executive Franz Rudolf Wilbert. “It enabled us to improve our corporate security. Previously, every day was an open-house day; now people can only enter areas to which they are authorized.”
In Italy, an enterprise printer solution creates contactless smart cards for Bicincittà, an innovative bike sharing concept of the Comunicare Group. By participating in Bicincittà, registered users have access to a number of public bicycles. To allow maximum flexibility, the user receives the card which uses Legic technology for personal identification at the bike stations. It allows the Bicincittà member to take a bicycle from any cycle-park station in the city and return it to any free parking place at any time.
A bicycle’s movement is transmitted to a server and updates the availability of bikes in any given area. Each bike is anchored to a parking column that is equipped with an electronic locking device which has to be unlocked by presenting the card. “The integration of the advance technology was easy to realize,” says Manuela Quario, project manager of Comunicare.
PIV CARDS FOR AGENCIES AND ENTERPRISES
While fobs and chips are well established in Europe, in the U.S., the federal common access card movement, spurred on by FIPS 201 PIV cards, is moving ahead into non-government corporate use, too. A PIV interoperable credential, required for enterprises that do business with the government, will spread to related organizations within an industry to establish a basis for trusting identity credentials across organizations, according to a white paper issued by the Smart Card Alliance. A PIV compatible credential is a credential that meets the FIPS 201 technical specifications but does not follow the FIPS 201 process for credential issuance. Federal relying parties cannot automatically trust the card. But enterprises issuing compatible credentials can benefit by being able to use the growing range of products on the FIPS-201 approved products list.
Cards, readers, printers, software and other products can be purchased from a variety of vendors, be connected, and function as a system.
Enterprises can choose to implement interoperable or compatible credentials. FIPS 201 provides a defined framework and technical specifications for enterprises to follow for both. By basing identity credentialing efforts on FIPS 201, enterprises can:
• Follow a proven process for employee identity vetting.
• Implement an identity vetting process that provides the basis for trusting identities across organizations or with federal agencies.
• Implement an identity credentialing solution that has the potential to be interoperable and compatible across organizations or with federal agencies.
• Acquire proven products and services that meet FIPS 201 technical specifications from multiple vendors.
TOTAL PIV LISTING APPROACH
Some access control providers also have gained a FIPS 201 approved product listing. Just a few months ago, Brivo Systems, with its Software as a Service application for security management, won its listing in the Caching Status Proxy category. Caching status proxies periodically update certificate revocation status, allowing for rapid access control decisions when on-line certificate validation may not be possible or may create unacceptable delays. “The need for a continuously updated certificate status is critical across both logical and physical access control systems,” notes Don Fergus, vice president of IT risk at Intekras, a government and commercial professional services firm. “Without the implementation of such a capability, timely and streamlined verification and updating of cardholder status cannot be assured.”
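The caching status proxy behaviour described above, as an added example that is not Brivo’s or any listed product’s code: a periodically refreshed cache of revocation status answers door requests quickly, keeps answering from a bounded-age copy when the on-line validator is unreachable, and treats a missing or too-old answer as not "good" rather than as permission. The refresh and staleness limits, the status strings and the stand-in validator are assumptions.

```python
import time


class ValidatorUnavailable(Exception):
    """Raised when the on-line certificate status service cannot be reached."""


class CachingStatusProxy:
    """Keeps a periodically refreshed copy of revocation status so a door can decide
    quickly, and still decide (within a bounded staleness) when the validator is down."""

    def __init__(self, fetch_status, refresh_seconds=300, max_stale_seconds=3600, clock=time.time):
        self._fetch = fetch_status      # callable(serial) -> "good" | "revoked", may raise
        self._refresh = refresh_seconds
        self._max_stale = max_stale_seconds
        self._clock = clock
        self._cache = {}                # serial -> (status, fetched_at)

    def refresh_all(self):
        """Periodic job: re-check every known serial; keep the old entry if the validator is down."""
        for serial in list(self._cache):
            try:
                self._cache[serial] = (self._fetch(serial), self._clock())
            except ValidatorUnavailable:
                pass

    def status(self, serial):
        """Returns (status, source); source says how the answer was obtained."""
        now = self._clock()
        cached = self._cache.get(serial)
        if cached and now - cached[1] < self._refresh:
            return cached[0], "cache"
        try:
            fresh = self._fetch(serial)
            self._cache[serial] = (fresh, now)
            return fresh, "online"
        except ValidatorUnavailable:
            if cached and now - cached[1] < self._max_stale:
                return cached[0], "stale-cache"
            return "unknown", "unavailable"   # fail closed: no answer is never "good"

    def allow(self, serial):
        return self.status(serial)[0] == "good"


class FakeValidator:
    """Constructed stand-in for the on-line validator, with a switch to simulate an outage."""

    def __init__(self):
        self.revoked = set()
        self.online = True
        self.calls = 0

    def __call__(self, serial):
        self.calls += 1
        if not self.online:
            raise ValidatorUnavailable(serial)
        return "revoked" if serial in self.revoked else "good"
```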
While enterprises may see value in the PIV approach, it is still a slow climb for government agencies and their contractors. It really is an unfunded mandate, and it takes time and money as end users move away from their legacy systems, points out Patrick Hearn, vice president of government and identification markets – North America at Oberthur Technologies. Oberthur now supplies smart credentials to about 100 U.S. federal government agencies.
The Department of Homeland Security (DHS) is behind in its effort to fulfill the mandate to issue identification cards to its employees to provide them with secure physical and logical access to department resources, the DHS Inspector General reported late last year.
Hearn does see the data model used for authentication easily moving into the healthcare arena, though, whether as PIV I or interoperable. And, when it comes to large enterprises, if you value your intellectual property, you should be focused on identity management, adds Hearn.
Beyond stronger government and corporate credentials that call for feature-rich printers, anti-terror actions worldwide are also bringing biometrics to electronic passports and some national identification cards.
ADD IN BIOMETRICS
One example: Spain has installed multi-biometric electronic access kiosks in two of its largest airports. The technology provides a highly efficient and secure way to speed up the passport control process for European citizens at Barajas Airport in Madrid and the Barcelona Airport El Prat. Indra, a Spanish information technology company, uses biometrics from Neurotechnology as multi-biometric engines for the airport access control kiosks.
The solution allows citizens, after being identified in a kiosk, to perform a quick and simple procedure that includes the automatic reading of the electronic document and validation of its authenticity. The passenger is, at the same time, identified and matched to his or her document through biometric recognition and verification. Upon completion of this process, the traveler is issued an entry permit. Each individual process is supervised by officials of the national police. While similar systems have been established in other countries using a single biometric feature, such as the iris, fingerprint or face to verify the passenger identity, the Spanish system performs a more secure dual biometric test using facial and fingerprint recognition.
One application consists of a set of double-door lock gates, with identification kiosks inside. In this setup travelers access the lock gate through the first door, proceed with the identification inside and access the airport terminal through the second door that opens automatically after positive verification of the citizen’s identity.
How to Choose an ID Card Printer
Over the years, IDedge.com has found six questions that narrow down choices to a reasonable number. Ask yourself these questions.
1. Do you want to print in color or monochrome?
2. Do you need to print on both sides of the card?
3. How secure do your cards need to be?
4. How smart do your cards need to be?
5. How many cards will you need to print per year?
6. How long do you need your cards to last?
How It Works: On the Road to Shanghai, Contactless Style
New mechanical and electronic locking systems are the result of a partnership between Legic Identsystems and Shanghai United Sea Trading, a security systems integrator for offices and public buildings. From safe locks and cylinder systems up to architectural hardware and complete access control systems, the product portfolio includes all parts of an integrated security solution. Thanks to new smart card technology, “we are able to expand to electronic locking solutions in all fields of physical access control,” says Joseph Gu, the firm’s director.
Bottom Line Advantages of Common Access Cards
• Strong criteria for verifying an individual’s identity.
• High resistance to identity fraud, tampering, counterfeiting, etc.
• Fast electronic authentication.
• Issuance by official accredited bodies in a secure manner.
Privileged Users with High Risk Assets
In addition to stringent security policies, the U.S. Department of Homeland Security is subject to compliance regulations including Federal Desktop Core Configuration (FDCC) standards. Launched by the Office of Management and Budget in 2007, the FDCC ensures that federal workstations have standardized, uniform desktop configurations to enable more consistent and better documented security while reducing costs. Technology from Xceedium provides access control for privileged users, including system and network administrators, to its key network servers. The purpose-built solution enforces fine-grained access control policy on users, contains them to authorized systems and applications, and monitors, logs, records and reports their activities for compliance and security risk management. This gives DHS control over its privileged users and high risk assets.
Another Look at Badging Security – Four to Secure Your Facility
A May 2010 issue of Security magazine contained a security badging article, which drew a thoughtful response from Dr. David Haas, who works with Data Management Inc. (DMI) on a consulting basis. He founded Temtec Inc. in 1981 and now is with Tecco Corp. DMI offers TAB-expiring visitor passes among other access control solutions. Among his thoughts:
• Electronic badges are always the most secure IDs. For companies that invest in and use electronic badge systems for visitor and temporary badges, this investment provides them with the most secure badge, as the color change in a self-expiring badge is unnecessary when badges are read electronically.
• Time expiring badges and indicators do not relate to the authenticity or the ownership features of an ID. The expiring properties relate to the authorization features only. Time expiring badges only prevent the re-use of the credential after [a certain period of time].
• Plastic IDs provide the most secure form of visual authorization, authentication, and, when printed at the registration desk, provide ownership names and images of the visitor.