Nat Pisupati, Regional Sales Director, Identity & Access Management, Middle East & Africa, HID Global
A number of factors are increasing demand for improved access control; new technology capabilities, escalating security threats, and the trend to converged access control solutions that combine multiple applications either on smartcards or a new generation of Near Field Communications (NFC) – enabled mobile phones.
Customers may not need the full range of available capabilities – yet. But they do need to meet today’s security requirements with a platform that will preserve investments in the current infrastructure when it’s time to migrate to future capabilities.
System integrators play an increasingly important role in ensuring that companies can optimise security for today’s installations while charting the most cost-effective course for migrating to future capabilities. This approach pays off in a much higher level of security for people and property, both today and down the road. It also improves operational efficiency and cost-effectiveness, especially for organisations that add other applications to their contactless access control cards, and those who eventually want to incorporate NFC-enabled smartphones into their physical access control system (PACS). At the same time, this forward-looking approach increases integrators’ revenue potential while enhancing their value to customers and creating future opportunities to support their evolving needs.
Building the Foundation: Reader and Card Technology
Although migration to new capabilities involves change, it is less disruptive when executed with multi-technology smart cards and readers that leverage an extensible and adaptable platform. Some organisations that are still using Wiegand or another magnetic stripe access control technology may be tempted to upgrade to a low frequency system to improve security. But this still leaves an organisation vulnerable, without delivering significant cost savings or an easy migration path. The best option is to move to contactless high frequency smart cards which, when properly implemented and deployed, provide the highest level of security, convenience, and interoperability, along with the adaptability to meet future requirements.
The latest smart card technology uses mutual authentication and cryptographic protection mechanisms with secret keys, and a secure messaging protocol delivered on a trust-based communication platform within a secure ecosystem of interoperable products. Ideally, smart cards also must feature a universal, standards-based card edge that improves adaptability and interoperability. Additionally, they must be portable for use on NFC-enabled smartphones so that customers have the option to use smart cards, mobile devices, or both within their PACS. Taking this approach provides the best possible security now, along with the flexibility to adapt to future requirements. There are a number of reasons why this is important.
First, it may eventually be advantageous for an organisation to combine multiple applications onto a single solution. In addition to providing centralised management for the organisation, this convergence of multiple access control applications delivers ease-of-use for employees by eliminating the need to carry separate cards for opening doors, accessing computers, using time-and-attendance and secure-print-management systems, paying for meals or transit fares, making cashless vending purchases, and other applications.
Second, there may be other new applications that organisations will want to add in the future. This might include biometric templates such as fingerprints, iris or hand geometry, or vein patterns that are securely stored on the card for additional factors of authentication. Other application examples include access control capabilities for building automation and medical records management.
Third, an organisation might want to adopt new technologies like the Commercial Identity Verification (CIV) card. CIV technology takes advantage of the infrastructure created by the Federal government’s Personal Identity Verification (PIV) program, bringing strong authentication mechanisms to applications outside Federal agencies. PACS can be upgraded to CIV by simply augmenting existing panels and door controller functionality, without rip-and-replacing the existing infrastructure.
Fourth, organisations may need to deploy new technology when there is a merger or acquisition, or the move to a new location that involves rebranding and/or combining administrative and other systems. Usually at some point in the process, the organisation will need to issue new credentials.
Fifth, it may be necessary for an organisation to improve risk management in the future, either because of insurance requirements or to decrease costs by reducing liabilities. This may require moving from an outdated system to one with significantly improved security. Ideally, organisations should migrate to the risk-appropriate solution before there is a problem, especially if the existing system is a low-frequency solution that is easily cloned.
Sixth, new legislation or regulatory requirements may prompt the need to increase security capabilities. For instance, the Health Insurance Portability and Accountability Act (HIPAA) imposes strict requirements for accessing medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.
And finally, organisations may need the flexibility to migrate at least a portion of their cardholders to digital credentials carried in NFC-enabled mobile devices. Mobile access control enables a more hassle-free security experience for users, who can carry all of their credentials on a carefully protected device that they rarely lose or forget. Mobile access control credentials will be provisioned in one of two ways — either via the same type of internet portal used to provision traditional plastic credentials (the mobile device will be connected to the network via a USB or Wi-Fi-enabled link), or over-the-air via a mobile network operator, similar to how smartphone users download apps and songs. Multiple physical and logical access applications can reside on NFC-enabled smartphones for improved convenience and security.
Despite the many benefits of mobile access control, this technology is unlikely to completely replace physical smart cards in the coming years. Instead, mobile access control solutions will co-exist with cards and badges so that organisations can implement a choice of smart cards, mobile devices or both within their physical access control system (PACS). Integrators will play a pivotal role in making sure their customers can navigate the migration to this hybrid access control environment, with the assurance that investments in today’s technologies can be leveraged in the future. They will need to offer their customers multi-technology readers and cards based on open standards, that enable both legacy credential and new credential technology to be combined on the same card, and that also support NFC-enabled mobile platforms.
One example is HID Global’s iCLASS SE platform, which includes iCLASS Seos credentials that are pre-provisioned with the company’s Secure Identity Object (SIO) data models to simplify deployment. SIO data models represent many forms of identity information on any device that has been enabled to work in HID Global’s Trusted Identity Platform (TIP) communications boundary, which ensures protected transactions within an ecosystem of interoperable products. The iCLASS SE platform supports multiple reader-to-panel communication options, including RS485 OSDP, CANBUS Hi-O, and Wiegand for legacy control panel compatibility. Plus, reader and credential upgrade options don’t require a physical change to the device. Interpreter packages are available that support specific card technologies and can be applied in the field and after the initial installation. Cryptographic operation changes or upgrades can be applied to both readers and credentials after the initial installation and card deployment. Also, customers optionally can manage their own cards and credential keys, and they can migrate to digital credentials on NFC-enabled smartphone when they are ready.
Secure Issuance: The Other Half of the Equation
In addition to providing a future-proofed card and reader solution, integrators can also help customers meet their current secure issuance requirements with an eye to tomorrow.
Today’s printers, card materials and software deliver the highest levels card security by incorporating critical visual and logical technologies for multi-layered validation. There are many options for accomplishing this. Integrators should help smaller companies choose solutions that meet their need for ease of use, since few have the support of extensive IT resources. Mid-size organisations will typically need intuitive solutions that are easy to use and scalable to meet evolving requirements. Large organisations need high card throughput to support growth and the ability to deploy a wide variety of risk-appropriate solutions.
Hardware choices include monochrome direct-to-card (DTC) solutions that combine quality, reliability and ease of use, as well as high definition printing (HDP) retransfer technology for contactless or contact smart cards. There are also high-throughput solutions that optimise performance and productivity. The latest desktop card printer/encoder solutions enable organisations to combine the high-volume reliability and advanced credentialing features of large centralised printers with the lower cost and smaller footprint required for the distributed printing model. For organisations that need cards to look alike whether issued in a distributed fashion or centrally, the best approach is to deploy the same retransfer print technology in both issuance environments.
Integrators should help their customers plan ahead for the most secure validation capabilities possible. Most ID card issuance systems rely on two-dimensional identity validation, comparing the person presenting credentials with identifying data that is displayed on the card. This identifying data may be a simple photo ID or sophisticated elements such as higher-resolution images, or it might be a laser-engraved permanent personalisation attribute that makes forgery and alteration virtually impossible. Smart card chips, magnetic stripes and other digital components add a third security dimension. In addition, expanded data storage on the card makes it possible to include biometric and other information, which further enhances the validation process.
Proper identity validation management requires routine synchronisation of pre-programmed data on the card’s electronics with personal data that is printed onto the outside of the card. In the past, organisations typically used a desktop card printer to add colour and text to a card’s exterior, the card was extracted from the printer’s output bin, and the pre-printed/pre-programmed IC number was transferred to a computer database either through manual entry or by tapping the card to an external desktop reader. Today’s inline smart card personalisation processes reduce this to a single step, enabling users to submit a card into a desktop printer equipped with an internal smart card encoder that personalises the card inside and out.
Nearly all major card printer manufacturers offer the option to build card readers/encoders into their machines, and they also offer card issuance software that is compatible with the integrated system. If an organisation already owns a card printer, it can usually be upgraded with an encoder in the field. By integrating readers/encoders into card printer hardware, organisations position themselves to leverage the benefits of smart card applications well into the future. And when they’re ready to maximise their smart cards’ functionality, they’ll already have the smart issuance part of the equation figured out.
Installers and integrators will play an important role in realizing the vision for higher-security solutions including mobile access control on NFC-enabled smartphones. Offering standards-based smart card technology that is portable to NFC mobile phones is the optimal approach for meeting customer needs today while charting a course for the future. By taking this path, customers have the option to use both types of credential technology in their PACS. They also can continue to adapt to new requirements with the confidence that they will be able to preserve investments in their existing infrastructure.