Identity management is the foundation of a strong security program. At the heart of many identity management systems is an ID card, used by organizations of all sizes to enhance their security with multiple technologies, such as biometric identification.
Today, many identity management systems combine the physical and logical security functions, as well as many more, to provide a more integrated environment and a stronger security posture.
The need for the convergence of physical and logical security has never been greater. The need to keep private data safe and meet compliance regulations is causing organizations to look increasingly at logical and physical security together. By combining credentials and back-end verifications, these organizations gain efficiency and combined reporting. Often the result is that employees carry only one ID card that provides them with access to the building, charge privileges in the company cafeteria and the ability to log on to the organization¡¯s secure computers.
TECHNOLOGY OPTIONS
Authentication of an individual¡¯s identity is a key component of physical and logical security. It doesn¡¯t do any good to take somebody¡¯s fingerprint if an organization doesn¡¯t know who the person is in the first place. Proper background checks need to be performed, along with verification of birth certificates and drivers¡¯ licenses. Many companies add biometrics to provide a basis for ongoing verification of identity. In the U.S. government, for example, individuals have to provide a fingerprint when they enroll in the card program and later when they receive their ID cards. The fingerprints have to match or the individual does not receive the card. Fingerprints ensure that an individual does not lend his or her card to someone else.
Organizations also must decide how much technology is needed for their specific situation. Sometimes simple photo ID cards are enough. In Lima, Peru, for example, city officials wanted to provide citizens and visitors with safe, legal transportation. With more than 7 million people in the city, that was a daunting challenge. In 2004, however, they moved one step closer to achieving their goal with the decision to provide photo identification cards for all municipal drivers and assistants.
ID cards can also include magnetic stripes and bar codes to provide an inexpensive method of adding text information such as access privileges, membership status and employment history. This information can be decoded and translated for later computer processing.
At a fitness center in Wales, the U.K., managers created an automated, user-friendly system for multi-site centers that is capable of handling large volumes of information without losing reliability or performance. New membership cards now contain a magnetic stripe and are printed with a bar code and company name. Members swipe the cards at a wall-mounted terminal as they enter the facility, logging and authorizing the visit. To verify authenticity, an individual¡¯s photo is taken and compared to the member¡¯s photo on file. As a result, the system enables members to admit themselves without the need for an attendant, saving the center money. When the member¡¯s card is approved, an alert tells the instructor that a client has arrived.
Health care organizations the world over are also working to make their systems more efficient. In Kenya, the National Hospital Insurance Fund (NHIF) prints member ID cards in-house to reduce fraud and improve the process for patients. Members use ID cards to access medical benefits in NHIF accredited hospitals, with a magnetic stripe on the back of the card to identify members and dependents to card readers.
Even small organizations, such as a search and rescue operation in Pennsylvania, the U.S.A., use ID cards as part of their operation. In this case, ID cards prevent the intrusion of unauthorized individuals in searches, which could lead to life or death situations.
While magnetic stripes and bar codes are adequate for many companies, other organizations require more sophisticated technology, such as smart cards. Smart cards hold all of the programs and data necessary to manage identification and transactions in a very secure manner. They can be contact cards, which need to have direct contact with a card reader to work, or they can be proximity cards, which only need to be held near a card reader. Contactless readers communicate through coils of wire on the card itself.
In Medelln, Colombia, the Metro public transportation system now moves 350,000 individuals per day more efficiently than ever before after introducing new, contactless smart cards for its riders. Travelers can charge their travel on the cards and avoid lines at the ticket counter, getting to their destinations more quickly.
Many schools have also graduated to smart cards. At Everglades high school in Florida, the U.S.A., students have been using ID cards for school identification for approximately 10 years. Recently, the staff added a smart chip to the cards, enabling students to charge purchases with the card at vending machines, in the media center and for certain student activities. Now, Everglades students can even purchase yearbooks and prom tickets with their ID cards.
At New York City schools, all teachers carry ID cards embedded with fingerprints and photographs as mandated by state law and the city¡¯s Department of Education (DOE) policy. Substitute and part-time teachers must also carry a smart card containing a microprocessor chip embedded with additional information, including social security number and certain encrypted security codes. This security program is connected directly to the criminal justice system and provides immediate confirmation of criminal violations as recent as the night before.
MARKETPLACE TRENDS
While technology continues to become both more sophisticated and yet easier to use, three trends dominate the identity management marketplace today. First, in the United States, the government is becoming more involved through initiatives such as the Homeland Security Presidential Directive (HSPD) 12, which created a common identification standard for U.S. federal government employees and contractors. As a result, many government organizations are creating identity management systems using common ID cards. A subsequent standard, Federal Information Processing Standards (FIPS) 201, specifies the architecture and technical requirements, such as card elements, system interfaces and security controls, verifying the identity of individuals who want physical access to government facilities or electronic access to government information systems. Others are also affected by these requirements, including first responders such as police officers and fire fighters, who need to have access to government buildings.
The second trend in identity management is the growth of biometrics. Biometrics goes far beyond fingerprints today. A person¡¯s face, hand geometry, iris and voice can be measured and secured, adding an important layer of security to an identity management program. A health care organization in the Midwest began using smart cards with biometrics for patients and physicians to eliminate fraud. The combination of a smart card and biometrics provided the strongest and most reliable method of identification, reducing the rejection rate of biometrics alone.
While the cost of biometrics is still too high for many organizations, industry experts agree that biometric data is an important complement to existing security, adding one more level of protection that is difficult to duplicate. A third trend in identity management involves the growing use of certificates and Public Key Infrastructure (PKI). PKI is a networked system that enables users to exchange information and money privately and safely over unsecured, public networks such as the Internet. The digital certificate contains a public key that can identify and authenticate an individual or an organization, encrypting and decrypting messages and digital signatures. Microsoft¡¯s new Vista platform includes infrastructure to facilitate the use of smart cards containing a digital certificate, making online transactions more secure.
The fact that Microsoft has introduced certificate capabilities into its Vista program means the concept will become more broadly accepted. HID Global, a leader in secure identity, recently introduced its new Crescendo product that puts a smart chip on the HID access card to contain a certificate. Thus, an organization can add security to a card that an individual already holds.
ADDITIONAL SECURITY OPTIONS
Because identity theft is a growing problem, many organizations are adding visual security elements to their ID cards, making them harder to counterfeit. The most economical security element is a standard 3D holographic seal. If the seal is removed from the card, it either leaves a checkerboard pattern or destroys the hologram. Custom images add more security to an ID card. Organizations can also choose to add hidden text, viewable only by laser, or micro text, viewable only under high-powered magnification. In the case of New South Wales drivers¡¯ licenses, a holographic film is used for printing. The person¡¯s image is printed directly onto the hologram and then transferred to the ID card, making the card very resistant to tampering.
It does no good to provide secure cards if the printer is vulnerable to tampering. To secure the issuance of the cards themselves, some organizations add a higher level of integrated security between printer, software and materials. For example, a password control program defends against unauthorized printing by automatically disabling a stolen or illegitimately accessed printer. Special fluorescing printer ribbons enable companies to add logos and covert numbers to their ID cards. And a 24-hour notification process allows users to customize the authorized hours of a printer¡¯s operation. Violations trigger e-mail or text messages to security personnel.
In addition, organizations need to consider how they handle the transfer of credentials over a shared network. Keeping information private once it has been collected is a challenge, as is keeping identities updated to reflect changes in names and hair styles.
RETURN ON INVESTMENT
Measuring the success of an identity management program begins by setting the business strategy itself. If compliance is a goal, measuring compliance is important. If asset protection is a goal, measuring asset protection is critical. Other frequently measured criteria include cost, efficiency and fraud prevention.
Organizations such as the Open Security Exchange are actively working to put together a road map of physical and logical security strategies to define convergence opportunities for enterprise security. They will consider business process planning from strategy to tactics, using existing standards to ensure interoperability, scalability and investment protection.
A strong security program incorporates an integrated approach from beginning to end. Organizations that create a business case for the actual technology they deploy are more likely to see a satisfactory return on their investment.
Craig Sandness is Vice President of Internatinal Sales for Fargo (www.fargo.com).
For more information, please send your e-mails to swm@infothe.com.
¨Ï2007 www.SecurityWorldMag.com. All rights reserved.