By Robert M Fee, General Manager BU North America, LEGIC Identsystems
Establishing a corporate contactless smart card program can be a daunting task when considered in its entirety. While the physical security team might drive the project, the end result can easily turn into a corporate-wide, all-in-one credential that provides many departments with a tool to reduce costs, improve efficiencies, and eliminate waste. Best of all, it is also increasing security for environments that require both physical and logical access.
However, true convergence covers more than just IT and Physical access. It impacts the organization at all levels and in all departments. With this fact in mind, an enterprise-wide vision should guide your corporate ID program. The following article offers an overview of some key attributes that have helped launch successful contactless smart card programs.
1. You need a cheerleader! Senior management involvement & support
Now, not too many executives really like to be called cheerleaders, so you’ll have to be careful on this one, but the idea is that you are creating and implementing change for your organization. Jurgen Muller of Cosmo ID, a smart card consulting organization recommends that you, “look for the senior level management change agent in your organization that will help you with both internal and external obstacles encountered.” You’re going to be moving beyond a single application to a tool that can add to the overall bottom line. Remember, our C-level executive thinks in these terms and that this will change your credential program from an expense to a cost-savings program that benefits the entire organization.
A well-designed smart card program allows you to reduce operating costs, improve operational efficiencies, enhance use of existing assets, reduce resource requirements and yes, of course, increase corporate security. And another great benefit is that you introduce the technology but you don’t have to manage other department’s use of the card.
- Team creation & hands-on involvement
Whether the application is physical access control or combined physical and logical access, it’s a team project. Physical Security, IT and Human Resources should work together suggests facilities manager, Corina Gerber, of PricewaterhouseCoopers in Switzerland. She encourages the creation of a team to execute a successful program and to spread this success throughout the organization. The core team tasked with strategic implementation will work with other departments to create a wish list with ‘must have’ and ‘like to have’ applications.
Why HR? The HR department interfaces with every single employee and can help construct a training program detailing how the new ID program will be introduced and used with minimal impact on day-to-day operations. Depending on program construction, the HR department might even be issuing the credential to new employees.
Other departments that can take advantage of the new smart card applications can include:
- R&D, Finance and Sales for secure printing applications
- Cafeteria/POS: Speed up checkout, reallocate resources/headcount
- Vending machines: Cashless payments reduces cash handling issues
- Manufacturing: Time and attendance to reduce “buddy-punching”
- Facilities management: Employee lockers, parking facilities, janitorial, lockers, and external off-line buildings and locks.
3. Clearly established goals, objects and expectations
Mr. Mueller, of Cosmo ID tells his clients, “with a clear plan and help early on, your program will be implemented faster with less issues and it will have a greater impact on your company.” The desire or need to improve existing security requirements typically drives implementation of a contactless program. Department goals such as physical security and IT logical access can easily be combined with corporate goals that focus on reducing head count, utilizing existing resources more efficiently, and even saving time via activities as basic as getting through the lunch line faster.
Once the new smart card has been issued, each department that wants to take advantage of the new technology can run pilots and make independent evaluations of other department’s projects. Each project can then be implemented in its own time frame and with a choice of vendors. Since smart cards can be updated in the field while in use, new applications can be added or removed with minimal impact on day-to-day operations or inconvenience to employees.
4. Implement Smart Card Best Practices
Any identity management system must take in to consideration not only built-in smart card security features but also privacy issues. Implementation of best practices can help protect both your employee and your company. Why use personally identifiable information such as a social security number when alternative models work as well?
To help you identify and define what you need to evaluate, the Smart Card Alliance published a document entitled “Best Practices for the Use of RF-Enabled Technology in Identity Management.” The document, and an associated FAQ: Best Practices for the Use of RF-Enabled Technology in Identity Management, is available on the Smart Card Alliance’s web site at www.smartcardalliance.com.
- Testing/evaluation of smart cards technologies
As with access control software, you have a very wide choice of smart card technologies. Contactless, contact or even dual-technology smart cards that utilize a contact chip with an antenna are readily available. Hybrid cards and readers that can contain multiple technologies such as 125K Prox and 13.56 MHz contactless to help address migration issues are also available. Because this is evaluated as a corporate investment, you need to consider both short-term and long-term impacts.
Remember, there are two components to the testing and evaluation of smart cards: Readers and credentials. The credential is a data input device designed to provide selected information once formal and authorized communications have been established. Leading contactless technology platforms (reader & credential chips) include major chip providers such as LEGIC Identsystems, NXP and Inside Contactless. Your underlying choice of contactless technology could enhance or limit your abilities to expand use of the credentials. ISO standards such as 14443 or 15693, while providing interoperability in certain cases, does not guarantee interoperability between reader and credential vendors at the data level. The key to any system is testing all of the components.
Here are several functions that your contactless reader should provide:
- The reader should have flash memory to allow future feature enhancements to be added in the field and to be configured independently by different suppliers.
- The reader must support the use of encrypted RF data transmission, mutual authentication and anti-play-back mechanism while communicating to any access credential.
- The reader should be capable of supporting the required application. Does the application require that the readers read and write to the credential or just read application data from the credential?
Some key questions related to the credential include:
- Does the credential support open or structured file management system as your choice determines future system enhancements, flexibility and supplier interoperability.
- Does the credential have sufficient memory capacity to supports today’s physical access control system and tomorrow’s ePurse and biometric requirements?
- Does the credential limit the number of application segments to a pre-defined set or does it provide flexibility to efficiently add applications for future system enhancements.
- Are you locked in to your credential supplier or are you free to evaluate and select from competing vendors? What are your testing criteria for card durability and printability?
- Have you evaluated printers and personalization equipment with each vendor’s credential?
6. Application Selection
Smart cards support multi-applications — different applications often offered by different vendors. If you select a specific vendor’s smart card, can it be used by other departments for other applications? Have you asked your vendor this question? At the end of the day, who actually owns and controls the credential, you or your vendor?
Smart cards provide you the flexibility to add applications at any time to the existing card population. Depending on the underlying smart card technology, there is no set sequence in which applications are implemented. Here are just a few of the most popular smart card applications in use today:
- Physical Access control
- Logical access for computer and network login
- Time & attendance
- Biometrics for physical/ IT access and time & attendance
- Cafeteria & vending machine payments
- Parking control
- Printer/fax/copy machine management and payments
- Follow-me-print applications designed to keep documents stored in a print spool waiting to be released to the printer until the employee has authorized it. This reduces documents from being forgotten at the printed and read by other employees.
- Roll-Out Process
Here’s where the rubber meets the road. Depending on the size of your organization you might take the plunge and do it all at once or consider slowly migrating to the new smart cards department-by-department or building-by-building. In any case, consider only implementing one application at a time starting with physical access or IT logical access and then add new applications once all the kinks are worked out.
On your side is your vendor. Let them help you address the rollout process based on their experience in similar situations. They want a smooth rollout as much as you do which is why they typically offer a full line of single technology and hybrid readers. Hybrid readers contain multiple reading technologies that allow you to continue using older technology such as 125K prox credentials for certain applications while you implement newer smart card based applications. In any case, keep the following in mind:
- Credential issuance process
- Will it be centralized or localized?
- Who has responsibility & authority to issue credentials?
- How are temporary IDs issued to guest, vendors and consultants?
- How to you address misplaced, lost or stolen credentials
- How do you address the daily question “I left my ID at home”?
- Employee training on use of credential
- Who, when, & how is this done?
- Revocation process
- Do your systems utilize a single database or multiple independent databases? Remember, multiple databases mean multiple steps to remove a credential from all systems.
Finally, remember that a successful smart card program takes time and attention to detail. The resulting program can be a showcase for your organization, but don’t rush things. The headache you might choose to avoid today can turn into an expensive migraine further down the road.