The logic behind physical-access controls

Unified security systems help manage threats, whether it's a hacker in China or a shady visitor at the front gate<@VM>RFP Checklist: | Physical-access systems

In the real world ' as opposed to Hollywood ' terrorist acts are more often low-tech than high-tech. Terrorists use box cutters and car bombs more often than laser-guided missiles.

Likewise, organizations have become increasingly aware that malicious hackers dialing in from half a world away could actually be a lesser threat than the guy who sneaks through the ancient card-reader lock on the door of a remote outpost.

Recent thefts from government offices of laptop PCs containing sensitive data offer ample evidence that physical-access systems ' long the domain of security specialists working with older technologies ' are as important to information technology departments as network security measures. (See chart, Page 36.)

For several years, there has been a serious effort to merge the two. This convergence of physical and IT, or logical, security is the philosophy behind Homeland Security Presidential Security Directive 12, the federal government's effort to issue personal identity verification, or PIV, smart cards to every employee and contractor. The cards specified in Federal Information Processing Standard 201 will be required for access to both physical assets ' typically, buildings ' and IT assets.

Convergence of the physical and IT security realms brings unprecedented advantages, and proponents highlight likely scenarios. For example, with a secured network that ties IT network security to the physical-access devices on doorways, administrators can make sure that a terminated employee will no longer be able to enter buildings. Every door lock and guard desk will know not to accept their credential. 'When you take someone out of the system, you want to take them out of the system everywhere,' said Sal D'Agostino, executive vice president at CoreStreet, a Cambridge, Mass.-based company that makes smart-card authentication hardware linking the two domains.

Digital systems will also benefit from information captured at physical access points. For example, an employee using a badge to enter the main office can't possibly be logging in to the network 500 miles away. The two events together might mean a cyberintruder.

Convergence also unites physical and IT security administration. That includes not only the employees but also the network directories, databases and monitoring tools for daily oversight. People charged with staffing or monitoring facilities ' guards at federal buildings in Washington, for example ' can have some decision-making taken off their shoulders, freeing them for other tasks and lowering the risk of security errors.

D'Agostino said CoreStreet's offerings help answer at least 95 percent of the questions likely to arise. One example: What local resources should be accessible to a person who shows a valid PIV card? 'We can pre-generate these responses,' he said. 'We don't need a secure connection to the database.'

What's more, a well-designed converged architecture provides performance improvements if it has the optimal division of centralized and distributed data processing. D'Agostino said centralizing too much on a single identity repository can burden the network and database with one-to-many hits, and distributing the intelligence allows more one-to-one transmissions. 'In some cases, you never need to touch the door with anything,' D'Agostino said. 'It just needs to see a valid message signed by a trusted source.' To achieve this, read/write PIV cards will carry a personal identification number, biometric and photo, and a digital signature signed by a trusted source, which will enable them to update remote systems.

But centrally managed databases can be effective even in less-automated local setups. It's the approach FIPS-201-approved integrator BearingPoint used when it implemented the Transportation Worker Identification Credential program at 28 sites overseen by the Transportation Security Administration. Some sites have what's called swivel-chair integration, with guards at desks looking up authentication information on the central database, said Gordon Hannah, a BearingPoint managing director who worked on TWIC.

He added that local authorities will still handle visitor control and policy, for which they might be granted the power to issue credentials that work only at that location. In contrast, 12 deepwater ports in Florida have a single system that automates transmission of centrally issued credentials in addition to suspension and revocation, he said.

Card tricks

Vendors say the federal government relies primarily on proximity cards, many of them made by HID Global. But FIPS-201 requires faster-transmitting, larger-memory smart cards and readers that follow International Organization for Standardization specification 14443. It also requires backward compatibility with the proximity card specification. Thus, so-called dual-technology card readers are a promising technology.

'The question is, do you go for cards first, or readers first,' said Mark Diodati, an analyst at Burton Group. He also recommended that agencies strongly consider card management systems, which provide the workflow tools to handle the upfront
vetting required by HSPD-12.

Physical-access control systems are the workhorses of physical security with command-and-control hubs for electronic door locks and readers, closet panels that accept the remote devices' usually proprietary relays, and a central server to manage them. The newer systems can handle other hardware, such as surveillance cameras and alarms.

But many physical-access control readers can't transmit enough bits to encode the new, 40-digit ID number required in federal specifications. 'You can make that new card work with the legacy systems, but there are risks,' Hannah said.

There is a push to upgrade some access-control hardware to IP to link them to logical systems, but the move is tricky. Card readers and panels must continue to operate during power outages ' a weakness of IP networks. But Lenel Systems International, a maker of physical-access software, has focused much of its recent development on IP. One example: a new controller panel, the LNL-2200, an Ethernet card that can handle reader transmissions from two doors and be strung along in groups of 32.

Lenel product manager Erik Larsen said the closet is the best place to install IP. 'There is a big push right now for IP-based readers,' he said. 'We don't see much value in it. The reason is the reader is on the nonsecured side' ' that is, outside the door.

Another issue is that physical-access control systems have no standards for cross-vendor interoperability. Most of the standardization problems are being tackled by the Physical Access Interagency Interoperability Working Group of the Government Smart Card Interagency Advisory Board.

Mike Butler, program manager of the General Services Administration's Managed Service Office and, until recently, chairman of IAB, who now works on GSA's HSPD-12 effort, said another ISO standard, 24727, for multiapplication smart cards, holds promise for access control. But, he said, ISO standards aren't a panacea. 'You can call it an ISO standard, but it doesn't mean anyone has to follow it.' A GSA-approved test lab also aids standardization, but he said it only tests if card data is in the proper format. 'It brings everybody up to a certain level. It still doesn't guarantee anything.'

Many manufacturers of IT network infrastructure are seeking convergence through partnering with physical-access vendors. Novell, for example, recently got together with Honeywell to link their identity-assurance and physical-access software.

Another promising standard, Service Provisioning Markup Language 2.0, ratified by the Organization for the Advancement of Structured Information Standards in April 2006, has as its goal to tie provisioning 'setting employees up with the resources for their jobs and removing them when they leave 'card-management and physical-access systems together in the proper hierarchy. 'Physical-access systems are just beginning to [become] more open and interoperable,' he said, adding that such systems would benefit from IT directory standards, such as Lightweight Directory Assistance Protocol.

One final option: shared-services providers such as the one EDS will build for GSA to handle HSPD-12 vetting and enrollment for agencies that don't want to do it themselves.

Physical-access systems

Vendor Product Major Features

(800) 529-9499
ActivID Card Management System CMS; customizable workflows, tamper-evident auditing, distributed batch of
service-bureau issuance, PKI registration/credentialing, Java cards
AMAG Technology

(800) 889-9138
Symmetry Homeland

Symmetry M2150 8DBC Controller

PACS; alarm, opt. video, monitoring, visitor management, badging, graphical maps, Windows single- or multiple-server configuration, unlimited clients/readers/cardholders

Control panel; eight doors/16 readers/250,000 cardholders, serial, dialup, and TCP/IP connections, 32 controllers per system, optional video monitoring


(617) 661-3554
Card-Connected Access Control


Wireless/card-connected access points; user rights and audit data propagated on card, wall-mounted readers, door locksets available from third-party partners

Wireless/wired handheld card reader; off-line operation, activity logs, multiple databases, CoreStreet server software, available with CoreStreet shared-service providers

Hirsch Electronics

(888) 809-8880
DIGI*TRAC Controllers


Control panel; serial, TCP/IP, and dialup, up to 64 outputs, ScramblePad or PC remote programming, alarm monitoring, modular, multisite scalability

Card reader/access control box; dual-technology personal identification number/bar code/biometric/smart-card entry, heavy-duty construction

Honeywell Integrated Security

(414) 766-1700
N-1000 Series Controllers

Pro-Watch Security Management Software Suite

Control panel; up to four doors, 31 controllers/25,000 cards per system, distributed database for optional offline operation, serial, dialup, and TCP/IP connections

PACS; Central and remote Windows servers, replicated cardholder database, distributed card activation/deactivation and status updating, HR interface, video support


(877) 663-7446
OneSign Physical/Logical Convergence appliance; consolidated authentication repository, failover, instant physical/logical user lockout, centralized monitoring/reporting Lenel, S2, Tyco integration
Lenel Systems International

(585) 248-9720
IdentityDefender Suite

Lenel Open Card Reader

Identity management system; end-to-end PKI-based workflow, Web-based
enrollment, card production and issuance, support for physical and logical security

Multitechnology reader; 125KHz and 13.26MHz proximity, 13.26MHz vicinity, optional
General Services Administration-approved PIV cards, modular keypad

S2 Security

(781) 237-0800
S2 Netbox Access Control Convergence appliance; dual reader/keypad, alarm, optional video, photo ID support,
multiple card technologies, scheduled portal unlock, enrollment, access histories
SCM Microsystems

(510) 360-2300
Physical Access Control Terminals (PACT) Contact/contactless card reader; federal smart-card standards (PAIIWG, NIST,
GSC-IS 2.1, etc), 3DES authentication, optional PIN pad, biometric reader, indoor or outdoor use
Software House (Tyco Fire & Safety)

(800) 507-6268
C*Cure 9000 Event
Management System
Client/server software for centrally monitoring security systems (alarms, video
cameras, etc.); badging modules, graphical maps, push installation, .NET integration

(305) 265-1565
AuthentX System Card issuance/authentication/revocation system; decentralized card
enrollment/issuance, optional centralized card production, GSA spec, optional
biometric scanners

CMS = card management system

GSC-IS = Government Smart Card Interoperability Specification

OCSP = Online Certificate Status Protocol

PAIIWG = Physical Access Interagency Interoperability Working Group's Physical
Access Control System ' Smart Card Technical Guidance

PACS = physical-access control system

PKI = public-key infrastructure security technology for issuing digital certificates

David Essex is a freelance technology writer based in Antrim, N.H.
Experts in government and the information technology industry all sounded the same theme when asked what to put in a request for proposals for a physical-access system that can live in the brave new world of convergence with logical security: Plan well. That oft-repeated advice can sound trite and obvious with other IT projects, but it might be the most important step. Upgrading or replacing older physical systems risks wasting resources if you don't have a specific vision of the smart cards, readers, biometrics, back-end infrastructure and network security scheme ' including digital certificates ' that will be in place five years from now.

Any plan will be heavily location-conscious. Some buildings may take highest priority for the newest, two-factor access systems; others might safely continue with transitional legacy and converged bridge technology such as new card readers and control panels; and still others can stick with older proximity cards. Some wings within buildings may need no door devices at all.

But don't get too comfortable. Agencies must have all employees using Federal Information Processing Standard 201 PIV cards by October 2008.

Accordingly, consider the following approaches:

  • If using a systems integrator ' almost a necessity, given the complexity of the architecture ' make sure it is on the FIPS-201 approved list.

  • Don't be mesmerized by technology and think it alone will solve most problems. FIPS-201 is really about process. You'll do better asking a vendor or integrator how they envision the connection to the issuing authority and whether the lag time for getting status data will meet your security needs. High-value sites might require daily ' rather than weekly ' updates if card volume is high, and you can't risk a single loophole.

  • Don't take card reader quality for granted. Look for International Organization for Standards 9001 quality control and adequate mean time between failures, and make sure the ones planned for outdoor locations are sufficiently waterproof and ruggedized, especially those with biometric features.

  • Examine maintenance guarantees and prices to ensure turnaround times meet your security requirements.

  • If considering a card management system, make sure it interfaces with the card-provisioning system you plan to buy.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected