Identity and access management (IAM) continues to a huge challenge for police forces throughout the country. Enabling employees to quickly and securely access data and facilities has always been a high priority. The growing number of data sources now available to police is making it more critical than ever that the right people have access to the information they need, and that this data can be assessed and monitored in a secure way.
“Portable and secure, contactless smart cards are fast becoming a valuable tool for safeguarding physical security and guaranteeing the privacy of sensitive electronic information across many sectors.”
- Holly Sacks
- HID Global
However, a legacy of disparate IT systems with little ability to work together means that this is no small undertaking. Police forces in different regions currently have different levels of access to different systems, each of which has its own IT platform and its own access control platform. The National Policing Improvement Agency (NPIA) has launched a review of IAM processes within the police force that is designed to bring these systems together in the best way possible. As a core part of the review, the NPIA is aiming to provide every police officer in the UK with a multi-application smart card that can combine logical and physical security.
The project focuses on authenticating the identity of officers and civilian staff who access police systems via a single user identity that can work across all police systems. With police increasingly accessing confidential data via mobile devices, in-car units and station-based PCs, the ability to safely access systems from any location will also cut costs incurred through travel while boosting the time available for frontline policing.
A nationally aligned smart card system would also reduce the IT and administrative costs associated with resetting forgotten usernames and passwords, and it would conserve man hours spent on these tasks. The police face constant demands to be a more visible presence on our streets and the ability to access IT systems with a single smart card minimises downtime spent on administrative tasks, and freeing up bobbies to get on the beat.
Another interesting potential application for smart card technology is in securely checking out firearms from a police station. Every time a police officer takes a weapon out of the police station, he or she has to show a warrant card to the person in charge of the armoury; that person will inspect the warrant card and sign a piece of paper; the paper is countersigned by the officer in charge; and only then does the requesting officer take receipt of the weapon. When the weapon is returned, the process is repeated. This kind of convoluted process is a prime example of one that could be handled electronically with a combination of radio frequency identification (RFID) tags on the firearms themselves, a contactless smart card for the officer and a contactless card smart reader at the checkout point.
As police forces across the country look to combine their logical (IT) security and physical access control into one multi-purpose system, there are several options open to them. The most basic form of secure access control is the magnetic stripe – or ‘mag-stripe’ – card, where magnetic data is stored on the back of the card. While mag-stripe cards are inexpensive to produce, they can be more costly in terms of maintenance. Magnetic stripe cards come in contact with the reader when inserted, and any debris that collects on the card inevitably ends up inside the reader and on its contact pins. They are also susceptible to magnetic interference and wear and tear: constant swiping through the card reader causes the stripe to deteriorate and eventually fail. This type of card is also extremely restricted in terms of its data storage capacity compared to that of smart cards, some of which now have up to 164K of memory.
But perhaps their biggest disadvantage is that they are very easy to clone. You can even buy a mag-stripe reader from a high-street store that will let you take data off one of these cards and use it to create an unlimited number of clones. This is clearly an unacceptable risk for the police force where officers have access to the personal details of criminals like terrorists and paedophiles. The consequences of this information being released into the public domain by someone with unauthorised access are easy to imagine.
A far more secure and flexible option is the new generation of contactless smart cards that use encryption and the internal computing power of a smart chip, reducing the risk of data being compromised or cards being duplicated. Contactless cards can offer three levels of security: single, dual or three-factor authentication. With single-factor authentication, using the card on its own will grant access to a system or open a door. Dual-factor authentication adds an extra level of security in the form of a PIN code. Three-factor authentication goes a step further, using a PIN code and an extra security measure such as a biometric scan. Contactless smart cards are traditionally used for physical access control and are now being adopted for logical access control as well.
The other advantage of contactless smart cards is the possibility for adding other applications such as contactless payments for the staff canteen, time and attendance records and authorised equipment check out.
As with all areas of the civil service, the cost of implementing and deploying a new, nationwide IAM system is a key consideration. However, the need to identify, authorise and authenticate users is a critical one. It’s clear that government and police see this drive as one that is definitely worthy of investment.
Portable and secure, contactless smart cards are fast becoming a valuable tool for safeguarding physical security and guaranteeing the privacy of sensitive electronic information across many sectors. When weighing up the costs of smart card technology against the benefits, it’s obvious that they can offer considerable value to the UK police force, saving time and money, protecting officers and civilian staff and safeguarding the public’s data.
HID Global is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk.