Trends in ID Cards

By John Wagley

Inside job. Northrop took an unusual step for the firm, turning to a normally external-facing business unit to set up the card databases. About six units with expertise in ID access and security were given the opportunity to submit proposals. The goal was to hone the unit’s ID access skills, building experience that could also be leveraged for outside work.

Each aspect of the overall program was segmented into a project for one of the teams, and it was set up to have quarterly deliverables. Last year, there were 21 projects, says Ward. They ranged from placing contractors in an active directory to the training and quality standards surrounding fingerprinting.

In another unusual step, Northrop also brought in a Six Sigma team at the project’s start rather than after its completion. The team helped define a strong investment return, says Ward.

Supplies. Once the card databases were worked out, it became far easier to contract with vendors, he says. The company sought vendors with DoD ID access experience, says Ward. A proof of concept was released about mid-2006.

One winning bidder was Novell, which would supply the bulk of the new software and hardware. It had both private sector and public sector experience, including with DoD. One selling point was that both the software and hardware are highly flexible, says Bowman.

Training. While staff had been consulted in the planning phase, as the startup date approached, it was also important that staff get specific instructions in how the cards should be used. The message to employees was reinforced through written documentation describing some of the system’s benefits and how it would work. Basic instructions were given in areas such as card insertion; an 800 number to the helpdesk was provided.

Local authorities were trained on issuing the cards. The company took a subset of helpdesk workers and did tier-one and tier-two support training. They were taught some troubleshooting basics to make sure that they would be able to respond quickly to problems, such as how to free up a card that had been frozen after too many wrong PIN entries.

Cost. Although declining to discuss what it has cost to purchase and install the system, Bowman anticipates cost savings. While helpdesk calls grew during roll-out, they’re now down to lower levels than before, he says, which should help cut labor costs. Employees are also now using one card in place of two, three, or more. Each card costs about $7 to $10.

Challenges. Getting all the technology to work together was sometimes challenging, says Bowman. In one case, bad cards were delivered and had to be reissued. When problems occurred, it was sometimes difficult to assess the cause, both in terms of the technology and the human factor. Was it a user problem? A vendor problem? “Everyone points fingers at one another on performance issues,” Bowman notes. But the experience has helped Northrop learn to isolate technical problems and ensure that “vendors put in the fixes,” he says.

Approval. Another challenging aspect of the initial roll-out was adjusting the governance. A major goal was to get the system to be FIPS-201 compliant. That meant that, among other things, information collection had to be handled a certain way, he says. Ward says it helped to use a government auditor, the General Services Administration’s Electrosoft.

Timing. Recently, the firm finished rolling out the initial installation. Northrop’s now experimenting with additional three-factor authentication methods. The new card readers Northrop bought for desktops, for instance, come with fingerprint readers, which could be broadly used at some point. The cards can also be programmed to serve as the logon access control mechanism for many additional Web platforms.

Online programs that staff now access by providing usernames and passwords could be switched over to digital certificate authentication. Cards may also be used for financial purposes, such as with Northrop’s Federal Credit Union, or possibly tied to a corporate card. “We’re just scratching the surface with the cards’ capabilities,” says Bowman.



The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.