Security

Access Denied

• By Matt Villano
• 11/01/08

Physical security technology moves into more sophisticated realms at last, while schools continue to rely on more traditional means of building access control.

ASK A HIGHER EDUCATION CIO what keeps her up at night and the answer is usually: security.

On the data (or logical) side, technologists have taken action with new systems to protect against virus outbreaks and data breaches such as those that have grabbed national headlines for exposing personal information. On the physical side, fears are more visceral. Not surprisingly, during the almost 19 months since the shooting tragedy at Virginia Tech that left 32 dead, many technologists have pulled out all the stops to deploy new emergency notification systems that work toward preventing a similar event from occurring again. And in almost every case, these new tools have markedly improved the safety of college campuses. The exception?

Building access control (BAC), where until recently, advancements have been few and far between. Building access control-- a catchall phrase to describe the systems that control access to facilities across campus-- has traditionally been handled with remarkably low-tech solutions: manual locks, electronic locks, and ID cards with magnetic strips. Recent improvements have included smart cards and keyless solutions that make use of shortwave radio frequencies (RF) to unlock doors when specially programmed key fobs are within 3 to 5 feet of a reader.

Sure, some schools are investigating newer systems that incorporate cutting-edge technologies such as biometrics and video recognition software (see "Go to the Videotape"). But for the most part, while just about every other aspect of security technology seems to be advancing at breakneck speed, the technologies behind building access control have progressed at what is comparatively a snail's pace.

Some security experts argue that innovation in this area is not necessary, supporting the common notion that "if it ain't broke, don't fix it." Still, with physical security topping the "to improve" lists of campus technology, security, and facilities pros, one can't help but wonder why BAC technologies have been taking a backseat, and how soon it will be before the next generation of technologies is here, assuaging administrators'-- and parents'-- fears.

From Magstripe…

In the radical 1970s, through the birth of the internet in the 1990s, many colleges and universities left their building entrances unlocked most of the time-- a physical manifestation of the "open" environment that historically has been the bedrock of academia. Even among those schools that secured doors, most doors were locked and unlocked manually, with standard jagged-edge keys or Marlock keys that incorporated an electric charge.

Phil Mullendore, executive director for the California College and University Police Chiefs Association, recalls that even on the campuses of institutions renowned as trailblazers, building access wasn't much different from the strategies of home residents. "You have a door, you have something that acts as a key, you use this key to unlock the door-- for most schools, that's been it," says Mullendore, who for 22 years was police chief at Pasadena City College (CA). "It sounds simplistic, but unless you're made of money, there really aren't that many ways you can control access to a building."

Go To The Videotape

MOST BUILDING ACCESS CONTROL (BAC) experts believe the future of their industry lies in biometric recognition technologies that grant access based upon certain physical characteristics of users-- in the case of higher ed, students, faculty, and staff. Others, however, say the future of physical security lies in something entirely different: video.

New systems incorporate the automatic door locks of building access control with video technologies more commonly found in basic surveillance systems. In many cases, the functions are combined in a single device-- a magstripe or proximity card reader equipped with a camera that records digital images whenever it senses movement within a 3- to 5-foot radius.

One of the vendors leading this charge is Barix, a Switzerland-based company that specializes in the research, development, and manufacture of IP-based audio and data distribution, communication, monitoring, control, and automation hardware solutions for commercial, industrial, security, and military applications.

Other vendors are found closer to home: Cisco Systems, IBM, and smaller companies such as Allied Fire & Security, to name a few. Many of these vendors' systems stand alone, operating independently of anything else on campus except the power grid.

In a handful of cases, at schools such as Bryant University (RI), the systems run over an IP network, transmitting information in real time over the campus intranet, back to a command center where it is recorded and analyzed by computers or humans (see "Convergence: Yea or Nay," in "Securing the Campus," special supplement to the CT July 2008 issue).

Despite the sophisticated nature of these systems, Phil Mullendore, executive director for the California College and University Police Chiefs Association, maintains the human component to these video systems is critical. "You can't give an electronic device discretionary decision-making power," he remarks. "Only a human can possess that."

The first innovation came in the 1990s, when schools deployed locks controlled by access cards pre-programmed with magnetic strips. Magstripe technology, as it was termed, was considered an upgrade over traditional jagged-edge and Marlock keys because the hardware on each entry point was considerably harder to pick. What's more, the magstripes themselves could be incorporated into student ID cards-- something students had to carry around campus anyway.

This was the thinking at North Dakota State University, where the school has used one of two magstripe systems since 1992. The original system, supplied by Synergistics, was replaced with a new and more sophisticated system (from The CBORD Group), which was installed last year.

All-told, the school has installed magstripe readers outside 250 doors across campus. At each door, users swipe their cards through the reader, and the reader compares information encoded in the strip against a local database updated regularly throughout the semester. If the user's information is contained in that database, he or she is granted access, and the door unlocks. If the user's information is not contained in the database, entry is denied. (Sound familiar?)

According to Joan Chapek, director of the school's telecommunications and emergency support technologies department, the system has served its purpose well, granting and denying access automatically at most doors around campus. Chapek admits the system's security can be compromised when students prop open doors for their friends, but she adds that she doesn't believe these incidents occur frequently.

"The system isn't perfect, but it automates a process that, for many years, was mostly manual for all of us," she says, noting that the current system runs off of a magstripe on the Bison Card, the school's student ID card. "By recording who has come and gone, the system also gives us a great way to track how safe each of our buildings really is."

As part of the access control strategy, NDSU worked with university police to create a communications call center to respond to any problems users have with the system. University police officials staff the center 24/7, and handle anything from basic troubleshooting (lost cards, students getting locked out, etc.) to emergencies. Chapek points out that there are a number of benefits to the call center. For starters, the facility helps to centralize management of the system, giving users one place to go with any problems they might have. But the call center also is a profit center: For access to the support, Chapek's department charges other campus departments $23 per month for each door. With 250 doors around campus, the system generates $69,000 of revenue each year.

"It's not a ton of money, but it is something," she says. "When you're a public institution in today's environment of dwindling financial resources, you take every penny you can get."

…to Prox

As part of the new CBORD building access control system that it adopted last year, NDSU plans to standardize on yet another BAC technology known as Prox, or proximity integrated circuit devices. This technology has been around since the late 1990s but is becoming more and more prevalent in higher education in recent years, since the system is considered more convenient than magstripe systems.

Just as with magstripe systems, the technology consists of a card and a reader. But unlike magstripe setups, the two components never need to touch. Instead, Prox revolves around a "resonant" circuit (which generates signals at a particular frequency), and an "integrated" circuit (which receives the signals and sends back information). The resonant circuit is inside the reader, and is always on. The integrated circuit usually resides in a key fob or smart card that the user carries, and is energized only when it receives the appropriate signal from the resonant circuit.

Once the integrated circuit has been activated, it transmits the card number via radio frequency to the card reader. From this point, the system works just like a magstripe system does-- the reader checks the number against a regularly updated database and grants or denies access accordingly.

This is the building access strategy at Dartmouth College (NH), where the school uses the system to control access on the vast majority of the school's doors. The system utilizes Wiegand readers (from Honeywell) and smart cards from HID.

According to Keith Cutting, director of the school's facilities operations and management department, the cards double as student IDs and are used for a variety of purposes. In addition to containing the smart card chip that operates the Prox system, the cards also feature a barcode and two magstripes-- one for point-of-sale transactions, and the other for declining-balance or debit-card transactions. "Students used to need to carry separate cards for various stuff around campus," he says. "Now one card does it all." And Cutting notes that a major benefit of the Prox system is convenience: Because door readers can communicate with the chips in the cards at a distance of within three to five feet, students rarely if ever need to take their cards out of their pockets as they access a building.

On the flipside, he admits that Dartmouth's system is susceptible to the same evil as the magstripe system at NDSU: If students prop doors open, there simply is no way to ensure those doors are secure. "You can only make a system so secure," he concedes. "From that point, if humans introduce vulnerabilities, there's really not much you can do."

RESEARCHERS AT WEST VIRGINIA University are investigating privacy-enhancing technology, which would lie on top of biometric systems as a second factor of authentication.

…to Next-Gen

Cutting and other technologists at Dartmouth also have installed biometric technologies at a handful of doorways and entry points on campus. In most cases, these technologies read users' fingerprints or handprints, compare points in each print against a local (and regularly updated) database, and grant or deny access based upon those criteria. These systems don't require users to carry any sort of identifying card whatsoever. To put it plainly, many security experts believe that biometrics represent the future of building access control. Why do these technologies work so well?

First, by eliminating cards of all kinds (which can be lost or stolen), they are deemed the most secure access technology on the market today. Arun Ross, associate professor of computer science and electrical engineering at West Virginia University, and one of the country's leading researchers in biometrics, insists cards and passwords are not secure because there simply is no way to determine whether or not the person using them is the rightful owner. "If you share a password with someone, they can start using it from that point forward," he says. "And if you misplace your key, it can be used by an imposter to gain access to a facility."

Ross has put his research into practice in Morgantown, WV, where he has installed a number of pilot biometric systems for specific labs and classrooms on WVU's main campus. In particular, some of the school's labs, plus a recreational facility, now have hand-geometry systems. To use them, students simply wave a hand in front of a reader; the device does the rest.

Ross says the systems help WVU officials track and be aware of the specific individuals who have signed into these facilities, both of which contain expensive equipment and highly protected information. Still, he admits these applications are not without their drawbacks. For starters, users have expressed a certain level of discomfort with the school capturing and maintaining personal identifying information such as fingerprints and handprints. What happens if the data are compromised? Will the data be used for something else? Ross says he regularly hears questions like these, and admits they are entirely valid. "It is scary to think about what can happen when your biometric data fall into the wrong hands," he says. "You only have 10 fingerprints; you only have two hands."

To address such concerns, researchers at WVU and other schools are investigating the security potential of privacy enhancing technology (PET), which would lie on top of biometric systems as a second factor of authentication. Another technology under development: "cancelable biometrics," which will enable users to cancel certain biometric templates and issue new ones if they think their data have been compromised.

How far off are these developments? For most schools, they could be pretty far. Ross says many of the latest and greatest biometric technologies are still under development, and are not ready for widespread deployment. He adds that many of the biometric systems currently available from vendors such as Probaris are prohibitively expensive, making it difficult for fundingstrapped higher education institutions to purchase them for widespread deployment across a campus. Ultimately, he advises, prices will drop and biometrics will supplant Prox systems as the building access control technology of choice. "There is no question this is the future. It's just a question of when that future will be affordable enough for everyone to embrace."

::WEBEXTRAS ::
Biometrics Revisited: Are biometric identification devices ready for prime time?
The Ins and Outs of Access Control at a Community College District
Subsribe to our Campus Security eNewsletter

-Matt Villano, a writer based in Healdsburg, CA, is senior contributing editor of this publication.