Physical security technology moves into more sophisticated
realms at last, while schools continue to rely on more
traditional means of building access control.
ASK A HIGHER EDUCATION CIO what keeps
her up at night and the answer is usually: security.
On the data (or logical) side, technologists have taken
action with new systems to protect against virus outbreaks and
data breaches such as those that have grabbed national headlines
for exposing personal information. On the physical side,
fears are more visceral. Not surprisingly, during the almost 19
months since the shooting tragedy at Virginia Tech that left 32
dead, many technologists have pulled out all the stops to
deploy new emergency notification systems that work toward
preventing a similar event from occurring again. And in
almost every case, these new tools have markedly improved
the safety of college campuses. The exception?
access control (BAC), where until recently, advancements
have been few and far between.
Building access control-- a catchall phrase to describe the
systems that control access to facilities across campus-- has
traditionally been handled with remarkably low-tech solutions:
manual locks, electronic locks, and ID cards with magnetic
strips. Recent improvements have included smart cards
and keyless solutions that make use of shortwave radio frequencies
(RF) to unlock doors when specially programmed
key fobs are within 3 to 5 feet of a reader.
Sure, some schools are investigating newer systems that
incorporate cutting-edge technologies such as biometrics and
video recognition software (see "Go to the Videotape"). But for the most part, while just about every other aspect
of security technology seems to be advancing at breakneck
speed, the technologies behind building access control have
progressed at what is comparatively a snail's pace.
Some security experts argue that innovation in this area is
not necessary, supporting the common notion that "if it ain't
broke, don't fix it." Still, with physical security topping the
"to improve" lists of campus technology, security, and facilities
pros, one can't help but wonder why BAC technologies
have been taking a backseat, and how soon it will be before the
next generation of technologies is here, assuaging administrators'--
and parents'-- fears.
In the radical 1970s, through the birth of the internet in the
1990s, many colleges and universities left their building
entrances unlocked most of the time-- a physical manifestation
of the "open" environment that historically has been the
bedrock of academia. Even among those schools that secured
doors, most doors were locked and unlocked manually, with
standard jagged-edge keys or Marlock keys that incorporated
an electric charge.
Phil Mullendore, executive director for
the California College and University
Police Chiefs Association, recalls that even on the campuses
of institutions renowned as trailblazers,
building access wasn't much different
from the strategies of home residents.
"You have a door, you have something
that acts as a key, you use this key to
unlock the door-- for most schools,
that's been it," says Mullendore, who for
22 years was police chief at Pasadena
City College (CA). "It sounds simplistic,
but unless you're made of money,
there really aren't that many ways you
can control access to a building."
Go To The Videotape
MOST BUILDING ACCESS CONTROL
experts believe the future of their industry lies
in biometric recognition technologies that
grant access based upon certain physical
characteristics of users-- in the case of higher
ed, students, faculty, and staff. Others, however,
say the future of physical security lies in
something entirely different: video.
New systems incorporate the automatic
door locks of building access control with
video technologies more
commonly found in basic
surveillance systems. In
many cases, the functions
are combined in a single device-- a magstripe
or proximity card reader equipped with a camera
that records digital images whenever it
senses movement within a 3- to 5-foot radius.
One of the vendors leading this charge is Barix, a Switzerland-based
company that specializes in the research,
development, and manufacture of IP-based
audio and data distribution, communication,
monitoring, control, and automation hardware
solutions for commercial, industrial, security,
and military applications.
Other vendors are found closer to home: Cisco Systems, IBM, and smaller companies such as Allied Fire & Security, to name a few. Many of these
vendors' systems stand alone, operating
independently of anything else on campus
except the power grid.
In a handful of cases, at schools such as
Bryant University (RI), the systems run over
an IP network, transmitting information in real
time over the campus intranet, back to a
command center where it is recorded and
analyzed by computers or humans (see "Convergence:
Yea or Nay," in
"Securing the Campus,"
special supplement to
the CT July 2008 issue).
Despite the sophisticated nature of these
systems, Phil Mullendore, executive director for
the California College and University Police
Chiefs Association, maintains
the human component to these video
systems is critical. "You can't give an electronic
device discretionary decision-making power,"
he remarks. "Only a human can possess that."
The first innovation came in the 1990s,
when schools deployed locks controlled
by access cards pre-programmed with
magnetic strips. Magstripe technology, as
it was termed, was considered an upgrade
over traditional jagged-edge and Marlock
keys because the hardware on each entry
point was considerably harder to pick.
What's more, the magstripes themselves
could be incorporated into student ID
cards-- something students had to carry
around campus anyway.
This was the thinking at North Dakota
State University, where the school has
used one of two magstripe systems since
1992. The original system, supplied by Synergistics,
was replaced with a new and more
sophisticated system (from The
which was installed last year.
All-told, the school has installed
magstripe readers outside 250 doors
across campus. At each door, users swipe
their cards through the reader, and the
reader compares information encoded in
the strip against a local database updated
regularly throughout the semester. If the
user's information is contained in that
database, he or she is granted access, and
the door unlocks. If the user's information
is not contained in the database,
entry is denied. (Sound familiar?)
According to Joan Chapek, director
of the school's telecommunications and
emergency support technologies department,
the system has served its purpose
well, granting and denying access automatically
at most doors around campus.
Chapek admits the system's security
can be compromised when students
prop open doors for their friends, but
she adds that she doesn't believe these
incidents occur frequently.
"The system isn't perfect, but it automates
a process that, for many years,
was mostly manual for all of us," she
says, noting that the current system runs
off of a magstripe on the Bison Card, the
school's student ID card. "By recording
who has come and gone, the system also
gives us a great way to track how safe
each of our buildings really is."
As part of the access control strategy,
NDSU worked with university police to
create a communications call center to
respond to any problems users have with
the system. University police officials
staff the center 24/7, and handle anything
from basic troubleshooting (lost
cards, students getting locked out, etc.)
to emergencies. Chapek points out that
there are a number of benefits to the call
center. For starters, the facility helps to
centralize management of the system,
giving users one place to go with any
problems they might have. But the call
center also is a profit center: For access
to the support, Chapek's department
charges other campus departments $23
per month for each door. With 250 doors
around campus, the system generates
$69,000 of revenue each year.
"It's not a ton of money, but it is something," she says. "When you're a
public institution in today's environment
of dwindling financial resources,
you take every penny you can get."
With 'cancelable biometrics,' users will
be able to cancel certain biometric
templates and issue new ones if their
data have been compromised.
As part of the new CBORD building
access control system that it adopted
last year, NDSU plans to standardize on
yet another BAC technology known as
Prox, or proximity integrated circuit
devices. This technology has been
around since the late 1990s but is
becoming more and more prevalent in
higher education in recent years, since
the system is considered more convenient
than magstripe systems.
Just as with magstripe systems, the
technology consists of a card and a reader.
But unlike magstripe setups, the two
components never need to touch.
Instead, Prox revolves around a "resonant"
circuit (which generates signals at
a particular frequency), and an "integrated"
circuit (which receives the signals
and sends back information). The
resonant circuit is inside the reader, and
is always on. The integrated circuit usually
resides in a key fob or smart card
that the user carries, and is energized
only when it receives the appropriate
signal from the resonant circuit.
Once the integrated circuit has been
activated, it transmits the card number
via radio frequency to the card reader.
From this point, the system works just
like a magstripe system does-- the reader
checks the number against a regularly
updated database and grants or denies
This is the building access strategy at
Dartmouth College (NH), where the
school uses the system to control access
on the vast majority of the school's
doors. The system utilizes Wiegand
readers (from Honeywell) and smart cards from HID.
According to Keith Cutting, director
of the school's facilities operations and
management department, the cards double
as student IDs and are used for a
variety of purposes. In addition to containing
the smart card chip that operates
the Prox system, the cards also feature a
barcode and two magstripes-- one for
point-of-sale transactions, and the other
for declining-balance or debit-card transactions.
"Students used to need to carry
separate cards for various stuff around
campus," he says. "Now one card does it
all." And Cutting notes that a major benefit
of the Prox system is convenience:
Because door readers can communicate
with the chips in the cards at a distance of
within three to five feet, students rarely if
ever need to take their cards out of their
pockets as they access a building.
On the flipside, he admits that Dartmouth's
system is susceptible to the same
evil as the magstripe system at NDSU: If
students prop doors open, there simply is
no way to ensure those doors are secure.
"You can only make a system so
secure," he concedes. "From that point,
if humans introduce vulnerabilities,
there's really not much you can do."
RESEARCHERS AT WEST VIRGINIA University are investigating privacy-enhancing technology, which
would lie on top of biometric systems as a second factor of authentication.
Cutting and other technologists at Dartmouth
also have installed biometric technologies
at a handful of doorways and
entry points on campus. In most cases,
these technologies read users' fingerprints
or handprints, compare points in
each print against a local (and regularly
updated) database, and grant or deny
access based upon those criteria. These
systems don't require users to carry any
sort of identifying card whatsoever. To
put it plainly, many security experts
believe that biometrics represent the
future of building access control. Why do
these technologies work so well?
First, by eliminating cards of all kinds
(which can be lost or stolen), they are
deemed the most secure access technology
on the market today. Arun Ross, associate
professor of computer science and
electrical engineering at West Virginia
University, and one of the country's leading
researchers in biometrics, insists cards
and passwords are not secure because
there simply is no way to determine
whether or not the person using them is
the rightful owner. "If you share a password
with someone, they can start using it
from that point forward," he says. "And if
you misplace your key, it can be used by
an imposter to gain access to a facility."
Ross has put his research into practice
in Morgantown, WV, where he has
installed a number of pilot biometric systems
for specific labs and classrooms on
WVU's main campus. In particular, some
of the school's labs, plus a recreational
facility, now have hand-geometry systems.
To use them, students simply wave
a hand in front of a reader; the device
does the rest.
Ross says the systems help WVU officials
track and be aware of the specific
individuals who have signed into these
facilities, both of which contain expensive
equipment and highly protected
information. Still, he admits these applications
are not without their drawbacks.
For starters, users have expressed a certain
level of discomfort with the school
capturing and maintaining personal identifying
information such as fingerprints
and handprints. What happens if the data
are compromised? Will the data be used
for something else? Ross says he regularly
hears questions like these, and admits
they are entirely valid. "It is scary to think
about what can happen when your biometric
data fall into the wrong hands," he
says. "You only have 10 fingerprints; you
only have two hands."
To address such concerns, researchers
at WVU and other schools are investigating
the security potential of privacy
enhancing technology (PET), which
would lie on top of biometric systems
as a second factor of authentication.
Another technology under development:
"cancelable biometrics," which will
enable users to cancel certain biometric
templates and issue new ones if they
think their data have been compromised.
How far off are these developments?
For most schools, they could be pretty far.
Ross says many of the latest and greatest
biometric technologies are still under
development, and are not ready for widespread
deployment. He adds that many of
the biometric systems currently available
from vendors such as Probaris are prohibitively expensive,
making it difficult for fundingstrapped
higher education institutions to
purchase them for widespread deployment
across a campus. Ultimately, he
advises, prices will drop and biometrics
will supplant Prox systems as the building
access control technology of choice.
"There is no question this is the future.
It's just a question of when that future
will be affordable enough for everyone
Biometrics Revisited: Are biometric
identification devices ready for prime
The Ins and Outs of Access Control at
a Community College District
Subsribe to our Campus Security
-Matt Villano, a writer based in Healdsburg,
CA, is senior contributing editor
of this publication.