Presentation on theme: "San Francisco International Airport"— Presentation transcript:
Slide 1: San Francisco International Airport - Access Control and Biometrics Case Study
Kim Dickie, Asst Deputy Airport Director - Aviation Security

Slide 2: Background
- Access Control System (ACS)
  - MDI and Ingersoll Rand Hand Geometry installed 1991
  - Serve 20,000 airport ID badged employees
- Terminal 2 Renovation Project
  - New domestic terminal w/ 14 gates
  - Select a new ACS and Biometric system
  - Identify need for migration plan for all terminal facilities
- Smart Card Technology
  - Comply with new industry standards

Notes: Terminal closed since Opening in January No impact to opening date. Opportunity to identify new ACS, biometric and smart card technology. Completed an upgrade from an OS/2 to a Windows version, which was very challenging. The system no longer services the needs of the airport.

Slide 3: ACS and Biometric System - Current
- Approximately 1500 airfield access portals
- ACS Card Reader transactions: over 200,000 / day
- 200+ access portals equipped with Card / Hand Geometry Readers
- Hand Geometry Reader transactions: can exceed 35,000 / day
- Deployed at all Airport controlled access portals leading directly to the Secured Area

Slide 4: Access Control System - Current
Turnstile Vestibule, Card Reader/Hand Geometry, Access Portal

Slide 5: Biometric Technology - Current
How it works:
- Over 90 distinct hand measurements taken, including:
  - Length
  - Width
  - Thickness
  - Surface area
- 3-D image acquired
- 9 byte template is generated

Slide 6: Biometric Technology - Current
Hand Geometry Facts
- Easy to use
- Low failure to enroll rate
  - 2 out of 70,000
- Fast verification
  - 2 – 3 second average
- Low false rejection rate: 0.1%
  - probability an authorized user is rejected
- Hand Geometry Reader reliability: greater than 99.9%

Slide 7: Biometric Technology - Future
- Lumidigm™ fingerprint readers to replace infrared hand geometry readers
- Multispectral imaging technology used to collect fingerprint information from below the surface of the skin
- Avoids conventional fingerprint reader pitfalls:
  - Worn fingertips
  - Overly moist or dry skin
  - Soft press against reader
  - Susceptibility to fraudulent, artificial fingertips

Slide 8: Access Control System - Future
- ACS system: Lenel OnGuard
- HID iClass Elite “contactless” Card
  - Fingerprint, Hand Geometry, Mag stripe, proximity card
  - Space for a contact chip

Slide 10
[Enrollment process diagram. Box labels, in the order extracted: Pre-Enroll; Forms & Pre-Checks; CHRC; Manual Setup; Enroll; Time for completion not controlled by Airport - CA DOJ; Fingerprinting; Manual Verification – inconsistent return rate – 3 places to check for approval; “No-Fly” List; Manual Setup; Airport Security Training; Conduct; Document Archiving; Manual Filing; Badging & Card Issuance; Manual Results; End Enroll; Audit; Manual Audit Reports; Physical Access Privileges; Manual Data Reconciliation; Provision.]

Notes:

FORMS AND PRE-CHECKS - Paper-intensive process. First integration phase: in 2007, migrated the majority of databases into a single database, developed locally by a consultant, called the SAO database. Second integration phase: we were able to integrate the Identix LiveScan to the SAO database. When an individual’s fingerprints and information are captured, they populate the SAO database automatically. Third integration phase: audit of physical metal keys during the re-badging process, eliminating auditing as a separate process.

FINGERPRINTING - In 2009, the Badging Office started conducting the CAL DOJ fingerprint submission. Previously, an airport employee would have to go downtown in the city to complete this step of the background check, in addition to the required TSA CHRC/STA. The Badging Office was capturing two sets of fingerprints for the background check.

SECURITY TRAINING - In 2008, migrated from a video to a CBT platform. Currently, there is still a separate database maintaining all training records for both safety and security classes.

BADGING AND CARD ISSUANCE - Paper process for filing all documents. The Annual ID Audit is conducted as a manual process that takes months to complete.

PACS - Access is selected by the badging clerk.

Slide 12
[Automated enrollment process diagram. Box labels, in the order extracted: Badging, Card, Key, Issuance; Automate Data Input; Capture Fingerprints; “No-Fly” & “Selectee” list; CHRC Background Check; Upload & Verification; CA DOJ; Web Paper Forms; Pre-Enroll; Airport Security Training; Document Archiving; Conduct; Automate Doc Mgmt; Automate Training Registration; End Enroll; Automate Result Upload; Audit; Automate Data Reconciliation; Automate Audit Reports; Physical Access Privileges; Provision; Automate Provisioning & Role-based Access Privileges.]

Notes:

However, by automating the processes: reduce decision time, improve processing time, gain operational efficiency, achieve a higher level of security, and gain the capability to create new rules.

WEB PAPER FORMS - Forms will be printed w/ a barcode and signed by the employer; when the employee goes to the Badging Office, the barcode will be used by the clerk to populate the database. Creating a web portal for Authorized Signers to access and start the process. Access requests are automated, and access is pre-determined by position.

FINGERPRINTS - The enrollment record contains the biometric and biographic information for vetting required by federal agencies via the BASIC concept. Information (like fingerprints, driver’s license, passport information, etc.) is captured and stored in an electronic format on a centralized document management system, embedded in the enrollment software. Capture all biographic and biometric information for both the TSA and City (CAL DOJ) background processes.

SECURITY TRAINING - Automate training requirements by sending a URL to the Authorized Signatory, validating completion of training prior to credential issuance. Identify all training requirements to obtain an ID badge. Reinforces the policy of required training before issuance of ID.

BADGE ISSUANCE - Once all prior steps are completed, SAFE will allow the clerk to issue an ID badge to the employee. Continue to capture fingerprint and hand geometry biometrics. Issue new HID iClass Elite card w/ mag stripe and contactless chip.

PACS - SAFE boards both MDI and Lenel OnGuard at the same time. Privileges are the same. Two ID numbers: a unique identifier on the front and an airport number on the back of the card.

Slide 13: Identity Management System (IDMS)
IDMS solution connects siloed systems into a common framework
[Architecture diagram. Box labels, in the order extracted: External Processes; AAAE/TSC (BASIC, CATSA); No-Fly; Physical Security; Documents; PACS; Biometrics; Smartcard; Third Parties; Background Check / No-fly List Vetting; Credential Check; Vehicle/Parking; Access Control; Biometric, Smart Cards; Document Mgmt.]

Notes:

Be prepared to modify processes and adjust to new regulations, policies and technology, and to adhere to the BASIC concept of operations when finalized. By deploying the Airport IDMS system, the airport is positioned to adjust and change to all processes recommended by AAAE and the BASIC task force.

Rules-based system that allows requirements to be created. Manage identities w/ airport policy. Added a Safety/Security Enforcement Program: for example, three citations and you lose your privileges. All agencies involved in the Enforcement Program (Operations, Communications) would have the ability to view history. Identify when an employee may lose privileges based on number of infractions.

Position the airport to be able to participate in new initiatives: BASIC pilot, PKI applications, etc. Have left room on the new HID card to add a contact chip. Eventually, the E-Form will be authenticated by the Authorized Signatory using PKI and barcode, and printing of the application goes away and is replaced w/ all-electronic transactions.

Slide 14: IDMS – Automated Workflow
[Diagram label: SAFE Applies Pre-Defined Rules]
- E-Form Credential Application
  - Eliminates duplicate data entry
  - Streamlines manual enrollment of biographic data
- Badge creation is only allowed when:
  - STA & CA DOJ is approved
  - Role-based badge template selection
  - Twice Daily – SAFE is looking for STA
- Setup alert for company-authorized designee: Deactivate Card within 48 hours
- Automatic Notification Process
  - Creates Authorized Signatory or Employer correspondence
- Automated Compliance of TSA regulations
  - Audit process
  - Authorized designee training mandatory

Notes:

Other policies that SFIA is using their IdM application to facilitate and automate include things like:

1. E-FORM: Employers are responsible for the data entry for new employees, through entry into a web form that produces a barcode form. The barcode form that the employee submits to the Credentialing Office will auto-populate the database, so as to alleviate fat-finger errors and labor hours. Streamlines manual enrollment.
2. BADGE CREATION IS ONLY ALLOWED WHEN: Ensures compliance w/ background checks being completed prior to being able to issue a badge. SAFE is checking twice daily to see if background checks have been approved. This is still a manual process of checking for the return, but now the credentialing officer merely checks off in SAFE and it triggers notifications to the actual badge creation office to go ahead and issue a badge.
3. Badge creation is only allowed once all background checks and approvals have been checked off within the system. Also, role-based template selection makes it easy for a badging officer to determine the proper template, as it is preselected by SAFE based upon identity attributes during the enrollment process. This ensures NO credentials are issued without complying.
4. SAFE monitors all cards, keys and passes that are provisioned to each individual, so that if the individual is terminated there is a Failure to Return flag raised and communicated to the proper authorities to ensure outstanding cards and keys are returned. Notification sent to employer (Authorized )
5. Automatic revocation of access privileges based upon expiration date, training expiration and infraction record.
6. Alerts are sent to employers and Airport Security for lack of badge use in 90 days.
7. Multiple employers per identity: assigning a unique Person ID # to each employee for life, so that when they leave and if they come back their UID remains constant and their history can be traced.

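The issuance gate, automatic revocation, failure-to-return flag and 90-day inactivity alert listed above can be written as two pure, fail-closed functions. This is an added example, not SAFE's or the airport's code; the `Identity` record, role names, template names and action strings are hypothetical, and revoking access on termination is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MAX_CITATIONS = 3                 # slides: three citations lose privileges
INACTIVITY = timedelta(days=90)   # slides: alert on no badge use in 90 days
# Hypothetical role -> badge template map (role-based template selection).
TEMPLATES = {"ramp_agent": "SECURED_AREA", "concessions": "STERILE_AREA"}

@dataclass
class Identity:                   # hypothetical record, not SAFE's schema
    person_id: str                # lifelong unique Person ID
    role: str
    sta_approved: bool = False
    ca_doj_approved: bool = False
    training_expires: Optional[date] = None   # None: training never completed
    badge_expires: Optional[date] = None
    citations: int = 0
    last_badge_use: Optional[date] = None
    terminated: bool = False
    outstanding_items: List[str] = field(default_factory=list)

def issuance_blockers(p: Identity, today: date) -> List[str]:
    """Reasons a badge must not be issued; an empty list allows issuance."""
    blockers = []
    if not p.sta_approved:
        blockers.append("STA not approved")
    if not p.ca_doj_approved:
        blockers.append("CA DOJ not approved")
    if p.training_expires is None or p.training_expires < today:
        blockers.append("security training not current")
    if p.role not in TEMPLATES:   # fail closed on an unmapped role
        blockers.append("no badge template for role")
    return blockers

def standing_actions(p: Identity, today: date) -> List[str]:
    """Actions for an already-badged identity, evaluated on each rules run."""
    actions = []
    if p.terminated and p.outstanding_items:
        actions.append("FAILURE_TO_RETURN:" + ",".join(p.outstanding_items))
    revoke = (p.terminated        # assumption: termination also revokes
              or p.badge_expires is None or p.badge_expires < today
              or p.training_expires is None or p.training_expires < today
              or p.citations >= MAX_CITATIONS)
    if revoke:
        actions.append("REVOKE_ACCESS")
    elif p.last_badge_use and today - p.last_badge_use > INACTIVITY:
        actions.append("ALERT_INACTIVE_90D")
    return actions
```

Missing dates are treated as failures rather than skipped, so a record with an unset training or badge expiry can neither be issued a badge nor keep access.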
Slide 15: BASIC Pilot Program
- SFO to BASIC: XML Web Services - HTTP, SOAP 1.1
- Phase 1 – Biographic information completed
  - 5-15 Day Exercise (Design, Test, Deploy)
  - Initial round of integration testing complete
  - Testing conducted remotely
- Phase 2 – Biometric and Biographic in work
  - Integrate SAFE to Identix LiveScan – Fall 2009
  - Allow SFO to connect to BASIC

Notes: SAFE had passed the integration testing with BASIC and will conduct biographic data exchange and STA security assessment, but we are waiting for BASIC to get a “green light” on conducting the CHRC so we can exchange biometric data.

Slide 16: Lessons learned so far…
- Identify IDMS requirements and opportunities
- Phased approach - operational pilot
- Clearly define your current processes to identify potential cost savings
- Evaluate Network system to identify requirements
- Perform ROI - Metrics

Notes:
• Create integration for Lenel to the airport's CAD system, Intergraph. This was identified later in the process and ultimately became a critical path item. Public Dispatch is managed by another department.
• Created an operational test room, with the capability to also conduct acceptance tests and training for clerks.
• Work closely to identify the network path across multiple interfaces.