Converged Physical and Logical ID Management Nets Toronto Pearson International Airport Measurable Benefits


What does a converged identity and access management solution actually net users? Consider:

Imagine you're responsible for creating and managing physical access permits and passes for 175 employees per day--about 43,000 a year. Only they aren't your employees--they are your customers' workers, and they aren't allowed into their place of work without proper credentials. But it's taking days, sometimes even weeks, to issue those credentials. And on average, your staff needs more than an hour to process credential changes. Plus you're spending $49 per person processed.

The situation is hurting your customers: their employees are quitting before they even start new jobs. That makes it harder for you to attract new business. Further, the manual processes you're using aren't easily adapted to a slew of federal regulations hitting your industry. It's difficult and time-consuming to generate compliance reports. Finally, you suspect your physical security controls are not as tight as they could be, given that you're running three separate physical access control systems.

In a nutshell, these were the challenges facing Toronto Pearson International Airport, as outlined by Andre Romanovskiy, senior manager, security and privacy services, for Deloitte, during a May 7 webinar hosted by Quantum Secure. The Greater Toronto Airports Authority (GTAA) retained Deloitte to address the intertwined business and security issues at Toronto Pearson.

Toronto Pearson handles more than 30 million passengers annually. The airport's Pass/Permit Control Office (PPCO) manages the physical access control for the 33,000 employees of the tenants based at Toronto Pearson--from airline service and maintenance companies to concourse retailers--as well as contractors. The office issues and manages Restricted Area Identification Cards (RAICs), keycards, parking permits, vehicle markers, and Airside Vehicle Operator's Permits (AVOPs) and provides other administrative services and training. PPCO serves an average of 175 clients per day, and over 43,000 employees and contractors each year.

By law, PPCO must conduct a variety of checks against multiple internal and some external databases to ensure employers have performed necessary background clearances, that they carry appropriate amounts of liability insurance for AVOPs, and that any necessary employee training is complete. The PPCO also must collect biographic data, such as passports and driver's licenses.

Three major challenges

The Deloitte, GTAA and Toronto Pearson security team identified slow, labor-intensive PPCO processes as contributing to three key challenges for the airport, said Romanovskiy. These were to improve client services; enhance security controls; and create operational efficiencies.

The long wait times for credentials were a major issue, reflecting badly on the overall performance of the airport, said Romanovskiy. "One of the missions of the airport, and operations in general, is to...basically make it easy to do business...at the airport. That was challenging. So the airport was getting a number of complaints."

Security was another concern. "The existing system was built on silo databases, disparate systems that were not connected," he said. "It was hard for the PPCO to keep data in sync, to have consistent data and maintain the accuracy, quality and timeliness of data. [That] typically results in gaps and inconsistent security controls and makes it difficult to enforce those controls."

The manual processes were also affecting the airport's ability to adapt to increased business and regulatory changes. For example, the Canadian Air Transport Security Authority (CATSA) issued a regulation about more swiftly terminating badges based on clearance expiration. "The airport had a hard time complying with that given that information was spread across a number of databases," said Romanovskiy.

Integration, integration, integration

To address these business challenges, Deloitte and its client determined a solution for Toronto Pearson's PPCO operations would need to incorporate five core abilities:

  • Profile management, the ability to store employee profiles for all tenants in a single system;
  • Pass/keycard management throughout the life cycle of an identity;
  • Interfaces to the airport's three existing PACS systems to keep them updated and in sync with the keycard management module;
  • Connections to external systems and databases, such as the clearance and background check databases created by CATSA and Transport Canada;
  • Reporting and exceptions, indicating not just security issues but business process exceptions, such as missing or mismatched data, and the ability to handle such notifications as part of an automated workflow.

After researching industry offerings that could fill this grocery list, Deloitte recommended Toronto Pearson implement SAFE, the physical and logical identity management system offered by San Jose, Calif.-based Quantum Secure.

SAFE had the necessary policy-driven rules engine and workflow automation capabilities, said Romanovskiy. It also had what Deloitte judged the most robust technological platform for integrating disparate databases and systems, offering out-of-the-box "the richest set of PACS adaptors and interfaces in the market," he said. Some of these have been created especially for the airport market.

Automatic workflows

The solution now deployed for Toronto Pearson interconnects the three existing PACS; an incident management system; a web-based forms system; a vehicle marker system; and an electronic filing system. The system also integrates data from Transport Canada files and from CATSA's Restricted Area Identity Card (RAIC) system. By accessing and correlating this data, as well as becoming the central repository for employer and employee profile data, SAFE has enabled Toronto Pearson to greatly automate the work involved in issuing and maintaining security credentials, Romanovskiy explained.

SAFE contains the access rules and policies in its database and uses these to guide PPCO staff through the credentialing process, ensuring the correct access rights are granted based on an employee's pre-defined role. The system automatically queries the appropriate external and internal databases to confirm that background clearances, training, insurance, etc., are appropriate. If required data is missing, SAFE won't complete the credentialing process.

All this workflow is accomplished at a single workstation, whereas previously, PPCO staff had to walk around the office to log onto different terminals. Staff access to SAFE is also defined by roles, so individual staffers have access only to data they require for their jobs.

For employees coming to the PPCO to request status changes, the system automatically reconfirms required data. The system can also proactively monitor critical data attributes, such as AVOP employer liability insurance and violation tickets issued to vehicle operators. SAFE may then automatically deactivate AVOP passes if insurance levels dip below a set threshold and are not rectified within a specified time, or if an airside vehicle operator gets too many tickets.
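
The two rule types described above, fail-closed credential issuance and monitored AVOP deactivation, as an added Python sketch that is not Quantum Secure's code or SAFE's API. The record fields, thresholds and grace period are assumptions; the article gives none.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed policy values; the article states no thresholds.
MIN_INSURANCE = 5_000_000    # hypothetical minimum employer liability cover
GRACE = timedelta(days=14)   # hypothetical time allowed to restore cover
MAX_TICKETS = 3              # hypothetical violation-ticket limit

@dataclass
class Profile:
    """Constructed stand-in for one correlated employee record.
    None means the source database returned nothing for that attribute."""
    clearance_expiry: Optional[date]
    training_done: Optional[bool]
    employer_insurance: Optional[int]
    insurance_low_since: Optional[date] = None
    tickets: int = 0

def issuance_exceptions(p: Profile, today: date, avop: bool) -> List[str]:
    """Reasons issuance must stop; an empty list means proceed.
    A missing value is an exception, never an implicit pass (fail closed)."""
    out = []
    if p.clearance_expiry is None:
        out.append("clearance: no record")
    elif p.clearance_expiry <= today:
        out.append("clearance: expired")
    if p.training_done is None:
        out.append("training: no record")
    elif not p.training_done:
        out.append("training: incomplete")
    if avop:  # the insurance check applies only to vehicle operator permits
        if p.employer_insurance is None:
            out.append("insurance: no record")
        elif p.employer_insurance < MIN_INSURANCE:
            out.append("insurance: below minimum")
    return out

def avop_should_deactivate(p: Profile, today: date) -> Optional[str]:
    """Monitoring rule for an already issued AVOP; returns a reason or None."""
    if p.tickets > MAX_TICKETS:
        return "too many violation tickets"
    if p.employer_insurance is None or p.employer_insurance < MIN_INSURANCE:
        # Shortfall start unknown: treat the grace period as already used.
        since = p.insurance_low_since or date.min
        if today - since > GRACE:
            return "insurance shortfall not rectified in time"
    return None
```

Returning the list of exceptions rather than a bare boolean matches the reporting requirement listed earlier: missing or mismatched data becomes a workflow item instead of a silent denial.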

Measurable benefits

The solution took slightly under a year to implement, with a combined Deloitte/Quantum Secure team of five people, plus about five to six Toronto Pearson staffers. Implementation proceeded in phases that included building prototypes and reviewing these with business users to ensure the interfaces and functions would meet user needs and expectations, Romanovskiy said. The full system went live earlier this year. After just two months in operation, the system returned these benefits:

  • Average cost per customer dropped from $49 to $35, a 28% cost savings;
  • Average wait times for initial credentials plummeted from 560 minutes, or more than 10 hours, to 20 minutes, a 96% reduction;
  • Average service time for credentials maintenance decreased from 74 minutes to 25 minutes, a 66% reduction.

"Honestly, it was unexpected to achieve such aggressive results in such a short period of time," said Romanovskiy.

Maintaining a single source of employee and access rights data makes that information easier to manage and thus tightens security, Romanovskiy said. As necessary, SAFE triggers updates to other airport systems, ensuring data is synchronized among the systems.

With manual processes now automated, PPCO staff has more time to give to other high value activities, such as proactive monitoring, enforcement and planning. Romanovskiy also touted the flexibility of the SAFE solution, noting it can easily accommodate future growth of employees and additions of more IT and/or physical access control systems, inside the airport or out.
# # #

Query: How many databases hold identity data in your organization? What are your costs, in dollars and time, for managing that data across those domains? How well integrated are your PACS with those identity data sources?
