Automation cures Pearson’s security pain points
By Vawn Himmelsbach
The Greater Toronto Airports Authority (GTAA) is responsible for overseeing the airport’s Pass/Permit Control Office (PPCO), which administers restricted area identification cards, access control cards and permits for each of the approximately 33,000 employees at the airport – from airline employees to shopkeepers to food vendors to contractors. There’s a lot of turnaround at the airport, and the PPCO serves an average of 175 clients per day – which works out to more than 45,000 employees and contractors per year – for a variety of pass/permit requests.
The GTAA had a number of disparate physical security systems that
didn’t talk to one another. So it rolled out a software suite for
identity management and access control systems, which manages security
identities, compliance and events across these disparate systems.
“It’s so fast-moving, how do you manage that access control without
making any mistakes, without relying on a human being?” says Ajay Jain,
CEO of San Jose, Calif.-based Quantum Secure, which offers an
integrated policy platform for all underlying subsystems in a physical
security infrastructure, from identity management to enterprise
resource planning — just what the GTAA was looking for.
The lineups and processing time at the PPCO had increased beyond
acceptable levels – it was taking 560 minutes to process one
pass/permit request. The reason? It was using an in-house system that
was cobbled together by various contractors over a number of years,
which was limited in scope and had come to the end of its life.
“We were using a home-built inventory system along with a large number
of other systems, so we had six or seven systems we were managing with
individual data in each system,” said Bryan Scott, senior manager of
security infrastructures with the GTAA.
Scott was looking to transform this system of siloed applications that
shared common and related information into a single overall management
system, automating all manual processes and streamlining operations, to
cut down the time required to process access cards, identity cards and
It was also looking for a system that would address the next 10 to 15
years of growth at Toronto Pearson, and move it toward more of an
automated compliance-related framework while decreasing the cost of
Through an open tendering process, it chose a proposal from Deloitte
& Touche Canada using Quantum Secure’s SAFE technology.
The project took 18 months and was completed in December 2008. Today,
using the SAFE software suite, it has a central administrative
repository that pushes information out to the other systems,
eliminating multiple data entry. This, however, doesn’t have anything
to do with the monitoring of and response to security issues – it’s
strictly to ensure that access controls are in place, such as with the
Restricted Area Identification Card (RAIC) system and Transport Canada.
Those systems can still operate independently of each other if required
from a business confidentiality perspective, but ultimately they’re able
to talk to each other.
The average cost per client has been reduced from $49 to $35, while
average wait times have dropped from 560 minutes to 20 minutes. The
average service time has dropped from 74 minutes to 25 minutes.
“We’re not double-entering information, and the information is
automatically transferred,” says Scott, “which means when the client
leaves the office, everything is working, whereas before there’d be a
delay.” Previously, a client’s access card wouldn’t work right away,
and it could take some time before that information was available to
other systems. Now, not only can employees get to work faster, there’s
better data integrity because there’s only one source of data entry –
and less chance for human error.
“When an issue occurs, it’s addressed immediately as opposed to having
to jump from system to system and potentially losing track of the
issue,” said Scott. “It allows for better control of access.”
Every night, for example, the Canadian government sends over a list of
authenticated identities that are allowed to work at the airport, based
on information from its criminal database. In the past, a file was sent
to the airport each night and someone had to manually compare it with
two disparate access control systems – and take necessary action based
on any discrepancies. “This whole process is fully automated now, so
the human element is completely removed,” said Jain.
Another example is Airside Vehicle Operations, which provides small,
motorized vehicles that transport fuel and supplies on the airside. To
drive one of these vehicles, you must be certified and meet specific
insurance criteria, meaning you have to carry about $10 million worth
of insurance from two or three different insurance carriers.
Authenticating these drivers used to require a lot of ongoing work.
The SAFE system now connects to the Airside Vehicle Operations system
and training database to automate this process and send out alerts if
required. If an insurance certificate has expired, for example, an
alert is sent out to the appropriate person.
The GTAA was looking to integrate various physical security systems,
both on the front-end (for the PPCO) and the back-end (systems with
physical security controls). “So it’s about efficiencies, but at the
same time it’s about improving security controls by having automation
in place,” said Andre Romanovskiy, senior manager of security and
privacy services with Deloitte & Touche Canada, and also the
project lead. “Previously it was all manual.” And manual, he said,
leads to human error and inefficiencies.
Quantum’s role was to customize the system to the airport’s
requirements, while Deloitte provided the system integration work,
testing and client-facing project management. Deloitte is now working
with a couple of airports in the U.S., as well as another airport in
Canada that’s looking for similar automation capabilities. “Pearson is
the largest airport in Canada and they have a lot of unique
requirements as a hub,” says Romanovskiy. “There may be similar
requirements for others, but on a smaller scale.”
But Pearson’s pain points don’t only apply to airports – they’re common
to other industries with the same heightened interest in security,
including the rest of the transportation industry.
“Traditionally physical security systems were very isolated in nature,”
says Romanovskiy. “Now we have an integrated system, so the physical
world joins logical security.” The identity lifecycle of an employee,
which used to be handled by traditional management systems, now ties
into physical security.
Another area where this might apply is the pharmaceutical industry,
where there’s a need for tightened physical access control – which
employees have access to lab results and research facilities, for
example – or companies with high turnaround.
The physical security industry was about 20 years behind other
industries in terms of technology, says Jain. In most organizations,
finance was the first discipline to be automated, followed by marketing
and support. Physical security, however, was made up of point solutions
that were disparate in nature and location-specific. “We came into the
picture because we realized something needed to be done to optimize the
processes within an organization relating to identity management or
physical security operations management,” he says. “The only reason
operations cannot be streamlined is because these systems are so
Following the completion of the project, Scott was nominated by his
peers and subsequently named 2008 Security Practitioner of the Year by
the Toronto chapter of ASIS International for outstanding achievement
in the practice of security.