Answered step by step
Verified Expert Solution
Question
1 Approved Answer
DANIEL DIERMEIER AND EVAN MEAGHER 5-312-503 San Francisco International Airport and Quantum Secure's SAFE for Aviation System: Making the Business Case for Corporate Security On
DANIEL DIERMEIER AND EVAN MEAGHER 5-312-503 San Francisco International Airport and Quantum Secure's SAFE for Aviation System: Making the Business Case for Corporate Security On January 22, 2008, Assistant Deputy Director of Aviation Security Kim Dickie met with her team in a conference room at San Francisco International Airport (known by its three-letter airport code, SFO) to review the challenge facing them. Steadily rising passenger counts and the increasing launch of service by low-cost carriers such as Virgin America, Southwest Airlines, and JetBlue Airways had compelled SFO's Airport Director John Martin to announce plans to renovate and reopen Terminal 2, shuttered in 2000 upon the opening of SFO's new international terminal. The $383 million project would require new heating and ventilation installations, energy-efficient architectural design, and the construction of four additional gates, but Dickie was focused on the security infrastructure requirements.' In addition, Dickie's boss, Henry Thompson, the Associate Deputy Airport Director of Safety and Security, had a mandate to overhaul the security infrastructure of the airport, tightening loopholes around employees and passenger security, airside operations, badge credentialing, physical identity and access management, as well as investing in technology, automation, and intelligence to create a next-generation model airport. Dickie and her team saw the Terminal 2 reopening as an opportunity to start a much-needed transition to a long-term airport-wide credentialing and physical identity and access management (PIAM) system that would meet the growing need of airport risks and comply with regulations from the Transportation Security Administration (TSA). After months of work, she and her team had selected Quantum Secure's SAFE for Aviation software suite as the new Terminal 2 credentialing system.The infrastructure upgrades required by the renovation provided both momentum and initial support from senior executives, but Dickie still needed to justify a state-of-the-art airport credentialing system that would address airport security risks while complying with TSA regulations. Dickie and her team had a small window of opportunity to develop a business case that would convince senior management to fund the purchase. "SFO Eyes Old Terminal for Expansion," Oakland Tribune, September 10, 2007; "SFO Airport Awards Contract to Upgrade Old Int'l Terminal," Aviation Daily, May 19, 2008. The Transportation Security Administration is the U.S. governmental agency responsible for air travel security. It was created after the 9/1 1 attacks as part of the U.S. Department of Homeland Security. See http://www.isa.gov. 02013 by the Kellogg School of Management at Northwestern University. This case was developed with support from the December 2009 graduates of the Executive MBA Program (EMP-76). This case was prepared by Evan Meagher '09 under the supervision of Professor Daniel Diermeier. Cases are developed solely as the basis for class discussion. Cases are not intended to serve as endorsements, sources of primary data, or illustrations of effective or ineffective management. To order copies or request permission to reproduce materials, call 847.491.5400 or e-mail casesa kellogg northwestern edu. No part of this publication may be reproduced, stored in a retrieval system, used in a spreadsheet, or transmitted in any form or by any means-electronic, mechanical, photocopying, recording, or otherwise-without the permission of Kellogg Case Publishing SFO AND QUANTUM SECURE 5-312-503 Airport Security Security at SFO posed unique challenges. The most obvious was the more than 100,000 passengers who used the facility's ticketing and check-in lines, security screens, gates, and baggage claim every day. Less visible were the thousands of tenants, vendors, airline personnel, and third-party contractors who needed to be authenticated and whose physical access rights had to be controlled and managed dynamically based on their role and the airport's security policies.Due to the vast array of security threats, managing the identities of these people, their credentials, and their physical access to facilities, all airports were required to execute mission- critical processes, which included: Conducting background checks for new users and obtaining security clearances for access to secured locations from the TSA, the Canadian Air Transport Security Authority {CAT'SA}, or other relevant national transportation security governing bodies; Using the American Association of Airport EiIiecutivesI BASIC (Biometric Airport Security Identication Consortium} messaging integration to communicate with the Transportation Security Clearinghouse; Identify proofmg, enrolling, and issuing badges, which included re management and storage of related documents, such as a copy of a passport or [-9 form; Creating exible self-service access rights to allow approved parties to enroll their own employees and subcontractors and grant them physical access rights prior to their on-site arrival; Complying with and enforcing new security directives like SD-ld-E-d-DBG. which governed the security protocols for transient aircraft and after-hours operations, or SD- lAE-d-UEF, which required security threat assessments on a wider range of parties including pilots, baggage screeners, and other airport employees; Integrating with a broad variety of physical access control systems {PACE}, human resources and information technology systems, and biometric employee databases so as to generate a common workow and consistent policies across all systems; Issuing and tracking infractions to verify that violations are detected and penalized, with penalties escalating with each subsequent violation; and Performing regular identity audits to ensure that the proper people have the proper access for the proper reasons. In principle, airports could have completed these processes by creating a single notion of a user's identity for use across the entire facility and attaching iat identity to a set of access roles overseen by aviation employees and airport tenants- This would have established a unied policy paradigm that issued credentials, managed rules, and modied or retracted access when the role was changed or terminated. In actuality, however, each of these procedures was handled separately, processed manually, and the results entered into separate databases. This approach led to numerous problems. For example, there was no routine way to determine if an access card had been successfully deactivated after the termination of an airport worker, nor was there any way to tell if an airport worker without the required privileges had access to a restricted area. The databases had different formats and le types, so they could not communicate with each other or be checked for internal 2 KELLEH'JE SCI-[03L FM-INAGEMENT 5611-513 SFII] also QuaN'run-i Sacuas consistency, so updates lagged days or weeks behind actual changes such as terminations. These challenges were exacerbated by the fact that airport badging operators often lacked understanding of the strategic importance of following certain protocols and assessing risks. This led to inefciencies, delays, and at times, compromised security levels. The disjointed execution of these processeswhich were often conducted out of sequence and required additional resources for correctionundermined airports' operational efciency. {See Exhibits 1 and I.) For example, one large international airport took three weeks to register an employee in the parking, payroll, human resources, and PACE databases. \"You'd go stand in this huge line, and you'd get to the front of the line, and they would say, 'This isn't right, come back Tuesday to ll out new fonns,\" said Ajay Jain, president and CEO of Quantum Secure, a provider of enterprise-wide security software solutions. \"The wait was so long that people were starting to leave and just abandon these job offers, thereby creating heavy strain on airport operations_"3 The challenges did not end once a new employee was registered in the systemsany changes to access permissions required that a massive spreadsheet be printed and compared to the list used at an access point to identify any additions, deletions, or modifications. This inefcient, highly manual, and error-prone process had been the status quo in the physical access control world for decades, but development of comprehensive software solutions offered the prospect of integrating and streamlining existing procedures. Process automation not only promised improved efficiency, speed, and cost, but also improved compliance that could mitigate potentially serious legal and reputational risks. \"When you talk to a higher-level audience and outline these issues at the CED level, that audience understands the limitations there,\" lain said. \"They know iey've got major compliance and risk issues to deal with, and they're asking, 'How do I clean that up?r How do I make things accountable'?\""' Quantum Secure and SAFE Founded in EDDIE in San Jose, California, Quantum Secure was a privately held provider of software-based solutions and platforms for physical identity and access management. Quantum Secure's core offering was the SAFE software suite, a commercial off-the-shelf solution 'iat streamlined the identity management and access provisioning processes for clients with large facilities that required rigorous physical security and access management procedures. SAFE for Aviation enabled users to create a single notion of identity across the entire airport that integrated previously fragmented manual processes as well as biometrics. This integration enabled security managers to create policies and general procedures for issuing credentials and granting access to airport facilities. SAFE's exible system architecture and policyfrules-bascd framework accommodated changes and additions to rules, worldlows, and policies without programming, which meant that ever-changing regulations and internal uiitiatives could be easily incorporated without costly upkeep and development charges. It also addressed \"insider threats" by continuously monitoring video and marrying it with analytics of access behavior to identify anomalies that could provide early warning of any potential threats. SAFE for Aviation integrated directly with the existing airport security infrastructure, obviating the need for costly replacement of existing security systems, hardware, controllers, and other products. The software integrated with all leading PACS, training systems, TSA-mandated background-check processes, and other airport-specific IT systems, allowing disparate security systems to act as a single unit. (See Exhibits 3 and 4.) In 2008, Toronto Pearson International Airport deployed the SAFE suite. Based on preliminary results, the airport expected to meet the following goals:" Reduce the average cost of processing a badge by 28 percent, from $49 to $35; Cut average wait times by 96 percent, from 560 minutes to 20 minutes; Decrease average service time by 66 percent, from 74 minutes to 25 minutes; and Streamline the credentialing operations with full audit and compliance. Bryan Scott, the Greater Toronto Airports Authority's senior manager of security infrastructures, said, ". . . the PPCO [Pass/Permit Control Office] serves an average of 175 clients per day and more than 45,000 employees and contractors each year for a wide variety of pass/permit requests. We needed a system that could keep up with this demand, ensuring that important staff started work in a timely fashion while maintaining high levels of customer satisfaction." Selecting a Solution With the announcement that SFO would be renovating Terminal 2 to accommodate increased demand for gates from discount air carriers, Dickie's team needed to decide how to solve its PACS challenges. For decades, SFO had relied on physical access systems-the systems that opened and closed doors-that were not designed to implement integrated processes, such as policies related to access grant or revocation, as well as the ability to manage compliance with internal controls.Although SFO had led the industry with the installation of biometric technology at access control doors in 1990, "it was very painful," Dickie said. "We desperately wanted to move away from legacy manual processing to automating and streamlining our credential issuance process. We were also thinking to rip and replace our old physical access system at the same time." Although SFO had managed to stave off expensive hardware upgrades for many years, the evolving demands of physical security had required periodic software upgrades, a marriage of new and old that was not without occasional problems. The Terminal 2 renovation project therefore came at an opportune moment for Dickie's team, as it presented an opportunity to begin a "Quantum Secure Deploys SAFE Software Suite for Toronto Pearson International Airport," PR Newswire, February 3, 2008, http:/www.prnewswire.comews-releases/quantum-secure-deploys-safe-software-suite-for-toronto-pearson-international-airport- 65658767.html. Ibid. "Interview with Kim Dickie, March 9, 201 1. KELLOGG SCHOOL OF MANAGEMENT 5-312-503 SFO AND QUANTUM SECURE migration to a new PACS on a newly opened area of the airport that did not yet face the strain of full everyday usage.Dickie rst hired a systems integrator that shortlisted several companies and managed the request for proposal process before ultimately helping the team select a newer PACE for Terminal 1- \"We had a situation where we had a E-year-old access control system in place, and we wanted to migrate off of it into a new platform, but we had to do it in a phased manner due to bandwidth constrain ,\" Dickie said. \"Knowing that we were going to have a newer and different PACE running in Terminal 2 and re older PACE still running everywhere else in re airport, we were looking for a new badging solution that could interface with both and provide us with a much- needed identity and credential lifecycle management systemall at once-"9 This requirement meant that the badge provisioning software would have to communicate with the old and new PACE while being exible enough to accommodate new TEA directives and interface with the newly deployed PACS- After a rigorous examination of the options available, Dickie and her team selected Quantum Secure's SAFE for Aviation product- They considered other vendors, but felt iat Quantum Secure offered the most comprehensive solution and also provided a robust audit and compliance system- \"We talked to all the various vendors, and ien to other airports, most of whom did not have a separate badging system; 'iey just badge through the physical access control systems,\" Dickie said- \"The badges that come out in the previous process have no intelligence built in- After the physical production of the badge, all processes from pro-enrollment of an airport identity to badge assignment to access management leading to termination of the accessall processes are done manually with lots of errors and no accountability. We knew Quantum Secure had done work for Toronto, so we called them and understood how Quannun's technology is being leveraged by them- They had three PACE systems that iey had to converge- We 'iought we had it had with two. We got a lot of positive comments from Toronto and how 'd'ley fully automated tough manual processes, including audit and compliance requirements. We placed a lot of importance on Quantum's ability and willingness to service us and deliver airport-specic functionality and enhancements as they became necessary, because in re physical security world, especially with airports, the goalposts are always moving-"m Calculating Return on Investment Dickie liked the operational aspects of the SAFE solution but still had to convince senior SFO executives that the tangible benefits justified the cost. Deciding the right amount to spend to achieve a given level of security was a challenging task, in large part because serious breaches of security were very rare but resulted in extremely painful consequences. The team's research identified benefits to SFO in five major areas: reduced labor and material costs, increased accuracy of recordkeeping, improved compliance with safety regulations, and avoided costs of replacing old systems by enabling integration and interoperation. Ibid " Ibid " Ibid. KELLOGG SCHOOL OF MANAGEMENT 5 SFO AND QUANTUM SECURE 5-312-503Labor Costs Quantum Secure supplied data about the impact of the SAFE system on Toronto Pearson's badging process over the entire user lifecycle. Upon implementing the SAFE system, Toronto Pearson estimated that its automated, interconnected identity management system would reduce the need for duplicative data entry and streamline the background-check process to onboard a new user. As a result, the time to onboard a user would fall from 9.33 man hours (560 minutes) to just 20 minutes. Dickie saw this as a significant potential cost savings if SFO's own credentialing time could be reduced from the more than six man hours it currently took. The airport credentialed approximately 20,000 new users every year, a figure Dickie expected to grow by approximately 10 percent for each of the next five years (from 2009 to 2013), the timeframe used by its finance department to calculate the payback period for capital expenditures. SAFE also enabled Toronto Pearson to increase the consistency of data entry, which reduced ID badge processing costs from $49 per card to $35 in the first year, with the potential to decrease further in subsequent years. SFO's cost was approximately $44 per badge before implementing the SAFE solution. Dickie knew this also could represent significant cost savings for the 2,000 users that would access Terminal 2 using the older PACS system in 2009, and the rest of SFO's approximately 20,000 users that ultimately would migrate to the new system in Terminal 2 as it was migrated across the rest of the airport in four equal tranches in future years. On average, identity management at SFO required approximately 15 minutes of manual processing per identity per year for each of the more than 20,000 identities. (Dickie expected this number to grow by 5 percent annually for the next five years.) Identity management consisted of changing identity records, terminating identities, changing access provisioning, replacing lost badges, and renewing old badges. Automating these tasks with SAFE was expected to reduce the time required to complete them by as much as 35 percent, which would not only increase the productivity of security personnel but also prevent users from experiencing long wait times.Mata-Hat Costs The enhanced functionality of the new PACE at Terminal 2 required a new, more technologically sophisticated badge for the l users accessing the terminal in zoos. Wl'ltlt SAFE, any users with access to both Terminal 2 and other parts of the airport that still used the older PACE infrastructure would have to carry a new badge for Terminal 2 in addition to their old badge for the rest of the airport. The old badges cost $2.130, while the new badges for Terminal 2 cost $1M. Based on the planned rollout of the new PACE and gradual replacement of the old PACE, Dickie estimated the number of users that would need two badges over time would be as follows: zoos 2010 EH 2012 3313 2,.IIID that") EDGE! 1D.IIICI CI By implementing SAFE technology from Quantum Secure, however, SFD would eliminate he need for duplicate badges, as SAFE could enable the newer badges to continue working on me E- KELLCH'JG SCHGEIL L'IFMKNAGEMENT 5-311-53 SFII] AND QUANTUM Secures older PACE system when those users accessed airport areas outside of the Terminal 2 zone [which would now use the newer PACE system}. Increased Accuracy of Recordkeeping Because SAFE populated recurring fields such as social security number, name, and address across multiple pages and required certain fields to be completed before moving to the next screen, Dickie knew that one of its benefits would be far fewer missing fields and mistyped information in SFO's user database. However, the team worried that it would be difficult to place a dollar value on greater information accuracy. Dickie knew, however, that one tangible result of improved accuracy would be a reduction in the time to detect and correct errors across the airport's various databases. The badging department reported that seven employees spent one full day each month comparing user databases and attempting to correct the errors they discovered. Toronto Pearson had reported a 90 percent reduction in this activity after its SAFE implementation; Dickie anticipated that SFO's systems and processes were comparable to Toronto Pearson's before its SAFE implementation, but she estimated that 90 percent was an aggressive savings assumption and that SFO would probably enjoy a slightly lower level of savings. Increased Compliance According to Quantum Secure, the SAFE for Aviation solution had improved Toronto Pearson's compliance with various regulatory safety standards by as much as 60 percent, although it was impossible to obtain accurate data across various categories. For example, Toronto Pearson reported a drop in accidental violations of the Canadian Air Transport Security Authority's restricted area identification card program from 311 to 224 annually. Most of the reduction stemmed from eliminating violations resulting from users borrowing badges to access areas for which they lacked permission, a violation that could result in a fine of up to $10,000 CAD (approximately $8,849 USD at the time) per incident. SAFE Solution for Airports promised significant improvements." Unfortunately for Dickie, Toronto Pearson officials lacked accurate data on the increase in compliance to the hundreds of other regulations and the average cost of violating them. Complicating matters further, in some situations the SAFE system did not prevent violations from occurring, but rather led to more rapid detection and remediation.The TSA fines faced by SFO were similar in magnitude to those faced by Toronto Pearson, but Dickie's team found it difficult to place a dollar value on the type of incidents SAFE could prevent. It was even more difficult for more extreme violations. Compatibility Cost Savings Because Quantum Secure had a reputation as an innovative technology provider whose products were highly scalable, Dickie was confident the SAFE solution would not soon become obsolete. In the short term, the SAFE system's ability to work with old and new PACS would allow SFO to avoid the large capital expenses of a rip-and-replace implementation. Costs and Discount Rate The SAFE system cost $250,000 upfront to install, with an annual $25,000 maintenance payment due each year from 2009 to 2013. The finance team whose approval was necessary to "green light" the purchase instructed Dickie to use a 10 percent discount rate in determining the net present value of a SAFE implementation to SFO, the internal rate of return on such a purchase, and the time period necessary for SFO to achieve a 100 percent payback on its investment." In addition, Dickie expected various operational advantages, including streamlined and accountable end-to-end badging operations, automatic physical access provisioning and terminations based upon policies, policy-based access with audit trail, and compliance reporting Dickie and her team also believed that various intangible benefits could be realized, including increased employee productivity due to reduction in delays of credential processing (reduced credentialing, badging, and wait time) as well as increased customer satisfaction because of lower support cost due to automation.Making the Business Case With the necessary data assembled, Dickie's team was convinced of the various operational and compliance benefits. Additionally, they needed to quantify the tangible value of operating cost savings they believed SFO could reap from implementing the SAFE system. Dickie and her team believed these benefits, together, constituted a compelling business case.Discount Rate Purchase Cost OnBoarding Labor Costs Current Time Cost (labor hours) New Time Cost (labor hours} Savings (labor hours} Hourly.r cost of labor hour Dollar Savings per user Users Dollar Savings from Onboarding Badge Processing Costs Toronto lD Processing Cost Reduction ('56) SFO Current Badge Processing Cost SFO Savings Per Badge Processed Users with new badges processed SFO Savings on Badge Processing |_l Year 0 1 2 3 4 5 2000| 2009 2010 2011 2012 2013 |$ (250,000)] $ (25,000) $ (25,000) $ (25,000) $ (25,000) $ (25,000) 0.00 $0.00 2,000 ' 2,200 2,420 2,662 2,928 $ $ $ S $ $0.00 2,000 4,500 4,500 4,500 4,500 $ $ $ S $ Ongoing Identity Management Activity Costs Reduction in Labor Time Spent on Identity Management Hourly cost of labor Hours spent annually per user on Identity Management Dollar Savings per user Users Dollar Savings from Ongonig Identity Management Activity Costs :l $0.00 Material Costs Savings Cost of new badges New badge purchases avoided through purchase of SAFE Total cost savings from reduced new badge purchases Incremental badges made unnecessary Percentage of badges lost each year Badge losses avoided Cost of lost badge Lost badge savings n llf - n. n. 20,000 21,000 22,050 23,153 24,310 _ g _ g, _ _ _ _ $ _ $ _ _ _ 2,000 4,000 8,000 10,000 8% 8% 8% 8% 8% 180 320 640 800 0 $2.00 $2.00 $2.00 $2.00 $2.00 $320.00 $1,800.00 $0.00 $040.00' $1,280.00 RecordKeeping Accuracy Savings Labor Hours spent each month on error detection Hourly cost of labor hour Reduction in labor hours spent on detection Savings in monthly labor hours Annual labor hour savings Value of labor savings Increased Compliance Savings Likelihood of a compliance violation without SAFE Likelihood of a compliance violation with SAFE Change in likelihood of a compliance violation Cost of a compliance valuation Value of compliance savings Compatibilityr Cost Savings Savings from avoiding rip-and-replace implementation H 0% H 0 $0.00 $0.00 0 $0.00 $0.00 $0.00 $0.00 0 $0.00 $0.00 0 $0.00 $0. 00 Total Cash Outflows for Purchase (250,000) (25,000) $ (25,000) $ (25,000) (25,000) (25,000) Total Savings from Purchase 320 640 1,280 1,600 Net Cash Flow from Purchase (250,000) (24,680) $ (24,360) (23,720) (23,400) (25,000) Discounted Cash Flow from purchase (250,000) (24,680) $ (24,360) $ (23,720) $ (23,400) $ (25,000) IRR from Purchase N/A NPV of Purchase $ (371,160)
Step by Step Solution
There are 3 Steps involved in it
Step: 1
Get Instant Access to Expert-Tailored Solutions
See step-by-step solutions with expert insights and AI powered tools for academic success
Step: 2
Step: 3
Ace Your Homework with AI
Get the answers you need in no time with our AI-driven, step-by-step assistance
Get Started