DANIEL DIERMEIER AND EVAN MEAGHER KEL720 San Francisco International Airport and Quantum Secure's SAFE for Aviation System: Making the Business Case for Corporate Security On January 22, 2008, Assistant Deputy Director of Aviation Security Kim Dickie met with her team in a conference room at San Francisco International Airport (known by its three-letter airport code, SFO) to review the challenge facing them. Steadily rising passenger counts and the increasing launch of service by low-cost carriers such as Virgin America, Southwest Airlines, and JetBlue Airways had compelled SFO's Airport Director John Martin to announce plans to renovate and reopen Terminal 2, shuttered in 2000 upon the opening of SFO's new international terminal. The $383 million project would require new heating and ventilation installations, energy-efficient architectural design, and the construction of four additional gates, but Dickie was focused on the security infrastructure requirements.1 In addition, Dickie's boss, Henry Thompson, the Associate Deputy Airport Director of Safety and Security, had a mandate to overhaul the security infrastructure of the airport, tightening loopholes around employees and passenger security, airside operations, badge credentialing, physical identity and access management, as well as investing in technology, automation, and intelligence to create a next-generation model airport. Dickie and her team saw the Terminal 2 reopening as an opportunity to start a much-needed transition to a long-term airport-wide credentialing and physical identity and access management (PIAM) system that would meet the growing need of airport risks and comply with regulations from the Transportation Security Administration (TSA).2 After months of work, she and her team had selected Quantum Secure's SAFE for Aviation software suite as the new Terminal 2 credentialing system. The infrastructure upgrades required by the renovation provided both momentum and initial support from senior executives, but Dickie still needed to justify a state-of-the-art airport credentialing system that would address airport security risks while complying with TSA regulations. Dickie and her team had a small window of opportunity to develop a business case that would convince senior management to fund the purchase. 1 \"SFO Eyes Old Terminal for Expansion,\" Oakland Tribune, September 10, 2007; \"SFO Airport Awards Contract to Upgrade Old Int'l Terminal,\" Aviation Daily, May 19, 2008. 2 The Transportation Security Administration is the U.S. governmental agency responsible for air travel security. It was created after the 9/11 attacks as part of the U.S. Department of Homeland Security. See http://www.tsa.gov. 2013 by the Kellogg School of Management at Northwestern University. This case was developed with support from the December 2009 graduates of the Executive MBA Program (EMP-76). This case was prepared by Evan Meagher '09 under the supervision of Professor Daniel Diermeier. Cases are developed solely as the basis for class discussion. Cases are not intended to serve as endorsements, sources of primary data, or illustrations of effective or ineffective management. To order copies or request permission to reproduce materials, call 800-545-7685 (or 617-783-7600 outside the United States or Canada) or e-mail custserv@hbsp.harvard.edu. No part of this publication may be reproduced, stored in a retrieval system, used in a spreadsheet, or transmitted in any form or by any meanselectronic, mechanical, photocopying, recording, or otherwisewithout the permission of Kellogg Case Publishing. This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies. SFO AND QUANTUM SECURE KEL720 Airport Security Security at SFO posed unique challenges. The most obvious was the more than 100,000 passengers who used the facility's ticketing and check-in lines, security screens, gates, and baggage claim every day. Less visible were the thousands of tenants, vendors, airline personnel, and third-party contractors who needed to be authenticated and whose physical access rights had to be controlled and managed dynamically based on their role and the airport's security policies. Due to the vast array of security threats, managing the identities of these people, their credentials, and their physical access to facilities, all airports were required to execute missioncritical processes, which included: Conducting background checks for new users and obtaining security clearances for access to secured locations from the TSA, the Canadian Air Transport Security Authority (CATSA), or other relevant national transportation security governing bodies; Using the American Association of Airport Executives' BASIC (Biometric Airport Security Identification Consortium) messaging integration to communicate with the Transportation Security Clearinghouse; Identify proofing, enrolling, and issuing badges, which included the management and storage of related documents, such as a copy of a passport or I-9 form; Creating flexible self-service access rights to allow approved parties to enroll their own employees and subcontractors and grant them physical access rights prior to their on-site arrival; Complying with and enforcing new security directives like SD-1542-04-08G, which governed the security protocols for transient aircraft and after-hours operations, or SD1542-04-08F, which required security threat assessments on a wider range of parties including pilots, baggage screeners, and other airport employees; Integrating with a broad variety of physical access control systems (PACS), human resources and information technology systems, and biometric employee databases so as to generate a common workflow and consistent policies across all systems; Issuing and tracking infractions to verify that violations are detected and penalized, with penalties escalating with each subsequent violation; and Performing regular identity audits to ensure that the proper people have the proper access for the proper reasons. In principle, airports could have completed these processes by creating a single notion of a user's identity for use across the entire facility and attaching that identity to a set of access rules overseen by aviation employees and airport tenants. This would have established a unified policy paradigm that issued credentials, managed rules, and modified or retracted access when the role was changed or terminated. In actuality, however, each of these procedures was handled separately, processed manually, and the results entered into separate databases. This approach led to numerous problems. For example, there was no routine way to determine if an access card had been successfully deactivated after the termination of an airport worker, nor was there any way to tell if an airport worker without the required privileges had access to a restricted area. The databases had different formats and file types, so they could not communicate with each other or be checked for internal 2 KELLOGG SCHOOL OF MANAGEMENT This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies. KEL720 SFO AND QUANTUM SECURE consistency, so updates lagged days or weeks behind actual changes such as terminations. These challenges were exacerbated by the fact that airport badging operators often lacked understanding of the strategic importance of following certain protocols and assessing risks. This led to inefficiencies, delays, and at times, compromised security levels. The disjointed execution of these processeswhich were often conducted out of sequence and required additional resources for correctionundermined airports' operational efficiency. (See Exhibits 1 and 2.) For example, one large international airport took three weeks to register an employee in the parking, payroll, human resources, and PACS databases. \"You'd go stand in this huge line, and you'd get to the front of the line, and they would say, 'This isn't right, come back Tuesday to fill out new forms,'\" said Ajay Jain, president and CEO of Quantum Secure, a provider of enterprise-wide security software solutions. \"The wait was so long that people were starting to leave and just abandon these job offers, thereby creating heavy strain on airport operations.\"3 The challenges did not end once a new employee was registered in the systemsany changes to access permissions required that a massive spreadsheet be printed and compared to the list used at an access point to identify any additions, deletions, or modifications. This inefficient, highly manual, and error-prone process had been the status quo in the physical access control world for decades, but development of comprehensive software solutions offered the prospect of integrating and streamlining existing procedures. Process automation not only promised improved efficiency, speed, and cost, but also improved compliance that could mitigate potentially serious legal and reputational risks. \"When you talk to a higher-level audience and outline these issues at the CXO level, that audience understands the limitations there,\" Jain said. \"They know they've got major compliance and risk issues to deal with, and they're asking, 'How do I clean that up? How do I make things accountable?'\"4 Quantum Secure and SAFE Founded in 2005 in San Jose, California, Quantum Secure was a privately held provider of software-based solutions and platforms for physical identity and access management. Quantum Secure's core offering was the SAFE software suite, a commercial off-the-shelf solution that streamlined the identity management and access provisioning processes for clients with large facilities that required rigorous physical security and access management procedures. SAFE for Aviation enabled users to create a single notion of identity across the entire airport that integrated previously fragmented manual processes as well as biometrics. This integration enabled security managers to create policies and general procedures for issuing credentials and granting access to airport facilities. SAFE's flexible system architecture and policy/rules-based framework accommodated changes and additions to rules, workflows, and policies without programming, which meant that ever-changing regulations and internal initiatives could be easily incorporated without costly upkeep and development charges. It also addressed \"insider threats\" by continuously monitoring 3 4 Phone interview with Ajay Jain, February 22, 2011. Ibid. KELLOGG SCHOOL OF MANAGEMENT 3 This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies. SFO AND QUANTUM SECURE KEL720 video and marrying it with analytics of access behavior to identify anomalies that could provide early warning of any potential threats. SAFE for Aviation integrated directly with the existing airport security infrastructure, obviating the need for costly replacement of existing security systems, hardware, controllers, and other products. The software integrated with all leading PACS, training systems, TSA-mandated background-check processes, and other airport-specific IT systems, allowing disparate security systems to act as a single unit. (See Exhibits 3 and 4.) In 2008, Toronto Pearson International Airport deployed the SAFE suite. Based on preliminary results, the airport expected to meet the following goals:5 Reduce the average cost of processing a badge by 28 percent, from $49 to $35; Cut average wait times by 96 percent, from 560 minutes to 20 minutes; Decrease average service time by 66 percent, from 74 minutes to 25 minutes; and Streamline the credentialing operations with full audit and compliance. Bryan Scott, the Greater Toronto Airports Authority's senior manager of security infrastructures, said, \". . . the PPCO [Pass/Permit Control Office] serves an average of 175 clients per day and more than 45,000 employees and contractors each year for a wide variety of pass/permit requests. We needed a system that could keep up with this demand, ensuring that important staff started work in a timely fashion while maintaining high levels of customer satisfaction.\"6 Selecting a Solution With the announcement that SFO would be renovating Terminal 2 to accommodate increased demand for gates from discount air carriers, Dickie's team needed to decide how to solve its PACS challenges. For decades, SFO had relied on physical access systemsthe systems that opened and closed doorsthat were not designed to implement integrated processes, such as policies related to access grant or revocation, as well as the ability to manage compliance with internal controls. Although SFO had led the industry with the installation of biometric technology at access control doors in 1990, \"it was very painful,\" Dickie said. \"We desperately wanted to move away from legacy manual processing to automating and streamlining our credential issuance process. We were also thinking to rip and replace our old physical access system at the same time.\"7 Although SFO had managed to stave off expensive hardware upgrades for many years, the evolving demands of physical security had required periodic software upgrades, a marriage of new and old that was not without occasional problems. The Terminal 2 renovation project therefore came at an opportune moment for Dickie's team, as it presented an opportunity to begin a 5 \"Quantum Secure Deploys SAFE Software Suite for Toronto Pearson International Airport,\" PR Newswire, February 3, 2008, http://www.prnewswire.com/news-releases/quantum-secure-deploys-safe-software-suite-for-toronto-pearson-international-airport65658767.html. 6 Ibid. 7 Interview with Kim Dickie, March 9, 2011. 4 KELLOGG SCHOOL OF MANAGEMENT This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies. KEL720 SFO AND QUANTUM SECURE migration to a new PACS on a newly opened area of the airport that did not yet face the strain of full everyday usage.8 Dickie first hired a systems integrator that shortlisted several companies and managed the request for proposal process before ultimately helping the team select a newer PACS for Terminal 2. \"We had a situation where we had a 20-year-old access control system in place, and we wanted to migrate off of it into a new platform, but we had to do it in a phased manner due to bandwidth constraints,\" Dickie said. \"Knowing that we were going to have a newer and different PACS running in Terminal 2 and the older PACS still running everywhere else in the airport, we were looking for a new badging solution that could interface with both and provide us with a muchneeded identity and credential lifecycle management systemall at once.\"9 This requirement meant that the badge provisioning software would have to communicate with the old and new PACS while being flexible enough to accommodate new TSA directives and interface with the newly deployed PACS. After a rigorous examination of the options available, Dickie and her team selected Quantum Secure's SAFE for Aviation product. They considered other vendors, but felt that Quantum Secure offered the most comprehensive solution and also provided a robust audit and compliance system. \"We talked to all the various vendors, and then to other airports, most of whom did not have a separate badging system; they just badge through the physical access control systems,\" Dickie said. \"The badges that come out in the previous process have no intelligence built in. After the physical production of the badge, all processes from pre-enrollment of an airport identity to badge assignment to access management leading to termination of the accessall processes are done manually with lots of errors and no accountability. We knew Quantum Secure had done work for Toronto, so we called them and understood how Quantum's technology is being leveraged by them. They had three PACS systems that they had to converge. We thought we had it bad with two. We got a lot of positive comments from Toronto and how they fully automated tough manual processes, including audit and compliance requirements. We placed a lot of importance on Quantum's ability and willingness to service us and deliver airport-specific functionality and enhancements as they became necessary, because in the physical security world, especially with airports, the goalposts are always moving.\"10 Calculating Return on Investment Dickie liked the operational aspects of the SAFE solution but still had to convince senior SFO executives that the tangible benefits justified the cost. Deciding the right amount to spend to achieve a given level of security was a challenging task, in large part because serious breaches of security were very rare but resulted in extremely painful consequences. The team's research identified benefits to SFO in five major areas: reduced labor and material costs, increased accuracy of recordkeeping, improved compliance with safety regulations, and avoided costs of replacing old systems by enabling integration and interoperation. 8 Ibid. Ibid. 10 Ibid. 9 KELLOGG SCHOOL OF MANAGEMENT 5 This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies. SFO AND QUANTUM SECURE KEL720 Labor Costs Quantum Secure supplied data about the impact of the SAFE system on Toronto Pearson's badging process over the entire user lifecycle. Upon implementing the SAFE system, Toronto Pearson estimated that its automated, interconnected identity management system would reduce the need for duplicative data entry and streamline the background-check process to onboard a new user. As a result, the time to onboard a user would fall from 9.33 man hours (560 minutes) to just 20 minutes. Dickie saw this as a significant potential cost savings if SFO's own credentialing time could be reduced from the more than six man hours it currently took. The airport credentialed approximately 20,000 new users every year, a figure Dickie expected to grow by approximately 10 percent for each of the next five years (from 2009 to 2013), the timeframe used by its finance department to calculate the payback period for capital expenditures. SAFE also enabled Toronto Pearson to increase the consistency of data entry, which reduced ID badge processing costs from $49 per card to $35 in the first year, with the potential to decrease further in subsequent years. SFO's cost was approximately $44 per badge before implementing the SAFE solution. Dickie knew this also could represent significant cost savings for the 2,000 users that would access Terminal 2 using the older PACS system in 2009, and the rest of SFO's approximately 20,000 users that ultimately would migrate to the new system in Terminal 2 as it was migrated across the rest of the airport in four equal tranches in future years. On average, identity management at SFO required approximately 15 minutes of manual processing per identity per year for each of the more than 20,000 identities. (Dickie expected this number to grow by 5 percent annually for the next five years.) Identity management consisted of changing identity records, terminating identities, changing access provisioning, replacing lost badges, and renewing old badges. Automating these tasks with SAFE was expected to reduce the time required to complete them by as much as 35 percent, which would not only increase the productivity of security personnel but also prevent users from experiencing long wait times. Material Costs The enhanced functionality of the new PACS at Terminal 2 required a new, more technologically sophisticated badge for the 2,000 users accessing the terminal in 2009. Without SAFE, any users with access to both Terminal 2 and other parts of the airport that still used the older PACS infrastructure would have to carry a new badge for Terminal 2 in addition to their old badge for the rest of the airport. The old badges cost $2.00, while the new badges for Terminal 2 cost $7.00. Based on the planned rollout of the new PACS and gradual replacement of the old PACS, Dickie estimated the number of users that would need two badges over time would be as follows: 2009 2010 2011 2012 2,000 4,000 8,000 10,000 2013 0 By implementing SAFE technology from Quantum Secure, however, SFO would eliminate the need for duplicate badges, as SAFE could enable the newer badges to continue working on the 6 KELLOGG SCHOOL OF MANAGEMENT This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies. KEL720 SFO AND QUANTUM SECURE older PACS system when those users accessed airport areas outside of the Terminal 2 zone (which would now use the newer PACS system). Increased Accuracy of Recordkeeping Because SAFE populated recurring fields such as social security number, name, and address across multiple pages and required certain fields to be completed before moving to the next screen, Dickie knew that one of its benefits would be far fewer missing fields and mistyped information in SFO's user database. However, the team worried that it would be difficult to place a dollar value on greater information accuracy. Dickie knew, however, that one tangible result of improved accuracy would be a reduction in the time to detect and correct errors across the airport's various databases. The badging department reported that seven employees spent one full day each month comparing user databases and attempting to correct the errors they discovered. Toronto Pearson had reported a 90 percent reduction in this activity after its SAFE implementation; Dickie anticipated that SFO's systems and processes were comparable to Toronto Pearson's before its SAFE implementation, but she estimated that 90 percent was an aggressive savings assumption and that SFO would probably enjoy a slightly lower level of savings. Increased Compliance According to Quantum Secure, the SAFE for Aviation solution had improved Toronto Pearson's compliance with various regulatory safety standards by as much as 60 percent, although it was impossible to obtain accurate data across various categories. For example, Toronto Pearson reported a drop in accidental violations of the Canadian Air Transport Security Authority's restricted area identification card program from 311 to 224 annually. Most of the reduction stemmed from eliminating violations resulting from users borrowing badges to access areas for which they lacked permission, a violation that could result in a fine of up to $10,000 CAD (approximately $8,849 USD at the time) per incident. SAFE Solution for Airports promised significant improvements.11 Unfortunately for Dickie, Toronto Pearson officials lacked accurate data on the increase in compliance to the hundreds of other regulations and the average cost of violating them. Complicating matters further, in some situations the SAFE system did not prevent violations from occurring, but rather led to more rapid detection and remediation. 11 Among other benefits, the SAFE system: (a) includes pre-defined policies for TSA compliance, badging, and operations which allows airports to enforce compliance with TSA Security Directives (SD) across diverse and disparate systems, including Customs and Border Control (CBP) regulations pertaining the airports; (b) provides in-built controls, policies, workflows, and reports to comply with SD and Regulations\"SD 1542-04-08G,\" \"Watch list matching in accordance with Part 1542 and SD 10 series,\" \"49 CFR Part 1542 directives,\" \"Requirement related to -25% SIDA badge issuance, 5% loss badge status, 10% 100% Employee Audit, Daily/Monthly STA Monitoring.\" Patented graphical policy tool allows accommodating any future addition or change to rules and workflows related current security directives and regulations; and (c) automates complex operations and monitoringSTA/CHRC Rules by Employer, Badge Expiration Notification and Renewal, Training Relationship to Privileges, Document Storage (I9, Certifications, Signatures, etc.), Not Returned Keys, Fobs and Badges. KELLOGG SCHOOL OF MANAGEMENT 7 This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies. SFO AND QUANTUM SECURE KEL720 The TSA fines faced by SFO were similar in magnitude to those faced by Toronto Pearson, but Dickie's team found it difficult to place a dollar value on the type of incidents SAFE could prevent. It was even more difficult for more extreme violations. Compatibility Cost Savings Because Quantum Secure had a reputation as an innovative technology provider whose products were highly scalable, Dickie was confident the SAFE solution would not soon become obsolete. In the short term, the SAFE system's ability to work with old and new PACS would allow SFO to avoid the large capital expenses of a rip-and-replace implementation. Costs and Discount Rate The SAFE system cost $250,000 upfront to install, with an annual $25,000 maintenance payment due each year from 2009 to 2013.12 The finance team whose approval was necessary to \"green light\" the purchase instructed Dickie to use a 10 percent discount rate in determining the net present value of a SAFE implementation to SFO, the internal rate of return on such a purchase, and the time period necessary for SFO to achieve a 100 percent payback on its investment.13 In addition, Dickie expected various operational advantages, including streamlined and accountable end-to-end badging operations, automatic physical access provisioning and terminations based upon policies, policy-based access with audit trail, and compliance reporting. Dickie and her team also believed that various intangible benefits could be realized, including increased employee productivity due to reduction in delays of credential processing (reduced credentialing, badging, and wait time) as well as increased customer satisfaction because of lower support cost due to automation. Making the Business Case With the necessary data assembled, Dickie's team was convinced of the various operational and compliance benefits. Additionally, they needed to quantify the tangible value of operating cost savings they believed SFO could reap from implementing the SAFE system. Dickie and her team believed these benefits, together, constituted a compelling business case. 12 Quantum Secure's SAFE suite for Aviation Software pricing has been modified or disguised to preserve confidentiality and to simplify students' pursuit of relevant learning objectives. 13 All information in the case used to calculate the return on investment of the SAFE system has been modified or disguised to preserve confidentiality and to simplify students' pursuit of relevant learning objectives, and therefore should not be interpreted in any way as an accurate depiction of Quantum Secure's pricing, the SAFE system's benefits, or SFO's operational metrics. 8 KELLOGG SCHOOL OF MANAGEMENT This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies. 9 KELLOGG SCHOOL OF MANAGEMENT Exhibit 1: Airport Badging: Current Manual Process and Implications SFO AND QUANTUM SECURE KEL720 This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies. 10 KELLOGG SCHOOL OF MANAGEMENT Exhibit 2: Airport Badging: Current Manual Process and Implications SFO AND QUANTUM SECURE KEL720 This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies. 11 KELLOGG SCHOOL OF MANAGEMENT Exhibit 3: Airport Badging: Automated Process with SAFE for Aviation SFO AND QUANTUM SECURE KEL720 This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies. 12 KELLOGG SCHOOL OF MANAGEMENT Exhibit 4: Airport Badging: Automated Process with SAFE for Aviation SFO AND QUANTUM SECURE KEL720 This document is authorized for use only by Yongchai Raksapol (YRAKSAPO@MY.HPU.EDU). Copying or posting is an infringement of copyright. Please contact customerservice@harvardbusiness.org or 800-988-0886 for additional copies