Increased security risks, combined with the weakness and inefficiency of the user name and password model, are now driving the need for smart card-based logical access control.
Smart cards store large amounts of data, carry out on-card functions such as encryption and digital signatures, and interact intelligently with a smart card reader.
Smart cards provide a proven cost-effective solution. Further, they can be integrated with competing technologies to derive maximum benefit as they are highly flexible and can be easily modified and upgraded to complement other systems.
TWO FACTOR AUTHENTICATION
Already widely implemented, smart cards provide higher assurance via two-factor authentication: it requires something the user knows (a password) and something the user has (the smart card). Smart cards also provide stronger authentication by virtue of being based on Public Key Infrastructure (PKI). PKI is the architecture of trust that supports a certificate-based public key cryptographic system. PKI uses a combination of public and private keys to authenticate identity, and includes digital certificates, a certificate issuance authority and a registration authority.
Combining Physical & Logical Access
With card-based physical access already in place at many enterprises, the next logical step is to afford the same level of protection for information assets. Physical access control provides a first line of defense, but a multi-layered approach is required for truly proactive security. As such, there is a compelling argument to implement smart cards for logical access. In fact, businesses stand to realize the most benefits in cost savings, ease of use and increased security by combining physical and logical access control onto one platform. Instead of adding technological and management complexities by having separate access control systems for physical facilities and electronic data, it makes the most sense to combine the two for higher assurance, cost savings, efficiency and ease of use.
Since more than one access application can be carried on a single smart card, employees can use one card to access physical and logical resources without carrying multiple credentials. From the doorways to the desktops, one convenient solution provides the secure identity management, strong authentication and access control necessary to safeguard both physical and intellectual assets.
Combining physical and logical access builds an infrastructure of increased trust. Deploying smart cards to employees, partners and other key individuals is a proactive enterprise approach to higher assurance.
Reinforced Security at Lower Cost
Smart cards provide significant ROI in terms of both cost savings and increased security. Supporting system components can be networked, allowing separate functional areas in an organization to exchange and coordinate information automatically and in real time around the world. Organizations that already have smart card-based physical access in place can simply expand card use to protect network resources and benefit from an easily scalable solution. Legacy systems, including physical access system components, can be leveraged for investment protection while providing increased security for logical access. Enterprises can also reduce their IT support costs with the implementation of smart cards. Although the perceived low cost of user names and passwords has contributed to their popularity, the real expense occurs on the back end with support and password management costs.
Considering the ramifications of unauthorized access to data, it is concerning that most enterprises are still only using user names and passwords for logical access control. A specific user name and password is created for each user, and for each application that he or she requires access to. This creates two major problems. First, user names and passwords are the lowest form of authentication that exists. They are easily compromised -- often written down and easy to share with others -- and therefore do not provide the high level of assurance necessary to protect critical data. Second, passwords are a headache for both users and IT staff. Employees have so many passwords that they invariably forget them and have to call the help desk to either recover or reset them. This drains valuable IT time and resources, resulting in lost productivity and higher support costs for the organization.
HOW MUCH DOES IT COST?
The pricing of corporate ID cards depends on the complexity of the environments they are deployed in. US$80 per user is a reasonable estimate for introducing smart cards for network security. This includes the cost of cards, readers and software (middleware) for the client PC.
The cryptographic contact smart cards (64KB) cost around US$10 each depending on volume. Add another US$5-7 for the physical access chip to the card price, resulting in approximately US$16 per card. The middleware ranges from US$10-US$20 per seat depending on features and volume discount.
The PC card reader pricing depends on whether a USB (approximately US$20) or PCMCIA (approximately US$50) interface is used. Add to all this the integration, deployment and testing, and the price tag could easily go beyond US$80 per user.
In addition to the network access infrastructure, door readers also need to be deployed or upgraded. The cost of such deployment ranges from US$2500 - US$5000 per door, depending on location, wiring and construction required. When upgrading the door readers.
Ease of use is another compelling argument for combining physical and logical access on a single platform. Users will not have to carry multiple credentials and they will not have to remember multiple passwords or PINs to access applications and data. Instead, they will have one smart card that they can use for everything. Smart card-based physical and logical access control provides a superior foundation for secure identity management. Enterprises can protect their assets and employees’ personal information, while addressing regulatory requirements and reducing potential liability. As it stands today, smart cards are the most viable way to bring security out to the edge of the enterprise.
PUBLIC KEY AUTHENTICATION
Public key authentication is much more powerful than simple passwords. In a public key system, each user has two keys: a private key and a public key. Only the user knows the private key, and the public key is available to anyone (e.g., a Web site) that wishes to do business with the user. The user prepares “digitally signed” messages with his private key and the Web site checks the validity of these signatures with the user’s public key. In this manner the Web site can check that the signature was produced by the user, yet the Web site does not have the private key that was used to generate the signature. This is very different from password systems, where both the user and the Web site have the password. In a public key system, the user can and must keep the private key secret -- no one else knows the value of the private key, yet any merchant or partner can check the validity of a digital signature by knowing the user’s public key.
TWO BENEFITS OF PUBLIC KEY SYSTEMS
First, there is no secret information at the Web server, so the user is not required to trust the server’s administrator. A user can use the same private/public key pair for all of her e-commerce, since the private key is always a secret no matter how many partners know the public key.
Second, only the user knows the private key. This allows the merchant or business partner to use the digital signature in a court of law to prove that the user and only the user could have generated the digital signature. This feature is called non-repudiation: the signer cannot repudiate the message he signed. In this manner the digital signature plays a similar role to the hand written signature on a contract -- it provides a mechanism for the user to commit, which is an absolute necessity for e-commerce.
Because the smart card carries your private key, if someone steals your smart card they essentially steal your electronic identity.
Most smart card systems solve this problem by requiring a personal identification number, PIN, to activate the smart card: a thief must steal your smart card and PIN in order to impersonate you. Designing a secure access system includes considerations beyond the choice of credential and reader. Appropriate system design requires a full definition of system requirements, including required functionality and security policy, and must take into account factors such as cost, requirements to integrate with and migrate from legacy systems, and the effect of implementation on the users and the organization.
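The exchange described in the preceding sections, as an added example that is not part of the original article or any vendor's product code: the card holds the private key and signs a server-chosen challenge only after the correct PIN is presented, while the server stores nothing but public keys. ECDSA over P-256 from the Go standard library stands in for whatever algorithm a given card supports; the PIN, the three-try retry counter and the user name are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Card models the smart card: the private key never leaves it, and it
// signs only after the PIN has been presented. Retry limit is a constructed
// value; real cards enforce this counter in hardware.
type Card struct {
	priv      *ecdsa.PrivateKey
	pinHash   [32]byte
	unlocked  bool
	triesLeft int
}

func NewCard(pin string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, pinHash: sha256.Sum256([]byte(pin)), triesLeft: 3}, nil
}

// Public is the only key material the card ever exports.
func (c *Card) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Unlock compares the PIN in constant time; each failure consumes a try and
// a card with no tries left stays blocked even for the correct PIN.
func (c *Card) Unlock(pin string) bool {
	if c.triesLeft == 0 {
		return false
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], c.pinHash[:]) == 1 {
		c.unlocked, c.triesLeft = true, 3
		return true
	}
	c.triesLeft--
	return false
}

// Sign signs the server's challenge with the on-card private key.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("card locked: PIN required")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Server holds public keys only: a compromised server leaks no secret that
// would let an attacker impersonate a user.
type Server struct{ users map[string]*ecdsa.PublicKey }

func NewServer() *Server { return &Server{users: map[string]*ecdsa.PublicKey{}} }

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.users[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Authenticate runs one full PIN -> challenge -> signature -> verify round.
func Authenticate(s *Server, user string, card *Card, pin string) (bool, error) {
	if !card.Unlock(pin) {
		return false, errors.New("wrong PIN or card blocked")
	}
	challenge, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := card.Sign(challenge)
	if err != nil {
		return false, err
	}
	return s.Verify(user, challenge, sig), nil
}

func main() {
	card, _ := NewCard("1234")
	srv := NewServer()
	srv.Enroll("alice", card.Public())
	ok, err := Authenticate(srv, "alice", card, "1234")
	fmt.Println("correct PIN:", ok, err)
	ok, err = Authenticate(srv, "alice", card, "0000")
	fmt.Println("wrong PIN:  ", ok, err)
}
```

The design point the article makes shows up directly in the types: the `Server` struct contains no private material, so the two properties listed above (no trust in the server administrator, and non-repudiation because only the card could have produced the signature) follow from what each party holds rather than from policy.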
AWAKENING THE INDUSTRY
In recent years, the security industry has begun to awaken to the problem of uncoordinated physical and IT security. Consultants are studying the problematic connection between physical and logical security, with IT security people and physical security people pursuing different goals.
Individual companies have taken up the cause. Athena Smartcard Solutions, for example, succeeded in linking physical and IT security with ASECard Unified Badge, a card that combines the ASECard Crypto CPU contact chip with an embedded ISO 14443 (Type A, B or C) contactless chip and a magnetic stripe.
SECURE PHYSICAL AND LOGICAL ACCESS
The choice of an access credential must address the concerns of a variety of functional areas in an organization. Executive management needs to secure both physical and logical access.
Badges for employees can support a range of security profiles depending on the level of access required by the employee. For example, some badges may provide only limited facility and network access, while other badges provide special access to restricted areas and use contactless or contact smart card chips to support biometric templates that authenticate the user to the card, and secure challenge-response algorithms that authenticate the card and reader to each other. Linking the physical access and IT databases provides the potential for suspicious activities to be identified immediately. For example, if a computer is accessed by an employee who has left the building, the IT department can be notified immediately and investigate the activity. Similarly, security can be notified if a computer in a restricted area is accessed by an employee who is not authorized to be in that area. Joint communication between the physical and logical access systems enables companies to protect confidential data and identify security issues. Access control systems must address employer and employee needs and meet legal requirements.
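The two detections just described (a logon by someone who has badged out, and a logon in a zone the employee is not cleared for), as an added example rather than anything from the article or a particular access control product. The event structures, user names, zones and timestamps are constructed; a real deployment would parse them from the physical access system's and the IT system's own logs.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// BadgeEvent is one record from the physical access system (constructed format).
type BadgeEvent struct {
	User string
	At   time.Time
	Dir  string // "in" or "out"
}

// LogonEvent is one record from the IT system (constructed format).
type LogonEvent struct {
	User        string
	At          time.Time
	Workstation string
	Zone        string // area in which the workstation is installed
}

type Alert struct {
	User, Reason string
	At           time.Time
}

// presentAt reports whether the user's most recent badge event at or before t
// was an entry. Badges must be sorted by time; a user with no badge history
// is treated as not present.
func presentAt(badges []BadgeEvent, user string, t time.Time) bool {
	present := false
	for _, b := range badges {
		if b.User != user || b.At.After(t) {
			continue
		}
		present = b.Dir == "in"
	}
	return present
}

// Correlate joins the two streams and raises an alert for a logon by someone
// not badged into the building, or on a workstation in a zone the user is not
// authorized to enter. zoneAuth maps user -> zones the user may enter.
func Correlate(badges []BadgeEvent, logons []LogonEvent, zoneAuth map[string]map[string]bool) []Alert {
	sorted := append([]BadgeEvent(nil), badges...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })
	var alerts []Alert
	for _, l := range logons {
		if !presentAt(sorted, l.User, l.At) {
			alerts = append(alerts, Alert{l.User, "logon on " + l.Workstation + " while not badged into building", l.At})
		}
		// indexing a nil inner map yields false, so unknown users fail closed
		if l.Zone != "" && !zoneAuth[l.User][l.Zone] {
			alerts = append(alerts, Alert{l.User, "logon on " + l.Workstation + " in unauthorized zone " + l.Zone, l.At})
		}
	}
	return alerts
}

// SampleAlerts runs the correlation over a constructed day of events.
func SampleAlerts() []Alert {
	day := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)
	at := func(h, m int) time.Time { return day.Add(time.Duration(h)*time.Hour + time.Duration(m)*time.Minute) }
	badges := []BadgeEvent{
		{"alice", at(8, 55), "in"},
		{"bob", at(9, 2), "in"},
		{"carol", at(9, 10), "in"},
		{"alice", at(12, 30), "out"},
	}
	logons := []LogonEvent{
		{"alice", at(9, 5), "WS-101", "office"},   // normal
		{"alice", at(13, 15), "WS-101", "office"}, // alice badged out at 12:30
		{"bob", at(9, 20), "WS-LAB-7", "lab"},     // bob is not cleared for the lab
		{"carol", at(9, 30), "WS-LAB-7", "lab"},   // carol is cleared
		{"dave", at(10, 0), "WS-202", "office"},   // no badge record at all
	}
	zoneAuth := map[string]map[string]bool{
		"alice": {"office": true},
		"bob":   {"office": true},
		"carol": {"office": true, "lab": true},
		"dave":  {"office": true},
	}
	return Correlate(badges, logons, zoneAuth)
}

func main() {
	for _, a := range SampleAlerts() {
		fmt.Printf("%s %-6s %s\n", a.At.Format("15:04"), a.User, a.Reason)
	}
}
```

Over the sample data this yields three alerts: alice's afternoon logon after badging out, bob's logon in the lab, and dave's logon with no badge record. Clock skew between the two systems and multi-occupant entries (one badge, several people) are the usual sources of false positives in this kind of correlation, so production rules normally add a tolerance window rather than comparing timestamps exactly as done here.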
ONE BADGE DOES IT ALL
An organization may want to use a single process to manage an employee’s authorizations, accesses, and privileges. Linking the CMS, IT, and physical access databases means that an employee can make one trip to one department to receive a badge containing all required information. The CMS database may indicate what access privileges need to be assigned. The IT software can check the CMS database and assign the required passwords and certificates. A digital photo can be taken. With this information, a blank card can then be inserted into the badge printer, all required information can be downloaded onto the card, and the card can be initialized and printed. The employee receives the badge within minutes and starts working with it immediately.
Security concerns, cost control objectives, corporate efficiencies, and advances in security technology have all been significant factors in the integration of logical and physical access systems. The synergies and benefits of creating such a union are great.
Clearly, smart cards are the right choice to bring about the convergence for access to buildings, networks and PCs. They provide the versatility and security needed for large enterprises. Successful deployment requires extensive planning combined with senior corporate sponsorship and buy-in from executive management.
Securing access to confidential data and information is a continuing challenge for most organizations. Both private enterprises and government agencies are increasingly implementing smart card-based access control systems. A smart card-based system provides benefits throughout an organization, improving security and user convenience, while lowering overall management and administration costs. Smart card technology provides a flexible, cost-effective platform not only for physical access control, but also for new applications and processes that can benefit the entire organization.