Technology News  |   Industry News  |   Product News  |   Business News  |   Event News  |
  CCTV Surveillance  |   Access Control  |   Biometric ID  |   Alarm & Detection  |   Security Parts & Devices  |   Integration & Convergence  |
  Corporate & Office  |   Education & Institutional  |   Financial  |   Game & Casino  |   Government & Public  |   Homeland Security  |   Hospital & Entertainment  |   IT Asset & Technology  |
  CCTV Surveillance  |   Access Control  |   Biometric ID  |   Alarm & Detection  |   Security Parts & Devices  |   Integration & Convergence  |
  CCTV Surveillance  |   Access Control  |   Biometric ID  |   Alarm & Detection  |   Security Parts & Devices  |   Integration & Convergence  |   Consulting & Services  |
  Edit Member Profile  |  Edit Company Profile  |  Change Password  |  My Resources Profiles  
  2009 MAR Issue   |   What is Digital Magazine?  |  How to use  |  Archives  |    
 
  SecurityWorldMag.com

SecurityWorld Online Magazine

CCTV Surveillance

Access Control

Biometric ID

Alarm & Detection

Security Parts & Devices

Integration & Convergence

Access Control

Smart Card: On to a Single Card

Unifying Physical & Logical Access Control

Significant activities are underway in both government and industry to implement new access control systems that verify a person? identity and privileges before granting the person physical access (to a building or place) or logical access (to information or other online resources). Key requirements for these systems include more secure access control, improved user convenience, simpler identity verification processes, and lower overall management and administration costs. The convergence of government and commercial needs and the availability of secure, standards-based smart card solutions are driving the implementation of smart card-based access control systems. Smart card technology enables access control systems to implement more secure identity verification for both physical and logical access and provides a technology platform for adding new applications that further enhance user convenience and simplify business processes.

By Jochi Fuchs

 

 

STRONGER AUTHENTICATION

 

Increased security risks, combined with the weakness and inefficiency of the user name and password model, are now driving the need for smart card-based logical access control.

Smart cards store large amounts of data, carry out on-card functions such as encryption and digital signatures, and interact intelligently with a smart card reader.

Smart cards provide a proven cost-effective solution.  Further, they can be integrated with competing technologies to derive maximum benefit as they are highly flexible and can be easily modified and upgraded to complement other systems.

 

TWO FACTOR AUTHENTICATION

 

Already widely implemented, smart cards provide higher assurance via two-factor authentication it requires something the user knows (a password) and something the user has (the smart card).  Smart cards also provide stronger authentication by virtue of being based on Public Key Infrastructure (PKI).  PKI is the architecture of trust that supports a certificate-based public key cryptographic system.  PKI uses a combination of public and private keys to authenticate identity, and includes digital certificates, a certificate issuance authority and a registration authority.

 

Combining Physical & Logical Access

With card-based physical access already in place at many enterprises, the next logical step is to afford the same level of protection for information assets.  Physical access control provides a first line of defense, but a multi-layered approach is required for truly proactive security.  As such, there is a compelling argument to implement smart cards for logical access.  In fact, businesses stand to realize the most benefits in cost savings, ease of use and increased security by combining physical and logical access control onto one platform.  Instead of adding technological and management complexities by having separate access control systems for physical facilities and electronic data, it makes the most sense to combine the two for higher assurance, cost savings, efficiency and ease of use.

Since more than one access application can be carried on a single smart card, employees can use one card to access physical and logical resources without carrying multiple credentials.  From the doorways to the desktops, one convenient solution provides the secure identity management, strong authentication and access control necessary to safeguard both physical and intellectual assets.

Combining physical and logical access builds an infrastructure of increased trust.  Deploying smart cards to employees, partners and other key individuals is a proactive enterprise approach to higher assurance.

 

Reinforced Security at Lower Cost

Smart cards provide significant ROI in terms of both cost savings and increased security, supporting system components can be networked, allowing separate functional areas in an organization to exchange and coordinate information automatically and in real time around the world.  For organizations that already have smart card-based physical access in place, they can simply expand card use to protect network resources and benefit from an easily scalable solution.  Legacy systems, including physical access system components, can be leveraged for investment protection while providing increased security for logical access.  Enterprises can also reduce their IT support costs with the implementation of smart cards.  Although the perceived low cost of user names and passwords has contributed to their popularity, the real expense occurs on the back end with support and password management costs.

Considering the ramifications of unauthorized access to data, it is concerning that most enterprises are still only using user names and passwords for logical access control.  A specific user name and password is created for each user, and for each application that he or she requires access to.  This creates two major problems.  First, user names and passwords are the lowest form of authentication that exists.  They are easily compromised often written down and easy to share with others -- and therefore do not provide the high level of assurance necessary to protect critical data.  Secondly, passwords are a headache for both users and IT staff.  Employees have so many passwords that they invariably forget them and have to call the help desk to either remember or reset them.  This drains valuable IT time and resources, resulting in lost productivity and higher support costs for the organization.

 

HOW MUCH DOES IT COST?

 

The pricing of corporate ID cards depends on the complexity of the environments they are deployed in. US$80 per user is a reasonable estimate for introducing smart cards for network security.  This includes the cost of cards, readers and software (middleware) for the client PC.

The cryptographic contact smart cards (64KB) cost around US$10 each depending on volume.  Add another US$5-7 for the physical access chip to the card price, resulting US$16 per card.  The middleware ranges from US$10-US$20 per seat depending on features and volume discount.

The PC card reader pricing depends on whether USB (US$20) or PCMCIA (US$50) interface is used.  Add to all this the integration, deployment and testing, the price tag could easily go beyond US$80 per user.

In addition to the network access infrastructure, door readers also need to be deployed or upgraded. The cost of such deployment ranges from US$2500 - US$5000 per door, depending on location, wiring and construction required.  When upgrading the door readers.

Ease of use is another compelling argument for combining physical and logical access on a single platform.  Users will not have to carry multiple credentials and they will not have to remember multiple passwords or PINs to access applications and data.  Instead, they will have one smart card that they can use for everything.  Smart card-based physical and logical access control provides a superior foundation for secure identity management.  Enterprises can protect their assets and employees personal information, while addressing regulatory requirements and reducing potential liability.  As it stands today, smart cards are the most viable way to bring security out to the edge of the enterprise.

 

PUBLIC KEY AUTHENTICATION

 

Public key authentication is much more powerful than simple passwords.  In a public key system, each user has two keys: a private key and a public key.  Only the user knows the private key, and the public key is available to anyone (e.g., a Web site) that wishes to do business with the user.  The user prepares Digitally signed messages with his private key and the Web site checks the validity of these signatures with the users public key.  In this manner the Web site can check that the signature was produced by the user, yet the Web site does not have the private key that was used to generate the signature.  This is very different from password systems where both the user and the Web site have the password.  In a public key system, the user can and must keep the private key secret -- no one else knows the value of the private key, yet any merchant or partner can check the validity of digital signature by knowing the users public key.

 

TWO BENEFITS OF PUBLIC KEY SYSTEMS

 

First there is no secret information at the Web server, so the user is not required to trust the servers administrator.  A user can use the same private/public key pair for all of her e-commerce, since the private key is always a secret no matter how many partners know the public key.

Second, only the user knows the private key.  This allows the merchant or business partner to use the digital signature in a court of law to prove that the user and only the user could have generated the digital signature.  This feature is called non-repudiation: the signer cannot repudiate the message he signed.  In this manner the digital signature plays a similar role to the hand written signature on a contract -- it provides a mechanism for the user to commit, which is an absolute necessity for e-commerce.

Because the smart card carries your private key, if someone steals your smart card they essentially steal your electronic identity. 

Most smart card systems solve this problem by requiring a personal identification number, PIN, to activate the smart card: a thief must steal your smart card and PIN in order to impersonate you.  Designing a secure access system includes considerations beyond the choice of credential and reader.  Appropriate system design requires a full definition of system requirements, including required functionality and security policy, and must take into account factors such as cost, requirements to integrate with and migrate from legacy systems, and the effect of implementation on the users and the organization.

 

AWAKENING THE INDUSTRY

 

In recent years, the security industry has begun to awaken to the problem of uncoordinated physical and IT security.  Consultants are studying the problematic connection between physical and logical security.  IT security people and physical security people pursuing different goals.

Individual companies have taken up the cause.  Athena Smartcard Solutions, for example, succeeded to link physical and IT security with ASECard Unified Badge, a card that combines the ASECard Crypto CPU contact chip with a ISO 14443 (Type A, B or C) contactless chip embedded an a magnetic stripe.

 

SECURE PHYSICAL AND LOGICAL ACCESS

 

The choice of an access credential must address the concerns of a variety of functional areas in an organization.  Executive management needs to secure both physical and logical access.

Badges for employees can support a range of security profiles depending on the level of access required by the employee.  For example, some badges may provide only limited facility and network access while other badges provide special access to restricted areas and use contactless or contact smart card chips to support: biometric templates that authenticate the user to the card; secure challenge-response algorithms that authenticate the card and reader to each other.  Linking the physical access and IT databases provides the potential for suspicious activities to be identified immediately.  For example, if a computer is accessed by an employee who has left the building, the IT department can be notified immediately and investigate the activity.  Similarly, security can be notified if a computer in a restricted area is accessed by an employee who is not authorized to be in that area.  Joint communication between the physical and logical access systems enables companies to protect confidential data and identify security issues.  Access control systems must address employer and employee needs and meet legal requirements. 

 

ONE BADGE DOES IT ALL

 

An organization may want to use a single process to manage an employees authorizations, accesses, and privileges.  Linking the CMS, IT, and physical access databases means that an employee can make one trip to one department to receive a badge containing all required information.  The CMS database may indicate what access privileges need to be assigned.  The IT software can check the CMS database and assign the required passwords and certificates.  A digital photo can be taken.  With this information, a blank card can then be inserted into the badge printer, all required information can be downloaded onto the card, and the card can be initialized and printed.  The employee receives the badge within minutes and starts working with it immediately.

Security concerns, cost control objectives, corporate efficiencies, and advances in security technology have all been significant factors in the integration of logical and physical access systems.  The synergies and benefits of creating such a union are great.

Clearly, smart cards are the right choice to bring about the convergence for access to buildings, networks and PCs.  They provide the versatility and security needed for large enterprises.  Successful deployment requires extensive planning combined with senior corporate sponsorship and buy-in from executive management.

Securing access to confidential data and information is a continuing challenge for most organizations.  Both private enterprises and government agencies are increasingly implementing smart card-based access control systems.  A smart card-based system provides benefits throughout an organization, improving security and user convenience, while lowering overall management and administration costs.  Smart card technology provides a flexible, cost-effective platform not only for physical access control, but also for new applications and processes that can benefit the entire organization.

 

Jochi Fuchs is Director of Business Development and Partner, Athena Smartcard Solutions  (www.athena-scs.com).

 

For more information, please send your e-mails to swm@infothe.com.

2007 www.SecurityWorldMag.com. All rights reserved.

 

 

 

 
 

     Starting Point for Enterprise Identity Device Deployment

     Audi Gets Smart in ID Security



125Khz EM4102, ...
RFID Tags with ...
Conactless Card...
Home l New Product Showcase l Gold Suppliers l Trade Shows l email Newsletter l About SWM l Help l Site Map l Partnerships l Privacy Policy | Newsletter
Publisher: Choi Jung-sik | Edited by: Lee Sang-yul | Youth Protection Officer: Lee Sang-yul
Copyright Notice 2004-2007 www.SecurityWorldMag.com Corporation and its licensors. All rights reserved.