Ever told a colleague your security password?  We’re all guilty of it.  Chances are that if you’re like much of the population, you probably don’t take security seriously enough.  You may even work in the security industry but there’s still a good chance that you’re a little relaxed about your approach to passwords.  Surveys show that more than a third of us choose passwords based on the names of our pets, partners and family, date of birth or favorite football teams.  Unsurprisingly, it doesn’t take a genius to work out what our passwords might be.  And, of course, some of us make finding out our password even easier.  How many offices have you worked in where ‘secure’ network passwords were written on bits of paper stuck to the computer screen?

This may seem relatively minor to those of us guilty of such misdemeanors, but the issue has grown in importance as macro-environmental issues such as terrorism and company infiltration put pressure on organizations to safeguard their IT systems.  They need to secure the e-business flow, ensuring that data, networks and applications are protected, and that each individual’s access to the network and the facilities is verified and authorized.  Hence, what used to be an issue for IT departments has now become something that is decided at a high management level, because a vulnerable enterprise network is also an acute business risk.

STANDARD PASSWORDS NOT GOOD ENOUGH

Standard password-based systems continually prove to be an inadequate approach to tackle enterprise security problems.  Not only can a password be easily guessed by the internal hacker, as they normally are only between four and eight digits long, but they can also be easily cracked by using a simple software program widely available on the Internet.  The fact is that any half decent cracker will figure out your network or web-application password in a matter of minutes.

In addition to high security risks, password management tends to be an expensive affair.  Gartner Group, an IT research company, has shown that 20 - 50% of calls to a company’s helpdesk are related to password resets.  Couple this with figures from Forrester research, stating that each call for a single password reset clocks in at about US$70, and before you know it a sizable chunk of your IT security budget is wasted.

Thus as compromising on security is no longer an option, most businesses are starting to grasp the inherent risks and costs and take appropriate actions.  As a result alternative technologies have surfaced to help us make the workplace more secure and convenient.

A SMARTER APPROACH TO SECURITY

In recent years the smart card has emerged as the security device of choice for strong authentication and management of passwords in the workplace.  By now, the smart card format is familiar to most people.  In the course of our daily lives, we encounter smart card technology to one degree or another -- GSM mobile subscriptions, credit cards with chip ‘n’ pin, Pay TV subscriptions and more.  Within a corporation, the smart card acts a tamper proof and highly versatile miniature computer with the core function of protecting company resources from unlawful access.

Smart cards are used as part of an identity management solution for the storage and processing of user credentials and authentication to secure networks, applications, Web servers, email communications, Internet transactions, and more.  They combine the privacy, integrity and authentication functionalities provided by cryptographic algorithms with the simplicity, portability and convenience of the ‘card’ form-factor.  Private keys, digital certificates and all sorts of personal information can be securely stored, thus preventing fraudulent use of the user’s electronic identity.

DOUBLE AUTHENTICATION

The key strength of smart cards lies in the ability to add an extra layer of authentication by combining the knowledge of a PIN with the possession of a card.  Today people are all more or less used to the idea of a PIN (Personal Identity Number), which we enter when turning on our mobile phone and using an ATM card.  We are also more capable of remembering a 4-digit number than a complicated string of characters defined by our IT departments.  Smart cards allow us to maintain the user-friendliness of basic PIN codes while still doubling the security.  When logging on the network, the employee is asked to insert their card into a reader (inbuilt or as an accessory) and then enter a PIN.  This way, they are authenticated by something they have, i.e. the card, and something they know, i.e. the PIN.  Both must be matched accurately before access to the corporate network is granted.  The card can also act as a ‘password wallet’ eliminating the need for employees to remember several passwords to multiple applications, as all of those can be accessed and managed with just one PIN protected card. 

Finally, the card automatically locks the work station when removed from the reader, which heavily reduces the risk of someone else gaining access in your absence.

HOST MULTIPLE FUNCTIONS

Many smart card-based solutions have two main functions: physical access to buildings and departments therein, and also logical access to the network.  This is why a large number of corporations are using smart card technology for enterprise security.  But beyond these traditional authentication and access control functions, it is easy to deploy further applications and value added services once that smart card infrastructure is already in place.  Such features include encryption of e-mail, digital signing of documents and web forms, attendance management, e-purse, etc.

For example, at Gemplus, they use their own technology to enter the building, to restrict access where necessary, to log on to the network and encrypt emails, but it doesn’t stop there.  They can use the very same cards in their canteen and in vending machines in order to buy lunch, coffee, etc.  They were even given a euro each, already credited onto their badges, when the system came into play, by way of introduction to the new services available.

The beauty of this approach is that there is something in it for everyone: the cardholder gets access to discounted corporate facilities, while the company has a more secure access system backed up by an audit trail of who has entered the various areas of the enterprise.

A SOUND DECISION

Interest in smart cards for enterprise-wide security is growing for a number of reasons.  On the technology front, the development of multi-application cards delivered via both contact and contactless interfaces enables businesses to use the technology throughout the enterprise for a host of applications.  Furthermore, smart cards have experienced a large boost in awareness in the corporate enterprise community in the last few years.  A recent Frost & Sullivan report showed 100% awareness among those interviewed, an extraordinary figure considering that only a few years ago most companies had never heard of smart cards.

Growing interest in the use of digital certificates on smart cards is also helping fuel demand as it allows portability of private keys rather than locking them onto a workstation, thus making PKI (Public Key Infrastructure) technology more practical.  As digital technology develops, companies of all sizes have growing requirements for secure digital communications, remote access and encryption.  By adding strong levels of authentication, more organizations can enjoy the financial benefits of operating so- called ‘hot desk’ environments, where workstations are securely and privately shared between many employees.

Many of the obstacles that were previously slowing adoption of smart cards have been removed.  One good example of this is the reader infrastructure which has become easier to deploy thanks to standardization of reader drivers in Microsoft operating systems and widespread integration of smart card interfaces into desktop PC keyboards and notebooks.  Furthermore, integration of smart cards in Microsoft environments has been simplified due to increased support in Windows 2000 & XP clients and Windows 2003 server and PKI technologies.  Thus, instead of being costly and difficult to implement, smart card technology is now emerging as a major force in the corporate community.

As a result, smart employee cards have become a household staple among large enterprises, which are recognizing the many benefits enabled by the technology.  World leading companies including Barclays, Boeing, IBM, Microsoft, Pfizer, Sun Microsystems, and many more, all operate a smart card-based identity management system for secure employee access to networks and facilities.

While the security advantages of smart card technology are impossible to argue, the smart card is also unique as an identity device in the sense that one can update information on the card after it has been issued, a.k.a. ‘post-issuance’.  By utilizing open Java Card technology, the issuer can add, update or remove employee applications and data on the over time, hence controlling and extending the card’s life-cycle.  This enables huge advantages for the issuing enterprise, who can easily introduce new technology and functions to its employees without having to replace their cards.  Needless to say the smart employee card is here to stay, and the sooner corporations learn this, the better its management will sleep at night.

Carl Norell is Marketing Communications Manager ID & Security of Gemplus (www.gemplus.com).

For more information, please send your e-mails to swm@infothe.com.

ⓒ2007 www.SecurityWorldMag.com. All rights reserved.