| By Dr. Michael Gollner
|
|
Friend or Foe? This is what IT managers and security services ask themselves nowadays if somebody ¡¯from the outside¡¯ wants to physically or virtually access the company.
|
Friend or Foe? This is what IT managers and security services ask themselves nowadays if somebody ¡®from the outside¡¯ wants to physically or virtually access the company. Is he or she an authorized employee, to which areas and systems might he or she be allowed to get access, and how can his or her identity be positively identified? In the age of companies with subsidiaries all around the globe and with online visitors whose origin cannot be clearly located in the digital net, these questions form a substantial part of an overarching corporate security concept. Fortunately, new technologies for the encryption and safe transmission of data as well as for clear identification provide highly secure solutions that are not only financially feasible, but also easy to realize and easy for the company and staff to use.
EFFECTIVE SYSTEMS FOR CLASSICAL SECURITY NEEDS
The corporate ID cards commonly used today perform important traditional security functions. They can be used to control access to buildings and secure areas as well as for time and attendance registration. They also find widespread application as electronic purses for paying in the cafeteria or buying items from vending machines. Bearing the holder¡¯s photo and name, they function as corporate ID badges. These capabilities have made the cards suitable for managing current security requirements in organisations.
NO MORE CONVENTIONAL SYSTEM
The on-going development is marked in particular by the increasing importance of teleworking and the rising number of mobile employees. Implicit in the growing flexibility of working practices is an expanding demand for focused, co-ordinated security management systems. These are systems that are versatile enough to adapt to changing infrastructures and processes within an enterprise and, at the same time, ensure comprehensive, easily monitored security in all parts of the organisation -- covering traditional areas as well as the new IT systems. The consistent integration of these IT structures has resulted in increased security requirements that can no longer be met by conventional systems.
DIVERSE LEVELS OF SECURITY FOR DIFFERENT REQUIREMENTS
In most cases today, identity checks based on passwords no longer guarantee sufficient security for company premises and networks. Passwords on their own are error-prone, often forgotten and can relatively easily be spied on. Therefore, the ¡®factor¡¯ PIN (knowledge) today is often completed by a secure token, for instance, a smart card (possession factor). Only a person in the possession of both, the token and the PIN, can gain access to the premises and to the company¡¯s IT-systems. For highly secure demands, such as the access to areas deserving to be specifically protected, additional biometric identification methods are used more and more, e.g. via fingerprint sensors.
EASE OF USE IS THE KEY FOR SUCCESS
The scenario is quite simple: One smart card only or a token based on smart card technology, a single password or a PIN and the finger that is always with you--that¡¯s what is needed to access the company premises, to log onto the IT network and systems, to legally sign emails, to pay in the cafeteria, to clock in and out, to make travel expense reports and much more of which forms everyday life in a company. Technologies such as smart card-based encryption, single sign-on solutions and digital signature processes allow for this scenario in a secure way.
In combination with contactless data transfer, the employee just passes a token or a smart card over a contactless reader to quickly authenticate him or herself. Below the line, a combination of multiple, complex applications (access control, IT system access, payment functionality, etc.) at the end results in a solution that is very easy to use for each employee.
SPECIFIC DEMANDS ON SECURITY SYSTEMS
Companies using new applications find themselves faced with a wide range of requirements:
-
Single sign-on: Users are authenticated once and can then access several different applications.
-
Positive network user authentication and centralised user management
-
Fast, secure transfer of data and digital documents
-
Digital signatures replacing handwritten signatures
-
Remote access to the corporate network via secure communication channels
-
Secure filing of digital documents
|
ID with a Brain
Employees at E.ON Energie use a card that does everything.
|
|
|
|
|
E.ON Energie, a Munich-based energy provider (Photo by Giesecke & Devrient (GmbH) |
The example of the Munich-based group E.ON Energie shows how secure and, at the same time, easy it can be to implement a company ID solution. E.ON Energie uses an access control system based on smart cards from international technology group Giesecke & Devrient (G&D). With the cards, the employees of E.ON can access not only the company premises, but also clock in and out and authenticate themselves against the company IT network.
More than 36,000 employees of the energy provider were equipped with new staff ID cards on the basis of security technology from G&D. The company has thus opted for a ¡®knowledge and possession¡¯ security strategy. To obtain authorization to access company data, an employee is not only required to remember a password or PIN, but she or he must also be in possession of the chip card that goes with it. This process is already used for bank cards with secret numbers; the next step in a process can only be taken if the card and the number correspond. In other words, both a physical and a non-physical element are required to pass through the security barrier.
The cards don¡¯t just serve as a means of payment in the cafeteria; they also identify staff on the E.ON Energie premises and within the IT infrastructure of the company. A chip card allows staff to log onto the computer, gain secure access to their personal data in the company intranet, and encrypt their e-mail messages. The new staff ID card will be issued in the form of a chip card. The first card was issued to staff starting in the summer of 2002. At the same time, the IT systems for the planned PKI applications were made ready. In November 2004, the starting gun went off for real operation and since then the personal PKI certificate contained on the staff ID card has been in active use. It wasn¡¯t until after this point that encryption and signature functions as well as access to E.ON Energie¡¯s SAP portals became possible. One of the first applications is the management of the staff master data in the ¡®my HR¡¯ portal. Here, staff can directly change their master data such as address or bank information. This is also where vacation and travel requests, registrations for the seminars of the group¡¯s catalog, and travel expenses are captured online and automatically forwarded to the person responsible for processing. Since employees always have their cards with them and can only gain access to the E.ON Energie network via their cards, unauthorized access is impossible if, for instance, they leave their work stations.
But the card is ideally equipped for more than IT applications. The traditional functions of a staff ID card, e.g., time and attendance, access monitoring and payments in the cafeteria, are all provided via contactless data exchange (RFID) between the card and the reader. ¡°The staff ID card is a multi-functional key. With it, we not only increase security in the company, but also offer flexibility and comfort for the staff,¡± points out Hans-Ulrich Fink, head of the HR/IT/Controlling division at E.ON Energie. It isn¡¯t just the 36,000 employees in Germany that use the ID card. Guests and staff from other companies receive visitor¡¯s cards. In the future, more than 10,000 employees at E.ON Energie¡¯s international subsidiaries are to be issued ID cards. In the lead-up to the project, E.ON Energie checked all the available technologies in terms of their requirements as well as in terms of high user acceptance and then opted for the StarSign product family from G&D. The reduction of IT administration costs and rapid amortization were the major deciding factors. G&D¡¯s solution is an open platform, which enables E.ON Energie to easily integrate further applications for the staff ID card. To ensure the sustainability of the solution, E.ON Energie signed a maintenance contract with G&D. This contract includes regular software upgrades and access to a hotline by mail, fax, or phone. Dr. Kai Pfitzner, CIO of E.ON Energie, emphasizes, ¡°The protection of the employee¡¯s personal data is the highest priority at the company. Through the use of chip card technology from G&D, this objective can be reached.¡±
|
Dr. Michael Gollner is Head of StarSign Product Marketing at Giesecke & Devrient GmbH (www.gi-de.com).
For more information, please send your e-mails to swm@infothe.com.
¨Ï2007 www.SecurityWorldMag.com. All rights reserved.
|
