
Low Draw for Smart Cards

Cost and interoperability problems are slowing companies' adoption of smart card technology.

By Jaikumar Vijayan
February 9, 2004 12:00 PM ET

Computerworld - Employees at Post & Schell PC, a law firm in Philadelphia, need smart cards to do just about everything, from entering company facilities and using elevators to securing two-factor authentication so they can access IT applications. The firm recently started using smart cards as part of a move to bolster network and physical defenses when it relocated to a new facility.
"The big ROI we are providing our firm, our attorneys and our clients is greater security," says Lou Mazzio, Post & Schell's chief technology officer.
Like Mazzio, other users who have deployed smart cards say that the technology helps improve security, reduce password administration and support costs, and enable single sign-on to multiple applications.
But the upfront cost of a smart card infrastructure, as well as interoperability problems and the hassles involved in integrating the technology with existing infrastructures, has resulted in far slower deployment of the technology in corporate America than many had once predicted.
"The corporate market has been a tough nut to crack," says Thierry Burgess, executive vice president of sales at Oberthur Card Systems USA, the U.S. arm of one of the largest smart card vendors in the world.
Like public-key infrastructure (PKI), smart card technology is taking many years to gain widespread acceptance in private commercial enterprises, says Trent Henry, an analyst at Burton Group in Midvale, Utah. But expect to see greater adoption over the next few years, he adds.
Smart cards allow companies to store passwords, personal identification numbers and other digital credentials that let users log onto corporate networks or access facilities such as buildings and parking lots.
In Post & Schell's case, user authentication information is stored on smart cards for network access using RSA Security Inc.'s Smart Badging system. Bedford, Mass.-based RSA is also helping the firm embed user credential information on the same cards. That information is needed for physical access to Post & Schell facilities.
More Features, More Savings
The two-factor authentication enabled by such cards allows for better network and physical security, says Charles Fletcher, CIO and provost at Delaware State University in Dover. Smart cards can also help reduce some of the traditional costs associated with password resets and management because the passwords are embedded directly on the cards, he says.
Generally, the cost benefits increase as more access functions are integrated on a card, Fletcher says.
Students and employees at the university have been using smart cards since last summer to log into Windows and Web-based applications, access dorm rooms and library facilities, and pay for meals in the cafeteria. In the future, the university plans to use the smart card infrastructure, which is based on HiPath SIcurity Card technology and the HiPath MetaDirectory software suite from Siemens AG in Munich, to enable access to e-commerce and payment applications, Fletcher says.
From a physical standpoint, the embedded read/write intelligence in such cards allows access to be quickly granted, revoked or modified from a central location, says Neville Pattison, director of smart card technologies at Paris-based Axalto, which was recently spun off as an independent company from oil field services giant Schlumberger Ltd.
Schlumberger is rolling out Axalto's DexaBadge smart card technology to its 80,000 employees worldwide. The cards are being used to digitally encrypt e-mail and sign electronic documents. Schlumberger is also using the cards to enable log-in to Windows applications and virtual private network services, Pattison says.
"The smart card is the little agent of trust in the hands of an employee," Pattison says. "On behalf of the issuer, it performs security-related operations and various other operations knowing the right cardholder is present."
However, several factors have contributed to the slow adoption of smart cards in corporations, Burton Group's Henry says.
Cost is a big one. The price tag for deploying the hardware, readers, middleware and software for a smart card system can be daunting. Midsize companies can easily expect to spend $200,000 to $300,000 to get started, and even pilots cost about $70,000, says Chris Meaney, director of secure networks at Siemens. On average, companies can expect to pay $20 to $30 per user, excluding the cost of the readers, card management and PKI software, according to Burton Group.
As a result, smart cards are unlikely to make a whole lot of sense for companies with fewer than 2,000 employees, Meaney says.
Companies also need to have a PKI in place to use the encryption, electronic signing and nonrepudiation functions that are enabled by smart cards, says Henry. "There definitely is some serious cost-benefit analysis that needs to be done before companies start deploying smart cards," he says.
Technology interoperability is another big challenge, says Mary Dixon, director of the U.S. Department of Defense's Common Access Card program office, which is rolling out more than 4 million smart cards to Pentagon personnel.
Smart card infrastructures require a high degree of interoperability and synchronization among the cards, readers, access-control panels and identity directories, and that interoperability is still not fully there, Dixon says. The cards themselves come with varying memory sizes, processing capacities, scalability, operational proximity ranges and application support. And applications that are enabled to work with one vendor's smart card technologies may not always seamlessly work with another vendor's products.
Because of the size and scope of its project, the DOD decided to contract out its work to multiple technology vendors to minimize the risk of technology lock-in, Dixon says. But to ensure that smart cards, middleware and readers from multiple vendors integrated seamlessly, the DOD worked with the National Institute of Standards and Technology to develop an interoperability specification that participating vendors had to adhere to.
However, because of integration issues, "if I was going to do a small implementation of a few thousand cards, I would be inclined to go with a single vendor's card and use it as much as I could," Dixon says.
Integration Challenges
Until recently, users have also needed to do considerable integration work to tie smart card management systems into PKI networks, says Oberthur Card's Burgess.
Companies also need to have a centralized directory infrastructure in place, says Meaney. And they need to have a good process for communicating changes in the core human resources database, which is often the source of identity information, he says. That information is needed to provision, revoke or modify cards when employees are hired, move to new departments or leave the company.
The recent trend toward so-called smart tokens that can plug into standard Universal Serial Bus ports on computers could also divert attention away from traditional smart cards. Herndon, Va.-based Exostar LLC, an online trading exchange created by companies such as The Boeing Co., Raytheon Co. and Lockheed Martin Corp., is using smart tokens from Aladdin Knowledge Systems Ltd. in Chicago. The tokens allow Exostar to store digital certificates and automatically fill in log-on fields, passwords and Web site shortcuts, as well as encrypt and decrypt files and e-mails, without requiring an investment in a special card reader, says Jeff Nigriny, Exostar's chief security officer.
But there are some factors coming together that could finally begin to spur broader corporate adoption, says Herb Mehlhorn, senior product manager for RSA's smart card business.
New-generation smart card technologies based on a set of Java standards promise more interoperability and functionality, Mehlhorn says.
Massive smart card deployments by federal agencies such as the Defense Department and the Department of Transportation have begun pushing technology costs lower, he says. And companies are coming under increasing regulatory and legal pressure to demonstrate due diligence when it comes to user authentication.
The embedded PKI certificate server support in Microsoft Corp.'s Windows Server 2003 could also begin to make it easier for users to snap smart cards into PKI networks, Henry says.
"I don't think there's anyone that refutes the likelihood that smart cards will be in every wallet 10 years from now," says Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. "It's how we get there that's going to be interesting."
