Low Draw for Smart Cards
Cost and interoperability problems are slowing companies' adoption of smart card technology.
February 9, 2004 12:00 PM ET - Computerworld
Employees at Post & Schell PC, a law firm in Philadelphia, need smart cards to do just about everything, from entering company facilities and using elevators to securing two-factor authentication so they can access IT applications. The firm recently started using smart cards as part of a move to bolster network and physical defenses when it relocated to a new facility.
"The big ROI we are providing our firm, our attorneys and our clients is greater security," says Lou Mazzio, Post & Schell's chief technology officer.
Like Mazzio, other users who have deployed smart cards say that the technology helps improve security, reduce password administration and support costs, and enable single sign-on to multiple applications.
But the upfront cost of a smart card infrastructure, as well as interoperability problems and the hassles involved in integrating the technology with existing infrastructures, has resulted in far slower deployment of the technology in corporate America than many had once predicted.
"The corporate market has been a tough nut to crack," says Thierry Burgess, executive vice president of sales at Oberthur Card Systems USA, the U.S. arm of one of the largest smart card vendors in the world.
Like public-key infrastructure (PKI), smart card technology is taking many years to gain widespread acceptance in private commercial enterprises, says Trent Henry, an analyst at Burton Group in Midvale, Utah. But expect to see greater adoption over the next few years, he adds.
Smart cards allow companies to store passwords, personal identification numbers and other digital credentials that let users log onto corporate networks or access facilities such as buildings and parking lots.
In Post & Schell's case, user authentication information is stored on smart cards for network access using RSA Security Inc.'s Smart Badging system. Bedford, Mass.-based RSA is also helping the firm embed user credential information on the same cards. That information is needed for physical access to Post & Schell facilities.
More Features, More Savings
The two-factor authentication enabled by such cards allows for better network and physical security, says Charles Fletcher, CIO and provost at Delaware State University in Dover. Smart cards can also help reduce some of the traditional costs associated with password resets and management because the passwords are embedded directly on the cards, he says.
Generally, the cost benefits increase as more access functions are integrated on a card, Fletcher says.
Students and employees at the university have been using smart cards since last summer to log into Windows and Web-based applications, access dorm rooms and library facilities, and pay for meals in the cafeteria. In the future, the university plans to use the smart card infrastructure, which is based on HiPath SIcurity Card technology and the HiPath MetaDirectory software suite from Siemens AG in Munich, to enable access to e-commerce and payment applications, Fletcher says.
From a physical standpoint, the embedded read/write intelligence in such cards allows access to be quickly granted, revoked or modified from a central location, says Neville Pattison, director of smart card technologies at Paris-based Axalto, which was recently spun off as an independent company from oil field services giant Schlumberger Ltd.
Schlumberger is rolling out Axalto's DexaBadge smart card technology to its 80,000 employees worldwide. The cards are being used to digitally encrypt e-mail and sign electronic documents. Schlumberger is also using the cards to enable log-in to Windows applications and virtual private network services, Pattison says.
"The smart card is the little agent of trust in the hands of an employee," Pattison says. "On behalf of the issuer, it performs security-related operations and various other operations knowing the right cardholder is present."
However, several factors have contributed to the slow adoption of smart cards in corporations, Burton Group's Henry says.
Cost is a big one. The price tag for deploying the hardware, readers, middleware and software for a smart card system can be daunting. Midsize companies can easily expect to spend $200,000 to $300,000 to get started, and even pilots cost about $70,000, says Chris Meaney, director of secure networks at Siemens. On average, companies can expect to pay $20 to $30 per user, excluding the cost of the readers, card management and PKI software, according to Burton Group.
As a result, smart cards are unlikely to make a whole lot of sense for companies with fewer than 2,000 employees, Meaney says.
Companies also need to have a PKI in place to use the encryption, electronic signing and nonrepudiation functions that are enabled by smart cards, says Henry. "There definitely is some serious cost-benefit analysis that needs to be done before companies start deploying smart cards," he says.
Technology interoperability is another big challenge, says Mary Dixon, director of the U.S. Department of Defense's Common Access Card program office, which is rolling out more than 4 million smart cards to Pentagon personnel.
Smart card infrastructures require a high degree of interoperability and synchronization among the cards, readers, access-control panels and identity directories, and that interoperability is still not fully there, Dixon says. The cards themselves come with varying memory sizes, processing capacities, scalability, operational proximity ranges and application support. And applications that are enabled to work with one vendor's smart card technologies may not always seamlessly work with another vendor's products.
Because of the size and scope of its project, the DOD decided to contract out its work to multiple technology vendors to minimize the risk of technology lock-in, Dixon says. But to ensure that smart cards, middleware and readers from multiple vendors integrated seamlessly, the DOD worked with the National Institute of Standards and Technology to develop an interoperability specification that participating vendors had to adhere to.
However, because of integration issues, "if I was going to do a small implementation of a few thousand cards, I would be inclined to go with a single vendor's card and use it as much as I could," Dixon says.
Integration Challenges
Until recently, users have also needed to do considerable integration work to tie smart card management systems into PKI networks, says Oberthur Card's Burgess.
Companies also need to have a centralized directory infrastructure in place, says Meaney. And they need to have a good process for communicating changes in the core human resources database, which is often the source of identity information, he says. That information is needed to provision, revoke or modify cards when employees are hired, move to new departments or leave the company.
The recent trend toward so-called smart tokens that can plug into standard Universal Serial Bus ports on computers could also divert attention away from traditional smart cards. Herndon, Va.-based Exostar LLC, an online trading exchange created by companies such as The Boeing Co., Raytheon Co. and Lockheed Martin Corp., is using smart tokens from Aladdin Knowledge Systems Ltd. in Chicago. The tokens allow Exostar to store digital certificates and automatically fill in log-on fields, passwords and Web site shortcuts, as well as encrypt and decrypt files and e-mails, without requiring an investment in a special card reader, says Jeff Nigriny, Exostar's chief security officer.
But there are some factors coming together that could finally begin to spur broader corporate adoption, says Herb Mehlhorn, senior product manager for RSA's smart card business.
New-generation smart card technologies based on a set of Java standards promise more interoperability and functionality, Mehlhorn says.
Massive smart card deployments by federal agencies such as the Defense Department and the Department of Transportation have begun pushing technology costs lower, he says. And companies are coming under increasing regulatory and legal pressure to demonstrate due diligence when it comes to user authentication.
The embedded PKI certificate server support in Microsoft Corp.'s Windows Server 2003 could also begin to make it easier for users to snap smart cards into PKI networks, Henry says.
"I don't think there's anyone that refutes the likelihood that smart cards will be in every wallet 10 years from now," says Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. "It's how we get there that's going to be interesting."