Low Draw for Smart Cards

Cost and interoperability problems are slowing companies' adoption of smart card technology.

February 9, 2004 12:00 PM ET

Computerworld - Employees at Post & Schell PC, a law firm in Philadelphia, need smart cards to do just about everything, from entering company facilities and using elevators to securing two-factor authentication so they can access IT applications. The firm recently started using smart cards as part of a move to bolster network and physical defenses when it relocated to a new facility.
"The big ROI we are providing our firm, our attorneys and our clients is greater security," says Lou Mazzio, Post & Schell's chief technology officer.
Like Mazzio, other users who have deployed smart cards say that the technology helps improve security, reduce password administration and support costs, and enable single sign-on to multiple applications.
But the upfront cost of a smart card infrastructure, as well as interoperability problems and the hassles involved in integrating the technology with existing infrastructures, has resulted in far slower deployment of the technology in corporate America than many had once predicted.
"The corporate market has been a tough nut to crack," says Thierry Burgess, executive vice president of sales at Oberthur Card Systems USA, the U.S. arm of one of the largest smart card vendors in the world.
Like public-key infrastructure (PKI), smart card technology is taking many years to gain widespread acceptance in private commercial enterprises, says Trent Henry, an analyst at Burton Group in Midvale, Utah. But expect to see greater adoption over the next few years, he adds.
Smart cards allow companies to store passwords, personal identification numbers and other digital credentials that let users log onto corporate networks or access facilities such as buildings and parking lots.
In Post & Schell's case, user authentication information is stored on smart cards for network access using RSA Security Inc.'s Smart Badging system. Bedford, Mass.-based RSA is also helping the firm embed user credential information on the same cards. That information is needed for physical access to Post & Schell facilities.
More Features, More Savings
The two-factor authentication enabled by such cards allows for better network and physical security, says Charles Fletcher, CIO and provost at Delaware State University in Dover. Smart cards can also help reduce some of the traditional costs associated with password resets and management because the passwords are embedded directly on the cards, he says.
Generally, the cost benefits increase as more access functions are integrated on a card, Fletcher says.
Students and employees at the university have been using smart cards since last summer to log into Windows and Web-based applications, access dorm rooms and library facilities, and pay for meals in the cafeteria. In the future, the university plans to use the smart card infrastructure, which is based on HiPath SIcurity Card technology and the HiPath MetaDirectory software suite from Siemens AG in Munich, to enable access to e-commerce and payment applications, Fletcher says.
From a physical standpoint, the embedded read/write intelligence in such cards allows access to be quickly granted, revoked or modified from a central location, says Neville Pattison, director of smart card technologies at Paris-based Axalto, which was recently spun off as an independent company from oil field services giant Schlumberger Ltd.
Schlumberger is rolling out Axalto's DexaBadge smart card technology to its 80,000 employees worldwide. The cards are being used to digitally encrypt e-mail and sign electronic documents. Schlumberger is also using the cards to enable log-in to Windows applications and virtual private network services, Pattison says.
"The smart card is the little agent of trust in the hands of an employee," Pattison says. "On behalf of the issuer, it performs security-related operations and various other operations knowing the right cardholder is present."
However, several factors have contributed to the slow adoption of smart cards in corporations, Burton Group's Henry says.
Cost is a big one. The price tag for deploying the hardware, readers, middleware and software for a smart card system can be daunting. Midsize companies can easily expect to spend $200,000 to $300,000 to get started, and even pilots cost about $70,000, says Chris Meaney, director of secure networks at Siemens. On average, companies can expect to pay $20 to $30 per user, excluding the cost of the readers, card management and PKI software, according to Burton Group.
As a result, smart cards are unlikely to make a whole lot of sense for companies with fewer than 2,000 employees, Meaney says.
Companies also need to have a PKI in place to use the encryption, electronic signing and nonrepudiation functions that are enabled by smart cards, says Henry. "There definitely is some serious cost-benefit analysis that needs to be done before companies start deploying smart cards," he says.
Technology interoperability is another big challenge, says Mary Dixon, director of the U.S. Department of Defense's Common Access Card program office, which is rolling out more than 4 million smart cards to Pentagon personnel.
Smart card infrastructures require a high degree of interoperability and synchronization among the cards, readers, access-control panels and identity directories, and that interoperability is still not fully there, Dixon says. The cards themselves come with varying memory sizes, processing capacities, scalability, operational proximity ranges and application support. And applications that are enabled to work with one vendor's smart card technologies may not always seamlessly work with another vendor's products.
Because of the size and scope of its project, the DOD decided to contract out its work to multiple technology vendors to minimize the risk of technology lock-in, Dixon says. But to ensure that smart cards, middleware and readers from multiple vendors integrated seamlessly, the DOD worked with the National Institute of Standards and Technology to develop an interoperability specification that participating vendors had to adhere to.
However, because of integration issues, "if I was going to do a small implementation of a few thousand cards, I would be inclined to go with a single vendor's card and use it as much as I could," Dixon says.
Integration Challenges
Until recently, users have also needed to do considerable integration work to tie smart card management systems into PKI networks, says Oberthur Card's Burgess.
Companies also need to have a centralized directory infrastructure in place, says Meaney. And they need to have a good process for communicating changes in the core human resources database, which is often the source of identity information, he says. That information is needed to provision, revoke or modify cards when employees are hired, move to new departments or leave the company.
The recent trend toward so-called smart tokens that can plug into standard Universal Serial Bus ports on computers could also divert attention away from traditional smart cards. Herndon, Va.-based Exostar LLC, an online trading exchange created by companies such as The Boeing Co., Raytheon Co. and Lockheed Martin Corp., is using smart tokens from Aladdin Knowledge Systems Ltd. in Chicago. The tokens allow Exostar to store digital certificates and automatically fill in log-on fields, passwords and Web site shortcuts, as well as encrypt and decrypt files and e-mails, without requiring an investment in a special card reader, says Jeff Nigriny, Exostar's chief security officer.
But there are some factors coming together that could finally begin to spur broader corporate adoption, says Herb Mehlhorn, senior product manager for RSA's smart card business.
New-generation smart card technologies based on a set of Java standards promise more interoperability and functionality, Mehlhorn says.
Massive smart card deployments by federal agencies such as the Defense Department and the Department of Transportation have begun pushing technology costs lower, he says. And companies are coming under increasing regulatory and legal pressure to demonstrate due diligence when it comes to user authentication.
The embedded PKI certificate server support in Microsoft Corp.'s Windows Server 2003 could also begin to make it easier for users to snap smart cards into PKI networks, Henry says.
"I don't think there's anyone that refutes the likelihood that smart cards will be in every wallet 10 years from now," says Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. "It's how we get there that's going to be interesting."
