Top 10 don'ts for smart card deployment

Smart card deployments quadrupled last year with some of the largest companies in the world and the U.S. government signing up to use the technology. Shahin Shadfar, information security product manager for Schlumberger, recently completed smart card deployment at Chevron Texaco and shared some insider tips.

"A lot of this advice is based on common sense, but when you are in the heat of the battle you would be surprised about how difficult that it is to come by," Shadfar said at last month's RSA Conference in San Francisco.

1. Don't just think about the technology alone. Think process. Implement a simple system that works 99.9% of the time rather that a complex system that works 97% of the time. "Because that 3% will kill you."

2. Don't do it without a good card management system. "You have to think more about process than function. For example, what are the workflows for card creation? How do you issue a temporary card? How can you unblock a card remotely?"

3. Don't underestimate the effects of cultural change. "Geeks think smart cards are cool but everybody else thinks that they are a piece of crap." So make it part of the employee's job to adopt the technology.

4. Don't do it everywhere at once. Implement one location at a time.

5. Don't overload it. While adding more applications to the smart card eventually leads to better ROI, keep it simple so long as you can. Start out with physical access and computer log-on and add more capabilities such as e-mail encryption, VPN and electronic payments one by one.

6. Don't do it without the support of the chiefs. Obvious perhaps, but successful smart card deployment will take the support of many groups of people, such as executives, HR, staff and contractors.

7. Don't use return on investment as the only incentive. The most important reason to deploy smart cards is to increase security. Saving money is the second reason.

8. Don't rush. The new processes (of using smart cards) typically take longer to implement than the technology. "Multiply your project management time by four."

9. Don't neglect compliance with other projects. "In a lot of cases, the IT department at the last minute tries and fails to synchronize the card program with the other system, such as directory services."

10. Don't go it alone. Smart card deployment involves many technologies, such as physical access and card management systems, directories, middleware, biometrics devices, card readers and so on. Outsource some of the complexity, such as public key cryptography, to save project time and tap outside expertise.

About the author
Niall McKay is a San Francisco-based writer and radio journalist. He is frequent contributor to Security Wire Perspectives and Information Security magazine.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Tech Tips,   Security Token and Smart Card Technology,   Enterprise Identity and Access Management,   User Authentication Services,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Tech Tips Video: The foundation of an email security strategy The 5 A's of functional SAN security Effective storage security policies Smart options for safeguarding stored data Outfox SOX: How to make regulations work for you Roberta Bragg's 10 Windows hardening tips in 10 minutes Using free network intrusion detection and prevention tools to stop hacks Hacker techniques and exploits: Prevent system fingerprinting, probing How to stop hacker theft: Employee awareness, risk assessment policies Information Security Decisions Fall 2004: Speaker presentations Security Token and Smart Card Technology First Data, RSA push tokenization for payment processing How to log in to multiple servers with federated single sign-on (SSO) Best Authentication Products Are 'strong authentication' methods strong enough for compliance? Risk management must include physical-logical security convergence RSA researcher Ari Juels: RFID tags may be easily hacked Portable security storage device could replace OTP devices Can you combine RFID tag technology with GPS to track stolen goods? Security token and smart card authentication Embedded smart card chips are open to hack attacks RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary authentication server  (SearchSecurity.com) Chameleon Card  (SearchSecurity.com) key chain  (SearchSecurity.com) key fob  (SearchSecurity.com) key string  (SearchSecurity.com) national identity card  (SearchSecurity.com) security token  (SearchSecurity.com) smart card  (SearchSecurity.com) tokenization  (SearchSecurity.com) two-factor authentication  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.