The benefits are compelling, but let's face facts: implementing a common authenticator requires much heavy lifting and can take several years. There are various dimensions to the problem, including:
- Smart card personalization and distribution
- Upgrade of physical access control systems
- Emergency access procedures
Smart card personalization and distribution
The process of making a smart card ready for a specific user is called personalization. It includes printing the user's picture on the card body, loading applets and PKI (X.509) certificates, and binding the card to both the user's identity record and the physical access system.
In most cases, a card management system (CMS) is a deployment requirement. Important considerations when evaluating a CMS include:
- Platform support. The CMS must support the physical access control systems, smart card models and card printers the organization has chosen.
- Remote applet distribution capabilities. Java Card applets provide most smart card functionality, and a CMS that holds the cards' issuer keys can load new applets after the cards are already in users' hands. Those card-management keys deserve the same protection as the CA keys, because whoever holds them controls what runs on every card.
- Key escrow and recovery capabilities. Such features can recreate the user's PKI credentials on a new smart card if the previous card is lost or destroyed. Escrow only the keys that need it, typically encryption keys, so that previously encrypted data stays readable; logon and signing keys should be generated on the card and simply reissued, because an escrowed signing key weakens non-repudiation.
- Provisioning system integration. Integration gives a single authoritative source of identity information and consistent access rights across logical and physical systems.
- Administrative delegation and scoping capabilities. These let card administration be delegated across the organizational hierarchy without giving every administrator control over every card.
It's easy to see why the distribution of smart cards to an organization's employees is considered "heavy lifting." The process can take months or even years, and the many important details require careful planning. The distribution of smart cards to "virtual" employees, those that rarely visit a campus, requires special attention.
Upgrade of physical access control systems
It's a toss-up as to which activity causes more organizational heartburn: the distribution of smart cards, or the upgrading of the physical access systems across an organization's campuses. Organizations may have a wide spectrum of physical access technologies across their environments, from keys to magnetic stripes to biometric authenticators to contactless tools. As part of the planning process, an organization should inventory its campus-wide physical access system and determine what upgrades are necessary for the implementation of a common authenticator.
Emergency access procedures
It's a fact of life: users will forget their smart card at home. Without it, they cannot access applications, workstations, buildings, and maybe the parking lot or the bathroom. With proper emergency access measures, such an error should only be a temporary one. The organizational challenge is to implement emergency access procedures that give forgetful, card-less users timely access to resources, and to do so in a cost-effective manner. Every fallback below lowers assurance for as long as it is in effect, so each should be time-limited and logged. Some tricks of the trade include:
- Self-service kiosks at the building entrance where employees can authenticate and receive a temporary smart card. Because the kiosk becomes the easiest path to a working credential, its own authentication step needs deliberate design rather than being an afterthought.
- IT software management tools that temporarily allow the user to authenticate with a password instead of a smart card. Examples include Windows workstation policy management tools and Web access management products (e.g., CA's SiteMinder). The exception should carry an expiry so that a one-day convenience does not quietly become a permanent single-factor account.
- Physical access readers with PIN pads that let the user temporarily authenticate with an identification number alone. This is knowledge-only authentication, so it should be enabled only for the doors that need it and only for the day.
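As an added example of the second fallback above, a time-boxed exception to the Active Directory "Smart card is required for interactive logon" account flag: the help desk clears the flag, hands the user a one-time password out of band, records the exception with an expiry, and a sweep job re-enables the flag when the expiry passes. This is illustrative code written for this page, not a procedure from the article or from any vendor's product. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the operator holds delegated rights to modify the user, and that the audit file path is one the organization picks; the function names and the path are invented for the example. One detail the code relies on: when the smart card flag is turned on, the domain controller sets the account password to a random value, so the password must be reset when the flag is cleared, and re-enabling the flag later invalidates the temporary password by itself.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original article. Assumed names: the two
# functions below and the audit log path; adjust to the organization's own.

$AuditLog = 'C:\SecOps\smartcard-exceptions.csv'   # assumed location

function Grant-TemporaryPasswordLogon {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $Hours = 8,                              # lifetime of the exception
        [Parameter(Mandatory)] [string] $Reason         # ticket number, etc.
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties SmartcardLogonRequired
    if (-not $user.SmartcardLogonRequired) {
        throw "$SamAccountName is not smart-card-only; nothing to relax."
    }

    # One-time password from a cryptographic RNG. The current password is
    # unknown (the DC randomized it when the flag was set), so it must be reset.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)   # 32 characters
    $secure = ConvertTo-SecureString $tempPassword -AsPlainText -Force

    Set-ADUser -Identity $user -SmartcardLogonRequired $false
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true   # user picks a password for the day

    $expires = (Get-Date).AddHours($Hours)
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Account   = $SamAccountName
        Operator  = $env:USERNAME
        Expires   = $expires.ToString('o')
        Reason    = $Reason
        Status    = 'open'
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation

    # The password goes to the user out of band (help desk, in person).
    # It is deliberately not written to the audit log.
    return $tempPassword
}

function Revoke-ExpiredPasswordLogons {
    # Sweep job, run hourly from a scheduled task: restore the smart card
    # requirement for every open exception whose expiry has passed.
    if (-not (Test-Path $AuditLog)) { return }
    $rows = Import-Csv -Path $AuditLog
    foreach ($row in $rows) {
        if ($row.Status -eq 'open' -and [datetime]$row.Expires -lt (Get-Date)) {
            # Setting the flag again makes the DC assign a new random password,
            # which retires the temporary one without a second reset.
            Set-ADUser -Identity $row.Account -SmartcardLogonRequired $true
            $row.Status = 'closed'
        }
    }
    $rows | Export-Csv -Path $AuditLog -NoTypeInformation
}

# Help desk:  Grant-TemporaryPasswordLogon -SamAccountName jdoe -Hours 8 -Reason 'card left at home, ticket 1234'
# Sweep job:  Revoke-ExpiredPasswordLogons
```

The audit file is a stand-in for whatever ticketing or SIEM integration the organization already has; the point is that every exception has an owner, a reason and an expiry, and that closing it does not depend on anyone remembering to do so.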
Even in the face of the many details mentioned above, planning for a common authenticator appears more daunting than it really is. If the organization defines achievable milestones and resists the temptation to expand and redefine the project's objective along the way, implementation is possible.
About the author:
Mark Diodati, CPA, CISA, CISSP, MCP, CISM, has served as vice president of worldwide IAM for CA, as well as senior product manager for RSA Security's smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous publications, and has been referenced as an authority on IAM in a number of academic and industry research publications.
This was first published in September 2007