Smart card deployments quadrupled last year, with some of the largest companies in the world and the U.S. government signing up to use the technology. Shahin Shadfar, information security product manager for Schlumberger, recently completed a smart card deployment at Chevron Texaco and shared some insider tips.
"A lot of this advice is based on common sense, but when you are in the heat of the battle you would be surprised about how difficult it is to come by," Shadfar said at last month's RSA Conference in San Francisco.
1. Don't just think about the technology alone. Think process. Implement a simple system that works 99.9% of the time rather than a complex system that works 97% of the time. "Because that 3% will kill you."
2. Don't do it without a good card management system. "You have to think more about process than function. For example, what are the workflows for card creation? How do you issue a temporary card? How can you unblock a card remotely?"
3. Don't underestimate the effects of cultural change. "Geeks think smart cards are cool but everybody else thinks that they are a piece of crap." So make it part of the employee's job to adopt the technology.
4. Don't do it everywhere at once. Implement one location at a time.
5. Don't overload it. While adding more applications to the smart card eventually leads to better ROI, keep it simple so long as you can. Start out with physical access and computer log-on and add more capabilities such
6. Don't do it without the support of the chiefs. Obvious perhaps, but successful smart card deployment will take the support of many groups of people, such as executives, HR, staff and contractors.
7. Don't use return on investment as the only incentive. The most important reason to deploy smart cards is to increase security. Saving money is the second reason.
8. Don't rush. The new processes (of using smart cards) typically take longer to implement than the technology. "Multiply your project management time by four."
9. Don't neglect compliance with other projects. "In a lot of cases, the IT department at the last minute tries and fails to synchronize the card program with the other system, such as directory services."
10. Don't go it alone. Smart card deployment involves many technologies, such as physical access and card management systems, directories, middleware, biometrics devices, card readers and so on. Outsource some of the complexity, such as public key cryptography, to save project time and tap outside expertise.
About the author
Niall McKay is a San Francisco-based writer and radio journalist. He is a frequent contributor to Security Wire Perspectives and Information Security magazine.
This was first published in March 2004