Smart cards can do a lot of heavy lifting for authentication systems. While no bigger than a credit card, they can carry not only a user's authentication credentials, but also other information like account and banking information, encryption keys and even biometric data.
In essence, smart cards resemble mini-computers, but they don't do any computing or process applications. Their sole purpose is to authenticate users. They come in many varieties and can be read either by direct insertion into a reader, or via a contactless systems, simply by wiping them across a card reader.
But for all the convenience they provide, smart card installation and deployment requires a considerable investment in software, hardware and IT staff time. Below we'll offer a brief primer on how to determine whether a smart card deployment makes sense for your company, how to plan an installation and how to pick a smart card vendor.
Smart cards and risk analysis
The first step is to conduct a thorough risk analysis of the systems that will be protected with smart cards. Because of the effort involved with deploying smart cards, they should only be considered for protecting systems hosting high-risk data, such as customer identity information, company plans, intellectual property, etc., or data that might require at least two-factor authentication for regulatory compliance. Anything less is overkill.
Smart cards also make sense for merging physical and logical security, similar to the Federal government's HSPD-12 initiative, which requires a single credential for accessing both secured facilities themselves, and computer systems once users walk through the door.
A word of caution: think twice before giving customers smart cards for external application access. The least of your concerns will be customer acceptance. When working with a large customer base,, the cost of issuing, distributing and maintaining smart cards will likely be prohibitive.
After conducting a risk analysis, define the security requirements for a smart card system. Is it for securing employee access to IT systems from their desktops, or for providing extra security when they're on the road with their laptops? Will they eventually be given to all employees to replace passwords, or only to a small group of employees for accessing high-risk systems? Will they only be used for system access, or eventually for accessing secured facilities as well? The answers to these questions will help guide both the short-term and long-term goals of the deployment.
Smart card data and logistics
Once the security requirements are established, it's time to decide what information the smart cards will store. The beauty of smart cards is their adaptability; almost anything can be loaded onto a card, but the drawback is deciding what. Some organizations include only enough information to verify identity and encryption algorithms and keys, but smart cards can also be used for processing electronic payments or verifying digital signatures. Cards can also hold other identifying credentials like an employee's photo or even fingerprints, incorporating elements of biometric identification. But remember, a smart card can only pack so much information; don't overload it.
Closely related to deciding what goes on the card is deciding how to load it. Smart cards come in two versions: reloadable and disposable. Disposable cards may be cheaper, but reloadable ones can be more practical. Reloadable cards can be reused, saving the administrative the hassle of having to manage the issuing of new cards. Business and security requirements will drive this decision.
The next issue is the logistics of issuing, distributing, maintaining and replacing cards. Unlike a user ID and password, which is a virtual credential added by a system administrator on a directory server, a smart card is a physical object that needs to be handled and maintained. Any vendor under consideration should be able to issue equipment easily and as quickly as needed. Consider these questions:
- Can lost cards be quickly decommissioned, so they don't pose a threat for malicious access, and then just as quickly replaced?
- Is there an automated system for tracking cards and who has which card?
- Can all this be done remotely, if necessary?
Also think about how the cards will mesh with existing corporate infrastructure, including desktops and networks. For example, some card readers require USB ports. Will that fit in with your desktops, or have USB ports been disabled? They'll also need to work with corporate authentication directory services, like Active Directory, let alone network infrastructure, servers and other system applications.
Some other things to think about when considering smart cards are their cultural fit within a company. Make sure to get buy-in from key stakeholders -- executives, staff who will use the cards and affected departments like IT and human resources. Cards should be easy to use, not a hassle that staff will resist. One way to get around this is to conduct staged deployments. If the first group is happy, word will spread, making the next phase of the implementation easier.
Smart cards can make authentication systems incredibly efficient. But careful planning of every stage of the deployment -- from product selection and logistics, to staff acceptance and user requirements -- is essential to make the investment pay off.
About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security and is the author of The Little Black Book of Computer Security available from Amazon. He also has regular radio show on WIIT in Chicago on computer security and runs The IT Security Guy blog at http://www.theitsecurityguy.com.