Why and how corporate America is playing the Smart Card
Apr 1, 2007 12:00 PM, By Michael Fickes
The era of the smart card is well under way. Large multi-national corporations are leading the charge toward realization of the full potential of the cards that can do it all.
According to Randy Vanderhoof, executive director of the Smart Card Alliance in Princeton, N.J., companies using smart cards on a large scale today include Boeing, Microsoft, Sun Microsystems, Procter & Gamble and a number of others.
“Today's smart card users are predominantly larger companies with multiple locations and thousands of employees moving back and forth among facilities. They need security and interoperability — so that employees from office A can use the same physical and logical credential in office B,” says Vanderhoof.
There are plenty of obstacles to smart card adoption — not the least of which is cost.
For a company with 100,000 to 200,000 employees, cards alone could cost plenty.
Add thousands of readers, other hardware and software, and the cost of adopting smart card technology is significant. Users might wonder if there isn't a less expensive way to achieve interoperability.
First Things First: Why Switch To Smart Cards?
Smart cards offer a host of benefits unavailable from older access control systems.
Increasingly interoperable smart card technology enables personnel and contractors working for multi-office corporations to move back and forth among offices in dozens or more company facilities without compromising security or having to hang around the front door until someone determines whether or not to open up. But easy interoperability is only one reason to investigate smart cards.
Equally important, smart cards can control access to computer networks, without forcing employees to carry two access control devices. And the logical access capability of smart cards provides an attractive economic benefit. “Logical access has a return on investment story,” says Andy Bulkley, product manager for controllers and readers at GE Security in Bradenton, Fla. “They eliminate the cost of resetting passwords, while providing additional security.”
“Today's smart card solutions are converged credentials,” says Thomas Flynn, director of marketing with the enterprise security group of Gemalto, an Amsterdam-based digital security firm whose U.S. headquarters are located in Arlington, Va. “Convergence combines physical and logical access on a single card. Physical access might involve attaching a magnetic stripe or proximity-card antenna to a card containing a contact chip that goes into a slot on the computer to authenticate you to the network. We're working with these kinds of smart cards now for large corporations.”
Smart cards also enable one-, two-, and three-factor authentication for departments that need additional layers of security. Also importantly, smart cards make biometric authentication practical through match-on-reader and match-on-card strategies (see sidebar) that do not require maintaining a database of biometric templates viewed by some as a threat to privacy.
Finally, smart cards enable employers to provide a host of conveniences for employees, from food services and vending to credit, debit and banking services.
Early Adopter: Boeing
In 2003, Chicago-based Boeing implemented a five-year program to convert to smart cards. Since then, Siemens Information and Communication Networks Inc., Boca Raton, Fla., has been delivering smart cards to 200,000 Boeing employees, contractors, and partners. The cards provide access to Boeing facilities and information networks.
“By marrying our efforts to enhance physical and information security, we improve our overall level of protection against intrusion while streamlining management of identity information,” says Sharon Lindley, SecureBadge program director in the Boeing Shared Services Group.
In a presentation to the Smart Card Alliance Annual Conference in 2003, Lindley said that a number of business issues drove Boeing to implement smart cards. Thanks to acquisitions made over the years, the company had accumulated numerous identity management systems. Executives wanted to find a standard identity management process for the company, an undertaking that would require a new identification badge.
Officials also wanted to replace password access to its networks with a stronger, more efficient single sign-on system.
According to a description of Boeing's strategy published by the Smart Card Alliance, the Boeing card contains a personal identification number (PIN), a biometric, and a public key infrastructure (PKI) authentication capability that can support multi-factor authentication. Expansion plans include the implementation of applications to support data and email encryption, electronic signatures, cafeteria payments, personal data storage, and role-based access.
Early Adopter: Microsoft
Redmond, Wash.-based Microsoft Corp. initiated a smart card project in 2000 and began rolling out a single card for physical and logical access to more than 61,000 employees working in more than 400 locations around the world, according to the Smart Card Alliance. Microsoft completed the project by the end of 2002.
The goal was to implement two-factor authentication for remote access to company networks. Microsoft considered biometrics, hardware tokens, and other identity management technologies for the project and selected smart cards.
The company says that smart cards have strengthened security through two-factor authentication (card plus PIN). Microsoft's smart cards support additional applications including security certificates, digital e-mail signatures, document signatures, personal data storage and personal payment systems.
What's The Best Way To Launch Smart Cards?
Smart card technology has been around for a decade. Early adopters such as Boeing and Microsoft decided that the technology solved expensive business problems, provided a return on investment, and installed the technology fairly early. As security demands grow more urgent, large and mid-sized companies using proximity technology today are investigating converged smart card access control. But how will these companies convert from proximity to smart card technology without breaking their budgets?
“Most companies integrate smart cards by finding a migration path,” Vanderhoof says.
Take the case of a large pharmaceutical company with more than 100,000 employees and a worldwide network of dozens of offices recently converted to smart cards by embedding contact chips in the company's physical access proximity cards.
The initial goal of the conversion was to sign documents digitally, in order to streamline regulatory filings with the Federal Drug Administration (FDA) that often require thousands of signatures and hours of time.
After investigating the convergence trend of physical and logical access, the company decided to add two-factor logical access capability to the chips — the card plus a PIN. Eventually, the cards came to include a secure log-on, PKI authentication, digital signatures, remote employee access to virtual private networks (VPNs), and single sign-on to Web and desktop applications.
“Smart cards can be multi-technology cards,” Vanderhoof says. “There is no need to tie all of the card's functionality to the chip. In this case, the company built its legacy proximity physical access systems into their new ID badges and added the chip. Now as they migrate from the old proximity card door control systems to a more advanced contactless biometrics enabled access system, they can keep both systems operating in parallel.”
Irvine, Calif.-based HID Global Corp. has developed a migration technique that pares down the cost of issuing smart cards.
One of the most expensive elements of a smart card program involves loading applications and data onto the cards. Most smart card systems require individuals to visit multiple locations to program the card. The HID solution, called Asure ID iDIRECTOR, allows end-users to load smart cards when they are issued.
“It is a significant step toward simplifying the issuance of multi-application smart cards,” says Chris Sincock, vice president, sales and marketing for HID Identity. “For end-users, this means a streamlined process that reduces costs.”
GE Security, among other companies, has developed a migration path to smart cards in the form of a transition reader. “When we looked at the problem of moving from proximity to smart card readers, we decided to develop a transition reader capable of reading both kinds of cards,” Bulkley says. “These readers create a bridge from 125 KHz prox cards to 13.56 MHz smart cards.
“When a new building comes on line, you can install new transition series readers. Existing prox badges will work in the facility as well as new credentials issued as smart cards. Over time, it is possible to change out the reader infrastructure while maintaining wiring and controllers and other physical access system hardware.”
HID Global also offers a transition reader featuring both prox and contactless smart card technologies. The multi-technology RP40 offers a migration path to companies moving up from HID Prox to iCLASS credentials. Installation is simplified by the fact that the RP40 requires the same wiring connections and 5 or 12 volt power as the company's Prox reader.
What If You Don't Want To Be An Early Adopter?
What if you don't need interoperable cards? You might want one of the other benefits offered by smart cards: converged physical and logical access, generally tighter security, or one-, two-, and three-factor authentication. How about vending and cafeteria services or credit, debit, and banking services for employees?
Not right now? There are other factors attracting companies to smart cards today.
“Smart card adoption by the private sector is also being driven by Homeland Security Presidential Directive (HSPD) 12 and Federal Information Processing Standard (FIPS) 201,” says Gemalto's Flynn.
HSPD 12 and FIPS 201 refer to the U.S. government plan to equip all federal employees and contractors with smart cards capable of providing interoperable physical and logical access to all federal facilities.
“This is a standard that we believe will spill into the commercial space,” continues Flynn. “Certainly it will push defense contractors and organizations that do business with the federal government to adopt smart cards.”
Adds Bulkley of GE: “One reason large companies have become the early adopters is because they will get the biggest bang for the buck on logical access ROI.”
While the savings might be smaller for smaller companies, they might still be worthwhile.
Smart cards also enable special auditing needs. Who, for example, has had access to sensitive financial files? The Sarbanes-Oxley Act of 2002 requires financial services companies to track that information carefully and to certify the reliability of financial filings. The Health Insurance Portability and Accountability Act requires health care organizations to audit access to individual health care records as a way of protecting personal privacy. Smart cards can handle both of these needs.
In fact, market research confirms growth in smart card access control applications. According to a report prepared for the Smart Card Alliance by Frost & Sullivan of Palo Alto, Calif., 183 million smart cards went into circulation during 2006. The largest users were subscriber identity modules (SIMs) used in cell phones, credit and debit cards, and government programs. Access control applications accounted for just 2.9 percent of the market or 5.3 million cards.
Frost & Sullivan projects that the overall smart card market will grow at a 27 percent compound annual growth rate through 2010, with smart cards used for access control nearly doubling market share.
MATCH-ON-CARD
A Biometric Privacy Solution
One key benefit of smart cards is to make biometric access control a practical security option.
Generally considered a method of second or third factor authentication, a biometric solution is rarely selected for one-factor (card only) authentication systems. As a result, only a subset of individuals registered in the access control system will use biometric authentication. That makes it more difficult to justify the higher cost of biometric authentication compared, for example, to using a personal identification number (PIN). “I think cost is the primary obstacle for enterprises to overcome in implementing biometrics,” says Randy Vanderhoof, executive director of the Smart Card Alliance in Princeton Junction, N.J.
Before smart cards, biometric systems required large, relatively expensive databases holding biometric files for employees. Door access hardware included a card reader and a biometric reader. An employee would present a card to a reader or tap a personal identification number (PIN) onto a keypad and then present a biometric in the form of a fingerprint, hand, or iris.
If the system accepted the card, it would then compare the biometric offered at the reader to the biometrics stored in a database of those allowed access to the door. If a match was found, the door clicked open.
It took too much time to compare the user's biometric with all the others, find the match, and open the door. It also cost a lot to set up and maintain the database. Worse, people didn't like storing biometric data about themselves in an electronic database that might be compromised and create privacy risks. At the end of the day, biometrics just didn't seem worth the trouble for any but the highest security applications.
Smart cards have changed all of that by eliminating the need for a slow, expensive database operation.
A smart card can store encrypted data capable of recreating a biometric image or template. A cardholder then presents his or her card and a biometric at the door, and the reader compares the biometric stored on the card with the individual's biometric. When the reader confirms a match, it opens the door.
Called match-on-reader, the technique works quickly and eliminates the cost of maintaining a database.
Privacy advocates have questioned the technique, however, suggesting that reader memories are not necessarily secure and that criminals that are expert at identity theft may find ways to steal biometric information from readers.
To deal with the objection, the industry developed a match-on-card technique. In a match-on-card system, the biometric reader immediately transfers the biometric data to the smart card, which is equipped with sufficient security to prevent theft. Upon receiving the biometric, the card matches that biometric with the one stored in its memory. If they match, the card exchanges a key with the reader, and the reader opens the door.
“Match on card is the gold standard,” Vanderhoof says. “It not only provides both a secure authentication between the reader and the card, it also prevents the biometric from being stolen, copied, read or altered — because the data never leaves the security of the card.”
Vanderhoof also cautions that the match-on-card method costs more than match-on-reader. It requires a more expensive card and a more sophisticated reader capable of exchanging keys. Finally, the technique slows the transaction because of the number of times data has to move back and forth between the card and the reader. “As always,” he says, “there are trade-offs.”
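The difference between the two techniques comes down to what crosses the card interface. The sketch below is an added example, not code from the article or from any vendor named in it. It assumes a bit-string template compared by Hamming distance and a key provisioned at issuance, and it models the sidebar's key exchange as an HMAC challenge-response. All names are hypothetical.

```python
import hashlib
import hmac
import os

THRESHOLD = 6  # max differing bits still accepted (constructed value)

def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
def mac(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Card:
    """Toy card holding the enrolled template and a key provisioned at issuance."""
    def __init__(self, template: bytes, key: bytes):
        self._template, self._key = template, key

    def read_template(self) -> bytes:
        return self._template  # match-on-reader: the template leaves the card

    def match(self, live: bytes, challenge: bytes):
        # match-on-card: compare inside the card; answer the reader's fresh
        # challenge only on a match, so a bare "yes" cannot be replayed
        if hamming(live, self._template) > THRESHOLD:
            return None
        return mac(self._key, challenge)

def match_on_reader(card, live, wire):
    stored = card.read_template()
    wire.append(stored)  # card -> reader
    return hamming(live, stored) <= THRESHOLD

def match_on_card(card, key, live, wire):
    challenge = os.urandom(16)
    wire.append(live + challenge)  # reader -> card
    response = card.match(live, challenge)
    wire.append(response or b"")  # card -> reader
    return response is not None and hmac.compare_digest(response, mac(key, challenge))

def demo():
    key = os.urandom(32)
    enrolled = bytes.fromhex("a5c3" * 8)  # constructed 128-bit template
    genuine = bytes([enrolled[0] ^ 0x03]) + enrolled[1:]  # 2 bits of sensor noise
    impostor = bytes(b ^ 0xFF for b in enrolled)
    card, out = Card(enrolled, key), {}
    for name, run in (("reader", lambda live, w: match_on_reader(card, live, w)),
                      ("card", lambda live, w: match_on_card(card, key, live, w))):
        wire = []
        out[name] = (run(genuine, wire), run(impostor, wire), enrolled in wire)
    return out
```

Each tuple returned by `demo()` is (genuine accepted, impostor accepted, enrolled template seen on the wire). Only the last field differs between the two modes.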
© 2012 Penton Media Inc.