printer friendly version

Facing up to a new world order

Ever told a colleague your security password? We are all guilty of it. Chances are that if you are like much of the population, you probably do not take security seriously enough. You may even work in the security industry but there is still a good chance that you are a little too relaxed about your approach to passwords. To further underline this statement, a recent report shows that a whopping 70% of the people surveyed (Infosecurity Europe study 2004) would happily reveal their password in exchange for a bar of chocolate... Not a sweet deal for IT security departments.

More than a third of us choose passwords based on the names of our pets, partners, family, date of birth or favourite football teams. Unsurprisingly, it does not take a genius to work out what our passwords might be. And, of course, some of us make finding out our password even easier. How many offices have you worked in where 'secure' network passwords were written on bits of paper stuck to the computer screen?

These questions may seem trivial, but they are becoming increasingly important as macro-environmental issues such as terrorism and company infiltration put pressure on organisations to beef up their levels of security and trust. What used to be an issue for IT departments has now become something that is decided at a high management level, because a vulnerable enterprise network is also an acute business risk.

Today, businesses are starting to wake up to the fact that if they do not adequately protect their infrastructure they could be targets of an attack that might prove financially costly - not to mention a major PR disaster. Paying lip service to security is no longer an option with most businesses now understanding the inherent risks of operating an insecure system.

A smarter way to protect your business

Today's widespread use of information systems and Internet technology has revolutionised the way we work, communicate and conduct business, providing phenomenal cost, time and resource savings. However, in spite of the endless advantages created by the new generation of IT-based communications, we have also become more exposed to threats on sensitive and confidential corporate data. While most companies tend to focus on external threats, recent reports claim that 80% of network intrusions result from insider abuse of network access (CSI 2003). Standard password-based systems continually prove an inadequate approach to engage these problems, which is why alternative technologies have emerged to help us make the workplace more secure.

Smartcards are recognised by many large organisations as the most secure and reliable form of electronic identification, acting as the cardholder's access key to information and services in both on- and off-line mode. With the ability to store, protect and modify information written to the card's microchip, smartcards offer unparalleled flexibility and options for information sharing and transfer. The card's dynamic ability to communicate with information systems expedites traditionally lengthy identification processes, virtually eliminating paperwork and manual data entry, while streamlining operations and reducing costs.

Within a corporation, smartcards allow secure and convenient access to company networks from any fixed or wireless terminal. Whether it is from an office workstation, or remote access via a VPN or WLAN for travellers and remote workers, there is a need for security in terms of access control, protecting user identity, mutual authentication, confidentiality, session integrity and reliable key exchange, in order to prevent a third party from unlawful access to intellectual property assets.

The smartcard's ability to store and manage employee identity credentials, passwords and encryption keys, in combination with a compelling and easy-to-use form factor, opens up possibilities that standard username/password solutions - both from a security and convenience standpoint - cannot compete with. Not only are basic password systems insecure, but due to their proliferation they also create additional overheads. A recent survey (Infosecurity Europe 2004) shows that on average people have four different passwords to remember, some of us have even more. As soon as one is lost or forgotten, a company's help desk staff must spend time issuing a new one. Figures from market analysts such as Gartner Group and Forrester Research put the cost of resetting a password at about $50, while a survey from software giant Computer Associates estimated 70% of help desk calls concern password replacements.

Smart employee cards can engage this issue in a secure and user-friendly fashion. Rather than having to remember several passwords to multiple applications, employees can instead use their smartcard to manage all of those with just one PIN. More importantly, the 2-factor authentication achieved through something you have - the card, and something you know - the PIN, drastically reduces the risk of someone else accessing your computer, as the card automatically locks your workstation when removed from the reader. Moreover, smartcard-based solutions can add new security services beyond traditional authentication, such as digital signing and encryption of e-mail, documents and web forms.

More than security

Already, a large number of corporations are using smartcard technology for enterprise security. As mentioned above, such cards may act as a means of accessing computer networks, but the very same badge can also be used for building access, or even for basic purchases in the corporate canteen or vending machines.

The beauty of this approach is that there is something in it for everyone: the card holder gets access to discounted corporate facilities, while the company has a more secure access system backed up by an audit trail of who has entered the various areas of the enterprise.

For example, IBM uses smartcard technology for both employee security and vending. Other technology companies now adopting smartcards for enterprise security include SUN Microsystems, which uses a solution called JavaBadge for network and physical security. Meanwhile, Microsoft operates a scheme that is used by more than 25 000 employees, as well as contractors and other authorised users, for physical access control and remote access to Microsoft's corporate network.

Of course, we should probably expect the big names in the technology world to be consumers of strong authentication technology. But it does not end there. A raft of other organisations, spanning car manufacturers, pharmaceutical firms and aviation companies are using or have signed agreements to adopt the technology. Also, as the business climate changes, the use of smartcards as a means of employee ID is no longer restricted to the major corporations demanding volumes in the tens of thousands. The new IT era, with its subsequent impact on communication and information sharing, has significantly raised the bar for creating secure corporate environments. As a result, companies of all sizes are now beginning to evaluate the technology. A Frost & Sullivan study in 2003 found that over a third of the Fortune 500 companies interviewed plan to implement smartcards to enhance network security by 2006.

Multiple applications

During 2003, one of the biggest contract announcements for enterprise-wide smartcards came from Boeing, which announced plans to issue chip-based identity cards from Gemplus to more than 200 000 employees, contractors and partners worldwide over a five-year period. These cards are based on Java Card technology for optimised multi-application capacity, and will initially provide access to both systems and buildings.

Of the car manufacturers embracing smartcard technology, Mercedes in Italy has issued employees with cards to control access to the car storage area. Nissan, meanwhile, is expected to roll out smartcard technology to 100 000 employees worldwide. These cards will be used for data storage, access control and ID applications. Volkswagen is using digital certificates based on PKI technology and smartcards to enable their employees to send secure e-mails, log in to SAP and other business systems, and create electronic signatures.

A sound decision

Interest in smartcards for enterprise-wide security is hotting up for a number of reasons. On the technology front, the development of multi-application cards delivered via both contact and contactless interfaces enables businesses to use the technology throughout the enterprise for a host of applications. Furthermore, smartcards have experienced a large boost in awareness in the corporate enterprise community in the last few years. A recent Frost & Sullivan report showed a 100% awareness among those interviewed, an extraordinary figure considering that only three years ago most companies had never heard of smartcards.

Growing interest in the use of digital certificates on multi-application cards is also helping fuel demand. Such technical developments are making the business case more desirable - and an increasing number of organisations can see the advantage of deploying a single card that addresses needs as varied as logical and physical access control, e-purse, time and attendance management, employee profiles and access to corporate leisure facilities. As digital technology develops, companies of all sizes have growing requirements for secure digital communications, remote access and encryption. By adding strong levels of authentication, such developments are enabling more organisations to enjoy the financial benefits of operating 'hot desk' environments.

Many of the obstacles that were previously slowing adoption of smartcards have been now removed. Reader infrastructure has become easier to deploy thanks to standardisation of reader drivers in Microsoft operating systems and widespread integration of smartcard interfaces into desktop PC keyboards and notebooks. In addition, integration of smartcards in Microsoft environments has been simplified due to increased support in Windows 2000 & XP clients and Windows 2003 server and PKI technologies. For remote authentication, smartcards are now able to replace one-time passwords through SSL and IPSEC based VPNs.

Another important advantage of smartcard technology is its capability to be added into an existing legacy system for physical access. A contact chip for logical security services can easily be embedded in already issued proximity or magnetic stripe cards, hence preserving previous security investments and fully utilising current resources without disruption.

Instead of being costly to implement, smartcard technology is now emerging as a major force, thanks to its capability to host several functions on one identification device, which in turn promotes user friendliness and helps lower administration and support costs.

Share this article:

Further reading: