Smart Card Alliance Smart Card Talk
January 2005 • Volume 9 Number 13

 

Feature of the Month

Building the Business Case for Smart ID Cards

Many enterprises are currently considering the use of smart cards to support strong authentication for secure logical access. A recent study of U.S. Fortune 500 companies revealed the following:

  • All of the companies surveyed (100%) were aware of smart card technology.
  • More than 63% of the executives interviewed either have investigated or were investigating smart cards for network security.
  • More than 39% of the companies surveyed plan to use smart cards to enhance and strengthen their corporate security systems within the next 3 years.
  • A total of 30% of the companies were currently using or testing smart cards within their security systems.

For smart cards to be adopted, the technology investment must be supported by the appropriate business case, which requires consideration of both tangible and intangible benefits.

Intangible Benefits

Businesses invest in strong authentication technology for two main reasons:

  • Regulatory compliance
  • Strategic positioning

Regulatory Compliance. Businesses are increasingly required to enhance their authentication processes to comply with external requirements. Such external requirements include new legislation or regulations (for example, HIPAA, Sarbanes-Oxley) and other government or industry standards. In such cases, businesses typically are required to demonstrate that they meet certain prescribed standards. Failure to comply with these standards may result in significant financial penalties.

The requirement to upgrade information systems to offer stronger authentication is commonly seen by senior management as the cost of doing business in a given sector or market. In addition, privacy violations can result in significant penalties.

Strategic Positioning. Smart cards form part of the security backbone of an enterprise. In that respect, they are no different from directory servers, VPNs, intrusion detection systems, or firewalls. Businesses are starting to recognize that to maintain a competitive advantage, they need to ensure that their intellectual assets are well defended.

Certain businesses have established a Chief Security Officer (CSO) position to ensure that security concerns are addressed in a holistic manner. To be effective, the CSO position typically reports to the CEO. Smart cards are attractive within such an environment, since they act as a bridge between the physical and logical security domains.

Tangible Benefits

It is highly probable that an organization considering a smart card deployment will have a legacy infrastructure, typically including the following:

  • Username-password-based local authentication
  • One-time password (OTP) tokens for secure remote access to protected assets
  • An employee ID badge infrastructure with a supporting physical access control system

Organizations often consider a combined physical-logical access system based on smart cards. These cards include a contactless interface to support building access and a contact interface to support logical access. Historically, these two components have been physically separate, but there is a growing trend for both functions to be supported on a dual-interface chip with significant processing and data storage capability.

The benefits of such a system include the following:

  • Simplified user management
  • Elimination of OTP tokens and associated infrastructure (e.g., servers)
  • Increased user productivity

Simplified User Management. Significant expense is associated with the maintenance of traditional password-based authentication systems. For example, the Aberdeen Group has found that the cost of configuring and maintaining password systems for small companies averages $100 to $150 per user per year. Costs for a mid-tier company average $200, and a large enterprise spends an average of $300 to $350 per user per year. In fact, it is not uncommon for IT departments to levy an internal charge for handling password maintenance. Smart card management systems offer "self-service" capabilities that can reduce the administrative overhead associated with password management. While secrets (such as PINs) still need to be managed, a smart card management system typically includes an unattended user management capability that can significantly decrease the expense associated with the maintenance of these secrets.

Elimination of OTP Tokens. OTP tokens are expensive to acquire and manage and have a significant failure rate. The typical cost for an OTP token can approach $100 per year per user. Smart cards offer equivalent functionality but at a reduced total cost of ownership.

Reduction of Overall Infrastructure. Combining logical and physical access applications in a single token offers organizations an opportunity to eliminate redundant technology. Typically, smart-card-based systems can be positioned as an upgrade to, rather than a replacement for, current physical access systems.

Increased Productivity. The introduction of smart cards commonly coincides with other initiatives designed to simplify business workflow, thereby increasing employee productivity and efficiency. Stronger authentication generally increases the efficiency of various internal and external services, yielding a measurable improvement in profitability. Such improvements can be multiplied if trading partners also use the same or interoperable software.

Investment

Smart cards and smart card-associated systems do represent an investment. The level of investment depends on a number of factors, including the organization's current infrastructure and the authentication technique that is being implemented. The expenditures described below are required to acquire and deploy a smart card-based authentication system.

Smart Card Tokens. Smart cards themselves are more expensive than legacy ID cards. A premium of $5 to $10 per card is typical for smart cards.

Smart Card Readers. It is now not uncommon for computers to be delivered with built-in smart card readers. For legacy systems, a typical external smart card reader that attaches to a computer's USB port can be acquired for about $15 (in volume). Smart card-based USB tokens can plug directly into a computer's USB port, requiring no additional hardware investment.

Middleware. To enable the smart card authentication process, middleware must be installed on each user's workstation. Costs range from $2 to $10 per seat, depending on the authentication technique being implemented.

Smart Card Management System. A smart card management system supports the issuance and life-cycle management of smart cards and the credentials stored on them. Systems vary in capability and complexity depending on the authentication technique supported and can range from $5 to $50 per user.  

Authentication Technique Infrastructure. When used for logical access, smart cards implement an organization's selected authentication technique or combination of techniques. Techniques can include passwords of various types, symmetric-key-based authentication, asymmetric-key-based authentication, and biometrics. The cost of the infrastructure to support the chosen authentication technique needs to be considered. Smart cards provide an advantage here: their ability to support multiple authentication techniques on a single ID card allows an organization to implement authentication of the strength required to meet its security requirements. The ability to add applications to smart cards after initial issuance allows organizations to begin using smart cards for simple password storage and add stronger authentication techniques as desired, without reinvesting in cards and readers.

Other Project Costs. Deploying a new identity management system can be a large-scale IT project. Investment will be required in business process reengineering, user training, and support, as well as for initial system configuration and deployment and project management.

The table below summarizes key potential benefits, savings, and costs that should be considered when implementing a smart card-based logical access solution.

Smart Card Logical Access Systems - Savings and Costs

Key Benefits and Savings

  • Simplified user password management
  • Lower support costs
  • Increased user convenience
  • Elimination of OTP token costs
  • Reduced infrastructure cost by combining multiple functions on a single smart ID badge
  • Legislative and regulatory compliance
  • Improved user productivity and reduced operating costs
  • Easier access to networked resources
  • Improvements to business processes (e.g., document signing)
  • Reduced risk of security breaches and their resulting costs (e.g., financial, productivity, sales, market position, legal exposure)
  • Ability to migrate to stronger or different authentication techniques without re-investing in cards and readers

Costs

  • Smart card token cost
  • Smart card reader cost (if used with card form factor)
  • Client middleware
  • Smart card management system
  • Infrastructure costs supporting the chosen authentication techniques (e.g., biometrics, PKI, symmetric key)
  • IT project costs: project management, user training, business process reengineering, system configuration and deployment

Summary

Smart cards are becoming the preferred method for logical access, not only for their increased security, but also for their ease of use, broad application coverage, ease of integration with the IT infrastructure, and multi-purpose functionality. Smart card-based logical access allows organizations to issue a single ID card that supports logical access, physical access, and secure data storage, along with other applications. By combining multiple applications on a single ID card, organizations can reduce cost, increase end-user convenience, and provide enhanced security for different applications.

Smart card technology provides organizations with cost-effective logical access. Smart cards deliver a positive business case for implementing any authentication technology. Improved user productivity, reduced password administration costs, decreased exposure to risk, and streamlined business processes all contribute to a significant positive return on investment.


References

"Fortune 500 Companies' Preference for Corporate Security Applications," Frost & Sullivan, Feb. 17, 2003

"Ask the Analyst: Passwords Are Gobbling Up your Profits," Jim Hurley, Aberdeen Group, May 1, 2003


This article is an extract from the Smart Card Alliance report, "Logical Access Security: The Role of Smart Cards in Strong Authentication," researched and written by the Smart Card Alliance Secure Personal Identification Task Force. Individuals from 22 member organizations were involved in the development of the white paper. Lead contributors included representatives from Axalto, CardLogix, Gemplus, Honeywell Access Systems (OmniTek), IBM, Identix, Litronic, a SAFLINK Company, Lockheed Martin, MartSoft Corporation, Northrop Grumman Corporation, SafeNet, SCM Microsystems, Smart Commerce, Inc., Sun Microsystems, VeriSign and XTec, Incorporated.

The full report and additional information about smart cards and the role that they play in secure identification and other applications can be found on the Smart Card Alliance web site at www.smartcardalliance.org.

 

 

Copyright 2004-2005 · Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550
Phone: (800) 556-6828 info@smartcardalliance.org · www.smartcardalliance.org