Feature of the Month
Securing Logical Access: Smart Cards and Strong Authentication
Virtually every day another news story highlights the importance of network security - corporate networks are breached, databases are accessed by unauthorized individuals, and identities are stolen and used to conduct fraudulent transactions. As a result, both businesses and governments are evaluating or implementing new identity management systems to provide more secure logical access.
Logical access is the process by which individuals are permitted to use computer systems and the networks to which these systems are attached. The objective of secure logical access is to ensure that these devices and networks, and the services they provide, are available only to those individuals who are entitled to use them. Entitlement is typically based on some sort of predetermined relationship between the network or system owner and the user, as a paying subscriber, an employee, a customer, or some other type of binding relationship.
The system that supports delivery of such networked services represents a significant investment; in fact, this system may represent the single largest asset that the owning organization has. These assets require protection from unauthorized use by individuals or entities who may diminish or destroy their value. Therefore, controlling access to these assets is of paramount importance to virtually all organizations that rely on information technology (IT) systems to accomplish their objectives.
Current Methods for Accessing Computer Networks
The most widely implemented method for controlling logical access is the user ID-password combination. Users provide the user ID (usually the user's name) and a secret that only the user knows (usually a password). A simple database lookup determines that the password is attached to the user ID, authenticates the user's identity, and grants access. Each system or application typically assigns a unique user ID and password combination to each user and then determines access controls for that user based on the unique ID.
Over time, however, this type of authentication has proven to be weak and inefficient. User IDs and passwords can be compromised relatively easily through a variety of well-known techniques. When such information is obtained by criminal elements, it can be used to achieve unauthorized and illegal entry into a network. The results of compromised access controls can be disastrous for the network owner and for the user whose network or system identity is stolen. In addition, user identities are typically managed application by application, creating operational inefficiencies as the number of systems and applications in an organization grows and introducing security vulnerabilities as it becomes increasingly difficult to control policies governing the use of those identities.
Fortunately, new technologies are available that can strengthen the authentication process supporting access control and provide a higher level of assurance that users are who they claim to be and that the identity credentials presented are valid. These technologies generally employ encryption techniques, biometric data of some sort, and/or the possession of a physical token or credential to improve the effectiveness of access control systems. Unlike the use of a single factor (i.e., user ID-password combination), strong authentication requires the use of two or three factors to validate identity.
Factors would include some combination of:
- Something you know (a password or personal identification number that only you know),
- Something you have (a physical item or token in your possession), and
- Something you are (a unique physical quality or behavior that differentiates you from all other individuals).
Using stronger authentication technologies and multiple authentication factors mitigates potential loss due to unauthorized access to network assets.
Drivers for Stronger Logical Access Methods
Compromised security is not the only reason for seeking improved logical access control techniques. Other drawbacks of the user ID-password combination include high administrative costs, inadequate ability to manage different risks, and inability to leverage the additional security that is now being built into computer systems and applications.
Administrative Costs. As users access increasing numbers of network services, each requiring a separate user ID and password, the user's ability to manage and remember required access information breaks down. As a result, users either write the information down, which makes it vulnerable, or call their network administrators. Administrators must regularly deal with service calls from users who have forgotten their user ID-password combination.
Such service calls are expensive and are becoming more so, as the services provided through a multitude of expanding networks increase. Several sources estimate that a single call to an administrator to reset a forgotten password costs approximately $40. The costs associated with supporting this method of authentication and access control are driving network administrators to look for solutions that are more efficient, as well as more secure.
Security Risks. Recently, reports of unauthorized individuals breaking into computer networks to steal information for financial or political purposes have multiplied. In the private sector, the impact of such security breaches is measured in terms of both financial loss and loss of customer confidence. In government circles, the risk is magnified by the potential effect on national security and the impact on the public's trust and confidence in critical government institutions.
As more intrusions take place, the ability to quantify their negative impact is improving. Institutions in both the public and private sector are better able to analyze the costs and benefits of investing in new technologies to improve network security, including technologies to improve access control, and are able to justify doing so based on solid return on investment.
Risks of Legal and Regulatory Noncompliance. In the aftermath of the September 11 terrorist attacks, a significant amount of new legislation was passed, primarily aimed at improving the security of computer networks owned and managed by the Federal Government. Additional legislation promotes the adoption of systems that deliver government services electronically. One critical part of these initiatives is support for the logical authentication of individuals trying to access such services.
As a result, network security and the mechanisms by which users are granted access to government-controlled assets have moved to the top of the government agenda. Policy and implementation guidelines define the various levels of authentication that are needed based on the sensitivity of the information being accessed, and a variety of candidate technology options have been identified, ranging from user IDs and passwords to public key infrastructure (PKI), biometrics, and smart cards. Many U.S. government agencies have already put in place programs to issue smart ID cards that support stronger authentication techniques for both physical and logical access.
The government already requires contractors to meet government-specified standards for security technologies, policies, and practices. The trend is for the private sector to adopt technologies and practices put in place by the government, not only as an example of best practices, but also as a means of mitigating any legal risk that may be incurred by nonconformance. Businesses are also subject to a number of new requirements for access control and audit, as a result of new laws or regulations such as the Gramm-Leach-Bliley Act, HIPAA, the Sarbanes-Oxley Act, and the USA Patriot Act.
Privacy and Identity Theft. According to the Federal Trade Commission, in the last 5 years 27.3 million Americans were victims of identity theft, with businesses and financial institutions losing nearly $48 billion to identity theft and consumer victims reporting $5 billion in out-of-pocket expenses. Attacks on consumers' computers, through "phishing" and other virus and "spyware" attacks, constitute new ways to steal usernames and passwords. Gartner reports that more than 1.4 million U.S. adults have suffered from identity theft fraud due to phishing attacks, costing banks and card issuers $1.2 billion in direct losses in the past year.
As privacy and identity theft become larger issues (and are addressed by legislation at the state and national level), the private sector will have to move toward stricter controls on customer databases and the personal information that companies are entrusted to protect. Companies will need to control access to sensitive information and ensure that such information is only accessible to those with the proper authorization.
Technology Evolution and Migration. Because of the increasing demand by IT users for improved access control mechanisms, IT solution providers are building more security into their products to provide native support for modern authentication solutions. For example, support for PKI logon and encrypted and digitally signed e-mail is now native to Windows. More and more products from a wide variety of vendors enable the use of PKI, biometric, and smart card technologies to support strong authentication methods using multiple factors.
As computer systems are refreshed and upgraded over time, support for strong authentication through multiple technological approaches will be more readily available. The result should be increasingly widespread use of strong authentication techniques, higher levels of security assurance, and greater user convenience.
The Role of Smart Cards
Smart card technology provides the foundation for privacy, trust and security in logical access applications. As a cryptographic device, the microcontroller at the heart of the smart card can support a number of security applications and technologies. Smart cards offer secure data storage and support any or all of the authentication techniques commonly used to secure logical access, including:
- Support for PKI and asymmetric key applications (e.g., digital signatures, e-mail message encryption), on-card key generation, and protection for the privacy of the user's private key
- Secure storage for biometric templates
- Secure storage for user IDs and passwords
- Support for one-time password generation
- Secure storage for symmetric keys
- Support for other applications, such as physical access control or financial transactions
Smart card technology significantly strengthens security, protecting both the electronic credential used to authenticate an individual for logical access and the physical device. Since the credential is permanently stored on the card, it is never available in software or on the network for an unauthorized user to steal. Smart cards build protection into the physical device by supporting tamper-resistant features and active security techniques for encrypting communications. Smart card technology is also available in multiple form factors (plastic card, Universal Serial Bus (USB) device, or mobile phone Subscriber Identification Module (SIM) chip), supports both contact and contactless interfaces and has a wide variety of readers available.
Smart cards are becoming the preferred method for logical access, not only for their increased security, but also for their ease of use, broad application coverage, ease of integration with the IT infrastructure, and multi-purpose functionality. Both Microsoft® Windows® and Unix® operating systems offer a significant level of smart-card-related support and functionality, through either built-in (out-of-the-box) support or commercial add-on software packages. Smart-card-based logical access allows organizations to issue a single ID card that supports logical access, physical access, and secure data storage, along with other applications. For example, the same smart ID card can allow an individual to enter a building securely, log onto the corporate network securely, sign documents securely, encrypt e-mail and transactions, and pay for lunch at the organization's cafeteria. By combining multiple applications on a single ID card, organizations can reduce cost, increase end-user convenience, and provide enhanced security for different applications.
Smart card technology provides organizations with cost-effective, secure logical access. Smart cards deliver a positive business case for implementing any authentication technology. Improved user productivity, reduced password administration costs, decreased exposure to risk, and streamlined business processes all contribute to a significant positive return on investment.
"FTC Releases Survey of Identity Theft in U.S. 27.3 Million Victims in Past 5 Years, Billions in Losses for Businesses and Consumers," Federal Trade Commission press release, Sept. 3, 2003, http://www.ftc.gov/opa/2003/09/idtheft.htm
"Phishing Victims Likely Will Suffer Identity Theft Fraud," Gartner press release, May 14, 2004, http://www3.gartner.com/5_about/press_releases/asset_71087_11.jsp
Photos provided by Atmel, Axalto, Datakey, Gemplus, Honeywell, and SCM Microsystems. Additional information about smart card readers can be found in the Smart Card Alliance smart card reader catalog at www.smartcardalliance.org .
This article is an extract from the new Smart Card Alliance report, "Logical Access Security: The Role of Smart Cards in Strong Authentication," researched and written by the Smart Card Alliance Secure Personal Identification Task Force. Individuals from 22 member organizations were involved in the development of the white paper. Lead contributors included representatives from Axalto, CardLogix, Datakey, Gemplus, Honeywell Access Systems (OmniTek), IBM, Identix, Litronic, a SAFLINK Company, Lockheed Martin, MartSoft Corporation, Northrop Grumman Corporation, SCM Microsystems, Smart Commerce, Inc., Sun Microsystems, VeriSign and XTec, Incorporated.
Written for decision makers in enterprises and government agencies, the full report discusses current trends and issues with logical access, reviews alternative approaches for authentication and presents key considerations that organizations should take into account when implementing stronger authentication for logical access. The benefits of using smart cards for logical access are presented, along with key business case factors that should be considered when deciding to invest in new technology for strong authentication. The report also describes the support provided for smart cards by the Microsoft Windows and Unix operating systems. Included in the report are several profiles of organizations currently using smart ID cards for logical access - Boeing, Microsoft, Rabobank, Shell Group, Sun Microsystems, U.S. Department of Defense and U.S. Department of State.
The full report and additional information about smart cards and the role that they play in secure identification and other applications can be found on the Smart Card Alliance web site at www.smartcardalliance.org.
Microsoft, Windows are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and/or other countries.
Unix is a registered trademark of The Open Group.