With the recent sting of very public and highly publicized IT compromises, many IT security stakeholders are re-evaluating their overall security strategy. It is inevitable that at some point in that evaluation, the idea of implementing multifactor authentication will be considered.
Smartcards are often discussed and quickly dismissed as an alternative to existing multifactor schemes. However, in recent years there have been many changes to the smartcard product offering, including reductions in total cost and easier integration into heterogeneous environments.
The first step to a successful smartcard deployment is determining what kind of hardware and software the organization needs to move forward. The obvious requirements include cards, card readers and the associated drivers and software. An organization will also need to look at a smartcard management system and possibly card printers.
Finding good resources to assist with a smartcard project can be difficult, and all too often I find that customers engage CSS too late in the process. This often leads to having to rethink decisions that have already been made, or to building on an assumption that has not yet been fully vetted. Engaging early in the deployment with an organization that possesses significant smartcard roll-out experience can reduce mistakes and costly assumptions, allowing for a faster and better end-user experience when cards are deployed.
2. Smartcard Selection
It seems that everyone wants to sell you smartcards these days; however, BEWARE, NOT ALL CARDS ARE CREATED EQUAL. There are options with respect to card operating system, middleware requirements, OS compatibility, form factor and card storage space. All of these should be carefully considered to ensure the correct smartcard for your organization.
The most common mistake I see organizations making today is looking only at the per-card cost and not taking into account what else is required to make the card operate in the environment. If the selected smartcard requires additional software to run in a Windows environment (typically referred to as PKCS #11 middleware), then it is likely going to cost you significantly more over 5 years than one that does not. Here is a quick calculation to show the difference in cost:
| | Java Smartcard requiring PKCS #11 Middleware | Base CSP Smartcard |
|---|---|---|
| Cost to acquire Smartcard | 15.00 | 25.00 |
| Cost for each seat of Middleware | 35.00 | Included in Windows |
| Maintenance Cost year 1 to 5 for Middleware (20 % of list) | 35.00 | Included in Windows |
| Total Cost Per user | 85.00 | 25.00 |
NOTE: The example does not include costs associated with patching and deployment efforts, which would drive the middleware costs even higher.
The above chart clearly demonstrates that the cost of the card itself is only a small percentage of the total cost to the organization.
3. Smartcard Management System
Equally important to the selection of the smartcard is the selection of the smartcard management system. Once again these come in many different shapes and sizes, and the obvious choices are not always the best.
The smartcard management system manages the life cycle of the smartcard in an organization. It provides a platform on which day-to-day operations can be performed in support of the smartcard technology. These operations include resetting PINs, unblocking cards, managing the certificates on a card, and so on.
Most smartcard vendors offer a vendor-specific smartcard management system, which is likely not the best option for most organizations. First and foremost, it locks your organization to a specific card manufacturer, and while that might not seem important at first, in a few years' time, when a new type of card, form factor or feature is available from another manufacturer, you won't want to have to support multiple card management platforms. Also, depending on the complexity of your organization, there might be a need to support different types of smartcards immediately: for example, a lower-cost Base CSP card for Windows and PKCS #11 cards for Linux and UNIX machines.
4. Scope – Walk before you try to run
Smartcards can be used for many beneficial purposes in an organization. They can be used for two-factor logon and VPN access, they can be combined with technology for physical access, or they can be used as payment cards for the cafeteria.
While most organizations have an end goal of eliminating the use of passwords for logon, many smartcard projects get stuck in the IT group because the impact of the change is not considered properly.
Start by deploying cards to a small group for a specific purpose: perhaps IT admins for logging on to servers, or executives to eliminate password-based attacks on high-value information. Deploying thousands of smartcards and insisting everyone use them the next day to log on will likely result in a low adoption rate and negative feedback. Remember that in this example you are asking people to log on without a password, something most people have never done. That is a big change for a non-technical person.
Like every other IT project, planning is critical to a successful smartcard deployment. Working with a team that has previous expertise in smartcard deployments can significantly reduce the common reasons why smartcard deployments fail. Proper communication and training are critical to a successful deployment.
Equally important is making sure the entire life cycle of the smartcard is taken into account. All too often we have seen organizations spend time and money getting cards deployed but very little time on renewal or replacement. Leveraging the proper technology to fit your existing environment and processes will reduce complexity.
CSS consultants have worked with customers worldwide to successfully deploy over 100,000 smartcards. We work with strategic partners and the customer to ensure the best possible smartcard solution for your organization. We pride ourselves on offering quality assistance that addresses the uniqueness of each environment and its organizational concerns.