A one-card initiative is a program to use a single smart card for both physical and logical (information system) security. Before smart cards, making the physical access control system (PACS) technology decisions was simple; you basically chose what type of card and card readers to use. You could make this decision after getting educated about the current offerings at a security trade show. In contrast, deploying smart cards involves more technology selections, because the smart card contains a chip that holds data files and software.
A Miniature Computer
Card readers can't write directly to the chip in the same way, for example, that magnetic stripe card programmers write to magnetic stripes. Smart card readers have to interact with software applications on the chip to read or write data, using an application programming interface, or API.
Because a smart card chip is a miniature computer (see Figure 1), the decisions relating to smart card deployment are similar to the decisions we make when we choose personal computers or mobile phones like the Treo® or Pocket PC®. How much memory should be on the chip? What kind of operating system should it use? What kind of software applications will we run on it? What kind of interface should we use to get data on and off the chip?
You no longer simply select a card and card reader; you select a card product line consisting of products made by different vendors, including
• plastic card
• operating system
• card management software (to manage the data on the cards)
If you are a security manager responsible for selecting PACS technology, you won't have to deal with the bulk of the technology issues relating to smart card chips. These issues will fall on your counterpart in IT, because they relate to IT security technology.
At this point you may be asking, “But what about convergence? Are you advocating for separate physical security and IT silos?” That question leads to a very important point. The technology decisions don't revolve around physical security or IT silos, they revolve around how you want to use the smart chip (i.e. computer) capabilities of the card.
Applications Should Guide Your Choices
Applications will determine your smart card product line requirements, much as applications often determine your choice of a personal computer, to continue the simile. If your applications are for commercial video editing or high-end graphics production for marketing, you are likely to select a Mac and the latest Mac operating system. If your applications are for typical office work like word processing and financial spreadsheets, you'll probably select a Windows PC.
This is the way it should be. You select a technology not based primarily upon its reputation as the latest or most popular or most technically advanced technology, but based upon what you need the technology to do.
Fred Subala, manager of The Boeing Company's one-card initiative, SecureBadge, asks a full set of questions about any security technology selection. What am I considering doing? Why am I considering doing it? Is there a viable alternative? When does it need to be done, and why then? What approach should I take (phased, parallel, pilot phase or proof-of-concept first) and why? How much will I have to spend total? In the end, what exactly am I getting for my money?
Subala adds that in answering these questions it is important to keep in mind that there are only two reasons for launching any security initiative:
• To improve the quality of security
• To reduce the cost of security
What IT Needs to Know
There are many ways of applying smart cards that improve the quality of security and reduce its cost.
• Physical access control
• Information system access control
• E-mail encryption
• Digital signatures for documents