Two Worlds Converge

A look at the role of smart cards and biometrics in today’s converging physical and logical access control systems

The microprocessor inside the smart card provides strong security by authenticating the server, and then authenticating itself dynamically without having the certificates leave the card. It can also provide session keys to encrypt communications as well as e-mail or disk encryption and digital signature.

If the card is also an employee’s access badge, there is another advantage — they have to take it with them as they move around the facility. This builds in a natural means of enforcing employee security policy adherence, which is to not leave the smart card and certificates in the PC reader.

Government, Healthcare Lead the Way

Using smart cards for network security and identity management is a trend that has been building for years. In some industries, like defense and federal contractors, it is on the cusp of becoming pervasive.

“Now that every federal employee will soon have a smart card-based Personal Identity Verification (PIV) card, the government’s attention has turned to enabling systems to recognize those cards for strong authentication, encryption and digital signature,” Vanderhoof says. “And defense and government contractors are right behind them, lining up to issue PIV-interoperable cards with identities federated across the federal bridge.”

The federal government and its legion of contractors are not the only sector working collectively to set cross-industry guidelines for creating trust in online identities. Biopharmaceutical and healthcare industry leaders formed the SAFE-BioPharma Association to help the industry achieve a common goal of a fully electronic business environment by 2012. This organization focuses on defining digital identity and signature standards that are acceptable to government regulators and can work throughout the pharmaceutical and healthcare industry.

A strong case study for universal benefits of digital identity standards comes from Pfizer, one of the industry leaders and a SAFE member. Pfizer implemented a converged physical and logical access control solution based on Gemalto smart card technology. As a regulated pharmaceutical company, they are required to conduct many studies to bring drugs to market, and their scientists must maintain signed and witnessed lab books. Until recently, those had to be paper notebooks that were passed around for review. With smart card-based digital signatures, Pfizer was able to convert those “wet” signatures to electronic ones, creating a significant return on investment (ROI) for Pfizer and increased trust in pharmaceutical practices from consumers.

Similarly, the healthcare industry is being driven by Health Insurance Portability and Accountability Act (HIPAA) guidelines to increase the security in hospitals and other healthcare providers.

“For years, it was common practice on shared workstations in hospitals that the first nurse would log-in and everyone else used that identity for the rest of the shift — that does not provide any accountability,” Thornbury says. “With HIPAA, everyone must log-in individually and log-out when they are done. As you can imagine, that takes a lot of time, so a smart card-based authentication device can be a real time saver, especially if coupled with a roaming desktop concept.”

Another issue looming on the horizon for healthcare is a Drug Enforcement Administration (DEA) initiative to require strong authentication for e-prescriptions for controlled substances. Like HIPAA, this budding requirement lends itself to smart cards and biometrics.

Chemical, energy and other critical national infrastructure industries — dams, power plants and grids — are also moving into smart card-based logical access control. Driving factors include stronger security goals, strict auditing requirements and other regulations that dictate a two-factor solution. These applications are also prime candidates for biometrics, according to Thornbury.

Providing ROI

An advantage of convergence for both security practitioners and technology providers is that there is a good ROI case to be made for logical access control — something that has always been hard to come by in physical access control, Thornbury says. Typical ROI payback elements in logical access control include password resets and support costs, audit savings and productivity gains. Particularly in today’s business environment, a clear ROI is moving logical access control and convergence to the top of IT departments’ priorities.