Smart Uses for Smart Cards

Feb. 16, 2011
Tim McKnight and Russell Koste of Northrop Grumman take an award-winning approach to high assurance credentialing

The landscape of critical business assets has changed significantly since the first electronic access cards were introduced about 50 years ago. Personal computers and networking did not exist - let alone the Internet, mobile phones, digital pocket cameras, USB drives and gigabit capacity memory chips smaller than a flattened pea. Typewriters themselves held no or little data - you could only read some recently typed text from a then-modern plastic typewriter ribbon cartridge.

Today, electronic computing devices (whose non-electronic predecessors were formerly known as "business machines") are both physical assets to be protected, and generators of information assets that require safeguarding.

According to the White House Cyberspace Policy Review, between 2008 and 2009, American business losses due to cyber attacks had grown to more than $1 trillion of intellectual property. Other sources report that identity fraud ($54 billion in 2009), falsification of information, electronic money theft and reported electronic data breaches (up 33 percent in 2010 to more than 16 million records) are all on the rise. The convenience of card-based payments and electronic transactions (including via mobile phones) fuels an expanding base of targets for attackers. In spite of this trend, the application of strong security measures lags. As an example, in 2009, out of a set of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data. However, physical security requires beefing up, too. In 2009 paper breaches accounted for nearly 26 percent of known breaches.

Thus, many companies are looking to smart cards to provide higher levels of authentication for both physical and logical access to critical information and assets. Although the next paragraph starts off with some comments about the smart card computer chips, this article is not about smart card technology details. Instead, it is a discussion about smart card initiatives, and presents some key aspects of an award-winning smart card project in an attempt to convince you of one thing: now is the time to start examining how an identity assurance and smart card program, based on existing standards and technology, can help you establish the kind of security capabilities that your organization needs.

More than Just a Card

Nearly all of us are familiar with the image of the small golden electrical contact tabs of the chip that resides on a smart card. It is amazing to realize that the chip on the bulk of today's smart cards has more processing power than the processor chip of the original IBM PC and early personal computers. Smart cards need computer processing power so they can perform the kinds of calculations needed for cryptography (data encoding, including encryption) used to perform secure communications with other devices.

Additionally, for contactless communication, smart cards contain a tiny radio transmitter and several wires that serve as an antenna, as illustrated in the figure below. Note: this is the primary reason why you do not punch a hole in the card to insert a clip or lanyard string. Special clips exist for use with smart cards.

It is specifically because smart cards are computers in a card - and because they can exchange data in a highly secure way - that smart card programs require a strong identity management system and a more advanced card management system than cards of traditional physical access control technologies. The levels of high assurance achieved are a combination of all of these things. It is not simply the cards themselves that require the improved identity and card management systems. Physical and logical access control systems and business systems can now leverage a combination of technology and process for very high assurance of identity, data integrity and privacy protection.

New Requirements for New Levels of Security

To trust and use the card for critical transactions requires establishing and maintaining high levels of identity assurance in card issuance. This is the basis of the requirement for a strong cardholder registration program, including the people and process parts like background checks, separation of roles like applicant, sponsor (approver) and issuer, and in-person identity verification - much more than just the technology aspect.

The identity information that is used to link an individual to a card can no longer be scattered in multiple independent systems across the organization. This is the reason a single strong and well-managed identity management system and authoritative identity data source are required.

To prevent counterfeiting of the card, and to enable the card to perform data security functions such as encryption and electronic data verification, it is required that the systems putting data onto the card and reading data from the card employ highly secure methods of data exchange. The use of the card is not static. In many organizations, there are several hundred to thousands of applications that will use the smart card. What information goes onto the card must be designed and managed both for security reasons and to ensure that all the proper functionality is available.

What's more, the cards can be used as both a physical and electronic credential. Thus, it is no longer just an access card, but a credential. This multi-purpose capability further emphasizes the requirement for a strong identity and credential management system, including the people and process - not just technology.

Examining the entire picture of how smart cards must be deployed and maintained to be of full value, it is obvious there are many roles and responsibilities involved in the issuance and use of the card that simply do not exist (and for the most part were not needed) for yesterday's access control cards.

ICAM: Beyond Access Control

The existence of these requirements is why a new term has come into use: Identity, Credential and Access Management (ICAM). In the IT world, before smart card technology had reached its current level of deployment, the focus was on Identity and Access Management (IAM). After a while, it became apparent that the Credential part of the picture warranted just as much attention. Thus, the ICAM term came into being and became more widely known through a 220-page publication titled Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance.

This document can be downloaded on the Web; page 8 contains an ICAM conceptual diagram that clearly illustrates the key concepts, roles and responsibilities, as well as the technology and process infrastructure that are all part of a sound smart ICAM program.

A sound ICAM infrastructure (people, process and technology) provides the long-term organizational capability to improve physical and logical asset protection in risk-tailored, asset-focused ways.

Success with High Assurance Credentials

In Nov. 2010, Northrop Grumman Corp. was presented with the Information Security Executive (ISE)(tm) North America Project of the Year Award for the Northrop Grumman OneBadge program. Sponsored by Tech Exec Networks (TEN), the award recognizes achievements in risk management, data asset protection, compliance, privacy and network security in the United States and Canada.

Northrop Grumman leveraged its experience helping government agencies with FIPS-201 smart card deployments. FIPS-201 (Federal Information Processing Standards Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors. Smart cards issued under the FIPS-201 standards are often referred to as "PIV cards."

TEN cited Northrop Grumman's project for, "successfully demonstrating a commercial enterprise's ability to turn the merits of a federal directive into a successful internal deployment." That is one of the main assertions of this article: that any organization can and should apply the federal standards and guidance to have a highly successful and business-beneficial smart credential program.

In previous years, many corporate smart card programs were designed as three-year programs, but ultimately stretched out into five years (or had their scopes cut back) because of learning curve factors, lack of guidance, and being ill-prepared to deal with the identity, credential and access management policy and process changes that accompany the technology deployment.

So how did Northrop Grumman manage to issue more than 100,000 smart cards in an award-winning, 18-month program? According to Tim McKnight, Northrop Grumman's Vice President and Chief Information Security Officer, and Russell Koste, Director of Identity and Access Management for Northrop Grumman Information Systems, the following four factors were key elements of their approach:

- Leveraging the smart card project experience of government agencies.
- Using a pilot project for hands-on experience and to assess future resources that may be needed.
- Fully committing to the rollout effort, and updating the execution plan to apply sufficient resources in the most effective manner.
- Educating employees, addressing technology and privacy concerns in advance.

To accomplish these factors, first, Northrop Grumman was able to build on its experience with Department of Defense (DoD) and Government Services Administration (GSA) smart card programs, where it played an integral role.

With that knowledge, and having 120,000 employees to issue smart credentials to, Northrop Grumman leadership decided to take an approach that they recommend to any organization considering a smart credential - start with a small scope for credential issuance and then proceed to the larger program with much more knowledge, experience and resources at hand.

"We started in 2006 looking first to privileged users (those with administrative privileges) as an example of high-value targets to protect," McKnight says. "This took place over a 12-month period of time. We were then able to take what would otherwise have been a 3- to 4-year program and implement it in 18 months."

McKnight also explains that one major change from other projects they had seen was to combine the enrollment and registration with the card activation into a single step. This enabled the company to achieve its time frame and schedule. Northrop still maintained two-person control over the issuance process - that is, a separation of the roles so that the enrollment officer is not also the issuer.

To accelerate the larger rollout, Northrop performed a 3- to 4-month surge, issuing 10,000 cards per month using more than 100 operators. "We determined that we needed mobile capability to get to remote and small sites," says Koste, "so, we put together a mobile issuance platform."

When asked about employee response to the program, McKnight said, "We did a lot of education about privacy and the strategic imperatives of this security program. As a result less than two dozen employees raised concerns during the issuance process."

Koste says that single sign-on, remote access, secure e-mail and access to DoD Web applications were important processes enabled by the use of the card's authentication functions for information systems.

"Our privileged users' pilot had 300 internal applications to support," he says. "The enterprise has thousands of applications, such as our ERP instances, time entry systems and even federated access to our externally hosted travel system. The systems that Northrop has in place now allow for governance related to applications, where that did not exist in the past."

The success of the Northrop Grumman project shows that the combination of existing standards and guidance, current-day technology, and lessons learned from the increasing number of smart credential programs provide organizations with the materials they need to achieve success with their own Identity, Credential and Access Management programs. Click here to see a U.S. ID timeline.

Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS). His full bio is on Page 18.
Sal D'Agostino, CSCIP, is CEO of IDmachines LLC, a provider of design, integration, strategy and education services for the identity, credential, access, machine learning/analytics and technology transfer markets. Mr. D'Agostino is Secretary of the Smart Card Alliance Identity Council; Secretary of the Physical Access Control council; Vice-Chair of the SIA PIV Working Group; member of the ASIS Information Security Council and a member of the Kantara Initiative. He blogs at