Corporate ID - A Concept Note
Introduction
What do IBM, Microsoft, NEC, Nissan, Schlumberger, Shell and Sun Microsystems have in common, besides being large, multinational corporations? They are all issuing smart cards to tens of thousands of their employees as ID cards.
Other big companies are starting down the same path, having issued smart cards to thousands of employees for computer access, building security, or both. This includes American Express, General Electric, Pfizer and Taiwanese manufacturer First International Computers. U.S. airplane maker Boeing Co. plans to begin testing smart cards soon.
Companies are following Shell’s lead in combining the smart card with the traditional photo ID badge and with technologies for controlling who enters company buildings. While older technologies, including wireless "prox" cards, have been mainly used for physical access control, more companies are turning to contactless smart cards that offer greater security and data storage.
London-based research firm Datamonitor predicts substantial growth in the number of smart cards issued by big enterprises–corporations and government agencies–to their employees for identification. The category is expected to grow from 14 million cards in 2002 to 36 million in 2006, a compound annual growth rate of 27%.
Functionalities
The cards are expected to serve a multitude of purposes ranging from ID to physical and logical access control to e-payments within the premises.
Physical Access
The biggest use of smart card IDs besides network security is physical access control. Until recently, other technologies have mainly controlled building entrances and doors - mag-stripe cards, Wiegand cards and wireless proximity cards that communicate a card’s serial number via radio signal to a door controller.
Increasingly, however, corporations are asking for contactless smart card chips for physical access.
Probably the biggest reason customers want a contactless smart card chip is to store biometric data. That would allow a company to authenticate an individual’s identity by matching a physical characteristic, such as a finger image, with biometric data stored on the chip at enrollment. Proximity card chips lack the memory to store such data.
Another advantage of contactless smart cards is greater security, because they can encrypt data and carry out a mutual authentication with a reader before revealing employee data. A "prox" card, by contrast, will broadcast its serial number to any compatible reader, potentially allowing unauthorized individuals to capture the data and create a phony card.
A third advantage is that card-reading devices can write new data to a contactless smart card chip. For instance, a pharmaceuticals company might want to record each time an employee enters a particular facility. That way, if there is a risk of contamination, an employee who has been in building A could be barred from building B.
Smart card chips, which can carry PINs as well as biometrics, also allow organizations to adjust their security as conditions warrant.
Logical Access
Smart cards also have a security component. When the card is removed from a workstation’s card reader, the connection to the user’s data is severed. That means intruders cannot sneak in and use an employee’s computer to gain access to corporate data while the employee is at lunch.
Shell has successfully used the smart cards to allow employees to pull down the data they need from "thin client" workstations in the company’s 1,200 work sites at some 240 Shell companies in more than 120 countries. An employee can go to any workstation, insert their smart card and access any data they are entitled to see. It’s made mobility a lot easier.
E-payments
Several companies put an electronic purse on the card to use in company cafeterias. That reduces cash-handling and offers convenience for workers.
Major Challenge
But the question arises - Why so few? Why aren’t more companies adopting this technology? The problem is – where do you stick a smart card? Computers aren’t built for a smart card. You have to add another box, which is another expense and another maintenance item. This is precisely where the problem lies.
That problem would go away if computers came with built-in smart card readers, but major PC makers have not seen the customer demand to justify the additional expense.
That now is changing, at least when it comes to enterprise customers like government agencies and big corporations. U.S.-based Dell Computer Corp., the No. 1 PC maker worldwide in the first quarter of 2003, this year launched its new line of enterprise-oriented Latitude notebook computers, all with a smart card slot as standard equipment.
Dell saw that smart cards were becoming increasingly standardized and that information security was a growing concern among customers. And it cost Dell less than $10 more per machine to add the smart card readers.
Dell is not alone. Acer offers three TravelMate laptops with smart card readers. Fujitsu-Siemens desktops for the corporate market and high-end Lifebook laptops can be ordered with chip cards readers.
Alternative Technologies
The penetration of computers with smart card readers remains low, leading companies that want to authenticate remote users to consider alternatives that do not require the addition of smart card readers.
One option is to put a smart card chip into a plastic token about the size of a door key that plugs directly into the USB ports now standard on PCs. Since these tokens carry smart card chips, they have all the processing power and memory of a smart card, but need no card reader.
However the fact remains that tokens are single-function devices, whereas a smart card can be a photo ID and hold passwords, certificates and biometrics. The smart card solves multiple problems and it has room for growth.
Indeed, many of the companies issuing smart cards to employees are putting other functions on the card, some of them on the chip and others on mag stripes or bar codes.
It’s too soon to say the tide has turned definitively toward smart cards. But the technology is clearly making waves in the corporate ID card arena.
|
