Be Smart About IDs
A growing number of organizations are adopting smart cards for both physical and network access. Many are also deploying them for an expanding set of additional purposes.
The cards can provide significant security benefits. Used as an authentication method for network access, for example, the credentials can be far stronger than commonly used passwords. In many cases, using a single card for multiple purposes can also be convenient for employees.
Two firms, Unisys and the Albert Einstein Health Network, appear to have realized particular benefits thanks to the well-planned manner in which they implemented their card solutions. The companies emphasize the importance of communicating early and regularly with executives throughout their organizations to improve project efficiencies. The firms have also emphasized the importance of product piloting and employee training.
The companies are using the credentials for several cutting-edge functions, including computer access, attendance and payroll, and company vending. Some of their implementation insights and newfound benefits are described below.
Unisys began looking for stronger authentication options several years ago because a growing number of the company’s approximately 30,000 employees were becoming increasingly mobile and relying more heavily on laptops. With numerous federal clients and operating in more than 100 countries, Unisys was increasingly concerned about data protection.
Access control is also a core Unisys competency, says Patricia Titus, chief information security officer at the firm’s Unisys Federal Systems (UFS) subsidiary. The company wanted to demonstrate its expertise and effectiveness.
Starting at the company in 2008, Titus and other colleagues began examining ways to bolster authentication methods. The group looked particularly at logical access possibilities. Remote authentication risks were a top concern.
Smart cards offered the ability to move closer to a unified physical/logical credential. The company had already been using a USB-based smart card system to help secure certain critical applications. Unisys had, and still has, software that flags suspicious remote log-ins. But an active physical card is an exponentially stronger identifier, says Titus. So expanding use of smart cards beyond critical applications was a logical next step.
The company wanted to use the cards for physical access to the facility or internal secured areas as well as for access to employees’ desktop computers. Staff would be required to use the credentials, for example, when moving around an office building. Removing a card from a work station would also cause the machine to lock down, preventing the risk of “anyone sitting at someone else’s desk and stealing sensitive information,” Titus notes.
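The lock-on-removal behavior described above is a standard Windows setting rather than anything proprietary to Unisys, and it only works when both the policy value and the Smart Card Removal Policy service are in place. The script below is an added example, not code from the article or from Unisys; it audits a host for that setting and, for a lab machine, applies it. It assumes an elevated PowerShell session on a Windows host; the registry value `ScRemoveOption` and the service `SCPolicySvc` are the standard Windows names, and on a managed fleet the value would normally be pushed through the Group Policy setting "Interactive logon: Smart card removal behavior" rather than written directly.

```powershell
# Added example (not from the article or from Unisys): audit and, for a lab host,
# set the Windows behavior that locks a workstation when the smart card is removed.
# Assumptions: elevated PowerShell session on a Windows host.
# Standard Windows names used below:
#   HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (REG_SZ)
#     "0" = no action, "1" = lock workstation, "2" = force logoff,
#     "3" = disconnect remote session
#   SCPolicySvc = Smart Card Removal Policy service; it must be running for
#     the setting to have any effect.

function Get-SmartCardRemovalPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name 'ScRemoveOption' -ErrorAction SilentlyContinue).ScRemoveOption

    $meaning = switch ("$raw") {
        '0'     { 'No action' }
        '1'     { 'Lock workstation' }
        '2'     { 'Force logoff' }
        '3'     { 'Disconnect remote session' }
        default { 'Not configured (behaves as no action)' }
    }

    $svc = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue

    # "Effective" is true only when a locking/logoff value is set AND the service runs;
    # either half missing means pulling the card does nothing.
    [pscustomobject]@{
        ScRemoveOption = $raw
        Behavior       = $meaning
        ServiceStatus  = if ($svc) { $svc.Status } else { 'Service not found' }
        StartType      = if ($svc) { $svc.StartType } else { $null }
        Effective      = (($raw -in '1', '2', '3') -and $svc -and ($svc.Status -eq 'Running'))
    }
}

function Set-SmartCardRemovalLock {
    # Direct write for a lab host; in production push the equivalent via the GPO
    # "Interactive logon: Smart card removal behavior" so it cannot drift.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $key -Name 'ScRemoveOption' -Value '1' -Type String
    Set-Service -Name 'SCPolicySvc' -StartupType Automatic
    Start-Service -Name 'SCPolicySvc'
    Get-SmartCardRemovalPolicy
}

$state = Get-SmartCardRemovalPolicy
$state | Format-List
if (-not $state.Effective) {
    Write-Warning 'Card removal will not lock this workstation; apply the GPO or run Set-SmartCardRemovalLock in an elevated session.'
}
```

Running the audit across a fleet (for example through a remoting session or a configuration-management inventory) catches the common failure where the registry value is set but the service has been disabled, which silently turns the "card out, screen locked" control back into "no action."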
Unisys chose a dual-technology smart card from HID Global that included a magnetic stripe and two embedded chip pairs containing smart card technology from Aladdin Knowledge Systems. One reason Unisys chose Aladdin was that its technology would work with a range of third-party hardware and software, says Bryan Ichikawa, vice president of UFS’s Identity Solutions practice. It also supported numerous possible smart card functions.
In one way, Unisys had a good architectural foundation for the project: the company had a preexisting enterprise public key infrastructure (PKI). The company had implemented it mainly to encrypt and decrypt as well as to digitally sign e-mail. Unisys had also been using a smart card-based system to provide access to certain critical applications, says Ichikawa. The company knew how smart cards can strengthen the encryption process by securely storing encryption keys, Ichikawa says.
Company staff tested the smart cards and readers extensively before providing the technology to employees, says Titus.
Unisys then began the rollout in the company’s Reston, Virginia, headquarters before expanding it to different facilities and departments, Titus says. One advantage of this phased approach was that helpdesk staff could better respond to employees’ questions and concerns; the company could also learn about potential challenges.
The smart cards were distributed by the physical security department. The latter had been supportive of the new efforts, including the notion of a single credential for all physical facilities, Titus says. The cards would be married with Microsoft Active Directory for both physical and network access, categorizing users into “groups.”
Training challenge. The most challenging part of introducing the new cards was employee training, Titus says. Employees were a little resistant to change at first. Introducing new cards “does not always make you popular,” she notes.
To facilitate the transition, the rollout was assisted by strong support from high-level executives, which helped motivate employees, Titus says. Additionally, users were told how the card could benefit their particular business needs. With sales staff, for instance, the company explained how the cards could keep a hacker from stealing sales proposals or other valuable documents, she says.
Perhaps most helpful, though, was the creation of in-house instructional videos. Unisys placed YouTube style videos on the company’s Intranet. The videos featured real employees discussing some of the new card system’s benefits as well as providing “watch as they do” instructions and examples showing, for example, how users needed to insert cards into readers to download onto the card a digital certificate and to configure their card. Written documentation was also provided, but the videos made an “exponential” difference in training, Titus says.
It also took employees a little while to get used to keeping track of the cards. In the beginning, there were many cases of employees misplacing their cards, says Ichikawa. But after one or two occasions, this “usually resolved itself.”
Strong adoption. The rollout took about six months, says Titus. As of this summer, most employees with laptops were using smart card readers. A small portion were also using fobs, which Unisys has provided employees in cases where smart cards were impractical. An example could be when employees prefer to use their own laptop as opposed to a company-issued model, Titus says. Unisys is trying to expand employee telecommuting options, she says, and “we don’t want to force people to use a device they’re not comfortable with.” Employees can still gain network access without either device but only to company e-mail.
The devices have reduced the number of passwords employees need. Helpdesk calls regarding passwords are declining as well, which Titus expects to save the company money over time. The access card has also, in many cases, made it easier for employees to enter different company offices, she says.
Albert Einstein Healthcare Network
One main reason Albert Einstein Healthcare Network (AEHN) decided, a few years ago, to implement a new card access system was that the Philadelphia-based company was splitting from its parent organization, Jefferson Health System.
Until then, AEHN had been using a swipe card access system. The need for new IDs also seemed to be an opportunity to take advantage of newer access card technology, says Russell Jones, network director for protective services. Switching to contactless cards, for example, which did not require actual swiping, could provide benefits including user convenience. Adding smart card technology could also open up a host of new potential card uses.
But introducing new credentials to the company’s approximately 7,500 employees, working in five hospitals and other medical buildings in the region, could be challenging.
Planning. An initial project goal was to meet and communicate with key executives throughout the company, Jones says. It was important to bring parties together to boost the project’s efficiency and to discuss issues such as “the end product, the expectations, and the schedule.” Input was needed from executives working in areas ranging from physical security and software development to business operations and systems architecture, to human resources and marketing.
An initial decision reached by Jones and other executives was to use HID Global for the new cards and readers. HID had supplied the company with its existing Wiegand card swiping system. The company had worked well with HID, and the vendor appeared to offer a breadth of options in areas such as card technology, software, and support. AEHN chose HID Global’s iCLASS technology readers and smart cards.
Added functions. The company also decided to equip the new cards with technology that could be used with time, attendance, and payroll, says Jones. One reason was that a majority of the company’s employees worked on an hourly basis, he says.
To help with software integration and manufacturing the new credentials, AEHN also decided to enlist an HID service called Identity on Demand (IoD). A major part of software development involved integrating AEHN’s Kronos system with the new card and reader technology. The project also involved creating bar codes and attaching them to the cards. Kronos numbers identifying employees were placed inside the bar codes.
IoD initially printed about 50 cards, which Jones and other colleagues tested for about two months, he says. Jones and others paid particular attention to the accuracy of the time and attendance readers and how well they integrated with payroll, he says. If significant payroll problems ever developed, he says, it could be a “disaster,” far worse than access control issues, because people have to be paid. The testers, therefore, wanted to make sure the system worked “100 percent of the time.”
Before the official rollout, employees were also contacted by executives from departments including marketing, he says. Employees were told about the change and about some of its main benefits. They were also told the change “would not be too difficult,” but that human resources, IT, and other staff would be available for support and questions.
The official rollout took place in stages; cards were introduced by building facility and by department. Human resources issued new credentials and collected the old cards, and sometimes showed employees how to use the new attendance readers. The process went smoothly. “Very few” attendance or payroll issues have arisen since the rollout, Jones says.
Card vending. Shortly after the new cards’ introduction, Jones and other staff stepped up efforts on an additional project: enabling the cards to buy cafeteria food. A main goal was user convenience, Jones says, but additional benefits could include a decreased risk of theft as less cash would change hands.
Jones says he placed much of the responsibility for moving over to card-based purchases with AEHN’s food vendors. Jones provided the vendors with the new company cards and asked the vendors “to make them work.” The cards use standard technology, he says, making it easier for the vendors to purchase compliant devices.
Vendors installed readers that could work with the cards within a few months, says Jones. About 75 percent of employees use their IDs for cafeteria purchases, he says. Lunch lines are noticeably shorter, he adds, “especially during busy times.”
Adding attendance and payroll functionality, and adding vending capabilities, have each added a further “security layer” to the access system, he says. Integrating new functions into a single backend application makes it simpler to investigate, for example, whether a card may have been used inappropriately, he says.
As with Unisys, the company has found that in many situations, employees appreciate the convenience of using one credential for multiple purposes.
Both companies have also found that new card initiatives benefit from proper planning, communication, and scheduling. For Jones, the importance of such elements “could perhaps be the top [lesson] that I could impart.” Both Jones and Unisys’s Titus agree on the importance of product testing and strong employee training and support.
Jones says AEHN, for one, is likely to add additional security-related functions to the company’s cards. The company is currently piloting a program in which physicians use the cards for network access, for example. New smart card projects can be time-consuming, he says, but “when benefits include more connectivity, convenience, and security, everybody wins.”
John Wagley is an associate editor at Security Management.