By Kim Gilhooly (IDG) -- Fueled by a need to reduce the total cost of ownership for its desktops, Royal Dutch/Shell Group is rebuilding its worldwide infrastructure around Windows 2000. By exploiting Windows 2000 Server's native public-key infrastructure (PKI) and smart-card support, the Hague-based oil and gas company expects to significantly reduce help desk support costs, increase security and, ultimately, provide users with a single sign-on to all network assets.

"We've been looking for ways to unify our [security processes] worldwide. When Microsoft built PKI and smart-card support into Windows 2000, we decided to take advantage of that," says Ken Mann, project manager for the security initiative that's under way at Shell Services International Inc., the company's Houston-based IT arm. Currently in production with 7,000 users, the system is slated to serve 85,000 users at 1,200 sites in 134 countries by year's end.
Shell is just one of many large firms looking to reduce support costs and bolster security by arming employees with smart cards for network access. When used as part of an infrastructure that incorporates public-key cryptography, smart cards can provide tamper-resistant storage for network passwords, private keys and other personal information. Companies can use PKI and smart cards to authenticate users requesting network access and to achieve nonrepudiation (the ability to prove that a person took a particular action).

Because smart cards store the passwords needed to access various corporate applications, the help desk doesn't have to field calls regarding forgotten passwords. That's no small advantage: According to industry estimates, up to 30% of support calls are about lost passwords, and manual password resets cost between $15 and $30 per call.

Further, by giving users a smart card and a personal identification number (PIN), organizations can achieve two-factor authentication, which provides security by granting network access only to people who can prove they're authorized by showing something they have (the smart card) and something they know (their PIN). Companies are also increasing security by tying network access to physical access, all on one smart card. This could ease the burden on users as well, because smart cards, with their stored private keys, passwords and digital credentials, can help corporations create single sign-on (SSO) access for all network resources.

New Savings, Costs

However, building an access model around smart cards and PKI can be challenging. While a smart-card system reduces support costs, it creates others: Companies must purchase the cards, as well as readers or card-ready computers, at costs varying from less than $100 to several hundred dollars per user. Businesses need a card management system to issue and revoke cards.
If enterprises are going to issue digital certificates, they must establish a system to do so or use a third-party certificate authority. And they face complex integration issues as they migrate applications to PKI to allow access to network assets via SSO. Detractors say putting passwords on one card and creating an SSO model risks giving away the keys to the kingdom, should the card be compromised. But the potential benefits and market drivers such as new privacy legislation have many large firms considering PKI and SSO initiatives.

The difficulties associated with bringing together PKI and smart cards for network access mean many firms will turn to Microsoft Corp., say analysts. SSO integration problems can be minimized by the homogeneity that Microsoft brings to the enterprise. "Single sign-on is extremely difficult to do, even in a pure Microsoft environment. Without that, it's virtually impossible," says Cate Quirk, an analyst at AMR Research Inc. in Boston.

Windows 2000 provides for integrated SSO capability by means of the Kerberos authentication protocol, according to Mike Dusche, a Microsoft product manager. That appeals to Royal Dutch Shell. "Certainly, Microsoft isn't best-of-breed, and they've had problems with their first release of PKI [support]," says Mann. "But they are bringing it all together in one place, so we can live with the shortcomings and the knowledge that it will improve with future releases. If we went with trusted third parties for all our users and PKI, the costs would be much higher."

He adds that large organizations deploying a system like Shell's, which includes readers, multifunction smart cards and card management software, can expect to get costs down to $30 to $40 per user. Mann says that although Shell has hit "some bumps in the road" at this early stage, most will be alleviated when the company deploys its card management system.
He says users generally like having one card for network log-on, building access and cafeteria billing.

Several factors drove London-based British Telecommunications PLC (BT) to deploy a PKI-supported smart-card system, including the fact that it has 60,000 employees who need remote access to network services. Though BT's dial-up approach is generally sufficient, it experienced scalability difficulties whenever the ranks of remote workers swelled. "We wanted to make access more ubiquitous, so users could come in over any access method, not just dial-up," says Steve Brown, head of business development and utility applications at BT's Ignite communications services unit. "We decided to use digital certificates stored on smart cards, with Microsoft as the platform, and employ IPSec for encryption."

The firm previously used Bedford, Mass.-based RSA Security Inc.'s SecurID token for remote access. Brown says that although that approach served the company well, users had to remember passwords, and the system didn't provide the encryption levels that BT desired. "Our system required changing passwords every 30 days. People inevitably forget passwords, and turning to the help desk is an expensive hobby. We're trying to get away from those operational expenses," says Brown.

The company is piloting smart-card-based access for about 200 workers and plans to eventually roll out the system to 60,000 of its 130,000 employees. Brown says that SSO is a goal at BT, but progress will come in stages. "You have to bite off sensible chunks. We're saying, 'Let's get the infrastructure and the access mechanisms there and determine the priority sign-ons before we move forward.'"

Indeed, SSO doesn't come easily, and some doubt it will come at all. "SSO became a big deal four or five years ago, when users had a lot of operating system and application accounts, but it never really worked that well," says John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.
"Today, there's much less need to give users lots of OS-level accounts. Now the issue is access to Web-based accounts. Rather than worrying about users doing SSO, companies need to worry about how they can administer user privileges centrally."

Sue Pontius, CEO of San Jose-based smart-card system vendor Spyrus Inc., says SSO is more of a goal than a reality. "Single sign-on doesn't really exist; reduced sign-on is the more appropriate term," she says. "Your goal is to raise the bar by making it easier for authorized users to access accounts and more difficult for everyone else."
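As an added illustration of the card-plus-PIN model the article describes (constructed example code, not Shell's, BT's or Microsoft's implementation, and no real card API is involved): the card holds a P-256 private key that never leaves it, releases the signing function only after the correct PIN ("something you know"), signs a fresh server nonce ("something you have"), and the server verifies with nothing more than the public key from the user's certificate, which is what lets a third party later prove who answered the challenge. The three-attempt PIN lockout is an assumed policy, not one stated on the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Card models the tamper-resistant token (constructed): the key never leaves it.
type Card struct {
	key      *ecdsa.PrivateKey
	pinHash  [32]byte
	unlocked bool
	failures int // assumed retry counter; real cards block after a few wrong PINs
}

func NewCard(pin string) (*Card, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{key: key, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Unlock is the "something you know" factor; three failures block the card.
func (c *Card) Unlock(pin string) error {
	if c.failures >= 3 {
		return errors.New("card blocked")
	}
	if h := sha256.Sum256([]byte(pin)); subtle.ConstantTimeCompare(h[:], c.pinHash[:]) != 1 {
		c.failures++
		return errors.New("wrong PIN")
	}
	c.failures, c.unlocked = 0, true
	return nil
}

// Sign answers a fresh server nonce; holding the card is the "something you have" factor.
func (c *Card) Sign(nonce []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("card locked")
	}
	d := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.key, d[:])
}

// Verify is the server side: only the certificate's public key is needed, so any third party can re-check the signature later (nonrepudiation).
func Verify(pub *ecdsa.PublicKey, nonce, sig []byte) bool {
	d := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}
```

Because the server challenge is a fresh random nonce, a captured signature cannot be replayed for a later log-on, and a wrong-PIN attempt never reaches the key at all.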
© 2003 Cable News Network LP, LLLP. A Time Warner Company.