Play Your Cards Right

Smart cards: A path to integrating physical and logical access

  • By Joerg Borchert
  • Sep 05, 2007

EARLIER this year, information technology and computer security publications buzzed with reports that RFID-based proximity cards could be cloned. These stories generally overstated the problem, as security professionals have long understood that proximity access cards are just one part of a security solution. But by drawing attention to the issue of secure access, the news coverage highlighted the need to educate potential customers about the role of employee credentials in a well-designed risk management system. In this learning process, many organizations have the opportunity to consider the technology available for integrated access systems.

In some cases, an organization looking to improve access control security may choose to move to a two-factor authentication process. In this approach, the proximity card system is mated with a PIN-based entry system, requiring a user to hold a card and enter the PIN. A third authentication, typically biometric, also may be added to increase security in more sensitive areas. While improving physical access control, these steps do not provide parallel control of access to the computing infrastructure, which is often the most important asset of modern organizations.

Leading the Way
The current rollout of the government worker credential program provides guideposts for organizations to evaluate and implement credential systems that can truly secure both physical and logical assets. The basic reference point is FIPS-201, published by NIST, which defines the chain of trust for an identity management system and describes the smart card credential. The smart card credential is the personal identify verification (PIV) component of an integrated access solution that can serve as a model for any type of institution or commercial organization.

Today’s smart card offerings encompass a range of devices based on integrated circuit technology, ranging from memory-only devices to secure microcontrollers (MCU), which use on-chip computing capability to support security features. The secure microcontroller has emerged as the principal technology for credential systems, based on the technology’s flexibility, built-in protections for sensitive data and cost-effectiveness. Wide use by the financial industry and recent adoption as a worldwide standard for travel documentation in e-Passport programs stand as proof of the technology’s effectiveness.

While the U.S. standard does not explicitly require a secure MCU, it is the technology best-suited to implement the secure, integrated access system defined by FIPS-201. The standard does require that the intelligence on the ID credential be accessible using both a contactless—proximity-like—interface and a contact interface that requires physical connection to a reader device. This objective can be met by using two separate chips or a single, dual-interface chip.

Intelligent Interaction
The secure MCU is purpose-built to provide computing capability that can support specific applications and provide exceptionally high levels of security. It can handle advanced cryptography (encryption/decryption), store and interpret digital signatures, and interact intelligently with smart card readers via its contactless or contact interface. This intelligent interaction is useful, since the real power of the smart card credential lies in its use as part of a networked system.

For example, a smart card identity credential supports a move to a fully-automated physical access control system. In a typical implementation, access control information and cardholder databases are updated manually by a local operator. By integrating the PACS database with a PIV infrastructure, organizations gain tighter control and improved productivity in managing access.

Improved control and productivity of PACS is simply a starting point for smart card-based systems. The technology can support multiple access applications, so that a single credential can be used across an organization. Multiple authentication technologies also are supported, from basic passwords to PKI certificates, one-time passwords, biometric image templates and generation of asymmetric key pairs. This readily enables multi-factor authentication, depending on risk factors, again using a single credential.

When the flexibility of a smart card is paired with a computer network, security managers gain dynamic control of access systems. Cardholder access rights may be changed at any time to reflect change in employment status or special situations. And the link between identity and access creates the ability to track cardholder activity for such purposes as loss prevention, audit and compliance.

To achieve the full capability of an integrated access system, organizations must transition to a support infrastructure that includes smart card readers at all physical and logical access points. As with simple proximity systems, each access point may still include single- or multi-level authentication. And in most cases, logical access will require that a credential be inserted and kept inside a reader for the duration of interaction with the computing device.

A Team Effort
The move to a new card and reader infrastructure will be the most visible aspect of a smart card system implementation. But the largest change will often be in the interaction of organizational teams responsible for physical security and information technology. Teams must take a holistic view of risk management and define an identity management system that achieves organizational goals while protecting individual privacy. This starts with mutual definitions of processes for issuing an ID, maintaining up-to-date and accurate information about all cardholders, and determining authentication requirements for access to various physical and logical assets.

Far from being a new technology, smart-card based access control has emerged in the last few years as a powerful tool for risk management. In choosing smart card technology, an organization creates a tremendous opportunity to automate processes and design a system to protect both its information and physical assets. And with the recent implementation of integrated access systems by the federal government and several large corporations, security managers can draw on a wide range of resources to evaluate and validate the approach for their customers. 

Featured

  • Security Today Announces The Govies Government Security Award Winners for 2025

    Security Today is pleased to announce the 2025 winners in The Govies Government Security Awards. The awards honor outstanding government security products in a variety of categories. Read Now

  • Survey: 60 Percent of Organizations Using AI in IT Infrastructure

    Netwrix, a cybersecurity provider focused on data and identity threats, today announced the release of its annual global 2025 Cybersecurity Trends Report based on a global survey of 2,150 IT and security professionals from 121 countries. It reveals that 60% of organizations are already using artificial intelligence (AI) in their IT infrastructure and 30% are considering implementing AI. Read Now

  • New Research Reveals Global Video Surveillance Industry Perspectives on AI

    Axis Communications, the global industry leader in video surveillance, has released its latest research report, ‘The State of AI in Video Surveillance,’ which explores global industry perspectives on the use of AI in the security industry and beyond. The report reveals current attitudes on AI technologies thanks to in-depth interviews with AI experts from Axis’ global network and a comprehensive survey of more than 5,800 respondents, including distributors, channel partners, and end customers across 68 countries. The resulting insights cover AI integration and the opportunities and challenges that exist with regard to security, safety, business intelligence, and operational efficiency. Read Now

  • SIA Urges Tariff Relief for Security Industry Products

    Today, the Security Industry Association has sent a letter to U.S. Trade Representative Jamieson Greer and U.S. Secretary of Commerce Howard Lutnick requesting relief from tariffs for security industry products and asking that the Trump administration formulate a process that allows companies to apply for product-specific exemptions. The security industry is an important segment of the U.S. economy, contributing over $430 billion in total economic impact and supporting over 2.1 million jobs. Read Now

  • Report Shows Cybercriminals Continue Pivot to Stealthier Tactics

    IBM recently released the 2025 X-Force Threat Intelligence Index highlighting that cybercriminals continued to pivot to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined. IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks. Read Now

Most   Popular

New Products

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • Hanwha QNO-7012R

    Hanwha QNO-7012R

    The Q Series cameras are equipped with an Open Platform chipset for easy and seamless integration with third-party systems and solutions, and analog video output (CVBS) support for easy camera positioning during installation. A suite of on-board intelligent video analytics covers tampering, directional/virtual line detection, defocus detection, enter/exit, and motion detection.