Smartcards (2003)

Smartcards and tokens may ease the user experience and tighten security on today's distributed and complex networks.

By Julian Ashbourn

Not so long ago, we used to write letters, manage financial affairs, build bridges, design cars and undertake a multitude of everyday tasks without a computer in sight. Whole generations grew up and survived quite happily without one, and they managed to achieve many great things which have subsequently stood the test of time.

Trust in the digital age

My, how times have changed. Nowadays, individuals sitting within ten feet of each other communicate by email. Transactions once undertaken in person, with all the etiquette and pleasurable human interaction involved, are now only available online.

So, now we have more computers than we can count and everything is connected to everything else in a spaghetti of networks. In this connected world, trust is a rapidly diminishing concept, so we must seek to identify users every step of the way.

We have relied on the good old user name and password for quite some time and, indeed, in many instances this may be all that is required. In other cases though, especially when valuable intellectual property or distinctive organizational expertise is held within our networks, or financial transactions undertaken across them, we desire more robust options.

Digital certificates and data encryption offer potentially interesting functionality, providing we can find streamlined and effective ways of managing their use. Additionally, biometrics provides the promise of robust user identity verification, assuming we can integrate the verification process neatly into our operational process. What we need are coherent and flexible tools with which to manage these techniques, together with a user experience which is intuitive and repeatable without unduly burdening the user with complexity - itself a security hazard. This is more easily said than done as networks, client operating systems and applications become more powerful and more complex, making their administration equally daunting.

Furthermore, the larger and longer established the organization, the greater is the likelihood of having a mix of legacy components and software running side by side with contemporary offerings, resulting in a plethora of different passwords and login routines for the hapless user to remember.

Easing the burden all round

Smartcards and other tokens incorporating programmable chips offer some interesting options in this context. When supported by intelligently conceived software, they deliver greatly enhanced confidence as to who is doing what within a network.

The majority of corporate users naturally understand the requirement for security and transactional audit trails, and are happy to abide by the process in place. Sometimes though, this process spreads like a freshly opened can of worms, driving both users and systems administrators crazy while adding cost to the day-to-day operation.

Can smartcard and token technology help to bring peace and harmony to the sometimes frustrating world of computer and network access? The technology suppliers certainly hope that this will be the case and often cite reduced operational costs as a benefit of pursuing such an approach, together with significantly enhanced security.

In this Group Test we look at some of the popular techniques and associated products, from dynamic passwords to chip cards, USB tokens and even biometrics, with a broad spectrum of functionality and deployment flexibility. Some of this functionality might appeal to the individual user wishing to bring some automation to the drudgery of multiple passwords for different applications, while some will appeal to the busy system administrator seeking to simplify the logon process and reduce the password-related burden upon help desks.

Other aspects will appeal to the security manager, worried about the likelihood of unauthorized access to desktops, networks and intranet/internet sites. Whatever your particular situation and aspirations, there are products out there that can offer some interesting functionality in this context.

Our evaluation showed that the products tested are relatively straightforward in their installation and use, although any such deployment should of course be carefully considered in advance and planned for accordingly. One should also consider user instruction and, where required, proper training to ensure that users fully understand the operational process. This is particularly important where the use of biometrics is being considered.

Curiously, several of these packages did not uninstall cleanly, leaving a plethora of files and registry entries scattered around the test workstation. The conscientious systems administrator may like to undertake a thorough test of any solution being considered (preferably in a test environment) in order to understand all of the associated installation and operational issues, before committing to roll out.

