This month, we are reviewing smart cards. A smart card is defined as a pocket-sized device containing integrated circuitry that can process data. There are many different types of smart cards. Some contain basic circuitry and non-volatile random access memory (NVRAM) and provide very specific functions. Others have onboard microprocessors and can receive, store and transmit information.
Smart card technologies are not new, they have been around for over 10 years. The applications have evolved from access control to time-keeping/tracking to credential storage to storing certificate or token-based keys. Smart cards are still widely used for physical security in access control applications and digital time-keeping. Today, this technology has evolved to provide two-factor authentication, secure network logins, secure remote access, secure web authentications, secure email and e-transactions, and digital signature management.
Some of the cards we reviewed this month were purpose built to provide a single function, such as time clock/time tracking. Some of the solutions were focused on credential storing and provided the multifactor authentication through public key infrastructure (PKI)-based strong authentication. Others were flexible in their offering and provided identification, authentication and data storage capabilities.
The ability to store additional information on these cards provides numerous benefits. The same card that a user carries to gain access to their office can also securely authenticate them to their PC or corporate network. As well, the same card can securely provide access to various web-based or email applications, and identify users through digital signatures by storing various public key encryption certificates and digital signature credentials.
As with past reviews, we took an enterprise perspective in reviewing these products. Our focus was on ease of deployment, ease of use, centralized enrollment/pin changes/revocation, centralized management, centralized reporting, user features that can address self-enrollment and support for recovering from lost or bad cards. Some of the products focused on the end-user deployment and management of the smart card. Others had integration with Microsoft for deployment of end-user software and/or centralized PKI management. Some did provide server-side applications for deploying and managing the remote end-user and their smart cards and card readers.
Most of the products reviewed provided basic eight hours a day/five days a week web-based support. Some also offered eight hours a day/five days a week phone support. Those products that had a server-side offering provided additional options for purchasing upgraded support to cover the server software and provide up to 24/7 phone support.
As we mentioned earlier, these technologies have been around for some time. While we were somewhat surprised at the maturity of the server-side offerings for management and the documentation that accompanied these solutions, from an enterprise deployment, management and support aspect, most of the products, with a couple of exceptions, came up a bit short. We had expected the server-side management and reporting to be a little more feature rich.
That being said, we were very pleased with the offerings as an end-user security tool. The technology is a powerful and critical part of an enterprise security architecture. In addition, all the products reviewed were easy to use. They deployed quickly and were easy for the user to manage and update.
As with every security purchase, you will have numerous choices available when making your smart card purchase. You will need to decide how much server-side management you require, what encryption and certificate support you require, whether you want just network authentication with static certificate support for a few applications or require a technology that stores 30 or more certificates for all your web, email and e-commerce needs. We were happy with all the solutions we reviewed.