Smart Card Technology Slowly Making Corporate Inroads

In the 14 years that she’s worked at Sun Microsystems, Susan Bickford has accumulated a lot of company cards. There’s the card that gets her in the door of her office building. Her corporate credit card. The company phone card. A Sun health benefits plan card. But if Bickford has her way, instead of a wallet full of plastic, she may soon be carrying just one card.

Bickford, Sun’s Director of Corporate Technology Services, heads up the company’s JavaBadge program, which aims to use one single smart card to replace a host of different functions. Initially, says Bickford, Sun — like many companies which are exploring smart card technology — will focus on security uses. Bickford uses her JavaBadge to enter her building in the morning. When she gets to her office, she inserts it into a smart card reader built into her computer, which identifies her to the system and, after requesting that she type in a PIN, allows her to log onto the Sun network.

Sun has used cards with magnetic strips as employee identification for years. But the mag strip on those card tends to wear off, and the data on it can get scrambled if placed too close to powerful magnets. And, most significantly, they can only hold a few hundred characters of data. Smart cards, on the other hand, typically store up to 32,000 bytes, and 64K cards are now starting to enter the market.

That means they can hold enough information to store a biometric identifier, such as a fingerprint or iris scan, along with the of the card holder’s Public Key Infrastructure (PKI) data, which let them digitally sign documents and send and receive encrypted email.

Sun kicked off its smart card program early this year with a small pilot program involving about 200 users. This summer, says Bickford, it will give the new cards to 5,000 employees at one of its campuses, and if all goes well, will roll the cards out to the rest of the company in the fall. Sun has about 40,000 employees.

Sun is not the only company turning to smart cards:

  • Austin, Tex.-based Schlumberger, one of the largest smart card manufacturers, has given smart card-based ID badges to 20,000 of its own employees, and expects to outfit the rest of its 80,000 workers by the end of this year. Employees wave the cards at a contactless reader to open building doors, and then insert the cards into their PC to get access to the network. The cards also contain PKI encryption technology for secure email.
  • Royal Dutch Shell is also using Schlumberger smart cards to give workers access to company buildings as well as the corporate network. The new cards will let employees of the Hague-based energy giant log on to the network through their Compaq PCs running Microsoft Windows 2000, as well as through Citrix-based thin clients. Shell, which began deploying the smart card system in April 2001, hopes that the program will help reduce desktop operating costs by up to 50%, primarily by reducing the amount of time help-desk employees spend dealing with lost passwords.
  • Goldman Sachs, the New York City-based financial powerhouse, has combined its employee ID card with an “electronic purse.” Workers can use the same card to enter a company building in New York, park their vehicle in London, and eat at the cafeteria in Tokyo. The company plans to add network access capabilities to the card in the future.

  • A Management Challenge for IT

    As smart card technology becomes more common, it is becoming easier to implement it. Smart card readers are now standard equipment on several models of Sun workstations, including the Sun Ray diskless workstation, and the Sun Blade. Hewlett-Packard is also offering workstations with built-in card readers.

    But the technology poses other challenges. For one thing, the multi purpose nature of the cards means that IT departments don’t necessarily own the technology by themselves. At Sun, the smart card program emerged several years ago when the company began realizing that different groups across the company were looking at using cards for widely different purposes.

    “The IT department wanted to start deploying PKI certificates throughout the company, and was looking at a card just for that,” says Bickford. “At the same time, finance and human resources were looking at cashless campus cards, and the corporate security people wanted to move from the mag strip readers on our doors to contactless proximity readers, which have less wear and tear and need less maintenance.”

    There can be “lots of logistical issues” in implementing a smart card project, says Lolie Kull, who manages the smart card project for the Bureau of Diplomatic Security at the U.S. State Department.

    The State Department has provided about 20,000 of its employees with smart cards, which will be used to control entry to government buildings and embassies, as well as network access. So far, however, only the State Department’s main Harry S. Truman office building in Washington, D.C. has been equipped with readers for the new cards. Installing readers on the remaining State Department facilities may take up to a year, says Kull, during which time employees who use more than one building will have to carry two cards.

    Triple Threat to Hackers

    There is also the question of security. The industry, not surprisingly, claims smart cards are safe. But in May, two researchers at Cambridge University reported that they had used duct tape, an camera flash and a standard laboratory microscope to read hidden data from a smart card.

    Many industry experts say that method of attacking smart cards does not pose a threat, and claim that they may actually be more difficult to hack than other technologies. Smart cards pose a triple-threat to potential hackers, says Albert Leung, Business Development Manager for Java Card technology at Sun Microsystems. “Smart cards can combine three different types of authentication: what you know, like a password, what you carry physically — the card itself — and what you are, if you require a biometric measure like a fingerprint or retina scan.”