By Peter Boriskin, Tyco Fire & Security

Security consultants have long applauded the concept of smart cards. Private sector deployment, however, has lagged behind government efforts because until recently there hasn’t been a widely-adopted standard. There are several international smart card standards – ISO 15693, ISO 14443 A & B, and more – leaving enterprises apprehensive about smart card installations. Many in the private sector have held back on deployment, for fear they’d choose the “wrong” standard, and be left with outdated equipment. Moreover, choosing the wrong standard could leave them out of lucrative government contracts.

Now, with federal agencies facing a looming deadline for smart card adoption, previous private sector concerns largely have been assuaged. With FIPS 201 in place, soon thousands of federal employees, military personnel, and contractors will begin to carry smart cards, with many more to follow. There will be an estimated 25 million smart cards deployed among federal, state, and local agencies and transportation workers. This will be one of the largest and most secure converged physical and network security solutions on the planet, and as such, one of the most supported by manufacturers the world over.

The proliferation of FIPS 201-compliant smart card technology will enable those in the public and private sector to achieve a high level of security and interoperability at an attractive price point. For example, many transit agencies are using smart cards to lower fare collection costs, reduce fraud, and gain better passenger data while providing passengers with a more convenient way to pay fares. The smart card acts as a “nexus” of communication among the transit system’s numerous disparate points, creating an interoperable environment. Frequent riders purchase smart cards to use for cashless vending. If the card is lost or stolen, the rider can call and have it disabled, and be given a replacement card.

Selecting smart card technology
There are a multitude of FIPS 201-compliant smart cards readily available. Organizations should make their technology determination based on interoperability, adaptability, and standardization.

Availability. Organizations may want to choose an international standards-based card. For example, the largest globally deployed smart card on the market today is Philips MIFARE card. The MIFARE product (encrypted and unencrypted versions) is available in all markets without restrictions, unlike others that have restricted algorithms in some countries.

Standardization. Businesses would be wise to avoid proprietary solutions, since this can lock them into a single-source vendor. Alternatively, MIFARE meets ISO standards for interoperability completely. This allows organizations to use these cards with all ISO-approved systems, without the need for custom integration, and use all compliant applications, not just those on the manufacturer’s approved list.

Interoperability. To a large extent, organizations today face security vulnerabilities, not due to the lack of investment in individual security technology, but rather to the lack of manageability between the different components of the security infrastructure. The security infrastructure of an organization is complex, with numerous systems playing a role in physical and IT security, however, these systems cannot easily share security events information. Choose interoperable smart card systems, facilitating the management and communication of consistent security policies. This enhances efficiency through simplified credentialing and de-provisioning, converged authentication credentials, and the ability to offer role-based security access provisioning.

Revolutionizing the smart card market
The adoption of smart cards in the government sector has already pushed other non-government organizations to implement smart cards. For example, one of the largest manufacturers of consumer goods in the world is planning to adopt a smart card system to ease maintenance issues, ensure consistent operation, and gain tighter controls across its hundreds of facilities around the world. The company is planning to link physical security with network log-in under one badge so that employees can use a single credential to gain entry to company facilities and computer networks. The interoperability of the new system also provides employees with cross-site access.

As corporate giants like this migrate to smart card applications, other non-federal government entities will follow suit, causing a warming effect in the private sector, giving corporate security managers the assurance that these smart cards will be around for the long term.

Future-proofing with multi-protocol readers
A new breed of open standard, multi-protocol readers can process multiple smart card protocols and multiple proximity cards protocols simultaneously. As a result, organizations are freed from proprietary reader technology, enabling them to use their current proximity cards as they transition to a smart card system, lessening the time and cost restraints associated with an immediate switch. In addition, organizations are able to update new standards onto the reader – ensuring the reader is “future proof”, allowing an enterprise greater overall flexibility when choosing new, more advanced smart cards.

Choosing the right smart card provider
The FIPS 201 standard has been evolving since its inception, with certain requirements changing dramatically since the initial draft. This has left many vendors clamoring to keep up. Everything from the cards, the layout and the provisioning of this technology has been refined since the concept originated.

Because of this, savvy vendors have learned to design flexibility into their products instead of hard-coding access control systems. With a flexible design, even significant changes can be solved with simple flash update adjustments instead of hardware overhauls.

The ability to future-proof investments with software updates rather than hardware overhauls will be a key competitive differentiator as organizations make their smart card technology purchases.

Although interoperability and flexibility are key components to smart card technologies, it is vital to look at the overall technology package. For example, enterprises should consider not only the provider of the card, but the reader, software, and integration capability of the products selected. It’s also important to consider the level of support you can expect from the vendor and integrator as well as their depth of technical knowledge, time spent in the security market, reputation, and number of proven installations.

Conclusion
FIPS 201, in conjunction with the advancement in security technologies such as multi-technology readers and access control software with government support, has ensured a sustainable market for smart card technology. With a huge population of federal, state, and local agency employees and contractors using smart cards, the technology is likely to endure for decades. Now is the time for organizations to educate themselves on smart card technology to ensure they are investing in technology that will deliver the greatest value, thus giving those in the private and public sectors alike the opportunity to capitalize on the government’s regulatory requirements.

Peter Boriskin is the Director of Product Management for Access Control solutions, for Tyco Fire & Security. Mr. Boriskin has been with Tyco for more than eight years, working in applications engineering, sales management and was the Director of Technology before transitioning into his current role, covering both Access and Video products. Mr. Boriskin can be reached at pboriskin@tycoint.com.