Smart Cards, Smart ROI
According to a survey of enterprises by London-based industry analysis Datamonitor, smart card security solutions not only increase the protection of physical and logical access but can also result in savings of more than $2 million for every 2,000 employees. Commissioned by Siemens Communications Inc., the survey measured the return on investment of 53 organizations with smart card deployments. Datamonitor explored current authentication practices and the potential benefits of converging logical and physical access solutions.
Verifying a user’s identity before granting access to facilities or information technology (IT) systems is hardly a new concept. Passwords, building access cards and photo IDs have been used for decades. For some applications, such as remote access to IT resources, one-time-password tokens are used to increase security. However, each has multiple associated costs such as administration, software, hardware and maintenance.
Many leading organizations have found that by deploying a stronger and more flexible form of user authentication based on smart cards, their overall costs decrease significantly. Industry and government agencies are simultaneously mandating compliance to evolving regulations to demonstrate they can control and audit the individuals that access certain resources.
Addressing such security requirements must be accomplished without becoming a burden neither on employees nor on the budgets of enterprises. Return on investment analysis is always a mitigating factor for an IT-related decision; however, little work had been done prior to the Datamonitor study to quantify the cost savings associated with an integrated smart card deployment.
Tech drives the marketSmart cards include a microchip for on-card processing capabilities and secure, portable storage for static and dynamic passwords, digital certificates and private keys, biometrics and other data. However, the deciding factor for smart cards for employee ID may be an ability to host and protect multiple applications, providing cost savings and efficiencies. A single smart card can be used for physical (facility) access and can securely store many digital credentials to access IT resources. Even with its strong security, the user experience is very much like using an ATM card – simply insert the card and enter the PIN.
Datamonitor’s survey identified both hard dollar and soft dollar savings. For example, for a 2,000 employee enterprise, an average of 23.5 password-related helpdesk queries are fulfilled by IT each day, with each query requiring nearly 2.5 minutes to fulfill. This equates, according to Datamonitor, to an average of nearly one hour of password-related helpdesk queries each day. Based on an IT staff cost of $70 per hour, this totals to a $17,420 cost for fulfillment each year.
In another cost evaluation, smart card systems could save employee time. For example, how much time do employees spend to find and enter passwords during a typical day?
Private key implementationDatamonitor’s survey also collected anecdotal evidence for the management of PKI certificates through a smart card deployment.
A prominent government department, for example, that deployed PKI estimated that between $101 and $500 per user was saved each year by managing PKI certificates through smart cards. Assuming a midpoint of $300 per user per year, this would equate to an annual savings of $600,000 for an enterprise with 2,000 employees.
Savings were also studied when smart cards were used to authenticate employees and control facility access as well as for authenticating access to IT networks and systems. On average, enterprises could save 25 percent of facility staff budget, as well as significant dollars related to more efficient building access procedures.
Such systems help simplify management processes involving card issuance, personalization, access rights, management and post-issuance. This translates into reduced staff costs, quicker building entry and other tangible savings such as reduced insurance premiums. In addition, soft dollar savings include reductions in theft and other costs associated with unwanted individuals gaining access to the enterprise and potentially conducting industrial espionage.
A comprehensive range of products and demonstrated flexibility in terms of solution offerings. Packaged solutions are available, but packaged deals may also prohibit an enterprise from adapting best-of-breed solution components.
There should be simple migration, via standards-based identity management, to support biometrics or alternative technologies as they become available or become practical to integrate.
Scalability if the enterprise needs to cover a greater number of users.
Integration with legacy systems and applications as well as with back-end mainframes and network configurations.
“Enterprises are now increasingly familiar with smart card technology, though knowledge of areas such as standards and an understanding of how smart cards can improve business processes is often lacking,” the report concluded.
Sidebar: It’s the Transition That CountsWhether smart cards are for today or tomorrow, users should not be tied to one format, contends Steve Walin, director of product development, engineered systems, GE Security.
The best strategy: a flexible, scalable, non-proprietary framework that lets you maintain your current user bases, yet upgrade access controls to meet new security requirements on your own timelines within budget.
Current 125 KHz proximity and Wiegand standards constitute the majority of the card-based access controls. The obvious reluctance to move to smart cards is primarily due to extensive investment in legacy proximity/RFID/contactless technology. However, pressure is growing to migrate to smart cards.
What’s needed for some is a reader that bridges the gap between the old and the wanted. The most crucial innovation of these readers is the ability to read existing proximity cards as well as Mifare, Vicinity and iCLASS smart cards. Not only are the multi-vendor 125 KHz proximity readers compatible with most proximity cards, but transition card readers let companies easily migrate to more secure access control when opportune. They also allow multi-national organizations that use a variety of legacy credentials to access facilities company-wide.
Data for this Security Magazine article comes in part from Aaron Zitzer of Siemens Communications Inc. To view the complete survey in the Datamonitor report, The ROI Case for Smart Cards in the Enterprise, visit http://mediaforms.siemensenterprisemedia. com/forms/_docs/Smart%20cards%20ROI%20white%20paper.pdf.