Smart Card Security
Mar 3, 2009 Smart Card

Smart cards provide computing and business systems the enormous benefit of portable and secure storage of data and value. At the same time, the integration of smart cards into your system introduces its own security management issues, as people access card data far and wide in a variety of applications.
The following is a basic discussion of system security and smart cards, designed to familiarize you with the terminology and concepts you need in order to start your security planning.
What Is Security?
Security is basically the protection of something valuable to ensure that it is not stolen, lost, or altered. The term “data security” governs an extremely wide range of applications and touches everyone’s daily life. Concerns over data security are at an all-time high, due to the rapid advancement of technology into virtually every transaction, from parking meters to national defense.
Data is created, updated, exchanged and stored via networks. A network is any computing system where users are highly interactive and interdependent and, by definition, not all in the same physical place. In any network, diversity abounds, certainly in terms of types of data, but also types of users. For that reason, a system of security is essential to maintain computing and network functions, keep sensitive data secret, or simply maintain worker safety. Any one company can illustrate these multiple security concerns. Take, for instance, a pharmaceutical manufacturer:
Type Of Data | Security Concern | Type Of Access
Drug Formula | Basis of business income. Competitor spying | Highly selective list of executives
Accounting, Regulatory | Required by law | Relevant executives and departments
Personnel Files | Employee privacy | Relevant executives and departments
Employee ID | Non-employee access. Inaccurate payroll, benefits assignment | Relevant executives and departments
Facilities | Access authorization | Individuals per function and clearance such as customers, visitors, or vendors
Building safety, emergency response | All employees | Outside emergency response
What Is Information Security?
Information security is the application of measures to ensure the safety and privacy of data by managing its storage and distribution. Information security has both technical and social implications. The first simply deals with the ‘how’ and ‘how much’ question of applying secure measures at a reasonable cost. The second grapples with issues of individual freedom, public concerns, legal standards and how the need for privacy intersects them. This discussion covers a range of options open to business managers, system planners and programmers that will contribute to your ultimate security strategy. The eventual choice rests with the system designer and issuer.
The Elements Of Data Security
In implementing a security system, all data networks deal with the following main elements:
1. Hardware, including servers, redundant mass storage devices, communication channels and lines, hardware tokens (smart cards) and remotely located devices (e.g., thin clients or Internet appliances) serving as interfaces between users and computers
2. Software, including operating systems, database management systems, communication and security application programs
3. Data, including databases containing customer-related information
4. Personnel, to act as originators and/or users of the data; professional personnel, clerical staff, administrative personnel, and computer staff
The Mechanisms Of Data Security
Working with the above elements, an effective data security system uses the following key mechanisms to answer these questions:
1. Has My Data Arrived Intact? (Data Integrity) This mechanism ensures that data was not lost or corrupted when it was sent to you
2. Is The Data Correct And Does It Come From The Right Person? (Authentication) This proves user or system identities
3. Can I Confirm Receipt Of The Data And Sender Identity Back To The Sender? (Non-Repudiation)
4. Can I Keep This Data Private? (Confidentiality) – Ensures only senders and receivers access the data. This is typically done by employing one or more encryption techniques to secure your data
5. Can I Safely Share This Data If I Choose? (Authorization and Delegation) You can set and manage access privileges for additional users and groups
6. Can I Verify That The System Is Working? (Auditing and Logging) Provides constant monitoring and troubleshooting of security system function
7. Can I Actively Manage The System? (Management) Allows administration of your security system
Smart Card System Planning And Deployment
Mar 2, 2009 Software
Smart card system design requires advance planning to be successful and to avoid problems. It is highly recommended that you graphically diagram the flow of information for your new system. The first question to consider is ‘will the card and system transact information, or value, or both?’ If it stores keys or value (e.g., gift certificates or sports tickets), greater design detail is required than in data-only systems. When you combine information types on a single card, other issues arise. The key to success is not to overrun the system with features that can confuse users and cause problems in management. We recommend that you phase in feature sets one at a time, as each one is working. To properly implement a functional smart card system you should be able to answer the following questions.
NOTE: These are only general guidelines, provided as a basis for your individual planning. Many other steps may be involved and are not mentioned here. For more extensive planning information regarding identity management and national IDs we recommend that you review the GSA Smart Card Handbook.
Basic Set-Up
1. Is there a clear business case? Including financial and consumer behavior factors?
2. Will the system be single or multi-application?
3. What type of information do I want to store in the cards (i.e., data or value)?
4. How much memory is required for each application?
5. If multi-application, how will I separate different types of data?
6. Will card data be obtained from a database? Or loaded every time?
7. Will this data concurrently reside on a database?
8. How many cards will be needed?
9. Are card/infrastructure vendors identified? What are the lead times?
Security Planning
1. What are the security requirements?
2. Does all, or only some of the data need to be secure?
3. Who will have access to this information?
4. Who will be allowed to change this information?
5. In what manner shall I secure this data, i.e., encryption, host passwords, card passwords/PINs or all of these?
6. Should the keys/PINs be customer or system-activated?
7. What form of version control do I want?
Value Applications
1. Should the value in the cards be re-loadable or will the cards be disposable?
2. How will I distribute the cards?
3. How will cards be activated and loaded with value?
4. What type of card traceability should I implement?
5. What is the minimum and maximum value to store on each card?
6. Will there be a refund policy?
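The Security Planning and Value Applications questions above, worked through as an added example (not code from the original page): a toy card model with one file per application, separate read and update conditions, a PIN retry counter, host authentication by challenge-response, a purse ceiling and an audit log. The names Card, ANYONE/PIN/SYSTEM, the "purse" file and the 5000 limit are assumptions, and HMAC-SHA-256 stands in for whatever symmetric authentication a real card uses.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
ANYONE, PIN, SYSTEM = "anyone", "pin", "system"   # access conditions (assumed names)

@dataclass
class Card:
    pin: bytes
    system_key: bytes
    files: dict               # name -> [read condition, update condition, contents]
    max_value: int = 5000     # constructed purse ceiling, in cents
    tries_left: int = 3       # PIN retry counter; 0 means the PIN is blocked
    challenge: bytes = b""
    granted: set = field(default_factory=lambda: {ANYONE})
    log: list = field(default_factory=list)    # audit trail for traceability

    def _grant(self, cond, ok):
        (self.granted.add if ok else self.granted.discard)(cond)
        self.log.append(f"{cond} auth {'ok' if ok else 'fail'}")
        return ok

    def verify_pin(self, attempt):
        ok = self.tries_left > 0 and hmac.compare_digest(attempt, self.pin)
        self.tries_left = 3 if ok else max(self.tries_left - 1, 0)  # stays blocked at 0
        return self._grant(PIN, ok)

    def get_challenge(self):
        self.challenge = secrets.token_bytes(8)    # fresh nonce defeats replay
        return self.challenge

    def authenticate_system(self, response):       # host proves it holds the key
        want = hmac.new(self.system_key, self.challenge, hashlib.sha256).digest()
        ok = bool(self.challenge) and hmac.compare_digest(response, want)
        self.challenge = b""                       # one attempt per challenge
        return self._grant(SYSTEM, ok)

    def _check(self, name, idx, op):
        if self.files[name][idx] not in self.granted:
            self.log.append(f"{op} {name} denied")
            raise PermissionError(f"{op} {name}")

    def read(self, name):
        self._check(name, 0, "read")
        return self.files[name][2]

    def update(self, name, value):
        self._check(name, 1, "update")
        if name == "purse" and not 0 <= value <= self.max_value:
            raise ValueError("purse value outside configured limits")
        self.files[name][2] = value
        self.log.append(f"update {name}")
```

With files such as {"id": [ANYONE, SYSTEM, "EMP-001"], "purse": [PIN, SYSTEM, 1000]}, the cardholder's PIN unlocks reading the balance, while only a host that answers the card's challenge can load value.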
General Issuance
1. How many types of artwork will be included in the issuance?
2. Who will do the artwork?
3. What is needed on the card? For example, signature panels, magnetic stripe, embossing, etc.
Multi-Application Card Systems
It is highly recommended that you graphically diagram the flow of information as shown below.

Building a smart card system that stores value (i.e., gift certificates, show tickets, redemption points or cash equivalents) requires an attention to detail not necessary in other information management systems. The key to success is not to overrun the system with features that can confuse users and cause problems in management. We recommend that you phase in each feature set after the first one is working. Here is a list of some questions that are pertinent to these systems in addition to the above questions.
Deployment
As the minimum steps in deploying a stored value or multi-application system, establish clear, achievable program objectives:
1. Make sure the organization has a stake in the project’s success and that management buys into the project
2. Set a budget
3. Name a project manager
4. Assemble a project team and create a team vision
5. Graphically create an information, card and funds-flow diagram
6. Assess the card and reader options
7. Write a detailed specification for the system
8. Set a realistic schedule with inch-stones and mile-stones
9. Establish the security parameters for both people and the system
10. Phase-in each system element, testing as you deploy
11. Reassess for security leaks
12. Deploy the first phase of cards and test, test
13. Train the key employees responsible for each area
14. Set up a system user manual
15. Check the reporting structures
16. Have contingency plans should problems arise
17. Deploy and announce
18. Advertise and market your system