With the threat of card cloning and door controller interceptions ever increasing, the industry recommendation is to use smart cards to secure credentials; but for many companies the move is daunting. For small companies the concerns are about cost, knowledge and selecting the best solution to meet their needs. Larger companies will have the additional concern of scale and how they physically manage the migration process and roll out of the new smart cards; especially if multiple sites and systems are deployed globally.
There are four major factors for companies to consider:
While cost was a prohibitive factor in the beginning, we are now starting to see this change. The industry’s drive towards more secure technologies with multiple layers of encryption is pushing the cost of smart cards down. This not only offers a future proof technology platform for access control and other business functions but immediately protects against the growing threat of authentication breaches.
Although smart cards typically offer strong layers of security, companies must consider the entire security of their smart card solution from the credential right down to the reader level at the door. It is no good having a highly encrypted smart card when the card number is easily played back across a vulnerable Wiegand interface from a third party reader at the door. The communication channel between the card reader and controller must be secure. This can be achieved using secure RS485 communication protocol, as well as industry standard Open Supervised Device Protocol (OSDP), which also means customers are not tied to one manufacturer.
Think about more than just the physical security of your building or site. Ask yourself “Is this smart card technology compatible with my existing security systems, products and technology?” Choosing the right smart card solution is definitely not clear cut.
For example at some large organisations not all sites will have access control readers from the same manufacturer and crucially not all manufacturers can read from an encrypted area of a smart card. Every company has different challenges and questions such as “Can I integrate with other products using the new cards?” and ‘Will my secure card work with my other business systems?”. These are just some of the important questions you need to ask yourself and your solutions provider before choosing your smart card.
4. KEY MANAGEMENT
Ok, so you have chosen the smart card technology and solution that is right for your business. The next consideration is whether you should manage your own smart card keys? You can buy blank smart cards and self-manage your own keys or you can opt for pre-personalised smart cards from the manufacturer. Again there is no one size fits all answer here. The pros and cons need analysed depending on your business and resources. Carefully look at resources needed for self-key management, as well as the security considerations of storing your keys on site. For some projects the cost of managing their own cards could far outweigh any other cost savings made.
Other technical considerations also need to be made, for example do you want your solution to read the Unique Identifier (UID) of the cards or the Private Secure Number (PSN) and should you use diversified keys or static keys?
There are many benefits of opting for smart cards already pre-personalised. It’s the manufacturer who takes responsibility for ensuring compatibility of smart cards with third party readers and other security systems. They manage the key security and storage securely offsite and they absorb the costs associated with smart card key management – including the sourcing of NDA’s (Non-Disclosure Agreements) from external system providers.
In many cases however organizations consider control of their own keys for physical access control and other applications an essential element to security. If you do decide that user defined personalisation is the way to go, then speak to your manufacturer to see if they support you buying your own blank smart cards and if the cards are compatible with their products. Also ask your security manufacturer if they have a software utility or application within their security management system that enables you to create your own encrypted keysets in a manageable, intuitive and step-by-step way. This very often will eradicate any pitfalls of smart card encryption and transition.
Want to ask Marc a question on smart cards? Then please comment below.