Anyone here supporting a smart card infrastructure?

blargoe Member Posts: 4,174
I'm starting to look into smart cards as an option for secure authentication and encryption for our IT, finance, and remote users. We have a mature AD and a corporate Windows PKI in place, so much of the supporting infrastructure is already there, but we don't have any smart card infrastructure as yet. I keep hearing about how expensive it is to implement. How many digits are we talking, $00,000's?

Who are some of the vendors that you use?

Thanks in advance...

blargoe
IT guy since 12/00

Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...

Comments

  • Kaminsky Member Posts: 1,235
    It's not expensive for the hardware. (The blank cards are way expensive) A read/write card reader is pennies. However, the big problem comes from the software that makes your staff cards for you. It's still a new technology (ish) and this card creation software is typically bespoke by the organisation, although you attach a smartcard reader to Windows and it automatically changes the login text to "Insert Smartcard or type password".

    You may find some utility somewhere, but if you don't know the inside of that .exe, how can you trust it with something as serious as security?

    Staff use of the cards, although you would think it would make things nice and simple, presents quite a few other problems. If you have departments where the staff move around and are not sat at a desk all the time, it can present problems. Say for instance you have a department with several workstations and any staff can log into them, they have to take the card with them as they go. They are prone not to, in which case other people start using other people's logins as the card is already logged in and your security goes completely out the window. You may think it logical for one staff member to pull his card out and secure the workstation and the next user logs in when they want to use it, but users are users and you can bet your salary that sooner or later they will start leaving their cards in or requesting generic cards.

    Staff turning up for work only to discover they left their cards at home is another complete nightmare, as well as lost cards and the implications of that. Also, what happens when you walk into a department and find unattended workstations with cards sitting in them?

    I speak from two years' experience in the NHS where smartcards are being deployed, eventually throughout the 1.3 million staff base right across England... (at £4.50 / blank card) Accident and Emergency is a fast moving department and how would smartcard logins work in that scenario? In an A&E, they don't have time to mess about with logging in and out just to type something into a patient administration system. One way around this they are looking into is RF tags on the smartcards to work on proximity (1 foot) instant logon due to the time delay problems of smartcards. Conceptually, smartcards are a nice idea but cause lots of unforeseen problems unless your staff are chained to a desk. Desk based staff then yes, smartcards are a good idea with single sign on, but there is always the left my card at home/dog ate it factor and you will be amazed at how often that crops up. One senior GP I knew had 3 new cards issued to him in 6 months. This leads to a whole other ball of wax as to what do you do about card misuse...
    Kam.