Smart Cards Intelligent Plastic
The descendants of a Diners Club credit card are protecting our vital assets
By: Toffer Winslow
Mar. 13, 2006 05:00 PM
Enterprises and government agencies are using smart card-based credentials more and more. Organizations around the globe are striving to protect corporate information assets, address regulatory compliance pressures, and achieve cost savings and increased security through the convergence of physical and logical access credentials.
Today smart cards protect physical facilities, desktops, networks, applications, and much more. Applications are growing as fast as the forces driving smart card adoption. However, the "smart chip" concept is leaping beyond the confines of the smart card itself. Smart cards and smart chips, along with management solutions that extend enterprise investments, are paving the way for advanced security applications such as enterprise single sign-on.
A Brief History
The introduction of encryption into the smart card equation was of considerable interest to security professionals. Microprocessors capable of stronger authentication opened the way for standalone or challenge-and-response authentication of cardholders without the security risks or infrastructure associated with magnetic stripe cards. This encryption can be public key, symmetric, or a hybrid approach leveraging digital signatures. The power of encryption and advances in microprocessor technology mean that smart cards now feature chips whose functionality is constantly expanding.
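The challenge-and-response exchange mentioned above, as an added example that is not part of the original article: a symmetric (HMAC-SHA256) variant in which the key stays on the chip, so a response captured from one exchange is useless for the next, unlike the static data on a magnetic stripe. The class names, the card ID and the choice of HMAC are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Card:
    """Stands in for the chip: the key is loaded at issuance and never read back out."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Only a MAC over the fresh challenge leaves the card, never the key itself.
        return hmac.new(self._key, self.card_id.encode() + challenge, hashlib.sha256).digest()


class Verifier:
    """Hypothetical back end for a door reader or logon service."""

    def __init__(self):
        self._keys = {}      # card_id -> shared key (symmetric variant)
        self._pending = {}   # card_id -> the one outstanding challenge

    def enroll(self, card_id: str) -> Card:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        return Card(card_id, key)

    def challenge(self, card_id: str) -> bytes:
        self._pending[card_id] = secrets.token_bytes(16)
        return self._pending[card_id]

    def verify(self, card_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(card_id, None)   # each challenge is single-use
        key = self._keys.get(card_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, card_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    verifier = Verifier()
    card = verifier.enroll("badge-0001")            # constructed sample ID
    captured = card.respond(verifier.challenge("badge-0001"))
    genuine = verifier.verify("badge-0001", captured)
    verifier.challenge("badge-0001")                # reader issues a fresh challenge
    replayed = verifier.verify("badge-0001", captured)   # old bytes resent
    fresh = verifier.verify("badge-0001", card.respond(verifier.challenge("badge-0001")))
    return genuine, replayed, fresh
```

In a public-key deployment the verifier would hold only the card's certificate and check a signature over the challenge, so no shared secret sits on the server side.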
Applications: From ID Badges to Converged Access
Logical security - the software safeguards for an organization's systems, including user ID and password access, authentication, access rights, and authority levels - represents the leading edge of smart chip applications. These measures are necessary to ensure that only authorized users can do certain things or access information in a network or workstation. For example, smart chips in USB tokens or more traditional smart cards can authenticate users on corporate networks, whether on-site or via remote dial-in or virtual private networks (VPNs). They can authenticate everyday users for an application, group of applications, or a Web portal. They can also be used to provide administrators with everything from operating system access to other high-level corporate functions.
Another crucial smart-chip application is the convergence of stronger physical and logical security in the same form factor. For example, a single smart chip-enabled device can let an employee access a corporate campus, enter his or her building, and log on to those portions of the corporate network that he or she is approved to access.
These applications and many others have led to the rapid growth of the smart chip market. In September 2005, Frost and Sullivan predicted a 27.7% compound annual growth rate in North American smart card microcontroller shipments through 2010. It predicted even stronger growth in Latin America, where it says compound annual growth rates will reach 59.1% over the same period.
Government and Enterprise Adoption
Through HSPD-12, federal employees and contractors will soon be required to carry a smart card - called a Personal Identity Verification (PIV) card - to access both physical and logical resources. These smart cards, when used with appropriate data collection systems, will identify their bearers in several standard ways: photographic images printed on the card, biometric data (fingerprints) stored on the card, personal identification numbers (PINs) stored on the card, and other electronic credentials stored on the card, such as digital certificates.
Of course, government agencies have responded, investigating technology solutions that will enable them to meet HSPD-12 requirements. This is similar to what happened in the commercial market when Sarbanes-Oxley was passed several years ago: recognizing the need to comply, organizations sought out technical solutions that offered a "quick fix" to meet a regulatory deadline. While this approach achieved compliance, what many commercial organizations missed was the opportunity to leverage compliance-driven investments in technology more broadly.
Luckily, those commercial organizations aren't making the same mistake twice. A growing number of companies in a wide variety of vertical markets are executing smart card and smart chip deployments that pave the way for advanced security applications. The Burton Group surveyed global enterprises in oil and gas, healthcare, aerospace, pharmaceutical, hardware, software, and financial services - some with as many as 100,000 employees worldwide - as well as U.S. federal government agencies and organizations to understand the nature of their plans. Most of those organizations were attempting organization-wide rollouts rather than limited rollouts to specific groups.
Management and Advanced Applications
Card management systems let enterprises implement card-based identities, provisioning, authentication devices, and policy enforcement - increasing their overall security posture, improving the end-user's experience, and addressing regulatory requirements. They address the entire smart card credential lifecycle, from card and credential issuance to replacement and cancellation, as well as managing smart badging and applets. Correctly deployed, card management system technology provides unparalleled security for trusted distributed credential issuance and post-issuance management.
One advanced application that organizations are pursuing is enterprise single sign-on (ESSO). They're rolling out ESSO software so that users log in once and that login is automatically passed through to other applications, lessening the organizations' password management burden. Because this essentially creates one master "key," there's obviously a need to protect that key with strong authentication. Today, that often means a digital certificate embedded on a smart card. ESSO reduces human error, a major factor in systems failure, and is therefore highly desirable - but it was difficult to implement before the advent of smart chips.
A Look to the Future
At the same time, new market drivers - such as the need for secure e-commerce transactions or validation of participation in government programs - will create new applications that smart chips will power. So long as these technologies are efficiently managed, security professionals will be able to harness their power for productive deployments.