TORONTO — The Bank of Montreal has spent the last five years creating a smart card strategy to address compliance, productivity and client issues, but an executive in the bank’s information security division said there have been some hiccups
along the way.
“It’s not all rosy and nice without the hurdles,” said BMO’s Jimmy Don, one of four speakers on a panel looking at the challenges of merging physical and logical access at this year’s Infosecurity Canada conference. “It’s not a technology problem, it’s a process problem.”
With 35,000 BMO employees, enforcing a role-based system is a massive undertaking. To do this, the bank needed to have a solid organizational structure with clearly defined roles across all business units. Like many large organizations, BMO has many pockets that have their own rules, settings and infrastructure. When BMO started researching smart cards in 2000, it started with three streams: compliance, productivity and client.
Since then, BMO has rolled out tactical deployments across these pockets, including the most recent implementation for the trading floor. BMO is eventually looking to expand its strategy to a large-scale deployment of smart cards within the next two to three years.
Because every minute of stock brokers’ time counts for revenue, they require quick and easy access to applications and the network.
“All they want to do is come in the office in the morning, stick a card in and everything works,” said Don.
To enable users to start work fast, BMO used password synchronization to achieve single sign-on capability and built card and thumb-print readers into the machine. This capability, however, requires a lot of work in the back end to secure the infrastructure.
“The faster they get access, the more security we need to put in the backend,” said Don.
He added some initial problems included people leaving cards in their machines and manual work associated with password synchronization. If a user, for example, forgets his or her password, every application needs to be synchronized when the new password is created.
Tom Moss, senior director of managed security services at Bell Security Solutions Inc., added users are often aware of password authentication issues. Single sign-on was one of the first areas Bell Security Solutions focused on when it got into identity management five years ago.
“Today, we’re looking at much more sophisticated management of lifecycle identities across a variety of enterprise infrastructures,” said Moss. Bell Security Solutions, for example, manages the government of Canada’s credentialing process for citizens who file their income taxes online as well as a large project for the government of Alberta called secure access services.
Despite advances in smart card technology in recent years, Moss added, “most organizations are not at a point where they’re talking about converged physical and logical access because of the cost and the scale of those things.”
In terms of cost, Microsoft Corp., which has implemented smart cards across its 61,000 full-time and 30,000 contract employees worldwide, said the average cost per user has gone down significantly since it first piloted the cards in 2001 from $55 to $75 per user to $5 for a card at present. The cards that Microsoft is currently using have up to 32 kilobits of memory, half of which is used by the operating system and applications, said Microsoft Canada Co. security lead Michael Nowacki. He added cards are now capable of four to eight times that amount of memory.
Microsoft currently uses smart cards for system access, digitally signing e-mails, decrypting e-mails and rights management services, which combines encryption and policy to determine how an individual can use a document like print or save, for example.
“At Microsoft we combined RFID for physical access to the building along with smart card technology for logical access to the network along with a photo ID card that you must wear around as an ID badge,” said Nowacki.
Both Moss and Cryptocard Corp. president and CEO Malcom MacTaggart noted the increasing demand for smart card technology.
“We’re starting to see it in areas where high trust is essential,” said Moss referring to data centre deployments that use three-factor authentication. He added Bell Security Solutions has also seen an uptake in health care and manufacturing.
While the demand is there in certain sectors, MacTaggart pointed out that less than five per cent of the world’s computers use anything less than a static password.
“Security is only as strong as the weakest link,” he cautioned. “No matter how much money spending on firewalls, routers and switches, all of which are good things, it’s always useful to keep in mind where the weakest link in your network is.”
InfoSecurity Canada continues on Thursday.