Executive Summary

While many organizations have employed smart card identification to enhance their physical security infrastructure, KVM (Keyboard, Video & Mouse) system users in particular can benefit greatly from the two-factor authentication that a smart card inherently provides to the logical realm (access to software and application systems on servers). However, whereas a physical security system that incorporates smart cards is straightforward to implement, logical security using PKI-based (Public Key Infrastructure) authentication incurs very specific practical obstacles during implementation in a data center, network operating center, lab or any facility that relies on a KVM system for efficient operation. While smart card readers themselves are inexpensive, a 1-to-1 mapping of card readers to server hardware abrogates much of the efficiency that a high-density server environment with few user touchpoints provides. IT managers thus face a difficult decision: greater security or greater convenience.

A similar problem has been faced previously. Before the modern server boom, most computer rooms employed a keyboard and monitor for each server – a 1-to-1 mapping. KVM switching technology later eliminated this inefficient deployment, allowing one set of keyboard, monitor, and mouse peripherals to serve many servers at once. By extending the peripheral set to include smart card readers, modern KVM switches with smart card capabilities allow data center managers to enjoy the best of both worlds: greater security and greater convenience.

The objective of this document is to provide insight into smart card support within a KVM system, enabling servers with PKI authentication to be deployed without sacrificing efficiency and convenience. We explore several points to consider when adding or deploying this functionality.
Note that this white paper provides perspective on the benefits of enabling smart cards specifically in an out-of-band (“analog”) KVM system, and does not address an in-band (“networked,” “digital”) KVM-over-IP system. Additionally, this paper is concerned with the implementation of smart card readers for the purpose of accessing servers and PCs via a KVM switch, not the use of smart cards to log into the KVM system itself. Finally, note that for simplicity, the term "smart card" is used throughout this document. However, the same principles apply to other types of smart media, such as USB smart sticks and fingerprint readers.
Introduction

The use of integrated PKI and smart card authentication infrastructure for strengthening user identification credentials is growing worldwide. Global revenues in the corporate smart card security market (both physical and logical) are expected to grow at a compound annual growth rate of 9.8% during the forecast period 2005-2010 [2]. The estimated worldwide shipment of smart cards for use in corporate security was 15 million units in 2006, estimated to grow to 20 million units in 2007 [2]. Driving the demand is an increased need for greater physical security along with the requirement for stronger authentication of individuals accessing networks, often referred to as “logical access control.”

For logical access, smart cards provide additional security to organizations that require multifactor authentication without hampering user convenience. Managing employee credentials for physical access to facilities and logical access to IT infrastructure can be burdensome and expensive – even simple tasks such as password resets and reminders can incur non-trivial costs in a large organization. Smart cards provide a form of identification that can be used to secure both physical and logical access while delivering other business benefits. Thus, many organizations have employed secure, portable, and multipurpose employee badges to enable an efficient and cost-effective identity management system. A sound understanding of the business processes and goals within an enterprise is key to the most successful implementations of smart cards.

A pioneer in the adoption of smart card infrastructure is the United States Department of Defense (DoD), which has 3.8 million smart card users as a result of its Common Access Card (CAC) program [3], an initiative motivated by HSPD-12. This presidential mandate aims to achieve improved physical and logical security for Federal defense employees and contractors worldwide by requiring extensive implementation of smart cards in the DoD, including extensive smart card-based authentication to information systems by the end of 2007.