Time to try storage smart cards? |
 |
By Vijay Ahuja
21 May 2005 | Vijay Ahuja |
|
|
Smart cards offer the compelling combination of mobility and higher security for enterprise employees. Storage networks can also exploit this emerging technology in multiple ways, as I will outline later.
Authentication of entities can be strengthened by deploying a multi-factor authentication scheme consisting of one or more of the following:
1. Something you know (passwords or PINs)
2. Something you have (token cards etc.)
3. Something you are (your signature, retinal scan, etc.)
Smart cards come in various flavors.
Stored value cards: These cards may have certain values stored in an encrypted format. They are similar to magnetic stripe cards and have a memory of 32 or 64 kilobytes. Examples include phone cards or loyalty cards. Sometimes, a microprocessor may be added to the card. In such cases, the microprocessor performs the storage functions and may also provide a PIN protection on the card.
Token cards: These cards provide authentication support by generating a unique number or challenge/response. The authenticating entity creates a challenge, and the entity being authenticated enters the response using the values from the token card. This provides a higher level of authentication than the traditional ID/password authentication.
Cryptographic cards: Cryptographic cards provide secure storage of various encryptions keys such as the private keys and master keys. Often, these cards have built-in encryption technology that would allow encrypted storage of secret keys. A version of these cards may support m of n key parts. For example, your secret master key may be divided in seven parts, in such a way that any four of the seven parts can recreate the key. Each part is stored on a cryptographic card and the cards are given to administrators. In this way, any four out of seven persons would be required to recover and enter the key.
Smart Cards can provide specialized security functions for storage networks. First, the token cards may be used to provide stronger authentication of system administrators or support people. In effect, any individual password-based authentication to the storage network can be supplemented with the use of token cards. Examples include, access by system administrator, security administrator, or other key personnel.
Another important use of this technology comes when encryption is deployed in the storage networks. Encryption can be provided to secure the sensitive data (passwords, financial, or health-related regulated data), control traffic (such as configuration data, etc.), or any other type of critical data. The encryption key may be typically stored in a cryptographic card. For example, consider the standalone appliances that provide bulk data encryption at high speeds in the storage networks. Since this data may be stored in encrypted format for a long time, it is important that the encryption key is securely saved and is available over extended periods of time. For such applications, one option is to use the m of n key scheme, as mentioned above.
Smart cards may satisfy niche security requirements for your storage networks and their deployments may be dictated by several other considerations:
1. How much is the current enterprise using smart cards?
2. Is it consistent with the security policy of the enterprise?
Ensure that the smart card technology in itself is secure. In other words, make sure this technology does not open new security vulnerabilities for your network.
Finally, smart card technology comes with a price tag. Large deployments of smart cards may be expensive and the cards are often priced on a yearly renewal basis.
|
|
|
|
