Smart Card Implementation - Secure Technology Alliance · 04/06/2002 · – Does the current card...
Transcript of Smart Card Implementation - Secure Technology Alliance · 04/06/2002 · – Does the current card...
Smart Card Implementation “Project Management and Implementation Best
Practices”
Smart Card Implementation “Project Management and Implementation Best
Practices”
Chris Cikanovich,Director of Government Programs
June 4, 2002
Chris Cikanovich,Director of Government Programs
June 4, 2002
2
Topics of DiscussionTopics of Discussion
• Implementation of a formal “Process Plan”– Phase I – Strategy– Phase II – Definition– Phase III – Design– Phase IV – Development– Phase V – Integration– Phase VI - Development
• Implementation of a formal “Process Plan”– Phase I – Strategy– Phase II – Definition– Phase III – Design– Phase IV – Development– Phase V – Integration– Phase VI - Development
3
Implement Process PlanImplement Process Plan
- Business Requirements
- Functional Requirements
- Budget definition
- Subcontractor selection
- Subcontractor Agreements
- Project Management Plan
- Define project team
- High Level Design/ Design Specs
- Functional Specification
- Low Level Design
- Test Plan
- QA Plan
- Coding
- Unit Tests
- Documentation (user Manual, quick start guide, trouble shooting guide)
- Integration Tests
- System Tests
- Acceptance Testing
- Support team Training
- Pilots
- Help desk / Customer Service
- Platform Maintenance
- Product Release
- Delivery
DefinitionPhase II
DesignPhase III
DevelopmentPhase IV
IntegrationPhase V
DeploymentPhase VI
- Define value proposition
- Define project objectives
- Create estimated budget
-Obtain management approval
StrategyPhase I
4
Phase I - StrategyPhase I - Strategy
• Objective: – Program Value Proposition– Program Objectives– Project Budget– Management Approval
• Objective: – Program Value Proposition– Program Objectives– Project Budget– Management Approval
5
Defining The Value PropositionDefining The Value Proposition
– Financial• Off-line payment• Reducing fraud• Cashless payment• Web-based
transactions
– GSM• Network
authentication• Remote application
download• Store preferences
and user profile data
– Financial• Off-line payment• Reducing fraud• Cashless payment• Web-based
transactions
– GSM• Network
authentication• Remote application
download• Store preferences
and user profile data
– Loyalty• Strengthening the
merchant/consumer relationship by offering purchase incentives
– Loyalty• Strengthening the
merchant/consumer relationship by offering purchase incentives
Smart card technology addresses the value proposition from multiple directions
6
Defining The Value PropositionDefining The Value Proposition• The value proposition for implementing ID security programs is based on the cost of “non-security”
and loss or compromise of critical information or unauthorized access to specific locations– Loss of critical information
• Classified information• R&D data• Customer data• Financial statements• Human Resource data
– Unauthorized access to locations• Government/Commercial facilities• Unauthorized access to critical information• Regions (US Territory or other government property)
– “Unknown” Cyber Attacks• No immediate evidence of the attack provides the hacker time to “guide” through ones
organization– Alter permissions to physical and logical access systems– Obtain employee personal information– Copy, alter or delete end user information through networked PCs– Copy, alter or delete end user information through dial-up services
• The value proposition for implementing ID security programs is based on the cost of “non-security” and loss or compromise of critical information or unauthorized access to specific locations
– Loss of critical information• Classified information• R&D data• Customer data• Financial statements• Human Resource data
– Unauthorized access to locations• Government/Commercial facilities• Unauthorized access to critical information• Regions (US Territory or other government property)
– “Unknown” Cyber Attacks• No immediate evidence of the attack provides the hacker time to “guide” through ones
organization– Alter permissions to physical and logical access systems– Obtain employee personal information– Copy, alter or delete end user information through networked PCs– Copy, alter or delete end user information through dial-up services
The ROI is not necessarily based on increasing revenue, however,
based on the fact that you have eliminated the ability for unauthorized
users to gain access to mission critical information
7
Outline Project ObjectivesOutline Project Objectives
• Define the clear program goals/objectives – Create a mission statement for your project which
reinforces the overall objective
• Determine the overall investment objective and start with mission critical systems – If budget constraints exist define the system components
that are most critical to ensuring the program goals/objectives are met
• Define the clear program goals/objectives – Create a mission statement for your project which
reinforces the overall objective
• Determine the overall investment objective and start with mission critical systems – If budget constraints exist define the system components
that are most critical to ensuring the program goals/objectives are met
8
Phase II - DefinitionPhase II - Definition
• Objective: – Define project scope– Define project team
• Outline roles & responsibilities– Select technology providers, required
subcontractors and execute appropriate agreements
– Define functional requirements– Develop project management plan
• Objective: – Define project scope– Define project team
• Outline roles & responsibilities– Select technology providers, required
subcontractors and execute appropriate agreements
– Define functional requirements– Develop project management plan
9
Identify Project Team and Site LeadersIdentify Project Team and Site LeadersProject Lead
(Individual, Service, AgencyOr Government Body
Project Lead(Individual, Service, Agency
Or Government Body
Supplier Manager
Supplier Manager
• Contracts• Deliverables
• Contracts• Deliverables
Card Production
Card Production
•Card Body Requirements• Testing (PhysicalAccess and PKI)• Manufacturing• Fulfillment
•Card Body Requirements• Testing (PhysicalAccess and PKI)• Manufacturing• Fulfillment
Reader andInstall
Reader andInstall
• Functional and technical specs.• Distribution/Installation
• Functional and technical specs.• Distribution/Installation
PKI Implementation
PKI Implementation
• Integration • Implementation
• Integration • Implementation
PhysicalAccess
PhysicalAccess
• Technology• Implementation• Badging Station
• Technology• Implementation• Badging Station
IssuanceStations
IssuanceStations
• Define locations• Integration with CMS, AMS, KMS and Directory Services
• Define locations• Integration with CMS, AMS, KMS and Directory Services
10
Project Management Roles & ResponsibilitiesProject Management Roles & Responsibilities
• The following are the absolute requirement for a successful project (even when managed internally)– Ensure there is project dedication from management oversight
(corporate, Service, Agency or local government)• IT projects are complex and without objectives, dedication,
commitment from corporate management, IT projects can become expensive programs
– Assign overall project manager• For multi-location programs assign site leaders who report to
the overall project manager and coordinate all project and user communication for those individual sites
– Strong program and project management disciplines– Well defined responsibilities for key personnel (CTO, MIS Manager,
Security Officer, Human Resource Manager, etc)
• The following are the absolute requirement for a successful project (even when managed internally)– Ensure there is project dedication from management oversight
(corporate, Service, Agency or local government)• IT projects are complex and without objectives, dedication,
commitment from corporate management, IT projects can become expensive programs
– Assign overall project manager• For multi-location programs assign site leaders who report to
the overall project manager and coordinate all project and user communication for those individual sites
– Strong program and project management disciplines– Well defined responsibilities for key personnel (CTO, MIS Manager,
Security Officer, Human Resource Manager, etc)
11
Identify Technology SuppliersIdentify Technology SuppliersInfrastructureInfrastructure IntegrationIntegration ImplementationImplementation Life Cycle SupportLife Cycle Support
Des
crip
tion
• PKI
• Physical Access
• Smart Cards
• Smart Card Readers
• ID issuance stations
• Connectivity
• Card/Application management system
• PKI/LDAP
• Server components
• ID issuance components
• Deployment
• ID issuance process
• Help Desk
Part
ners
• Baltimore
• Entrust
• VeriSign
• DST
• FDR
• TSYS
• DataCard
• SchlumbergerSema
• Oberthur
• Gemplus
• Identicard
• Identix
• ActivCard
• PKI Provider
• In-House
• EDS
• Northrop Grumman
• Maximus
• SchlumbergerSema
• In-House
• Outsourced Call Center
• PKI Provider
• In-House
• EDS
• Northrop Grumman
• Maximus
• SchlumbergerSema
12
Project Management PlanProject Management Plan
• Your project management plan should outline:– Duration for the overall project and individual
design, development, integration, testing and deployment phases
– Responsible party for the delivery of the individual phases
– All key milestones and dependencies for the individual phases
– Project resource requirements and constraints
• Your project management plan should outline:– Duration for the overall project and individual
design, development, integration, testing and deployment phases
– Responsible party for the delivery of the individual phases
– All key milestones and dependencies for the individual phases
– Project resource requirements and constraints
13
Functional RequirementsFunctional Requirements• Your functional requirements outline the feature set
for the individual products, applications or systems required including:– PKI– Issuance station– Physical access solution– Logical access solution– LDAP services– Issuance process– Card Management System
• Your functional requirements outline the feature set for the individual products, applications or systems required including:– PKI– Issuance station– Physical access solution– Logical access solution– LDAP services– Issuance process– Card Management System
14
Phase III DesignPhase III Design• Objective:
– Understand the current user/technology infrastructure
– Create design specification• Outline the solution architecture• Understand the current user environment
– Create functional specification– Outline/implement test plan
• Objective: – Understand the current user/technology
infrastructure– Create design specification
• Outline the solution architecture• Understand the current user environment
– Create functional specification– Outline/implement test plan
15
Defining The ArchitectureDefining The Architecture• Create project plan for each critical system• Create architectural diagrams for all systems• Clearly outline and understand where all systems interact and the
impact on each system– Network– Physical access– CMS (Card Management System)– PKI (secure room environment for CA/RA services)– Directory Services (LDAP)– Redundancy Systems
• Define any systems/services which will be outsourced and how that system will integrate within your environment
• Define all security policies associated with:– Physical access– Card, Application and Key management
• Create project plan for each critical system• Create architectural diagrams for all systems• Clearly outline and understand where all systems interact and the
impact on each system– Network– Physical access– CMS (Card Management System)– PKI (secure room environment for CA/RA services)– Directory Services (LDAP)– Redundancy Systems
• Define any systems/services which will be outsourced and how that system will integrate within your environment
• Define all security policies associated with:– Physical access– Card, Application and Key management
16
Understanding The Current EnvironmentUnderstanding The Current Environment
• ID Issuance process– Physical location (impact of new technologies based on the current
environment)– Does the current card body support new technologies such as
integrated chips and have characteristics that ensure card body durability
• PC Platforms – 98, 2000, NT4, XP, etc?– Impact – smart card reader devices (USB support not provided under
NT4)– Browser support – Integration of smart card support (implementation of
required middleware software)– e-Mail support – Does the current “corporate” standard provide
interfaces for signature and encryption capability
• ID Issuance process– Physical location (impact of new technologies based on the current
environment)– Does the current card body support new technologies such as
integrated chips and have characteristics that ensure card body durability
• PC Platforms – 98, 2000, NT4, XP, etc?– Impact – smart card reader devices (USB support not provided under
NT4)– Browser support – Integration of smart card support (implementation of
required middleware software)– e-Mail support – Does the current “corporate” standard provide
interfaces for signature and encryption capability
17
• Physical access – Is there an existing system?– Proprietary or based on WIGEN standard (backend communication
protocol for physical access systems)?– If proprietary – can the card body support chip technology and post
printing processes (example: MAT finishes typically result in poor post printing quality)
– Reader interface• Does the reader interface both with the required Contactless
technology and the back-end protocol (typically Wiegand)
• Physical access – Is there an existing system?– Proprietary or based on WIGEN standard (backend communication
protocol for physical access systems)?– If proprietary – can the card body support chip technology and post
printing processes (example: MAT finishes typically result in poor post printing quality)
– Reader interface• Does the reader interface both with the required Contactless
technology and the back-end protocol (typically Wiegand)
Understanding The Current EnvironmentUnderstanding The Current Environment
Panel
Door Readers
(Contactless card –Mifare, HID, etc.)
Imaging System (Badges)
Access ServerRights and Policies
RS-232/485 converter
Standard Wiegand Output
18
Phase IV - DevelopmentPhase IV - Development• Objective:
– Develop or modify any core technology/software that is required to complete the implementation of your system
• Card Management System• Client Middleware• Install wizard (client installation package for
middleware software, reader drivers, etc)
• Objective: – Develop or modify any core technology/software that
is required to complete the implementation of your system
• Card Management System• Client Middleware• Install wizard (client installation package for
middleware software, reader drivers, etc)
19
Phase V - IntegrationPhase V - Integration
• Objective:– Integration of core software/hardware
components• LDAP (Directory services with key systems
such as HR, Payroll, Physical Access) • PKI Server components as required• Card Management System with LDAP
• Objective:– Integration of core software/hardware
components• LDAP (Directory services with key systems
such as HR, Payroll, Physical Access) • PKI Server components as required• Card Management System with LDAP
20
Example DiagramExample Diagram
PKI Engine (Intelligence Manager)
WebAccess
File encryption
ICE
Interface(CSP/PKCS)
CardManager
SecureE-mail
PC Card Reader
VPN PKISign-on
WebCMSTools
Java 2Plugin
21
Phase VI - DeploymentPhase VI - Deployment
• Objective: – Train user and customer support staff– Successfully deploy user components
• Smart Cards• Readers• Middleware software• Physical access systems• Issuance stations
– Define and establish customer/field support services (help desk)
• Objective: – Train user and customer support staff– Successfully deploy user components
• Smart Cards• Readers• Middleware software• Physical access systems• Issuance stations
– Define and establish customer/field support services (help desk)
22
TrainingTraining• Implementing a well defined end-user training program is key to a
successful project for several reasons– Provides an understanding of the purpose behind the
implementation (increased security, enhanced employee-based services through telecommunication via VPN, enhanced password management, physical access control to critical systems, etc.)
– Familiarizes the end-user with new technologies, terms and processes
– Increases end-user awareness of security policies and practices– Enforces the goal and objectives behind the initial project launch
• End users should be trained on all relevant aspects of the security system– Smart Card issuance process– Client software support– VPN access– “PKI 101”– Smart card reader installation/use– Security policies and procedures
• Implementing a well defined end-user training program is key to a successful project for several reasons– Provides an understanding of the purpose behind the
implementation (increased security, enhanced employee-based services through telecommunication via VPN, enhanced password management, physical access control to critical systems, etc.)
– Familiarizes the end-user with new technologies, terms and processes
– Increases end-user awareness of security policies and practices– Enforces the goal and objectives behind the initial project launch
• End users should be trained on all relevant aspects of the security system– Smart Card issuance process– Client software support– VPN access– “PKI 101”– Smart card reader installation/use– Security policies and procedures
23
Managing The DeploymentManaging The Deployment• Program management is key to deploying a successful smart card-
based corporate security solution• Define the program management team based on:
– Regions (North America, South America, Europe)– Regional Locations (States, Cities, etc.)– Campus locations– Buildings within individual locations
• Define deployment process– Card issuance (HR, Corporate Security, etc.)– Reader implementation (MIS Team)– Client Software deployment (Web Download, self install, MIS)
• Include the employee population in communications regarding events around deployment – Implement Intranet site to disseminate information– Impact on operations (if any)– Impact on operational policies and procedures
• Program management is key to deploying a successful smart card-based corporate security solution
• Define the program management team based on:– Regions (North America, South America, Europe)– Regional Locations (States, Cities, etc.)– Campus locations– Buildings within individual locations
• Define deployment process– Card issuance (HR, Corporate Security, etc.)– Reader implementation (MIS Team)– Client Software deployment (Web Download, self install, MIS)
• Include the employee population in communications regarding events around deployment – Implement Intranet site to disseminate information– Impact on operations (if any)– Impact on operational policies and procedures
24
Field SupportField Support
• Implement a formal “Field Support” guideline document that provides trouble shooting and technical support information for the employee population (physical document and web-based)
• For multi-national corporations, provide regional support that is capable of supporting procedures and operations unique to geographical regions
• For corporations who’s business relies on 24 hour services, support and communication, provide 24x5 technical support. If the budget is there provide 24x7 technical support– If technical support is outsourced ensure that the contracted party
are technology specialists within the PKI, VPN and IMS space.– Avoid contracting with “1-800” specialist that are not familiar with
your environment
• Implement a formal “Field Support” guideline document that provides trouble shooting and technical support information for the employee population (physical document and web-based)
• For multi-national corporations, provide regional support that is capable of supporting procedures and operations unique to geographical regions
• For corporations who’s business relies on 24 hour services, support and communication, provide 24x5 technical support. If the budget is there provide 24x7 technical support– If technical support is outsourced ensure that the contracted party
are technology specialists within the PKI, VPN and IMS space.– Avoid contracting with “1-800” specialist that are not familiar with
your environment
Communication and responsiveness are the key to quality field support
25
Contact information . . .Contact information . . .
Chris CikanovichSchlumberger NISDirector , Government Programs
Chris CikanovichSchlumberger NISDirector , Government Programs