- Email: [email protected]
A smart approach to fighting crime
chip talk
Chip Talk Where leaders of the smart card revolution air their views
A smart approach to fighting crime The UK’s general election campaign in May 2005 saw the issue of crime come to the forefront. A large part of the crime debate has centred on how police resources can best be managed to ensure crime is fought efficiently while enhancing overall national security. Marc Hudavert, vice president and general manager of ActivCard Europe, tells CTT that appropriate use of smart technology can play a major role in improving the network security of the police force, as well as in lowering costs.
“Like businesses and government organisations around the world, police departments are waking up to the fact that computer networks protected by old fashioned usernames and passwords have inherent weaknesses that make them a potential target for hackers. In a crimefighting environment this weakness is even more of a problem, because any hacker who successfully gains access to a police force’s computer system has the potential to tamper with criminal records and compromise investigations. Clearly, this is bad news for criminal justice – but it is also bad news for taxpayers who have to pick up the bill for any investigations that are compromised.
National standards “This threat is being taken seriously in the UK, and a number of standards and national police guidelines are now emerging. For example, the Unified Police Security Architecture (UPSA) standard is now being put together by the Police IT Organisation (PITO) at a national level. This specifies a standard set of tools for providing the authentication of individuals, the control of access rights and the secure transmission of information. Admittedly, it will take some time before all 43 police forces in England and Wales adopt technologies that comply with the UPSA standard, but that is the ultimate goal. “One of the forces at the forefront of rolling out systems that comply is Hampshire Constabulary, which serves a population of more than 1.8 million people and covers 1,500 square miles of the southern English county of Hampshire and the Isle of Wight. “Hampshire Constabulary’s answer to the problem of ensuring the confidentiality, integrity and accessibility of criminal information is to deploy a smart card solution that can provide
Card Technology Today June 2005
secure, seamless access to network and physical resources. The Constabulary recognised that legacy usernames and passwords were difficult to manage and would not meet the requirements of the UPSA standard. In addition, it needed to deploy a Record Management System to aid efficient operational policing while reviewing its security policies and business processes around network, remote, physical and application access. By selecting identity assurance solutions, Hampshire Constabulary can manage the administration, issuance and revocation of credentials in a user-friendly manner and provide single sign-on capabilities to its key systems, including the record management system. “Rollout of this technology began in October 2004 and concluded earlier this year. Over six months, 6,000 officers, staff and partner agencies in the county have been issued with smart cards that provide a holistic ID function controlling access to both logical and physical facilities. “The card used in Hampshire contains both contact and contactless interfaces for physical and logical access. The contact interface is a Java Card 2.1 containing 64KB EEPROM and adheres to GlobalPlatform 2.0 for logical access. On the IT side, the technology works in the Microsoft environment using active directory as a network directory and Microsoft digital certificates in the Windows environment.”
Reduced cost? “While the public may demand security, there is a general unwillingness to pay more taxes to achieve improvements. With this tough challenge for most politicians to grapple with, a smart approach to security becomes an interesting idea. “In the case of Hampshire Constabulary, the consolidation of user credentials onto a single, secure card should help the force to dramatically
improve IT security while reducing costs and increasing the productivity of its workforce. This is a cost reduction that could be achieved by police forces throughout England and Wales. “The biggest saving comes from the fact that the card is multi-application – and can be used for logical and physical access control. If you think of traditional systems, two separate infrastructures for enrolment and fulfilment of physical and logical access control are a necessity. You’ve also got to factor in the person-hours spent inputting information in two systems, not to mention the costs of a form factor for each application. Whether the form factors are token, biometrics or smart cards, these costs can soon mount up. Now, by collapsing all credentials onto one badge with one software infrastructure, you can significantly reduce costs. Added to this, the single sign-on solution requires tight integration with a directory. This means you can manage users from one place – the central directory – which is tightly fitted with the active directory. This compares with traditional solutions which use databases and position the solution on one side and the directory on the other.
Getting it right “I would say that rollout of the technology was efficient and successful. All partners played a key role in ensuring they provided what was expected of them. As a starting point, the lead-time was well organised and used to prepare the technology for deployment. Between August and October 2004, a proof of concept and pilot involving 150 users was put in place. This helped ensure the product and the IT infrastructure were well organised and helped all those involved to understand the challenges associated with enrolling users, issuing cards, fulfilment and solving problems. “One of the biggest challenges for a rollout such as this involves the use of single sign-on architecture for the logical environment. Here, you need to know which applications need to be part of the architecture. For example, how do you include standard or web applications? And how do you deal with legacy applications in the architecture? In the case of the rollout in Hampshire, the police had to choose what legacy systems it wanted to integrate, and we had to organise ourselves accordingly.
The opportunity “Confidentiality, integrity and availability are critical goals and necessities for any organisation holding sensitive data. By deploying single sign-on technology that is centrally managed, such goals can be achieved, resulting in an increase in productivity as well as compliance with security standards. By adding physical access to the card, you can significantly cut down on the costs associated with deploying two separate types of system.” Contact: Marc Hudavert of ActivCard Europe, Tel: +33 6 09 45 28 75, email: [email protected]
9
Chip Talk Where leaders of the smart card revolution air their views
A smart approach to fighting crime The UK’s general election campaign in May 2005 saw the issue of crime come to the forefront. A large part of the crime debate has centred on how police resources can best be managed to ensure crime is fought efficiently while enhancing overall national security. Marc Hudavert, vice president and general manager of ActivCard Europe, tells CTT that appropriate use of smart technology can play a major role in improving the network security of the police force, as well as in lowering costs.
“Like businesses and government organisations around the world, police departments are waking up to the fact that computer networks protected by old fashioned usernames and passwords have inherent weaknesses that make them a potential target for hackers. In a crimefighting environment this weakness is even more of a problem, because any hacker who successfully gains access to a police force’s computer system has the potential to tamper with criminal records and compromise investigations. Clearly, this is bad news for criminal justice – but it is also bad news for taxpayers who have to pick up the bill for any investigations that are compromised.
National standards “This threat is being taken seriously in the UK, and a number of standards and national police guidelines are now emerging. For example, the Unified Police Security Architecture (UPSA) standard is now being put together by the Police IT Organisation (PITO) at a national level. This specifies a standard set of tools for providing the authentication of individuals, the control of access rights and the secure transmission of information. Admittedly, it will take some time before all 43 police forces in England and Wales adopt technologies that comply with the UPSA standard, but that is the ultimate goal. “One of the forces at the forefront of rolling out systems that comply is Hampshire Constabulary, which serves a population of more than 1.8 million people and covers 1,500 square miles of the southern English county of Hampshire and the Isle of Wight. “Hampshire Constabulary’s answer to the problem of ensuring the confidentiality, integrity and accessibility of criminal information is to deploy a smart card solution that can provide
Card Technology Today June 2005
secure, seamless access to network and physical resources. The Constabulary recognised that legacy usernames and passwords were difficult to manage and would not meet the requirements of the UPSA standard. In addition, it needed to deploy a Record Management System to aid efficient operational policing while reviewing its security policies and business processes around network, remote, physical and application access. By selecting identity assurance solutions, Hampshire Constabulary can manage the administration, issuance and revocation of credentials in a user-friendly manner and provide single sign-on capabilities to its key systems, including the record management system. “Rollout of this technology began in October 2004 and concluded earlier this year. Over six months, 6,000 officers, staff and partner agencies in the county have been issued with smart cards that provide a holistic ID function controlling access to both logical and physical facilities. “The card used in Hampshire contains both contact and contactless interfaces for physical and logical access. The contact interface is a Java Card 2.1 containing 64KB EEPROM and adheres to GlobalPlatform 2.0 for logical access. On the IT side, the technology works in the Microsoft environment using active directory as a network directory and Microsoft digital certificates in the Windows environment.”
Reduced cost? “While the public may demand security, there is a general unwillingness to pay more taxes to achieve improvements. With this tough challenge for most politicians to grapple with, a smart approach to security becomes an interesting idea. “In the case of Hampshire Constabulary, the consolidation of user credentials onto a single, secure card should help the force to dramatically
improve IT security while reducing costs and increasing the productivity of its workforce. This is a cost reduction that could be achieved by police forces throughout England and Wales. “The biggest saving comes from the fact that the card is multi-application – and can be used for logical and physical access control. If you think of traditional systems, two separate infrastructures for enrolment and fulfilment of physical and logical access control are a necessity. You’ve also got to factor in the person-hours spent inputting information in two systems, not to mention the costs of a form factor for each application. Whether the form factors are token, biometrics or smart cards, these costs can soon mount up. Now, by collapsing all credentials onto one badge with one software infrastructure, you can significantly reduce costs. Added to this, the single sign-on solution requires tight integration with a directory. This means you can manage users from one place – the central directory – which is tightly fitted with the active directory. This compares with traditional solutions which use databases and position the solution on one side and the directory on the other.
Getting it right “I would say that rollout of the technology was efficient and successful. All partners played a key role in ensuring they provided what was expected of them. As a starting point, the lead-time was well organised and used to prepare the technology for deployment. Between August and October 2004, a proof of concept and pilot involving 150 users was put in place. This helped ensure the product and the IT infrastructure were well organised and helped all those involved to understand the challenges associated with enrolling users, issuing cards, fulfilment and solving problems. “One of the biggest challenges for a rollout such as this involves the use of single sign-on architecture for the logical environment. Here, you need to know which applications need to be part of the architecture. For example, how do you include standard or web applications? And how do you deal with legacy applications in the architecture? In the case of the rollout in Hampshire, the police had to choose what legacy systems it wanted to integrate, and we had to organise ourselves accordingly.
The opportunity “Confidentiality, integrity and availability are critical goals and necessities for any organisation holding sensitive data. By deploying single sign-on technology that is centrally managed, such goals can be achieved, resulting in an increase in productivity as well as compliance with security standards. By adding physical access to the card, you can significantly cut down on the costs associated with deploying two separate types of system.” Contact: Marc Hudavert of ActivCard Europe, Tel: +33 6 09 45 28 75, email: [email protected]
9