Why Leading Enterprises are Issuing Employee Smart Cards
by Aaron Zitzer
According to a recent survey of enterprises conducted by Datamonitor, smart card security solutions not only increase the protection of both physical and logical access to the organization but can also result in savings of more than $2 million for every 2,000 employees. Commissioned by Siemens Communications, Inc., the survey measured the return on investment of 53 organizations with smart card deployments. Datamonitor explored current authentication practices and the potential benefits of converging logical and physical access solutions.
Verifying a user’s identity before granting access to facilities or IT systems is hardly a new concept. Passwords, building access cards and photo IDs have been used to ‘authenticate’ users for decades. For some applications, such as remote access to IT resources, one-time-password tokens are used to increase security. Each of these items has multiple associated costs such as administration, software, hardware and maintenance.
Many leading organizations have found that by deploying a stronger and more flexible form of user authentication based on smart cards, their overall costs decrease significantly. There are examples in virtually every industry. Smart cards are also widely deployed in government due to their proven security and cost benefits.
The need for strong user authentication is higher than ever. Organizations are constantly bombarded by security threats, both internally and externally. Industry and government agencies are simultaneously mandating compliance to new regulations by demonstrating that they can control and audit the individuals that access certain resources.
Addressing the security requirements must be accomplished without becoming a burden on employees. In fact, most organizations are already dealing with employees that are frustrated by their existing IT security policies. Too many passwords and passwords that are complicated or expire too frequently all cause headaches and unproductive time spent looking for passwords. Even worse, the password problem generates additional calls to the help desk resulting in an increase in costs.
Not too long ago, security was seen as a necessary business requirement. Companies did only what they had to because of the cost. Today, leading organizations view security very different. Security can be a business enabler, can provide key competitive advantages and can actually save money.
Return on investment analysis is always a mitigating factor for an IT-related decision; however, little work has been done prior to the Datamonitor study to quantify the cost savings associated with an integrated smart card deployment.
Smart cards include a microchip for on-card processing capabilities and secure, portable storage for static and dynamic passwords, digital certificates and private keys, biometrics and other data. Smart cards have proven to be a reliable and secure form factor. However, the deciding factor for smart cards for employee ID may be its ability to host and protect multiple applications, providing cost savings and efficiencies throughout the organization. A single smart card can be used for physical (facilities) access and can securely store many digital credentials used to access IT resources. Even with its strong security, the user experience is simple – very much like using an ATM card, simply insert the card and enter the PIN.
Datamonitor’s analysis of the survey results identified both hard dollar and soft dollar savings that may result when a secure access smart card solution is deployed. For example, the survey found that, for a 2,000 employee enterprise, an average of 23.5 password-related helpdesk queries are fulfilled by IT departments each day, with each query requiring nearly 2.5 minutes to fulfill. This equates, according to Datamonitor, to an average of nearly one hour of password-related helpdesk queries each day. Based on an IT staff cost of $70 per hour, this totals to a $17,420 cost for fulfillment each year.
This cost estimate does not include the fact that password queries also cause IT staff disruptions, according to the report. Disruptions due to password queries mean that an IT staff member is unable to fulfill other organizational IT tasks. Password systems also require IT staff time for general maintenance. According to the report, such costs can add up to more than $152,000 per year for an enterprise with 2,000 workers.
In another cost savings evaluated by Datamonitor, the study explored ways in which a smart card system could save employee time. For example, how much time do employees spend to find and enter passwords during a typical day? Even with a relatively small amount of time savings – an average of one minute and 13 seconds per employee at an average of $70 per hour, according to the study – equates to a cost savings of $736,667 per year for an enterprise with 2,000 employees.
Datamonitor’s survey also collected anecdotal evidence for the management of PKI certificates through a smart card deployment. A prominent government department, for example, that deployed PKI as an authentication mechanism within the organization, estimated that between $101 and $500 per user was saved each year by managing PKI certificates through smart cards. Assuming a midpoint of $300 per user per year, this equates to an annual savings of $600,000 for an enterprise with 2,000 employees.
Several cost savings related to physical access were also studied when smart cards are used to authenticate employees and control facility access as well as for authenticating access to IT networks and systems. On average, according to the study, enterprises could save 25 percent of their facilities staff budget, as well as significant dollars related to more efficient building access procedures.
Such systems help simplify management processes involving card issuance, personalization, access rights, management and post-issuance. This translates into reduced staff costs, quicker building entry and other tangible savings such as reduced insurance premiums. In addition, soft dollar savings include reductions in theft and other costs associated with unwanted individuals gaining access to the enterprise and potentially conducting industrial espionage.
In total, the Datamonitor analysis illustrates a number of potential cost savings associated with integrated smart card deployments, including both IT and general employee cost savings:
- Time savings from enhanced mechanism for user sign on ($736,667).
- Cost savings by managing PKI certificates through smart cards ($600,000).
- Time savings through quicker access to buildings and facilities ($347,569).
- Cost of password-related queries for IT department ($152,620).
- Reduction in staff costs through automation of physical access ($125,000).
- Cost savings from issuing smart cards for temporary access ($45,335).
Datamonitor noted that such savings will scale for enterprises with greater number of employees. An enterprise with 10,000 employees, for example, could generate annual cost savings of more than $10 million. “Although these savings do not factor in the cost of deployment and operation, the information clearly illustrates that enterprises will generate significant cost savings over time by deploying a secure access smart card solution.”
When seeking an integrated smart card solution, the Datamonitor report suggests strategies for seeking an integrated smart card solution that to provide maximum return on investment for the enterprise. According to Datamonitor, a vendor’s solutions should ensure:
A comprehensive range of products and demonstrated flexibility in terms of solution offerings. Packaged solutions are available, Datamonitor warns, but packaged deals may also prohibit an enterprise from adapting best-of-breed solution components.
- Simple migration, via standards-based identity management solutions, that support biometrics or alternative technologies as they become available or are practical to integrate.
- Scalability if the enterprise needs to cover a greater number of users.
- Integration with legacy systems and applications as well as with back-end mainframes and network configurations.
"Enterprises are now increasingly familiar with smart card technology, though knowledge of areas such as standards and an understanding of how smart cards can improve business processes is often lacking," the Datamonitor report concluded. "Enterprises continue to need advice and guidance on managing smart cards through their life-cycle, including knowledge of how to make post-issuance cost effective."
Link to the complete survey findings captured in the Datamonitor report, The ROI Case for Smart Cards in the Enterprise.
About the Author
Aaron Zitzer is a product marketing manager with Siemens Communications, Inc.