Smart Card Concept

MAXIMUS
7th CACR Information Workshop
Vulnerabilities of MultiApplication Systems
April 25, 2001

Smart Card Concept

[Card image: MARC, SMITH JOHN JAMES]

Satisfies requirement for updateable information on a portable medium.
Portable hardware token for PKI
Reduces proliferation of single use, non-standard cards.
Eliminates redundant data entry.

Why a Multiple Application Smart Card

Replace Currently Issued Single Use Cards
Eliminate/Reduce Redundant Data Entry
Ensure Accurate Data Entry
Updateable/Portable Data Carrier
Driver’s License, Loyalty Cards, I.D. Card, Financial Card
Write Once - Read Many
Card and Infrastructure Costs Can be Shared Across Participating Businesses

Why a Multiple Application Smart Card, Continued

Security
  Network - Log On, PKI
  Physical - Access Control
Stored Value
  Eliminate Handling, Collection, Counting of Cash
  Guaranteed Form of Payment
  Completely Auditable
  Reduce Opportunity for Theft

Issues

Management Issues…
  Requirements
  Managing Data Across Multiple Applications
  Risk Factors
People Issues…
  Privacy/Security Concerns
  Operational Effectiveness
  User Satisfaction
  Training
Technical Issues…
  Durability
  Availability
  Maintainability

The key to e-government solutions is authentication

Organizations providing private information over the net need assurance that the person or entity viewing and using that information is the person or entity they claim to be and that they are authorized to do so.

Representative Data Model
Data Sets to Support Range of Applications

[Diagram; data set labels in extraction order: ACCESS CONTROL; TRAVEL SUPPORT; STORED VALUE; LOYALTY; PHYSICAL TRAINING; BIOMETRICS; SECURITY; CREDENTIALS; GENERAL TRAINING; OPTOMETRY; DENTAL; IMMUNIZATION; MEDICAL; LEGAL; FINANCE; GENERAL MILITARY; CONNECTIVITY; DEMOGRAPHICS. Legend: Broad Range & Depth; Medium Range & Depth; Limited Range & Depth]

SMART CARD MULTI-APPLICATION VIEW

[Diagram; labels in extraction order: Applications; Serial Readers; TCP/IP; POS; ISO 7816 Cards; JAVA Cards; EMV Cards; Multos Cards; WFSC Cards; Proton Cards…; PC Card Readers; UNIX; WFSC; Applications on Card; CE; 32-bit Windows; On Board Readers; Specialty; Multos JAVA; OS; Parallel Readers; DOS; Card Data Management and Version Control; PC/SC; Specialty Application; Multiple Data Management and Version Control Systems; Communications Protocol Manager; Smart Card Chips]

Critical Paths

[Diagram; labels in extraction order: Requirements; Decision; Documentation; Funding; Decision; Customer Acceptance; Documentation Provided; Card Platform; Decision; Delivery; Software Development; Delivery; Acceptance; Hardware; Decision; Delivery; Installation; Business Case; AS-IS; TO-BE; Business Case Analysis]

Issuance
Vulnerabilities

Additive
Functional data bases
Functional IT infrastructure
Card reader devices
Users security
PIN
Card possession
Integrity
Large user population increases threat

Multi-application Maturity

Stage 1, Stage 2, Stage 3, Stage 4

Customer Home Page
Characteristics
•Static Web Page
•Presentation of Services
•Basic Information
•Links to Other Sites
•No Impact on Operations

Information and Referral
Characteristics
•Dynamic Information
•Resource Directory
•Search Engine
•e-Mail
•Documents Available for Download
•Minor Impact on Operations

e-business Transactions
Characteristics
•On-line Transaction Processing
•Web Enabled Applications
•Limited Interface to Legacy Systems
•Security and Authentication
•Limited Personalization
•Electronic Payment
•Major Impact on Operations

e-business Transformation
Characteristics
•Internet is Primary Means of Informational Exchange
•Reengineered Business Processes
•Optimized Organizational Model
•Full Integration with Legacy Systems
•Extensive Personalization
•Supply Chain Optimization
•Advanced Security and Authentication

A Day in the Life of a user

Access Control
Replaces Paper-based Records
Verifies Qualifications
Monitors/Tracks Personnel
Automates Reporting
Physical Access
Logical Access
Medical
Verifies Identification
Protects Personal Information
Increases Readiness for Mobilization
Safeguards Benefits
Reduce Paperwork
Verifies Identity
Automates Transactions
Eliminates Redundancy
Quality of Life
Easy win for Policies
Eliminates input error
Public Key Infrastructure
Verifies Identification
Key Management
Secure Communications
Automates Transactions

A Day in the Life Cont’d
E-Commerce
Interoperability
Meets Agency Business Rules
Fits into existing infrastructure
Not a stand alone “system”
Automation Enabler
Increases customer satisfaction
Entitlements
Reduces Money Handling
Identifies Entitlements
Automates Headcount
Automation of Processes
Minimizes Dual Entries
Leverages Infrastructure
Minimizes Training
Reduces technical issues
Web Enabling
Paperless Reports
Verifies Qualifications
Virtual Office Support
Information Visibility

Questions?