Employment dept smartens up security

Leading the trend to combine both IT and physical security the Department of Employment and Workplace Relations (DEWR) has rolled out a million-dollar smartcard solution to more than 2000 employees.

The corporate access card combines IT and building access for employees on a single, multi-application smartcard and incorporate mandatory photo identification.

DEWR is the first federal government department to fully integrate IT and building security; several other departments are set to follow with a number of trials currently under way.

The department's communications and IT security director, Ian Rose, said the smartcard is expected to increase employee's personal security with improved monitoring of building access, reduce the cost of helpdesk support relating to password resets and provide greater protection from hackers.

The implementation was the result of a formal recommendation by the Australian National Audit Office and coincided with the installation of a new electronic building system allowing DEWR to consolidate multiple security processes.

Previously, DEWR employees used three different credentials - a static password for IT access, a card for building access and a badge with a photograph for staff identification.

Rose said the solution, from VeriSign, will reduce the risk of system hackers and eliminate the improper practice of shared logins for IT access. It also improves detection capabilities and audit trails for investigative and review purposes.

"It significantly reduces helpdesk costs; under the previous system of static passwords employees had to reset their passwords every 30 days," Rose said.

"This is no longer necessary as employees receive a personal PIN for their smartcard which acts in a similar way to a credit card PIN providing two-factor authentication."

VeriSign Australia managing director Gregg Rowley said the DEWR installation is the largest enterprise project undertaken to date and is a showcase for the other departments looking to implement a single security solution.

Rowley said the installation was completed in two months covering 2000 Windows users and 500 Citrix users.

Password management costly

Labour costs for configuring and maintaining password systems in companies with more than 100,000 users average $US300 to $350 per user, according to Aberdeen Group. The average user manages more than five passwords and over 24 per cent of users have at least eight user names and passwords on their system at any one time. The key to password integrity is to obfuscate words as much as possible by using both upper- and lowercase letters, numbers, symbols and punctuation. There's no ideal combination of letters, numbers or symbols.

The goal is to make each password as difficult for hackers to decipher as possible. For example, you can use 0 in place of an O, @ in place of an A, or 3 in place of an E. Each layer of difficulty that you add to the password will increase the time it takes for a hacker to crack it.