Thursday, December 21, 2006

Smart Cards Everywhere?

One of my clients wants to know if it's possible to implement something like the DoD Common Access Card (CAC, not "CAC card") in a commercial setting. In other words, you use a single card for building access, PC access, etc. Is anyone using something like that in their organization?


Anonymous said...

How is the CAC smartcard functionality used these days? Email signing and encryption? Web authentication? The card is only used with unclassified systems, right?

Joel Esler said...

Yes. The CAC is used for signing on, email signing and encryption, web authentication, basically anything that can be done, or is done with a certificate.

It's only being used in NIPR (Unclassified) systems. It has a magnetic strip on the back that is blank, and can be coded for swipe doors at whatever location you are currently working at... (problem is, most DOD facilities have proximity cards).

Could this be implemented in a commercial setting? Yes. But at what cost? At what expense? What do you gain out of it? When I worked for DOD, all I got out of the deal was a headache... implementation, it became our ID, which only SOME people accepted (like, the gate guards on post wanted our Driver's License sometimes -- grrrr), going to get a new one every three years, using it for sign-on, using it to get in the building. Here's the kicker. Say you left it in your computer at night, your computer would screensaver lock after a while, no problem... but you couldn't get back in the building the next day!

Annoying is the key. I never liked it. The Email signing and authentication never worked across all platforms with ease. Doesn't work with ALL email clients. (and IMO, trying to say something like "well everyone MUST use OUTLOOK" is not an answer, it's a 'way out'.) Ours didn't work with sign on to the network. The only feature about the CAC that I DID like, is when I walked away from my computer, I took the CAC out of the reader, and voilà... my computer locked.

That was about it. Now. You know what's kinda cool (but involves us going back to terminals), is Sun's (yes Sun Microsystems, as much as I hate Sun...) card that you can carry from machine to machine and wherever you plug it in... you can call up YOUR desktop. That's a decent idea. However, no one likes dummy terminals. I digress.

Could it be done? Yes. Is it worth it? No. Not in my opinion.

Anonymous said...

I heard that Microsoft moved to this some years ago for their employees. My understanding is that their rollout took weeks, not decades like the federal government.

Anonymous said...

Honestly, I use the CAC daily and it hasn't been the annoyance that Joel describes. Email encryption and signing work well, and as long as you don't forget your CAC, you can go about your business just fine. The problem of 'not being able to get into your building the next day' has been felt by everyone working at a secure facility when you forget your badge. This is not a valid reason not to implement it. At its most fundamental, this enables digital signing and encryption for all; not too shabby for 'non-repudiation', 'integrity', and 'confidentiality'.

As for the 'Outlook' for everyone... well, it *is* the baseline. It may not be the email application of your choice (or mine, personally) but it is what the enterprise has subscribed to. If your organization chooses to use something different as compared to the enterprise as a whole, it's left to you to mitigate/correct any implementation details, including making the CAC work.

If 'everyone uses Outlook' is a 'way out' instead of a solution, then how do you propose to patch manage and configuration manage at an enterprise level, when you can't even keep a standard set of applications on your systems?

The rollout could've been a little faster though, that's for sure. :)

John said...

I worked at a client site a couple of years ago that implemented a combined photo id/proximity card/smart card for a couple thousand employees and with the implementation being completed fairly well.

As far as its use, it was accepted well. Upon removal of the card from the reader, the PC automatically locked which was a nice feature. As previously noted, someone could walk away from the PC, exit a floor or building, and then have no way of gaining entry. This is a human process and procedure issue. Depending on the required security, the card could be required to exit a door or building, thus forcing the user to ensure s/he took the card with them.

I don't feel the issue about needing to support multiple email clients is that big an issue as most enterprises are going to standardise on a single email client as part of their SOE.
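
Both Joel's and John's comments single out the same control: pull the card out of the reader and the PC locks. On Windows that behaviour is not automatic; it depends on the `ScRemoveOption` Winlogon value and on the Smart Card Removal Policy service (`SCPolicySvc`) actually running, and a host where either is missing keeps the session open after the card leaves. The following is an added example, not code from the post or any commenter, that audits a machine for that gap and sets the "lock workstation" option; it assumes a domain-joined Windows host where the equivalent Group Policy setting ("Interactive logon: Smart card removal behavior") is not already overriding the local value, and it must be run elevated.

```powershell
# Added example (not from the post or any commenter): audit and enforce the
# Windows "lock on smart card removal" behaviour discussed in the thread.
# Assumes: Windows host, elevated shell, no Group Policy overriding the value.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Meaning of each ScRemoveOption value; '0' is the weak setting.
$Meaning = @{
    '0' = 'No action (weak: session stays open after the card is removed)'
    '1' = 'Lock workstation'
    '2' = 'Force logoff'
    '3' = 'Disconnect if a Remote Desktop session'
}

function Get-SmartCardRemovalPolicy {
    # Read the registry value; an absent value behaves like '0' (no action).
    $value = (Get-ItemProperty -Path $WinlogonKey -Name ScRemoveOption `
                -ErrorAction SilentlyContinue).ScRemoveOption
    if ([string]::IsNullOrEmpty($value)) { $value = '0' }

    # The value only takes effect while SCPolicySvc is running.
    $svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ScRemoveOption = [string]$value
        Meaning        = $Meaning[[string]$value]
        ServiceStatus  = if ($svc) { [string]$svc.Status }    else { 'missing' }
        StartType      = if ($svc) { [string]$svc.StartType } else { 'missing' }
        Enforced       = ($value -ne '0') -and $svc -and ($svc.Status -eq 'Running')
    }
}

function Set-SmartCardRemovalPolicy {
    # Default '1' = lock workstation, the behaviour both commenters liked.
    param([ValidateSet('1','2','3')][string]$Option = '1')

    Set-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -Value $Option -Type String

    # Make sure the enforcing service starts at boot and is running now.
    Set-Service  -Name SCPolicySvc -StartupType Automatic
    Start-Service -Name SCPolicySvc
}

# Usage: report the weak state, remediate, and show the result.
$before = Get-SmartCardRemovalPolicy
if (-not $before.Enforced) {
    Write-Warning ("Card removal does not lock this PC: {0}; SCPolicySvc is {1}" -f
                   $before.Meaning, $before.ServiceStatus)
    Set-SmartCardRemovalPolicy -Option '1'
}
Get-SmartCardRemovalPolicy
```

In a fleet the same two checks belong in Group Policy rather than a per-host script (the policy setting writes this value and the service must be left enabled); the script is useful for spotting machines where the policy did not apply. Note that this only closes the "walked away with the session open" case: the "left the card in the reader overnight and cannot get into the building" problem John describes is a procedural one that the lock setting does nothing about.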

Anonymous said...

Speaking of Sun Microsystems -- I worked there until recently and we had a badge which consolidated mag stripe, proximity, and a Java smart card into a single photo ID.

Unfortunately, after years of promises the PKI never arrived to do anything useful with the "smart" card. It was just a token for building access, SunRays, etc.

The hotdesking was pretty cool, but it came with the "left the badge in the SunRay, can't get into the building" feature.

Joel Esler said...

Apparently people don't share my complaint.

I just thought the CAC in DOD was more of a hassle than it was worth. People were supposed to be signing and encrypting email by 2003, I mean... 2004. Or... 2005. Wait...

It just seemed like a waste of money when it could have been done easier.

Robert M. Richardson said...

I use something very similar at my organization from Aladdin.

It works very well and was fairly easy to set up and administer. Integrates well with AD also.