Smart Cards Everywhere?
One of my clients wants to know if it's possible to implement something like the DoD Common Access Card (CAC, not "CAC card") in a commercial setting. In other words, you use a single card for building access, PC access, etc. Is anyone using something like that in their organization?
Comments
It's only being used in NIPR (Unclassified) systems. It has a magnetic strip on the back that is blank, and can be coded for swipe doors at whatever location you are currently working at (problem is, most DOD facilities have proximity cards).
Could this be implemented in a commercial setting? Yes. But at what cost? At what expense? What do you gain out of it? When I worked for DOD, all I got out of the deal was a headache: implementation, it became our ID, which only SOME people accepted (like, the gate guards on post wanted our Driver's License sometimes -- grrrr), going to get a new one every three years, using it for sign-on, using it to get in the building. Here's the kicker. Say you left it in your computer at night; your computer would screensaver lock after a while, no problem, but you couldn't get back in the building the next day!
Annoying is the key. I never liked it. The email signing and authentication never worked across all platforms with ease. Doesn't work with ALL email clients. (And IMO, trying to say something like "well, everyone MUST use OUTLOOK" is not an answer, it's a 'way out'.) Ours didn't work with sign-on to the network. The only feature about the CAC that I DID like is when I walked away from my computer, I took the CAC out of the reader, and voila... my computer locked.
That was about it. Now. You know what's kinda cool (but involves us going back to terminals) is Sun's (yes, Sun Microsystems, as much as I hate Sun...) card that you can carry from machine to machine, and wherever you plug it in, you can call up YOUR desktop. That's a decent idea. However, no one likes dummy terminals. I digress.
Could it be done? Yes. Is it worth it? No. Not in my opinion.
As for 'Outlook for everyone', well, it *is* the baseline. It may not be the email application of your choice (or mine, personally), but it is what the enterprise has subscribed to. If your organization chooses to use something different as compared to the enterprise as a whole, it's left to you to mitigate/correct any implementation details, including making the CAC work.
If 'everyone uses Outlook' is a 'way out' instead of a solution, then how do you propose to patch-manage and configuration-manage at an enterprise level, when you can't even keep a standard set of applications on your systems?
The rollout could've been a little faster though, that's for sure. :)
As far as its use, it was accepted well. Upon removal of the card from the reader, the PC automatically locked which was a nice feature. As previously noted, someone could walk away from the PC, exit a floor or building, and then have no way of gaining entry. This is a human process and procedure issue. Depending on the required security, the card could be required to exit a door or building, thus forcing the user to ensure s/he took the card with them.
I don't feel the issue about needing to support multiple email clients is that big an issue as most enterprises are going to standardise on a single email client as part of their SOE.
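The lock-on-removal behaviour the commenter describes is Windows' "Interactive logon: Smart card removal behavior" setting. As an added example (not code from the thread), this PowerShell audits that setting and the Smart Card Removal Policy service that actually enforces it, then sets it to lock the workstation; it assumes a Windows host and an elevated session.

```powershell
# Added example (not from the thread): audit and enforce the Windows smart card
# removal behaviour (PC locks when the card is pulled from the reader).
# Assumptions: Windows host, run from an elevated PowerShell session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$meaning  = @{ '0' = 'No action'; '1' = 'Lock Workstation';
               '2' = 'Force Logoff'; '3' = 'Disconnect if a Remote Desktop Services session' }

function Get-SmartCardRemovalBehavior {
    # ScRemoveOption is stored as REG_SZ; a missing value behaves like '0' (no action).
    $value = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    if ([string]::IsNullOrEmpty($value)) { $value = '0' }
    # The setting only takes effect while the Smart Card Removal Policy service (SCPolicySvc) is running,
    # so a correct registry value alone does not guarantee the lock happens.
    $svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Option        = $value
        Meaning       = $meaning[$value]
        ServiceStatus = $(if ($svc) { $svc.Status } else { 'Not installed' })
        Effective     = ($value -ne '0' -and $null -ne $svc -and $svc.Status -eq 'Running')
    }
}

function Set-SmartCardRemovalLock {
    # Enforce 'Lock Workstation' (1) and make sure the enforcing service runs at boot.
    Set-ItemProperty -Path $winlogon -Name ScRemoveOption -Value '1' -Type String
    Set-Service -Name SCPolicySvc -StartupType Automatic
    Start-Service -Name SCPolicySvc
}

$before = Get-SmartCardRemovalBehavior
if (-not $before.Effective) {
    Write-Host "Removal behaviour '$($before.Meaning)' (service: $($before.ServiceStatus)) is not enforcing a lock; fixing."
    Set-SmartCardRemovalLock
}
Get-SmartCardRemovalBehavior | Format-List
```

In a domain, the same setting is normally pushed by Group Policy rather than set per host; the audit function is still useful for confirming the policy and service actually landed on a given machine.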
Unfortunately, after years of promises the PKI never arrived to do anything useful with the "smart" card. It was just a token for building access, SunRays, etc.
The hotdesking was pretty cool, but it came with the "left the badge in the SunRay, can't get into the building" feature.
I just thought the CAC in DOD was more of a hassle than it was worth. People were supposed to be signing and encrypting email by 2003, I mean... 2004. Or... 2005. Wait...
It just seemed like a waste of money when it could have been done easier.
http://aladdin.com/etoken/proximity.asp
It works very well and was fairly easy to setup and administer. Integrates well with AD also.