Mac Security in the Oval Office - or Any Office
Mar 30, 2009 4:00 AM PT
We hear that your new team is having challenges in getting their Macs integrated into the White House network. Some recent news stories mentioned application compatibility as one of the hassles, but we'd be willing to bet that the bigger challenge is security.
In many of the commercial enterprises we see, Macs are often managed individually or by the department expert, sometimes escaping the strict security controls that are usually required. Given the security and archiving requirements in the White House, that kind of loose control is probably not going to be allowed. So how is your technical staff going to be sure that your Macs are secure and meet the requirements that your predecessors put in place to ensure login security, specifically HSPD-12 (Homeland Security Presidential Directive 12) and FISMA (Federal Information Security Management Act)?
In general, we have some good news: We've seen these challenges before, and we have a solution to help you keep your Macs, even in a Windows-centric White House.
First, since the White House is using Microsoft Exchange for email, you must be using Microsoft Active Directory to authenticate people so they can get to their mail. You and your new staff are probably using Entourage as part of Microsoft Office 2008 on the Mac to access email, so you know there is no reason for the White House IT staff to prevent you from using Macs since you can do what you need to from your Mac.
Also, Active Directory can help your IT staff keep those Macs secure and within your control. Active Directory can be used to manage login controls on your Macs as well as to enforce the security policies that you need by leveraging a Microsoft technology called "Group Policy." Since your White House IT staff is already confident in their ability to administer Active Directory and use Group Policy in managing Windows computers, they should have no problem using an additional set of Mac Group Policies to control many of the security settings on Mac computers, reinforcing the native security of the Mac.
However, one thing that you will need to ensure is that only authorized people can log in to your staff computers. The reason HSPD-12 was put in place is to make sure that someone can't get access with just a username and password; you've got to have a smart card that was issued to you and cannot be cryptographically compromised. It is unique to you and no one else. I'd bet that you have a photo ID badge now that is actually a PIV (Personal Identity Verification) card that was issued when you took office. You see, every single person in the Department of Defense has been issued a Common Access Card, and due to HSPD-12, every employee and contractor who works for any of the federal agencies will be issued a PIV card for photo ID, building access and computer login.
Say someone in the White House walks up to a computer and logs in claiming he's your senior advisor, David Axelrod. When one of these smart cards is inserted into a computer and the person to whom it was issued enters the PIN code to unlock the card, it can then be used by the operating system to validate the identity of the user, to enable a login and to provide access to what he is authorized to access. All you need is a smart card reader to plug into your Mac. You might already have one of those cool Bluetooth smart card readers for your BlackBerry. If so, you just need to get them to help you pair it with your MacBook so you can also wirelessly use the smart card to log in to the computer.
We're going into a little more detail here about how the login works, but we know you can handle it. There are three providers involved in the stages of this transaction: Apple, the smart card company, and the identity management software company. The Mac OS has anticipated this problem so the Mac can support your DoD people as well as all of the other government agencies that require smart cards. The way it works is, your new staff members get an ID/smart card from the security people. The smart card companies provide the readers and cards that can hold your name, a certificate and private keys that are encrypted on the card and protected by a PIN that only you know.
When Mr. Axelrod puts the card into the reader attached to his Mac, he has to put in his PIN. The Mac has software called "TokenD" that checks the certificate for validity after the PIN is entered to unlock the card. Next, we need to see whether the name on the card matches a user in Active Directory (AD) and then validate the certificate; this is done by the third-party identity management software, which knows how to talk to AD in order to confirm that the certificate is valid. If AD says it's valid, then Mr. Axelrod gets logged into his desktop as usual and AD provides proof of login, a Kerberos ticket, so that he can access other services on the network securely without having to log in to each one. The good news then is he has just as much access as the PC users, and your White House IT guys have the same control over the Macs (... including yours) as they do of the PCs.
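The login sequence in the two paragraphs above, written out as an added simulation (not code from the article or from any Centrify or Apple product): constructed card, trust-list and directory data stand in for the PIV card, TokenD and Active Directory, and the retry limit, issuer name, realm and account names are assumptions chosen for the example.

```python
# Added example: a simulation of the smart card login checks described above.
# Card, trust and directory data are constructed in-line; no real PKI, TokenD
# or Active Directory is involved.
import hashlib
import hmac
from datetime import date

PIN_RETRY_LIMIT = 3  # assumed policy: the card locks after three bad PINs
TRUSTED_ISSUERS = {"Constructed Federal PIV CA"}  # constructed trust list
REVOKED_SERIALS = {"0003"}  # constructed revocation list
AD_USERS = {"daxelrod": "David Axelrod"}  # constructed AD account -> name

def hash_pin(pin):
    return hashlib.sha256(pin.encode()).digest()

def make_card(name, account, issuer, serial, not_after, pin):
    """Stand-in for a PIV card: a certificate plus a PIN-protected key."""
    return {"cert": {"name": name, "upn": account, "issuer": issuer,
                     "serial": serial, "not_after": not_after},
            "pin_hash": hash_pin(pin), "retries_left": PIN_RETRY_LIMIT}

def unlock_card(card, pin):
    """Stage 1: the PIN unlocks the card; wrong PINs burn the retry counter."""
    if card["retries_left"] == 0:
        return False  # card is locked, even a correct PIN is refused
    if hmac.compare_digest(card["pin_hash"], hash_pin(pin)):
        card["retries_left"] = PIN_RETRY_LIMIT
        return True
    card["retries_left"] -= 1
    return False

def validate_cert(cert, today):
    """Stage 2: the validity checks done after the card is unlocked."""
    if cert["issuer"] not in TRUSTED_ISSUERS:
        return "untrusted issuer"
    if date.fromisoformat(today) > date.fromisoformat(cert["not_after"]):
        return "certificate expired"
    if cert["serial"] in REVOKED_SERIALS:
        return "certificate revoked"
    return None

def smart_card_login(card, pin, today="2009-03-30"):
    """Returns (ok, detail); on success detail is a mock Kerberos-style ticket."""
    if not unlock_card(card, pin):
        return False, "PIN rejected (%d tries left)" % card["retries_left"]
    problem = validate_cert(card["cert"], today)
    if problem:
        return False, problem
    account = card["cert"]["upn"]
    if account not in AD_USERS:  # Stage 3: name on card must map to an AD user
        return False, "no matching AD account"
    return True, {"principal": account + "@WH.EXAMPLE", "issued": today}
```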
You're not alone in bringing Macs into a Windows environment. Lately, we've seen so many companies whose executives brought new Mac laptops into work and demanded support that there is a group of commercial software providers who joined together to form the Enterprise Desktop Alliance in order to promote the use of Mac computers within the enterprise. These companies provide solutions to enable Windows-centric IT organizations to embrace and support Mac computers with the same tools that are currently used to manage Windows computers. These solutions enable several features of the Mac that you need to use your Mac in the Windows environments and at the same time secure these systems to meet federal government standards.
"Change" may be the motto, but there's no reason people should have to change their preferred system when they come to work for you. So stand up for freedom of system choice. Tell your IT support staff that all they need are a few tools to help them manage your Macs. Then your team will be able to focus on getting the people's work done instead of trying to get their systems to work.
A fellow Mac user and caring citizen
David McNeely is director of product management at Centrify, a provider of solutions for enabling secure, connected computing environments.