Risk
5/20/2013
10:13 AM
Connect Directly
RSS
E-Mail
50%
50%

Google, DISA Launch User ID Pilot

Defense Department and Google pilot test seeks more secure ways to authenticate users on commercial cloud services.

10 Top Password Managers
10 Top Password Managers
(click image for slideshow)
The Department of Defense (DOD) is taking tentative steps with Google to tackle one of the primary obstacles to adopting commercial cloud computing: the need to reliably authenticate users.

The Defense Information Systems Agency (DISA) confirmed that it is developing a proof of concept Authentication Gateway Service (AGS) that would allow for secure translation between DOD public key infrastructure (PKI) common access card authentication and Google-provided cloud services.

"This is a pilot effort to validate the ability to use DISA's Authentication Gateway with external cloud solutions using the standards-based Security Assertion Markup Language (SAML) protocol as well as explore interoperability and usability issues in commercial cloud-based email services," said David M. Mihelcic, CTO for DISA.

The pilot program makes use of Google Apps for Government as a way to test the ability of users to utilize their common access cards for authentication. But Mihelcic cautioned against speculation about broader use of Google Apps beyond the pilot for now. "DISA is not adopting Google Apps for Government," he said.

[ Want to know about another Google-government collaboration? See Google, NASA Team On Quantum Computing. ]

The purpose of the pilot is to find reliable alternatives for authenticating users and ultimately eliminate the less-secure password-based login.

During the first phase of the pilot, 50 DISA employees will use Google Apps for Government to process only non-sensitive unclassified data. At the same time, DISA's field security office is conducting a security evaluation of Google Apps for Government to determine if the service can support additional pilot users as well as sensitive but unclassified data.

The program isn't the first effort by DISA to develop authentication services for cloud-based email services.

"DISA previously developed enterprise directory services and identity synchronization services to allow for secure (non-password based) authentication to the Microsoft Exchange-based Defense Enterprise Email (DEE) service," he said. "The authentication gateway extends these services using the Security Assertion Markup Language to allow for rapid integration with cloud-based services."

The pilot program with Google began to take shape in February when DISA and Google signed a Cooperative Research and Development Agreement (CRADA) to explore innovate ways for DOD users to securely authenticate to commercial cloud service providers.

"The DISA-Google CRADA work is a necessary precursor activity that if successful would allow DISA to bring competitive commercial cloud-based email providers into the [DEE] service offering," said rear admiral David Simpson, vice director of DISA, in a prepared release from DISA.

He added that the program's goal would be to provide for a portion of DOD email user communities to work with lowest cost, technically acceptable service providers whose security is assured and commensurate with various missions. The initial implementation would focus on a single enterprise e-mail system that utilizes one directory service for the entire DOD and "seamless collaboration between commercial and DOD-hosted environments," Simpson said.

"While the current Google pilot is scheduled to end on Sept. 30, this is laying the groundwork for many future cloud services," said Jack Wilmer, DISA's deputy CTO for enterprise services. "The results of the CRADA are going to play a major role in our cloud strategy going forward."

DISA officials said, given the importance of enterprise email to DOD, the agency also is using the Google pilot to explore and validate next-generation approaches to cloud-based email that can augment DISA's existing Defense Enterprise Computing Center, which hosts the DEE service.

DISA is looking to integrate its enterprise directory services with cloud-based email to allow a single global address list to support total email interoperability. To accomplish that, an agency spokesperson said DISA is using its identity synchronization service to automatically provision Google pilot users and synchronize the global address list between the DEE service and the pilot.

"If we can validate this approach," said Wilmer, "in the future we will be able to competitively acquire cloud-based email services to provide browser-based email for users that don't need all of DEE's features."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.