Risk
5/20/2013
10:13 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%
Repost This

Google, DISA Launch User ID Pilot

Defense Department and Google pilot test seeks more secure ways to authenticate users on commercial cloud services.

10 Top Password Managers
10 Top Password Managers
(click image for slideshow)
The Department of Defense (DOD) is taking tentative steps with Google to tackle one of the primary obstacles to adopting commercial cloud computing: the need to reliably authenticate users.

The Defense Information Systems Agency (DISA) confirmed that it is developing a proof of concept Authentication Gateway Service (AGS) that would allow for secure translation between DOD public key infrastructure (PKI) common access card authentication and Google-provided cloud services.

"This is a pilot effort to validate the ability to use DISA's Authentication Gateway with external cloud solutions using the standards-based Security Assertion Markup Language (SAML) protocol as well as explore interoperability and usability issues in commercial cloud-based email services," said David M. Mihelcic, CTO for DISA.

The pilot program makes use of Google Apps for Government as a way to test the ability of users to utilize their common access cards for authentication. But Mihelcic cautioned against speculation about broader use of Google Apps beyond the pilot for now. "DISA is not adopting Google Apps for Government," he said.

[ Want to know about another Google-government collaboration? See Google, NASA Team On Quantum Computing. ]

The purpose of the pilot is to find reliable alternatives for authenticating users and ultimately eliminate the less-secure password-based login.

During the first phase of the pilot, 50 DISA employees will use Google Apps for Government to process only non-sensitive unclassified data. At the same time, DISA's field security office is conducting a security evaluation of Google Apps for Government to determine if the service can support additional pilot users as well as sensitive but unclassified data.

The program isn't the first effort by DISA to develop authentication services for cloud-based email services.

"DISA previously developed enterprise directory services and identity synchronization services to allow for secure (non-password based) authentication to the Microsoft Exchange-based Defense Enterprise Email (DEE) service," he said. "The authentication gateway extends these services using the Security Assertion Markup Language to allow for rapid integration with cloud-based services."

The pilot program with Google began to take shape in February when DISA and Google signed a Cooperative Research and Development Agreement (CRADA) to explore innovate ways for DOD users to securely authenticate to commercial cloud service providers.

"The DISA-Google CRADA work is a necessary precursor activity that if successful would allow DISA to bring competitive commercial cloud-based email providers into the [DEE] service offering," said rear admiral David Simpson, vice director of DISA, in a prepared release from DISA.

He added that the program's goal would be to provide for a portion of DOD email user communities to work with lowest cost, technically acceptable service providers whose security is assured and commensurate with various missions. The initial implementation would focus on a single enterprise e-mail system that utilizes one directory service for the entire DOD and "seamless collaboration between commercial and DOD-hosted environments," Simpson said.

"While the current Google pilot is scheduled to end on Sept. 30, this is laying the groundwork for many future cloud services," said Jack Wilmer, DISA's deputy CTO for enterprise services. "The results of the CRADA are going to play a major role in our cloud strategy going forward."

DISA officials said, given the importance of enterprise email to DOD, the agency also is using the Google pilot to explore and validate next-generation approaches to cloud-based email that can augment DISA's existing Defense Enterprise Computing Center, which hosts the DEE service.

DISA is looking to integrate its enterprise directory services with cloud-based email to allow a single global address list to support total email interoperability. To accomplish that, an agency spokesperson said DISA is using its identity synchronization service to automatically provision Google pilot users and synchronize the global address list between the DEE service and the pilot.

"If we can validate this approach," said Wilmer, "in the future we will be able to competitively acquire cloud-based email services to provide browser-based email for users that don't need all of DEE's features."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2012-0871
Published: 2014-04-18
The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.

CVE-2012-6646
Published: 2014-04-18
F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security before 11500 for Mac OS X allows local users to disable the Mac OS X firewall via unspecified vectors.

CVE-2013-4279
Published: 2014-04-18
imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.

Best of the Web