Risk
5/20/2013
10:13 AM
Connect Directly
RSS
E-Mail
50%
50%

Google, DISA Launch User ID Pilot

Defense Department and Google pilot test seeks more secure ways to authenticate users on commercial cloud services.

10 Top Password Managers
10 Top Password Managers
(click image for slideshow)
The Department of Defense (DOD) is taking tentative steps with Google to tackle one of the primary obstacles to adopting commercial cloud computing: the need to reliably authenticate users.

The Defense Information Systems Agency (DISA) confirmed that it is developing a proof of concept Authentication Gateway Service (AGS) that would allow for secure translation between DOD public key infrastructure (PKI) common access card authentication and Google-provided cloud services.

"This is a pilot effort to validate the ability to use DISA's Authentication Gateway with external cloud solutions using the standards-based Security Assertion Markup Language (SAML) protocol as well as explore interoperability and usability issues in commercial cloud-based email services," said David M. Mihelcic, CTO for DISA.

The pilot program makes use of Google Apps for Government as a way to test the ability of users to utilize their common access cards for authentication. But Mihelcic cautioned against speculation about broader use of Google Apps beyond the pilot for now. "DISA is not adopting Google Apps for Government," he said.

[ Want to know about another Google-government collaboration? See Google, NASA Team On Quantum Computing. ]

The purpose of the pilot is to find reliable alternatives for authenticating users and ultimately eliminate the less-secure password-based login.

During the first phase of the pilot, 50 DISA employees will use Google Apps for Government to process only non-sensitive unclassified data. At the same time, DISA's field security office is conducting a security evaluation of Google Apps for Government to determine if the service can support additional pilot users as well as sensitive but unclassified data.

The program isn't the first effort by DISA to develop authentication services for cloud-based email services.

"DISA previously developed enterprise directory services and identity synchronization services to allow for secure (non-password based) authentication to the Microsoft Exchange-based Defense Enterprise Email (DEE) service," he said. "The authentication gateway extends these services using the Security Assertion Markup Language to allow for rapid integration with cloud-based services."

The pilot program with Google began to take shape in February when DISA and Google signed a Cooperative Research and Development Agreement (CRADA) to explore innovate ways for DOD users to securely authenticate to commercial cloud service providers.

"The DISA-Google CRADA work is a necessary precursor activity that if successful would allow DISA to bring competitive commercial cloud-based email providers into the [DEE] service offering," said rear admiral David Simpson, vice director of DISA, in a prepared release from DISA.

He added that the program's goal would be to provide for a portion of DOD email user communities to work with lowest cost, technically acceptable service providers whose security is assured and commensurate with various missions. The initial implementation would focus on a single enterprise e-mail system that utilizes one directory service for the entire DOD and "seamless collaboration between commercial and DOD-hosted environments," Simpson said.

"While the current Google pilot is scheduled to end on Sept. 30, this is laying the groundwork for many future cloud services," said Jack Wilmer, DISA's deputy CTO for enterprise services. "The results of the CRADA are going to play a major role in our cloud strategy going forward."

DISA officials said, given the importance of enterprise email to DOD, the agency also is using the Google pilot to explore and validate next-generation approaches to cloud-based email that can augment DISA's existing Defense Enterprise Computing Center, which hosts the DEE service.

DISA is looking to integrate its enterprise directory services with cloud-based email to allow a single global address list to support total email interoperability. To accomplish that, an agency spokesperson said DISA is using its identity synchronization service to automatically provision Google pilot users and synchronize the global address list between the DEE service and the pilot.

"If we can validate this approach," said Wilmer, "in the future we will be able to competitively acquire cloud-based email services to provide browser-based email for users that don't need all of DEE's features."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio