1/4/2013
10:55 AM

Postal Service Pilots Next-Gen Authentication Tech

U.S. Postal Service pilots an implementation of the Federal Cloud Credential Exchange to facilitate use of government online services.

The U.S. Postal Service will be the guinea pig for a White House-led effort to accelerate government adoption of technologies that allow federal agencies to accept third-party identity credentials for online services. The program involves using services from organizations like PayPal and Google through standards like OpenID rather than requiring users to create government usernames and passwords.

The government hopes the pilot will serve as the foundation for a wider, federated approach to identity management for government services. Procurement documents characterize the goal as having a single "broker" to validate disparate identity credentials across a wide range of federal agencies. Federal CIO Steve VanRoekel set a requirement in October 2011 that within three years from that date, federal agencies would be able to accept third-party credentials to facilitate access to online government services.

The federated identity effort, known as the Federal Cloud Credential Exchange, is just one piece of a broader Obama administration online identity initiative: the National Strategy for Trusted Identities in Cyberspace (NSTIC), which aims to catalyze private sector-led development of a secure, digital "identity ecosystem" to better protect identities online.


NSTIC calls on the government to be an early adopter of technologies that may become a part of the identity ecosystem. A few agencies, such as the National Institutes of Health, have tested third-party credentialing, but by and large, federal agencies have been slow to adopt these technologies. According to procurement documents for the Postal Service pilot, technical, policy and cost barriers have kept agencies from offering many transactional services to the American public, such as applying for benefits, transacting business at agency websites, downloading healthcare data and filing taxes.

These challenges have recently begun to be ironed out via a set of standards and requirements drawn up by a group of agencies that have large numbers of citizens accessing their services online. The Post Office's Digital Solutions Group will pilot these federated credentialing requirements with some help from the General Services Administration and one or more third-party providers of a software-as-a-service-based credentialing exchange.

The Postal Service pilot has a long list of requirements covering how authentication should work, how privacy should be handled, audit and reporting, compliance with federal law and standards, availability and scalability. The Federal Cloud Credential Exchange (FCCX) will most likely not store personally identifiable information and will not have any visibility into any such data, but rather will rely on and support a number of third-party credentialing systems and protocols like SAML and OpenID.

The one-year pilot will need to scale to support large numbers of users. It must be capable of supporting 135 million customers and as many as one million transactions hourly, according to procurement documents. The Postal Service has been eyeing more advanced digital authentication capabilities for some time.

Among the vendors already expressing interest in the pilot project are Symantec, McAfee, Amazon Web Services, Akamai, hybrid cloud authentication vendor Xceedium and a number of government contractors.

The Postal Service pilot is but one of several different pilots that are part of NSTIC. There are also three cryptography pilots and two non-cryptographic privacy pilots in the works. Each of those pilots is being carried out by multiple private sector organizations ranging from the Virginia Department of Motor Vehicles to AOL to AARP to Aetna.
