Risk
1/4/2013
10:55 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Postal Service Pilots Next-Gen Authentication Tech

U.S. Postal Service pilots an implementation of the Federal Cloud Credential Exchange to facilitate use of government online services.

IW500: 15 Top Government Tech Innovators
IW500: 15 Top Government Tech Innovators
(click image for larger view and for slideshow)
The U.S. Postal Service will be the guinea pig for a White House-led effort to accelerate government adoption of technologies that allow federal agencies to accept third-party identity credentials for online services. The program involves using services from organizations like PayPal and Google through standards like OpenID rather than requiring users to create government usernames and passwords.

The government hopes the pilot will serve as the foundation for a wider, federated approach to identity management for government services. Procurement documents characterize the goal as having a single "broker" to validate disparate identity credentials across a wide range of federal agencies. Federal CIO Steve VanRoekel set a requirement in October 2011 that within three years from that date, federal agencies would be able to accept third-party credentials to facilitate access to online government services.

The federated identity effort, known as the Federal Cloud Credential Exchange, is just one piece of a broader Obama administration online identity initiative: the National Strategy for Trusted Identities in Cyberspace (NSTIC), which aims to catalyze private sector-led development of a secure, digital "identity ecosystem" to better protect identities online.

[ The FedRAMP program aims to make it easier for government agencies to adopt cloud services. Read about it at Feds Issue First Cloud Services Security Authorization. ]

NSTIC calls on the government to be an early adopter of technologies that may become a part of the identity ecosystem. A few agencies, such as the National Institutes of Health, have tested third-party credentialing, but by and large, federal agencies have been slow to adopt these technologies. Technical, policy and cost barriers, according to procurement documents for the Postal Service pilot, have held up agencies from offering many transactional services to the American public, such as applying for benefits, transacting business at agency Websites, downloading healthcare data and filing taxes.

These challenges have recently begun to be ironed out via a set of standards and requirements drawn up by a group of agencies that have large numbers of citizens accessing their services online. The Post Office's Digital Solutions Group will pilot these ironed-out federated credentialing requirements with some help from the General Services Administration and a third-party provider or providers of software-as-a-service-based credentialing exchange.

The Postal Service pilot has a long list of requirements as to how authentication should work, how privacy should be handled, audit and reporting requirements, compliance with federal law and standards, availability and scalability. FCCX will most likely not store personally identifiable information and will not have any visibility into any such data, but rather will rely on and support a number of third-party credentialing systems and protocols like SAML and OpenID.

The one-year pilot will need to scale to support large numbers of users. It must be capable of supporting 135 million customers and as many as one million transactions hourly, according to procurement documents. The Postal Service has been eyeing more advanced digital authentication capabilities for some time.

Among the vendors already expressing interest in the pilot project are Symantec, McAfee, Amazon Web Services, Akamai, hybrid cloud authentication vendor Xceedium and a number of government contractors.

The Postal Service pilot is but one of several different pilots that are part of NSTIC. There are also three cryptography pilots and two non-cryptographic privacy pilots in the works. Each of those pilots is being carried out by multiple private sector organizations ranging from the Virginia Department of Motor Vehicles to AOL to AARP to Aetna.

Federal guidelines call for a move to virtualized environments, yet little funding exists to make that happen. Without a mandate, it may take decades to finish the job. Also in the new, all-digital Server Virtualization issue of InformationWeek Government IT Trends: Our survey shows no progress in using shared clouds within federal government, but there's growing interest in using commercial cloud services and running private clouds. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Why Cybersecurity Must Be an International Effort
Kelly Sheridan, Associate Editor, Dark Reading,  12/6/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.