Risk
1/4/2013
10:55 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Postal Service Pilots Next-Gen Authentication Tech

U.S. Postal Service pilots an implementation of the Federal Cloud Credential Exchange to facilitate use of government online services.

IW500: 15 Top Government Tech Innovators
IW500: 15 Top Government Tech Innovators
(click image for larger view and for slideshow)
The U.S. Postal Service will be the guinea pig for a White House-led effort to accelerate government adoption of technologies that allow federal agencies to accept third-party identity credentials for online services. The program involves using services from organizations like PayPal and Google through standards like OpenID rather than requiring users to create government usernames and passwords.

The government hopes the pilot will serve as the foundation for a wider, federated approach to identity management for government services. Procurement documents characterize the goal as having a single "broker" to validate disparate identity credentials across a wide range of federal agencies. Federal CIO Steve VanRoekel set a requirement in October 2011 that within three years from that date, federal agencies would be able to accept third-party credentials to facilitate access to online government services.

The federated identity effort, known as the Federal Cloud Credential Exchange, is just one piece of a broader Obama administration online identity initiative: the National Strategy for Trusted Identities in Cyberspace (NSTIC), which aims to catalyze private sector-led development of a secure, digital "identity ecosystem" to better protect identities online.

[ The FedRAMP program aims to make it easier for government agencies to adopt cloud services. Read about it at Feds Issue First Cloud Services Security Authorization. ]

NSTIC calls on the government to be an early adopter of technologies that may become a part of the identity ecosystem. A few agencies, such as the National Institutes of Health, have tested third-party credentialing, but by and large, federal agencies have been slow to adopt these technologies. Technical, policy and cost barriers, according to procurement documents for the Postal Service pilot, have held up agencies from offering many transactional services to the American public, such as applying for benefits, transacting business at agency Websites, downloading healthcare data and filing taxes.

These challenges have recently begun to be ironed out via a set of standards and requirements drawn up by a group of agencies that have large numbers of citizens accessing their services online. The Post Office's Digital Solutions Group will pilot these ironed-out federated credentialing requirements with some help from the General Services Administration and a third-party provider or providers of software-as-a-service-based credentialing exchange.

The Postal Service pilot has a long list of requirements as to how authentication should work, how privacy should be handled, audit and reporting requirements, compliance with federal law and standards, availability and scalability. FCCX will most likely not store personally identifiable information and will not have any visibility into any such data, but rather will rely on and support a number of third-party credentialing systems and protocols like SAML and OpenID.

The one-year pilot will need to scale to support large numbers of users. It must be capable of supporting 135 million customers and as many as one million transactions hourly, according to procurement documents. The Postal Service has been eyeing more advanced digital authentication capabilities for some time.

Among the vendors already expressing interest in the pilot project are Symantec, McAfee, Amazon Web Services, Akamai, hybrid cloud authentication vendor Xceedium and a number of government contractors.

The Postal Service pilot is but one of several different pilots that are part of NSTIC. There are also three cryptography pilots and two non-cryptographic privacy pilots in the works. Each of those pilots is being carried out by multiple private sector organizations ranging from the Virginia Department of Motor Vehicles to AOL to AARP to Aetna.

Federal guidelines call for a move to virtualized environments, yet little funding exists to make that happen. Without a mandate, it may take decades to finish the job. Also in the new, all-digital Server Virtualization issue of InformationWeek Government IT Trends: Our survey shows no progress in using shared clouds within federal government, but there's growing interest in using commercial cloud services and running private clouds. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.