
Exostar Set to Launch Federated Identity Service for Aerospace

Service vets and authenticates customers and trading partners for its members

When you use the Internet to sell your old golf clubs, you've got two security challenges: making sure that the person you're selling to is trustworthy, and making sure that others don't try to steal your data while you're doing the transaction.

Now imagine that instead of a person selling golf clubs, you're Boeing, and you want to use the Internet to share the plans for a top-secret warplane with one of your business partners.

That's the challenge faced every day by Exostar, the online B2B community that serves the aerospace and defense industries. For more than a decade, Exostar has been linking aerospace companies like Lockheed Martin, BAE, and Rolls Royce with government agencies, allowing them to securely transact purchases and do collaborative projects.

Exostar's collaborative environment provides the infrastructure that allows aerospace companies to work together over the Web, but the question of certifying an individual -- authenticating that they are who they say they are, and authorizing them to access specific applications and capabilities in the community or on a member company's systems -- has been a tricky one.

Next week, however, Exostar will launch a new capability, the Federated Identity Service (FIS), that performs "credentialing" on behalf of Exostar's members, ensuring that individuals who attempt to use the systems of the community or its members are who they say they are -- and are authorized to use the systems they are trying to access.

FIS will essentially replace many of the security processes that companies outside the community must carry out bilaterally with each trading partner. For example, Exostar will verify the location and identity of an individual who attempts to log on, and ensure that their connection is secure. Exostar's systems will also check that the individual has access rights to the applications they are using, as defined by the contracts and access privileges its member companies have set.

Using PKI, Exostar also encrypts the communications between the individual and the member company, and timestamps every communication and transaction, both to establish that they are authentic and to provide an audit trail for assessors and legal authorities.
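The two paragraphs above describe the core of a brokered identity service: a member presents a certificate issued under the community PKI, the broker checks that it chains to the community trust anchor and is still valid, looks up whether a contract between the user's company and the customer grants access to the requested application, and records a timestamped decision for assessors. The Go program below is an added illustration of that flow written for this page; it is not Exostar's code, and the article does not describe how FIS is actually built. Everything in it is constructed: the company and user names, the `Contract` registry shape, the `Broker` type, and an in-memory CA created with the standard library's `crypto/x509` package. It deliberately walks through the failure modes a broker must reject (no contract, expired certificate, certificate from a CA outside the community) alongside the one login that succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Contract: Customer has agreed that Supplier's staff may use App (hypothetical registry shape).
type Contract struct{ Supplier, Customer, App string }

// AuditRecord is one timestamped access decision kept for assessors.
type AuditRecord struct {
	At                     time.Time
	User, Org, App, Reason string
	Allowed                bool
}

// Broker is a minimal federated identity service: one community trust anchor, one contract registry, one audit trail.
type Broker struct {
	Roots     *x509.CertPool
	Contracts map[Contract]bool
	Audit     []AuditRecord
}

// Authorize: the presented certificate must chain to the community CA and be valid at now,
// and a contract must link the user's company (O=) to the customer's application. Every decision is logged.
func (b *Broker) Authorize(leaf *x509.Certificate, customer, app string, now time.Time) bool {
	rec := AuditRecord{At: now, User: leaf.Subject.CommonName, App: app}
	if len(leaf.Subject.Organization) > 0 {
		rec.Org = leaf.Subject.Organization[0]
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: b.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	switch {
	case err != nil:
		rec.Reason = "certificate rejected: " + err.Error()
	case !b.Contracts[Contract{rec.Org, customer, app}]:
		rec.Reason = "no contract between " + rec.Org + " and " + customer + " for " + app
	default:
		rec.Allowed, rec.Reason = true, "community certificate valid, contract present"
	}
	b.Audit = append(b.Audit, rec)
	return rec.Allowed
}

var serial int64 // certificate serial counter for the in-memory CAs

// newCert issues an in-memory ECDSA certificate: a self-signed CA when parent is nil, otherwise a
// client-auth certificate for one individual (O = member company, CN = person) signed by parent.
func newCert(org, cn string, from, to time.Time, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: from, NotAfter: to,
		Subject:  pkix.Name{Organization: []string{org}, CommonName: cn},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed community CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func must(err error) { if err != nil { panic(err) } }

// Scenario runs four logins against the broker (constructed names, not real members) and returns the trail.
func Scenario() []AuditRecord {
	now, day := time.Now(), 24*time.Hour
	ca, caKey := newCert("Example Community", "Community CA", now.Add(-day), now.Add(day), nil, nil)
	rogue, rogueKey := newCert("Outsider", "Not The Community CA", now.Add(-day), now.Add(day), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	b := &Broker{Roots: roots, Contracts: map[Contract]bool{{"Supplier Ltd", "Airframer Inc", "design-share"}: true}}
	alice, _ := newCert("Supplier Ltd", "alice", now.Add(-day), now.Add(day), ca, caKey)           // in contract
	bob, _ := newCert("Other Corp", "bob", now.Add(-day), now.Add(day), ca, caKey)                  // no contract
	carol, _ := newCert("Supplier Ltd", "carol", now.Add(-2*day), now.Add(-day), ca, caKey)         // expired
	mallory, _ := newCert("Supplier Ltd", "mallory", now.Add(-day), now.Add(day), rogue, rogueKey) // outside the PKI
	for _, u := range []*x509.Certificate{alice, bob, carol, mallory} {
		b.Authorize(u, "Airframer Inc", "design-share", now)
	}
	return b.Audit
}

func main() {
	for _, r := range Scenario() {
		fmt.Printf("%s %-8s %-13s allowed=%-5t %s\n", r.At.Format(time.RFC3339), r.User, r.Org, r.Allowed, r.Reason)
	}
}
```

Two design points carry over to a real deployment. The broker pins `Roots` to the community CA only, so a certificate that is perfectly valid under some other PKI (mallory's) is rejected outright; that is what makes the community a closed trust domain rather than "anyone with a certificate". And the contract lookup keys on the organization in the certificate, not on the user, so a member company's entire staff gains or loses access when the contract changes, which is the economy of scale the article is describing. The one-line `must` helper is written that way only to keep the example short; gofmt would spread it over three lines.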

With FIS, Exostar resolves many of the security issues faced by supply chains that want to do business online. Back in the heyday of Internet fever, many industries and organizations attempted to build "B2B exchanges" and online communities, using the successful eBay as a model. In the end, however, few succeeded, partly because eBay's trust model was insufficient to secure high-dollar business transactions and collaboration.

"The key for a community like this is to define who you are," says Vijay Takanti, vice president and security program director at Exostar, which serves more than 40,000 companies worldwide. "There has to be a standard for certifying your identity and to verify that I have a contract with you. If you can't do that, all the other capabilities of the community are useless."

In essence, Exostar's PKI certificates let users move between the authorized systems of their trading partners, much as a passport allows a person to be authenticated and tracked in the physical world. The system is significantly cheaper than bilateral exchanges of certificates or multifactor authentication schemes such as smart cards.

"We're linking over 40,000 members, so we can achieve economies of scale that no one company could achieve with its partners," Takanti says. And because Exostar's members are outsourcing the authentication process, they can reduce or eliminate their investment in in-house remote access or "guest access" technologies, such as network access control (NAC), which some companies are attempting to use with their suppliers and trading partners.

There's only one problem with the Exostar service: you have to be a member to use it. That means FIS can only help companies in the aerospace and defense industries, although similar communities are operating in industries such as pharmaceuticals and financial services, Takanti observes.

"For a community of interest, where there's agreement on standards for authentication and credentialing, this model makes great sense. I think we may see it applied in other industries," Takanti says.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...