
Exostar Set to Launch Federated Identity Service for Aerospace

Service vets and authenticates customers and trading partners for its members

When you use the Internet to sell your old golf clubs, you've got two security challenges: making sure that the person you're selling to is trustworthy, and making sure that others don't try to steal your data while you're doing the transaction.

Now imagine that instead of a person selling golf clubs, you're Boeing, and you want to use the Internet to share the plans to a top-secret warplane with one of your business partners.

That's the challenge faced every day by Exostar, the online B2B community that serves the aerospace and defense industries. For more than a decade, Exostar has been linking aerospace companies like Lockheed Martin, BAE, and Rolls Royce with government agencies, allowing them to securely transact purchases and do collaborative projects.

Exostar's collaborative environment provides the infrastructure that allows aerospace companies to work together over the Web, but the question of certifying an individual's identity -- ensuring that they are who they say they are, and that they have the rights to access specific applications and capabilities in the community or on a member company's systems -- has been a tricky one.

Next week, however, Exostar will launch a new capability, the Federated Identity Service, that handles "credentialing" on behalf of Exostar's members, ensuring that individuals who attempt to use the systems of the community or its members are who they say they are -- and are authorized to use the systems they are trying to access.

The FIS service will essentially replace many of the security processes that companies outside the community must carry out bilaterally with each of their trading partners. For example, Exostar will verify the location and the identity of an individual who attempts to log on, and ensure that their connection is secure. Exostar's systems will also ensure that the individual has access rights to the applications they are using, as defined by the contracts and access privileges its member companies specify.

Using PKI technology, Exostar also encrypts the communications between the individual and the member company, and dates and timestamps all communications and transactions to ensure that they are authentic and to provide an audit trail for assessors and legal authorities.

With FIS, Exostar resolves many of the security issues faced by supply chains that want to do business online. Back in the heyday of Internet fever, many industries and organizations attempted to build "B2B exchanges" and online communities, using the successful eBay as a model. In the end, however, few succeeded, partly because eBay's trust model was insufficient to secure high-dollar business transactions and collaboration.

"The key for a community like this is to define who you are," says Vijay Takanti, vice president and security program director at Exostar, which serves more than 40,000 companies worldwide. "There has to be a standard for certifying your identity and to verify that I have a contract with you. If you can't do that, all the other capabilities of the community are useless."

In essence, Exostar's PKI certificates allow users to move in and out of their trading partners' authorized systems, much as a passport allows a person to be authenticated and tracked in the physical world. The system is significantly cheaper than bilateral exchanges of certificates or multifactor authentication schemes such as smart cards.

"We're linking over 40,000 members, so we can achieve economies of scale that no one company could achieve with its partners," Takanti says. And because Exostar's members are outsourcing the authentication process, they can reduce or eliminate their investment in in-house remote access or "guest access" technologies, such as network access control (NAC), which some companies are attempting to use with their suppliers and trading partners.

There's only one problem with the Exostar service: you have to be a member to use it. That means FIS can only help companies in the aerospace and defense industries, although similar communities are operating in industries such as pharmaceuticals and financial services, Takanti observes.

"For a community of interest, where there's agreement on standards for authentication and credentialing, this model makes great sense. I think we may see it applied in other industries," Takanti says.


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
