
Exostar Set to Launch Federated Identity Service for Aerospace

Service vets and authenticates customers and trading partners for its members

When you use the Internet to sell your old golf clubs, you've got two security challenges: making sure that the person you're selling to is trustworthy, and making sure that others don't try to steal your data while you're doing the transaction.

Now imagine that instead of a person selling golf clubs, you're Boeing, and you want to use the Internet to share the plans to a top-secret warplane with one of your business partners.

That's the challenge faced every day by Exostar, the online B2B community that serves the aerospace and defense industries. For more than a decade, Exostar has been linking aerospace companies like Lockheed Martin, BAE, and Rolls-Royce with government agencies, allowing them to securely transact purchases and carry out collaborative projects.

Exostar's collaborative environment provides the infrastructure that allows aerospace companies to work together over the Web, but the question of certifying an individual's identity -- ensuring that they are who they say they are, and that they have the rights to access specific applications and capabilities in the community or on a member company's systems -- has been a tricky one.

Next week, however, Exostar will launch a new capability, the Federated Identity Service, that handles "credentialing" on behalf of Exostar's members, ensuring that individuals who attempt to use the systems of the community or its members are who they say they are -- and are authorized to use the systems they are trying to access.

The FIS service will essentially replace many of the security processes that companies outside the community must perform on a bilateral basis with each of their trading partners. For example, Exostar will verify the location and the identity of an individual who attempts to log on, and ensure that their connection is secure. Exostar's systems will also ensure that the individual has access rights to the applications they are using, as set out in the contracts and access privileges defined by its member companies.

Using PKI technology, Exostar also encrypts the communications between the individual and the member company, and dates and timestamps all communications and transactions to ensure that they are authentic and to provide an audit trail for assessors and legal authorities.

With FIS, Exostar resolves many of the security issues faced by supply chains that want to do business online. Back in the heyday of Internet fever, many industries and organizations attempted to build "B2B exchanges" and online communities, using the successful eBay as a model. In the end, however, few succeeded, partly because eBay's trust model was insufficient to secure high-dollar business transactions and collaboration.

"The key for a community like this is to define who you are," says Vijay Takanti, vice president and security program director at Exostar, which serves more than 40,000 companies worldwide. "There has to be a standard for certifying your identity and to verify that I have a contract with you. If you can't do that, all the other capabilities of the community are useless."

In essence, Exostar's PKI certificates allow users to move in and out of the authorized systems of their trading partners, much as a passport allows a person to be authenticated and tracked in the physical world. The system is significantly cheaper than bilateral exchanges of certificates or multifactor authentication schemes such as smart cards.

"We're linking over 40,000 members, so we can achieve economies of scale that no one company could achieve with its partners," Takanti says. And because Exostar's members are outsourcing the authentication process, they can reduce or eliminate their investment in in-house remote access or "guest access" technologies, such as network access control (NAC), which some companies are attempting to use with their suppliers and trading partners.

There's only one problem with the Exostar service: you have to be a member to use it. That means FIS can only help companies in the aerospace and defense industries, although similar communities are operating in industries such as pharmaceuticals and financial services, Takanti observes.

"For a community of interest, where there's agreement on standards for authentication and credentialing, this model makes great sense. I think we may see it applied in other industries," Takanti says.


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
