Exostar Set to Launch Federated Identity Service for Aerospace

Service vets and authenticates customers and trading partners for its members

When you use the Internet to sell your old golf clubs, you've got two security challenges: making sure that the person you're selling to is trustworthy, and making sure that others don't try to steal your data while you're doing the transaction.

Now imagine that instead of a person selling golf clubs, you're Boeing, and you want to use the Internet to share the plans to a top-secret warplane with one of your business partners.

That's the challenge faced every day by Exostar, the online B2B community that serves the aerospace and defense industries. For more than a decade, Exostar has been linking aerospace companies like Lockheed Martin, BAE, and Rolls Royce with government agencies, allowing them to securely transact purchases and do collaborative projects.

Exostar's collaborative environment provides the infrastructure that allows aerospace companies to work together over the Web, but the question of certifying an individual's identity -- ensuring that they are who they say they are, and that they have the rights to access specific applications and capabilities in the community or on a member company's systems -- has been a tricky one.

Next week, however, Exostar will launch a new capability, the Federated Identity Service (FIS), that performs "credentialing" on behalf of Exostar's members, ensuring that individuals who attempt to use the systems of the community or its members are who they say they are -- and are authorized to use the systems they are trying to access.

FIS will essentially replace many of the security processes that most companies outside the community must perform on a bilateral basis with their trading partners. For example, Exostar will verify the location and the identity of an individual who attempts to log on, and ensure that their connection is secure. Exostar's systems will also ensure that the individual has access rights to the applications they are using, as defined by contracts and by the access privileges set by its member companies.

Using PKI technology, Exostar also encrypts the communications between the individual and the member company, and dates and timestamps all communications and transactions to ensure that they are authentic and to provide an audit trail for assessors and legal authorities.

With FIS, Exostar resolves many of the security issues faced by supply chains that want to do business online. Back in the heyday of Internet fever, many industries and organizations attempted to build "B2B exchanges" and online communities, using the successful eBay as a model. In the end, however, few succeeded, partly because eBay's trust model was insufficient to secure high-dollar business transactions and collaboration.

"The key for a community like this is to define who you are," says Vijay Takanti, vice president and security program director at Exostar, which serves more than 40,000 companies worldwide. "There has to be a standard for certifying your identity and to verify that I have a contract with you. If you can't do that, all the other capabilities of the community are useless."

In essence, Exostar's PKI certificates allow users to come and go into authorized systems of their trading partners, much as a passport allows a person to be authenticated and tracked in the physical world. The system is significantly cheaper than bilateral exchanges of certificates or multifactor authentication schemes such as smart cards.

"We're linking over 40,000 members, so we can achieve economies of scale that no one company could achieve with its partners," Takanti says. And because Exostar's members are outsourcing the authentication process, they can reduce or eliminate their investment in in-house remote access or "guest access" technologies, such as network access control (NAC), which some companies are attempting to use with their suppliers and trading partners.

There's only one problem with the Exostar service: you have to be a member to use it. That means FIS can only help companies in the aerospace and defense industries, although similar communities are operating in industries such as pharmaceuticals and financial services, Takanti observes.

"For a community of interest, where there's agreement on standards for authentication and credentialing, this model makes great sense. I think we may see it applied in other industries," Takanti says.


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
