The Defense Information Systems Agency (DISA) confirmed that it is developing a proof of concept Authentication Gateway Service (AGS) that would allow for secure translation between DOD public key infrastructure (PKI) common access card authentication and Google-provided cloud services.
"This is a pilot effort to validate the ability to use DISA's Authentication Gateway with external cloud solutions using the standards-based Security Assertion Markup Language (SAML) protocol as well as explore interoperability and usability issues in commercial cloud-based email services," said David M. Mihelcic, CTO for DISA.
The pilot program makes use of Google Apps for Government as a way to test the ability of users to utilize their common access cards for authentication. But Mihelcic cautioned against speculation about broader use of Google Apps beyond the pilot for now. "DISA is not adopting Google Apps for Government," he said.
[ Want to know about another Google-government collaboration? See Google, NASA Team On Quantum Computing. ]
The purpose of the pilot is to find reliable alternatives for authenticating users and ultimately eliminate the less-secure password-based login.
During the first phase of the pilot, 50 DISA employees will use Google Apps for Government to process only non-sensitive unclassified data. At the same time, DISA's field security office is conducting a security evaluation of Google Apps for Government to determine if the service can support additional pilot users as well as sensitive but unclassified data.
The program isn't the first effort by DISA to develop authentication services for cloud-based email services.
"DISA previously developed enterprise directory services and identity synchronization services to allow for secure (non-password based) authentication to the Microsoft Exchange-based Defense Enterprise Email (DEE) service," he said. "The authentication gateway extends these services using the Security Assertion Markup Language to allow for rapid integration with cloud-based services."
The pilot program with Google began to take shape in February when DISA and Google signed a Cooperative Research and Development Agreement (CRADA) to explore innovate ways for DOD users to securely authenticate to commercial cloud service providers.
"The DISA-Google CRADA work is a necessary precursor activity that if successful would allow DISA to bring competitive commercial cloud-based email providers into the [DEE] service offering," said rear admiral David Simpson, vice director of DISA, in a prepared release from DISA.
He added that the program's goal would be to provide for a portion of DOD email user communities to work with lowest cost, technically acceptable service providers whose security is assured and commensurate with various missions. The initial implementation would focus on a single enterprise e-mail system that utilizes one directory service for the entire DOD and "seamless collaboration between commercial and DOD-hosted environments," Simpson said.
"While the current Google pilot is scheduled to end on Sept. 30, this is laying the groundwork for many future cloud services," said Jack Wilmer, DISA's deputy CTO for enterprise services. "The results of the CRADA are going to play a major role in our cloud strategy going forward."
DISA officials said, given the importance of enterprise email to DOD, the agency also is using the Google pilot to explore and validate next-generation approaches to cloud-based email that can augment DISA's existing Defense Enterprise Computing Center, which hosts the DEE service.
DISA is looking to integrate its enterprise directory services with cloud-based email to allow a single global address list to support total email interoperability. To accomplish that, an agency spokesperson said DISA is using its identity synchronization service to automatically provision Google pilot users and synchronize the global address list between the DEE service and the pilot.
"If we can validate this approach," said Wilmer, "in the future we will be able to competitively acquire cloud-based email services to provide browser-based email for users that don't need all of DEE's features."