Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

1/4/2013
10:55 AM

Postal Service Pilots Next-Gen Authentication Tech

U.S. Postal Service pilots an implementation of the Federal Cloud Credential Exchange to facilitate use of government online services.

[ Image: IW500: 15 Top Government Tech Innovators ]

The U.S. Postal Service will be the guinea pig for a White House-led effort to accelerate government adoption of technologies that allow federal agencies to accept third-party identity credentials for online services. The program involves using services from organizations like PayPal and Google through standards like OpenID rather than requiring users to create government usernames and passwords.

The government hopes the pilot will serve as the foundation for a wider, federated approach to identity management for government services. Procurement documents characterize the goal as having a single "broker" to validate disparate identity credentials across a wide range of federal agencies. Federal CIO Steve VanRoekel set a requirement in October 2011 that within three years from that date, federal agencies would be able to accept third-party credentials to facilitate access to online government services.

The federated identity effort, known as the Federal Cloud Credential Exchange (FCCX), is just one piece of a broader Obama administration online identity initiative: the National Strategy for Trusted Identities in Cyberspace (NSTIC), which aims to catalyze private sector-led development of a secure, digital "identity ecosystem" to better protect identities online.

[ The FedRAMP program aims to make it easier for government agencies to adopt cloud services. Read about it at Feds Issue First Cloud Services Security Authorization. ]

NSTIC calls on the government to be an early adopter of technologies that may become a part of the identity ecosystem. A few agencies, such as the National Institutes of Health, have tested third-party credentialing, but by and large, federal agencies have been slow to adopt these technologies. According to procurement documents for the Postal Service pilot, technical, policy and cost barriers have kept agencies from offering many transactional services to the American public, such as applying for benefits, transacting business at agency websites, downloading healthcare data and filing taxes.

These challenges have recently begun to be ironed out via a set of standards and requirements drawn up by a group of agencies that have large numbers of citizens accessing their services online. The Post Office's Digital Solutions Group will pilot these ironed-out federated credentialing requirements with some help from the General Services Administration and a third-party provider or providers of software-as-a-service-based credentialing exchange.

The Postal Service pilot has a long list of requirements covering how authentication should work, how privacy should be handled, audit and reporting, compliance with federal law and standards, and availability and scalability. FCCX will most likely not store personally identifiable information and will not have any visibility into such data; instead it will rely on and support a number of third-party credentialing systems and protocols such as SAML and OpenID.

The one-year pilot will need to scale to support large numbers of users. It must be capable of supporting 135 million customers and as many as one million transactions hourly, according to procurement documents. The Postal Service has been eyeing more advanced digital authentication capabilities for some time.

Among the vendors already expressing interest in the pilot project are Symantec, McAfee, Amazon Web Services, Akamai, hybrid cloud authentication vendor Xceedium and a number of government contractors.

The Postal Service pilot is but one of several different pilots that are part of NSTIC. There are also three cryptography pilots and two non-cryptographic privacy pilots in the works. Each of those pilots is being carried out by multiple private sector organizations ranging from the Virginia Department of Motor Vehicles to AOL to AARP to Aetna.

