Agencies eager to understand benefits of cloud credential exchange

Friday - 11/15/2013, 4:01am EST

The Federal Cloud Credential Exchange pilot is still in the early stages of development, but there's growing anticipation of how it could change the way agencies authenticate and authorize users of their systems.

The Postal Service awarded a $15.1 million contract to SecureKey Technologies in August to develop and run the initial program, also known as FCCX.

Just three months into the effort, agencies are eager to see the results.

"They just want to know what problems can it solve," said Naomi Lefkovitz, a senior privacy policy adviser at the National Institute of Standards and Technology, at a recent panel discussion sponsored by the Bethesda, Md., chapter of AFCEA. "The funny thing is, even though it's very oriented toward citizen-facing applications, because we can run personal identity verification (PIV) cards through it, some agencies have said, 'Hey, maybe I can use it to help me with some of my internal systems as well.' There's a whole range of problems agencies are excited about solving."

She said FCCX is creating excitement because agencies are starting to see the value in sharing the costs and getting out of the identity management business.

The Federal Cloud Credential Exchange will test the concept of authenticating and authorizing users through a federated cloud infrastructure. The goal is to use the strengths of the cloud, access anywhere and anytime to data and shared services, to create a strong identity management approach in which agencies no longer have to host the authentication and authorization capabilities in-house.

Cloud broker of identities

USPS will act as the broker between agencies and citizens and will manage all the relationships and deal with all the system requirements and changes. So far, NIST and the Department of Veterans Affairs have signed on to the pilot and other agencies are interested, Lefkovitz said.

She said agencies can integrate once and USPS will do the translation to the identity provider's system.

USPS is planning to launch the pilot during the first quarter of 2014. This small-scope test will go on for a year, and then the Postal Service, the General Services Administration, which is the program manager of the initiative, and NIST will reassess how it works and make any necessary adjustments with an eye toward expansion.

Lefkovitz said GSA is helping with the policy and process issues for FCCX. She said there are several policy issues that need to be addressed; security and privacy are among the biggest ones.

"Having a broker in the middle introduces some new privacy problems, which is that now you have this agent who knows everything about what a citizen is doing with the government. To address that, we have an interesting architecture with the broker, which is that it will do a mapping with identifiers and keep the linkage separate between the identity providers and agencies as relying parties," Lefkovitz said. "A commercial identity provider will not know what agency a citizen is going to so they will not be able to build a profile. The relying party doesn't really need to know which identity provider someone is using as long as they are certified."

Additionally, NIST, GSA and USPS are implementing a cryptography standard that will make sure the broker doesn't know the attributes flowing through the system. "The credential will essentially be anonymous to the broker. They will know where it comes from and they will know where it needs to go, but they don't really need to know the attributes, your name, your Social Security number and any information," she said. "That way we will build in privacy and security into the system."
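As an added illustration, and not FCCX's design or any code from the program, the following stand-alone Python models the two properties Lefkovitz describes: the broker maps identifiers pairwise, so the identity provider never learns which agency the user visited and two agencies cannot correlate the same user, and the attributes are sealed end to end, so the broker forwards a payload it cannot read. It gets the blinding from a Diffie-Hellman key agreement between relying party and identity provider (RFC 3526 group 14) plus an HMAC-based encrypt-then-MAC standing in for a real AEAD; it does not use the zero-knowledge-proof approach the article goes on to mention. Every party name, key, transaction and user record is constructed for the example.

```python
"""Toy privacy-preserving credential broker (added example, not FCCX code)."""
import hashlib
import hmac
import json
import secrets

# RFC 3526 group 14 (2048-bit MODP) for the RP<->IdP key agreement.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def _dh_key(peer_pub: int, priv: int) -> bytes:
    """32-byte session key from the Diffie-Hellman shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(256, "big")).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 keystream: a stdlib stand-in for a
    real AEAD such as AES-GCM. The point of the example is who holds the key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("attribute payload failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class RelyingParty:
    """An agency application. Talks only to the broker; never sees the IdP's name."""
    def __init__(self, name: str):
        self.name, self._pending = name, {}

    def start_login(self) -> dict:
        priv, txn = secrets.randbelow(P - 3) + 2, secrets.token_hex(8)
        self._pending[txn] = priv
        return {"txn": txn, "rp_pub": pow(G, priv, P)}

    def finish_login(self, msg: dict):
        key = _dh_key(msg["idp_pub"], self._pending.pop(msg["txn"]))
        return msg["pairwise_id"], json.loads(open_sealed(key, msg["sealed"]))


class IdentityProvider:
    """A certified credential provider. Sees a transaction handle and an
    ephemeral public value, never the agency behind them."""
    def __init__(self, users: dict):
        self.users = users

    def authenticate(self, req: dict, subject: str) -> dict:
        priv = secrets.randbelow(P - 3) + 2
        sealed = seal(_dh_key(req["rp_pub"], priv), json.dumps(self.users[subject]).encode())
        return {"txn": req["txn"], "subject": subject, "idp_pub": pow(G, priv, P), "sealed": sealed}


class Broker:
    """Relays messages, withholds party names, issues pairwise pseudonyms.
    `observed` is everything the broker could log or leak."""
    def __init__(self):
        self._map_key, self._pending, self.observed = secrets.token_bytes(32), {}, []

    def to_idp(self, rp_name: str, req: dict) -> dict:
        self._pending[req["txn"]] = rp_name          # linkage stays inside the broker
        return {"txn": req["txn"], "rp_pub": req["rp_pub"]}   # no agency identifier

    def to_rp(self, idp_name: str, resp: dict) -> dict:
        rp_name = self._pending.pop(resp["txn"])
        # Stable for (IdP, subject, RP), unlinkable across RPs without _map_key.
        pairwise = hmac.new(self._map_key, f"{idp_name}|{resp['subject']}|{rp_name}".encode(),
                            hashlib.sha256).hexdigest()[:32]
        self.observed.append({"from": idp_name, "to": rp_name, "sealed": resp["sealed"]})
        return {"txn": resp["txn"], "pairwise_id": pairwise,
                "idp_pub": resp["idp_pub"], "sealed": resp["sealed"]}


def login(rp, idp, idp_name, broker, subject):
    req = rp.start_login()
    resp = idp.authenticate(broker.to_idp(rp.name, req), subject)
    return rp.finish_login(broker.to_rp(idp_name, resp))


def demo() -> dict:
    """One constructed user visits two agencies; report what each party ends up with."""
    idp = IdentityProvider({"user-42": {"name": "Pat Example", "dob": "1980-01-01"}})
    broker, va, nist = Broker(), RelyingParty("va.gov"), RelyingParty("nist.gov")
    va_id, va_attrs = login(va, idp, "idp-a", broker, "user-42")
    nist_id, _ = login(nist, idp, "idp-a", broker, "user-42")
    va_id_again, _ = login(va, idp, "idp-a", broker, "user-42")
    leaked = any(b"Pat Example" in o["sealed"] for o in broker.observed)
    return {"va_attrs": va_attrs, "va_id": va_id, "nist_id": nist_id,
            "va_id_again": va_id_again, "broker_saw_plaintext": leaked}
```

Running `demo()` shows the split the quotes describe: the VA and NIST applications receive different pseudonyms for the same person, the VA receives the same pseudonym on a repeat visit, the relying party decrypts the attributes, and nothing in the broker's `observed` log contains them in clear. What the broker does still see, per transaction, is which provider a credential came from and which agency it went to; that linkage table and the pseudonym mapping key are the assets a real deployment has to protect most carefully.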

Fewer data sets needed

Lefkovitz added the cryptography standard is called zero knowledge proof cryptography, and it's been around for decades and has been well tested. But it hasn't been widely used in the commercial world. She said the government wants to bring it into a commercial protocol that they can adapt.

She said FCCX also is following an ANSI standards group that is working on identity proofing and identity resolution. Lefkovitz said the group is trying to figure out the minimum data set needed to establish someone's identity. Even though agencies believe they need a lot of data, the ANSI group is realizing that they maybe don't need as much data as first thought, and that idea may help citizens accept and use the capabilities in FCCX, she said.

Beyond USPS, VA and NIST, the capabilities in FCCX that other agencies can use are at least a year away. So in the meantime several agencies are moving out with complementary identity management initiatives.

This story is part of the Reporter's Notebook blog.