Cloud is the next chapter in the government's identity management saga

Friday - 1/11/2013, 5:14am EST

Jason Miller, executive editor, Federal News Radio


Sometimes it takes time for an idea to germinate.

Take the Bush administration's desire for a federated identity management gateway under the E-Authentication initiative. The White House began developing it in 2003 as part of its e-government strategy.

E-Authentication struggled to gain traction and OMB refocused it in 2007 with the emergence of Homeland Security Presidential Directive-12.

Flash forward to fiscal 2013: the Postal Service issued a draft request for proposals and then a final RFP to create and run a Federal Cloud Credential Exchange (FCCX). The system would let citizens log onto federal services using usernames and passwords from third parties, such as Google or PayPal, as long as those companies meet federal standards under the Federal Identity, Credential and Access Management (FICAM) framework.

Jeremy Grant, senior executive advisor for identity management, National Institute of Standards and Technology

The FCCX would act as the identity authenticator, taking advantage of the "build once, use many" philosophy. Agencies wouldn't have to build separate identity management systems or manage separate usernames and passwords for each of their online services, and citizens would have fewer usernames and passwords to remember.

Experts in and out of government say the FCCX is borrowing heavily from E-Authentication.

"Looking back at E-Authentication, it was not a bad idea, but it was a little bit ahead of its time," said Jeremy Grant, the senior executive advisor for identity management at the National Institute of Standards and Technology and leader of the National Strategy for Trusted Identities in Cyberspace (NSTIC) program office. "Certainly, having worked, when I was in industry, on some of the implementations then, you had agencies that didn't necessarily understand the value of it. You had technology and standards that were not necessarily bad, but they were relatively new to the marketplace and not readily understood or easy to work with. If you fast forward from 2005 to 2012, you have lots of agencies where senior executives not only understand the value of federated identity within government, but are actively looking to bring these types of applications online and realizing they can't do it unless they have a better identity infrastructure than they do today."

He said the technology, policy and processes have all matured to the point that creating an identity exchange in the cloud is possible.

"The Postal Service is excited about the opportunity to partner with the White House on the pilot project to create a digital platform for greater efficiency and security for interagency transactions and communications," said a USPS spokesman in an emailed comment about the draft RFP. "As an organization that prides itself on secured mail delivery to more than 150 million American addresses each day, USPS' newly formed Digital Solutions Group is uniquely positioned to create a secure digital messaging platform solution that will promote confidence, privacy, choice and convenience for U.S. citizens."

Related to NSTIC

This effort began with the National Strategy for Trusted Identities in Cyberspace (NSTIC) and received a push from a White House-led tiger team, which began looking at identity management in the cloud in 2012.

"By enabling agencies to adopt federated identity solutions, these efforts will improve the security, privacy and convenience of the government's transactions with the public," Steven VanRoekel, the federal chief information officer, said in an email to Federal News Radio. "With its unique role within the American economy and society as a trusted institution, the U.S. Postal Service is the perfect partner for this enterprise. Ultimately, initiatives like this will enable the Federal government to more easily offer a variety of customer-facing services online, allowing the American people to access government services anytime, anywhere, and on any device."

Over the last decade, agencies have laid the groundwork for the FCCX through trial and error with efforts such as E-Authentication, the Federal Bridge and even HSPD-12.

Judy Spencer, policy management authority chairwoman, CertiPath

Judy Spencer is the policy management authority chairwoman for CertiPath, which provides aerospace and defense companies a public key infrastructure bridge so they can securely share information. She spent 36 years in government, including a stint at the General Services Administration where she ran the governmentwide identity management efforts, among them E-Authentication and the Federal Public Key Infrastructure Bridge.

She said the biggest difference between now and then is the cloud.

"Now that we have the cloud out there, we think there is a better environment to really be able to build this and make it work the way it needs to work," Spencer said. "This is an implementation piece to me, especially given the work they have done in developing federal profiles for the open standards, and also defining different identity providers and which standards they accept. A federal agency could make a determination and program that application to be able to accept all of these different credentials from different providers and validate them. But that would be everyone having to rebuild, and what this does is allow those identity credentials to all go through this single function in the cloud, and the identity applications need to only process what the cloud sends them, and this cloud will always send them the same thing."

She said part of the goal of the draft RFP is to figure out what the front end will send and how it gets safely transmitted to the back-end system to make identity proofing easier.

Critical success factors

Bill Corrington, the chief cloud strategist for Stony Point Enterprises and a former chief technology officer at the Interior Department, said what the Postal Service detailed in the draft statement of work is a type of identity broker model. He said that makes perfect sense with the push from OMB to use cloud services. Corrington said there are several critical success factors USPS needs to keep in mind, starting with privacy and security.
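The identity broker model described above, and Spencer's point that relying applications "only process what the cloud sends them", can be shown in a small working sketch. The following is an added example written for this page; it is not code from USPS, NIST or any FCCX bidder. The provider names, assurance levels, signing key and message formats are all constructed for illustration, and the real FICAM trust framework lists are not on the page. The broker accepts differently shaped assertions from two imaginary identity providers, refuses providers that are not on its approved list, caps the assurance level at what the provider is approved for, emits one canonical signed assertion per relying party, and gives each agency a pairwise pseudonym so that agencies cannot correlate a citizen's activity through the exchange.

```python
"""Added example: a toy Federal Cloud Credential Exchange in the identity-broker
model. Everything here is constructed for illustration (not the real FCCX)."""
from __future__ import annotations

import hashlib
import hmac
import json
import time
from dataclasses import asdict, dataclass

# Constructed approved-provider list: which providers the broker trusts, the
# highest assurance level each is approved to assert, and its message format.
APPROVED_PROVIDERS = {
    "idp-a.example": {"max_assurance": 2, "format": "openid"},
    "idp-b.example": {"max_assurance": 3, "format": "samlish"},
}

# Constructed broker signing key shared with relying parties (a real deployment
# would use asymmetric signatures so relying parties hold no secret).
BROKER_KEY = b"constructed-broker-signing-key"


@dataclass
class CanonicalAssertion:
    """The single shape every relying party receives, whatever the provider sent."""
    subject: str      # pairwise pseudonym, never the provider's raw identifier
    provider: str
    assurance: int
    issued_at: int
    audience: str     # the relying party this assertion is for


def _parse_openid(raw: dict) -> tuple[str, int]:
    """Constructed OpenID-style message: claimed identifier plus a level field."""
    return raw["claimed_id"], int(raw.get("pape_level", 1))


def _parse_samlish(raw: dict) -> tuple[str, int]:
    """Constructed SAML-style message: NameID plus a context URN ending in a level."""
    return raw["NameID"], int(raw["AuthnContext"].rsplit("/", 1)[-1])


PARSERS = {"openid": _parse_openid, "samlish": _parse_samlish}


def _sign(assertion: dict) -> str:
    payload = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(BROKER_KEY, payload, hashlib.sha256).hexdigest()


def exchange(provider: str, raw: dict, relying_party: str,
             required_assurance: int, now: int | None = None) -> tuple[dict | None, str]:
    """Broker step: returns (signed message, "ok") or (None, reason) on policy failure."""
    policy = APPROVED_PROVIDERS.get(provider)
    if policy is None:
        return None, f"provider {provider} is not on the approved list"
    subject, asserted_level = PARSERS[policy["format"]](raw)
    # Never let a provider assert more than it has been approved for.
    assurance = min(asserted_level, policy["max_assurance"])
    if assurance < required_assurance:
        return None, f"assurance {assurance} below required {required_assurance}"
    # Pairwise pseudonym: the same person gets a different subject at each agency,
    # so relying parties cannot correlate users through the broker's output.
    pseudonym = hashlib.sha256(
        f"{provider}|{subject}|{relying_party}".encode()).hexdigest()[:32]
    issued_at = int(time.time() if now is None else now)
    assertion = asdict(CanonicalAssertion(pseudonym, provider, assurance,
                                          issued_at, relying_party))
    return {"assertion": assertion, "sig": _sign(assertion)}, "ok"


def relying_party_accept(msg: dict, expected_audience: str,
                         max_age: int = 300, now: int | None = None) -> bool:
    """Agency side: verify signature, audience and freshness; nothing else to parse."""
    if not hmac.compare_digest(_sign(msg["assertion"]), msg["sig"]):
        return False
    a = msg["assertion"]
    current = int(time.time() if now is None else now)
    return a["audience"] == expected_audience and 0 <= current - a["issued_at"] <= max_age


if __name__ == "__main__":
    # Constructed sample credential from the OpenID-style provider.
    raw = {"claimed_id": "https://idp-a.example/u/alice", "pape_level": "3"}
    msg, why = exchange("idp-a.example", raw, "agency-one.example", 2, now=1000)
    print(why, msg)
    print("accepted:", relying_party_accept(msg, "agency-one.example", now=1100))
```

The relying party never sees the provider's native message; it checks one signature, one audience and one timestamp, which is the "always send them the same thing" property. The assurance cap and the approved-provider check are where the FICAM-style policy lives, and the pairwise pseudonym is the privacy control a broker sitting in front of every agency needs so that it does not become a correlation point.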

"The other critical success factors that I see in anything like this is you have to build critical mass early and get the thing off the ground. They'll need to have some agencies lined up to be relying parties," he said. "They also will need to focus attention on the pricing model. Obviously, there's pricing USPS will pay some vendor to deliver the service, but how's the chargeback model going to work with the agencies and how's that going to be structured so the agencies see it's a cost-effective approach."

Corrington, who also was the co-chairman of an ACT-IAC special interest group that issued a white paper in November on identity management in the cloud, said agencies may not yet realize the need for this type of approach.

"I'm not sure people realize the need for this until they begin utilizing two or three external cloud providers," he said. "Identity management is a hurdle for cloud adoption in particular with the federal cloud strategy. Agencies will end up using multiple cloud providers. When an agency gets beyond one provider, they will have to keep solving the identity management problem over and over again. And I think the need for it may not be obvious to the agencies, but they will appreciate it when it's there and they go to multiple cloud providers."

A few agencies have tested out open identity standards. The National Institutes of Health, for example, piloted using commercial identities under the OpenID standard for academics, researchers and others through the iTrust offering. Under the program, federal employees and non-federal employees can log onto five different systems, including the National Library of Medicine's PubMed biomedical research database and its electronic vendor invoicing system.

The National Cancer Institute partnered with the SAFE BioPharma Association to accelerate the process to start clinical drug trials by using standard digital credentials and processes for authentication and verification.

Tiger team recommendation

The Office of Management and Budget also issued a policy in October 2011 telling agencies to begin accepting commercial usernames and passwords for federal applications within a year.

But this effort is different as it includes both the cloud and a wider variety of security levels and applications.

NIST's Grant said the White House-led tiger team found agencies needed help in moving to a single identity authenticator.

"The notion of creating the Federal Cloud Credential Exchange arose last year after talking to a number of agencies when it was clear they needed to make the process easier," he said. "How could they actually rely on a single service across government that they could use to be able to accept these different types of credentials, coming from different commercial firms, and having an easy way they could integrate with a wide variety of accredited credentials so they could move more services online, make things more convenient and secure for citizens and make it cheaper for agencies to offer services?"
