CIO

Can the U.S. Postal Service find a future running a gov't cloud-based authentication service?

Can the U.S. Postal Service (USPS) find a new future running a cloud-based authentication service for the government? The USPS intends to try and do just that under a three-year $15.12 million contract awarded to SecureKey Technologies today for some foundation technology to build a cloud-based authentication exchange.

While in the early stages, the USPS-managed Federal Cloud Credential Exchange (FCCX), as it's being called, is envisioned as a way that people can use their existing online credentials to gain access to U.S. government agency online services in the future.

What third-party credentials would be used as part of FCCX is not yet decided, but ideas in play include credentials that users already have with the likes of Google and PayPal, for example, says Andre Boysen, executive vice president for marketing at SecureKey. It's anticipated these credentials would be of various strengths and types, from simple names and passwords to the government-designed Personal Identity Verification cards.

The RFP for the FCCX contract was originally put out for bid last January and the award today to Toronto-based SecureKey means that the USPS will be proceeding with its plans to try and operate a cloud-based authentication exchange for the government. USPS spokeswoman Darleen Reid-DeMeo said USPS is "implementing a pilot software solution to enable the public to use commercially issued digital credentials to access government services online with greater security, privacy and efficiency."

Many details, however, need to be ironed out for what would be the first authentication service of its kind for the federal government in the U.S.

"Participants have not been finalized at this time," says Reid-DeMeo. "However, some of the agencies that have been assisting in developing the requirements for the pilot are the Veterans Administration, the Department of Education, the Social Security Administration and the Internal Revenue Service." It's anticipated that the FCCX pilot project would begin this fall.

The USPS pilot project for a cloud-based exchange is one of several experimental approaches to online access to government services envisioned under the Obama Administration's National Strategies for Trusted Identities in Cyberspace (NSTIC) program.

The NSTIC program seeks to find new ways to reduce password use online for security reasons or to find novel ways to facilitate government services in the future. Reid-DeMeo says the FCCX pilot project is being led by the White House Office of the Federal Chief Information Officer.

The FCCX project basically involves the USPS setting up a kind of credential-brokerage service using SecureKey's federated authentication platform. It's hoped that FCCX will work behind the scenes so when users go to a government agency's online service, they can enter a credential they already have that was not necessarily issued by the government to get access rather than having to go ask for a credential from the agency itself.

This all suggests a close level of trust and cooperation between all the participants involved, including the government agency, the USPS, and any third-party credential provider. While this kind of authentication brokering hasn't been done yet in the U.S. for government, something similar has been shown to work in Canada.

A cloud-based authentication brokerage system, with technology provided by SecureKey, has been operated by the Canadian government for well over a year for use by the Canadian Treasury Board and other Canadian agencies.

According to SecureKey's Boysen, the Canadian credentials exchange now processes over 1 million transactions per month with users entering banking credentials they already have from the Bank of Montreal and TD Bank, for example. The Canadian system has the government's cloud-based credentials exchange service doing a quick online authentication verification with the participating banks concerning the user's credentials before allowing the user into the government online service.

The idea behind it is that users interact frequently with their banks online but infrequently with government services. Thus, they remember their online banking credentials while they are more likely to forget credentials they only use a few times a year for a government service.

It will be some time before it's clear exactly how the USPS-run FCCX might work, but it could give the country's beleaguered mail-delivery service a new mission. But it might also prove unworkable and fade away after a year of an FCCX pilot cloud project, too.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com
