Partnet supports DOD EMALL sales halfway around the world

Last fall, Ronald Inman of Naval Facilities Engineering Command (NAVFAC) Public Affairs reports that the NAVFAC Far East command generated a total of 3,367 orders and approximately $13.8 million in sales on DOD EMALL in fiscal year 2009 — more than any other NAVFAC command.

The DOD EMALL is a web-based Government eCommerce site enabling authorized military and government customers to search for and order products and services from a global community of government and commercial vendors. Operated on behalf of the Defense Logistics Agency, the DOD EMALL contains over 2,000 commercial catalogs offering nearly 70 million items.

NAVFAC Far East is based in Yokosuka, Japan — nearly halfway around the globe from the DOD EMALL’s home in Ogden, UT.  Partnet keeps the DOD EMALL applications running smoothly — 24 X 7, 365 days a year. Over the last year, Partnet maintained system uptime at 99.75%.    Without high system availability, NAVFAC would have been relegated to slower, less efficient forms of procurement.

Cost-Cutting Solution: Inventory Management Software

When it comes to organizations’ finances, some years are better than others. It’s no secret that for many in the private and public sectors, the last few years have been on the lean side.

It requires creativity for a company or government department to tighten its belt without cutting its services or quality. With fewer goods being sold, companies earn less money and the government takes in less in sales and payroll taxes.

How can these organizations effectively cut costs and maintain their overall strength? One way is with inventory management software. Inventory management software is an automated system for keeping track of inventory levels, product shipping and sales.

Two typical inventory-management problems that can hurt organizations’ financial health are having too much or too little inventory. Many times, a company or government department purchases products or parts in bulk to ensure they have enough on hand to meet demand the moment an order comes through. They also may think the discount they get by buying a large number of products or parts will offset any potential risks.

However, this strategy leaves them vulnerable to product spoilage and obsolescence. An overstock of products or parts also prevents the capital that was spent on them from being used in more productive ways. Organizations have a finite amount of capital to work with, so it’s important that they spend their money as effectively as possible.

Being understocked on products is what most organizations try to avoid. Not having enough inventory on hand causes manufacturing delays, and it can drive customers away.

To find a balance between an overstock and an understock of products, many groups turn to inventory management software. Using barcode scanners to receive, track and sell products, organizations can know […]

PKI Security in Large Scale Web Applications – Part 5: The Solution and the Result

This final part of our series on PKI security in large scale web applications looks at how eValidate was able to accommodate the unique, high performance demands of the DOD EMALL.

Powered by Partnet eValidate, DOD EMALL is now fully CAC-enabled, and public key access is configured for all Federal Bridge customers. This was accomplished with zero impact to system performance and availability, and in accordance with the strict DOD operating standards.

eValidate’s internal CRL application was implemented to validate regular DOD Common Access Cards. The application automatically retrieves, compiles, and indexes CRLs from a host of trusted CAs into a dedicated file system within the DOD EMALL login module. The file system is available throughout the load-balanced cluster, allowing user CACs to be checked against the indexed file system from any node within the system. eValidate’s internal server-side CRL application provides virtually seamless login and certificate-revocation processing— transparent to users and without impact to system performance and availability.

While an efficient certificate revocation method for regular DOD users, the internal CRL application was not a practical solution for validating the external certificates (i.e., VeriSign, IdenTrust, etc.) used by DOD’s Federal and commercial partners. Instead, eValidate’s OSCP web service was enabled for these user groups.

Using standard HTTP, the login module transmits an encoded OCSP query to a corresponding OCSP responder for each external public key presented (i.e.,LincPass, HSPD-12 cards). The OCSP responder checks the public key’s digital certificate and returns the revocation status to DOD EMALL in real-time. The Federal Bridge user is then granted or denied access, as appropriate.

Too many simultaneous OCSP queries can undermine network performance, however, which is why Partnet configured this solution for Federal Bridge users—representing only a small fraction of the DOD […]

PKI Security in Large Scale Web Applications – Part 4: Case Study of DOD EMALL

This part of our series on PKI security in large scale web applications examines the challenge the DOD EMALL faced in implementing PKI.

DOD EMALL is the largest eCommerce site operating within the US Government. It is a highly-available system that employs best-in-class practices and utilizes a variety of sophisticated networking and systems hardware, alongside software based clustering to enable redundancy, scaling, and load balancing.

Around the globe, DOD EMALL provides a single-entry point for more than 30,000 registered users to search and purchase from a virtual catalog of over 66 million items.

Within the Department of Defense, system performance and IT security have long been at odds. Large-scale web applications must efficiently deliver products, services, and information to end users, while at the same time, restricting unauthorized access. Faced with this dilemma, the Defense Logistics Agency (DLA) turned to Partnet for a PKI security solution for the DOD EMALL.

Background

The Federal Bridge Certificate Authority (FBCA) was established to help federal agencies better share information and resources through a more secure, interoperable PKI framework. The Federal Bridge enables department-issued public keys to be cross-certified and accepted throughout the community. The following diagram helps illustrate the FBCA trust model.

In response to the FBCA, the DOD developed Instruction 8520.2, mandating a Department-wide PKI policy to enhance security through authentication, digital signatures, and encryption. The first line of defense was the Common Access Card (CAC) — a smart card provided to DOD service members, civilians, and contractors in order to access restricted systems, networks, and facilities.

The CAC—a hard-token public key—carries a non-replicable digital certificate providing:

Data integrity and confidentiality
User identification and authentication.
User non-repudiation

The Challenge

Like every other DOD agency, the DOD EMALL Program Office was directed to provide DOD users access through the CAC, but […]

PKI Security in Large Scale Web Applications – Part 3: Partnet eValidate

This part of our series on PKI security in large scale web applications examines how the new Partnet eValidate solution effectively satisfies the unique PKI demands of large scale web applications.

Partnet eValidate™ is an ideal solution for large-scale web applications with a large number of users and transactions. eValidate protects government enterprises from potential security breaches by verifying the revocation status of digital certificates within a PKI. eValidate provides enterprises with the flexibility of using CRL and Online Certificate Status Protocol (OCSP) for validation as illustrated in this graphic.

OCSP is a fast, lightweight alternative to traditional CRLs that allow applications to query external certification-status servers, or OCSP responders, for the status of a single certificate. OCSP responds much faster than CRL downloads—quickly returning a small, signed message stating the certificate’s revocation status. For large-scale systems, Partnet eValidate provides enterprises with faster, more efficient cert validation processing and greater security protection.

Partnet eValidate Benefits

Security. Safeguards applications and networks against potential security breaches from expired or revoked digital certificates.
Reliability. Robust design provides support for backup, load balancing, and failover.
Versatility. Provides agency’s with the flexibility to use CRL- or OCSP based validation based on the particular need.
Cost Effective. Designed to efficiently plug in and scale to meet a wide range of deployment requirements.
Proven. eValidate has been proven in one of the government’s largest and most challenging e-commerce transaction environments.

The next installment in this series will look at how Partnet eValidate was able to solve the PKI security challenges faced by the DOD EMALL, one of the largest Government eCommerce sites.

PKI Security in Large Scale Web Applications – Part 2: The Limits of Off-The-Shelf Solutions

This part of our series on PKI security in large scale web applications examines the limits of traditional Off-the-Shelf PKI-validation solutions.

Per Joint Task Force Global Network Operations (JTF-GNO), the #1 method of attack on the DoD information network is compromised user IDs and passwords. Homeland Security Presidential Directive (HSPD 1) — implemented in the wake of September 11, 2001 — mandates a federal standard for secure and reliable forms of identification.

Validating a user’s identity is at the heart of PKI’s effectiveness. Certificate-validation software is currently available off-the-shelf from a variety of private companies. These products typically employ a desktop application that transmits HTTP requests to corresponding certificate-status servers whenever a smart card (or other public key) is presented. The server verifies the smart card’s digital certificate against a Certificate Revocation List (CRL)—provided by a principal Certifying Authority—and determines whether the user’s access is granted or denied.

Within a PKI, it is particularly important to ensure certificate validation is performed efficiently to minimize impact to users, networks, and system applications. And while standard off-the-shelf products have proven effective when deployed to smaller systems with relatively limited user volume, larger, more sophisticated systems typically require a more robust solution.

Many large-scale, high-volume systems use sophisticated load-balanced and clustered architectures that deploy applications redundantly across multiple nodes—optimizing availability and failover, while operating as a single virtual machine.

Traditional COTS products, however, require a one-to-one connection between the local application and the externally-hosted CRLs, which load-balanced architectures prevent. As a result, traditional COTS solutions cannot be properly configured for most large-scale systems without negatively impacting availability and performance.  While sufficient for small systems and applications, these COTS solutions are not well suited for the high volume demands of large-scale web applications.

The next installment […]

Google+