About Terryl Benson


The Problem with Multiple Accounts and Passwords

Each time a person registers with a new website, they are required to share personal identifying information. This can include names, addresses, email addresses, phone numbers, and usernames and passwords. This information is vulnerable to a number of threats. Untrustworthy organizations can sell the information, thereby exposing a person to unsolicited telephone calls, mailings, and spam email. Even worse, if hacked or stolen, the information can be used to steal a person’s identity and potentially gain access to their other online accounts.

Aggravating the problem is the fact that the average Internet user has registered accounts with over a dozen websites. Every additional account is another copy of the same personal data held by another organization, so each one adds to the chance that the data is compromised somewhere.

A closely related problem lies in the fact that people must try to remember usernames and passwords for all of the websites with which they interact. To make remembering easier, many people use the same password to access multiple sites. This practice makes every one of those accounts only as secure as the weakest site: a password captured by a phishing page or taken from one site's breached database can simply be replayed against every other site where it was reused.

In response to problems such as these, the Obama administration is drafting plans for a forthcoming cyber-security effort intended to create an Internet ID for Americans. Although details of the plan are scarce, U.S. Commerce Secretary Gary Locke shed some light on the plan during its announcement this past November at the Stanford Institute for Economic Policy Research, “What we are talking about is enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.”

OpenID

OpenID is a promising technology intended to bolster cyber-security by solving the multiple accounts and passwords problem. OpenID is a standards-based Single Sign-On (SSO) protocol […]

Congress to Consider Cyber-Security Legislation on the Heels of Report that Top Government Sites were Hacked by Chinese

Legislation focused on addressing the cybersecurity challenges faced by the Federal Government is currently awaiting debate in Congress. If passed, the law would coordinate U.S. cybersecurity efforts, create a voluntary partnership between the government and the private sector to facilitate the flow of information regarding cyber threats, and promote the sharing of technologies between the private sector and government.

December 3rd, 2010 | Security

DLA Team Investigates Security Measures

Agencies across the Federal Government are increasing efforts to identify and fix security flaws. These programs are probing both IT Security and Physical security in an attempt to measure the effectiveness of current security measures.

One of the agencies testing the effectiveness of current security measures is the Defense Logistics Agency (DLA). A recent article published by the DLA News Center, titled Investigative team uncovers security flaws, details the work performed by members of the DLA Accountability Office. The team scrutinized screening and property pick-up procedures at several DLA Disposition Services facilities. Because the investigation included members of law enforcement, many details of the operation have not been released. However, it was reported that the team was able to identify weaknesses and take corrective actions.

Proactive efforts like this are a good way to ensure the effectiveness of current security measures, and with the success of the investigation, it is likely that similar investigations will be conducted in the coming months.

Avoiding Pitfalls – Strategies for Large Enterprise Projects

Organizations have been using large enterprise systems for decades to improve business intelligence and processes.  These systems—when correctly designed and implemented—provide organizations with important strategic advantages, including improved efficiency and reduced costs. However, implementing the wrong system or implementing it the wrong way can have the opposite effect—making an organization less efficient and ultimately more expensive to operate.

According to a recent report, 70 percent of large-scale government software projects fail to achieve their stated business objectives, are delivered late, or are substantially over budget. In August of this year, White House officials identified 26 high-risk programs within the federal government that are experiencing significant cost increases and schedule delays. These projects, which span 15 departments and would cost $30 billion for completion, are all mission-critical programs that are being put through a fast-paced reassessment process to move them forward, possibly in modified forms.

Below are three strategies organizations can take to avoid these pitfalls. These proposed strategies are based on nearly two decades of research, experience, and lessons learned by Partnet in developing and implementing large-scale Government web applications.

Strategy 1: Use Custom Code and Open Standard Technologies to Increase Interoperability of COTS Products

When introducing a new enterprise system, it is important to recognize that COTS products can be difficult to integrate. While COTS products normally work fine independently, combining them so that they function seamlessly is the real challenge.

One key to interoperability is understanding when to use custom code as a means to more tightly integrate COTS components. It is important to determine when custom code is called for, and when an existing tool will work best. Using open commercial standards like XML helps to balance the costs and risks associated […]

PKI Security in Large Scale Web Applications – Part 5: The Solution and the Result

This final part of our series on PKI security in large scale web applications looks at how eValidate was able to accommodate the unique, high performance demands of the DOD EMALL.

Powered by Partnet eValidate, DOD EMALL is now fully CAC-enabled, and public key access is configured for all Federal Bridge customers. This was accomplished with zero impact to system performance and availability, and in accordance with the strict DOD operating standards.

eValidate’s internal CRL application was implemented to validate regular DOD Common Access Cards. The application automatically retrieves, compiles, and indexes CRLs from a host of trusted CAs into a dedicated file system within the DOD EMALL login module. The file system is available throughout the load-balanced cluster, allowing user CACs to be checked against the indexed file system from any node within the system. eValidate’s internal server-side CRL application provides virtually seamless login and certificate-revocation processing— transparent to users and without impact to system performance and availability.
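The shared, indexed revocation store described above can be sketched as follows. This is an added example, not eValidate code: it assumes every node in the cluster opens the same SQLite file on the shared file system (the path is a parameter; the demo uses an in-memory database), that each CRL's signature has already been verified against its trusted CA before its entries are loaded, and the issuer names, serials and dates are constructed sample data. The lookup fails closed: a missing or expired CRL is never reported as "good".

```python
"""Shared, indexed CRL cache for a load-balanced login tier (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

GOOD, REVOKED, STALE, UNKNOWN_ISSUER = "good", "revoked", "stale", "unknown-issuer"

SCHEMA = """
CREATE TABLE IF NOT EXISTS crl_meta (
    issuer      TEXT PRIMARY KEY,   -- issuer DN (or issuer key hash) as text
    this_update TEXT NOT NULL,      -- ISO-8601 UTC, copied from the CRL
    next_update TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS revoked (
    issuer TEXT NOT NULL,
    serial TEXT NOT NULL,           -- serial as lowercase hex, no leading zeros
    reason TEXT,
    PRIMARY KEY (issuer, serial)
) WITHOUT ROWID;                    -- clustered on (issuer, serial): one index seek per login
"""


def open_index(db_path):
    """Open (or create) the index; db_path is assumed to sit on storage every node mounts."""
    conn = sqlite3.connect(db_path)
    conn.executescript(SCHEMA)
    return conn


def _norm_serial(serial):
    """Accept int, '1a2b' or '0x1A2B' and store one canonical form."""
    return format(int(serial, 16) if isinstance(serial, str) else serial, "x")


def load_crl(conn, issuer, this_update, next_update, entries):
    """Replace one issuer's entries with those of a newer (already signature-checked) CRL.

    The swap is a single transaction, so a node reading concurrently sees either
    the old CRL or the new one, never a half-loaded list.
    """
    with conn:
        conn.execute("DELETE FROM revoked WHERE issuer = ?", (issuer,))
        conn.executemany(
            "INSERT INTO revoked (issuer, serial, reason) VALUES (?, ?, ?)",
            [(issuer, _norm_serial(s), r) for s, r in entries],
        )
        conn.execute(
            "INSERT OR REPLACE INTO crl_meta VALUES (?, ?, ?)",
            (issuer, this_update.isoformat(), next_update.isoformat()),
        )


def check_status(conn, issuer, serial, now=None, grace=timedelta(0)):
    """Revocation status of one certificate. Fails closed on a missing or expired CRL."""
    now = now or datetime.now(timezone.utc)
    meta = conn.execute("SELECT next_update FROM crl_meta WHERE issuer = ?", (issuer,)).fetchone()
    if meta is None:
        return UNKNOWN_ISSUER            # no CRL for this CA has been loaded: do not accept
    if now > datetime.fromisoformat(meta[0]) + grace:
        return STALE                     # past nextUpdate (+ optional grace): refresh before trusting
    hit = conn.execute(
        "SELECT reason FROM revoked WHERE issuer = ? AND serial = ?",
        (issuer, _norm_serial(serial)),
    ).fetchone()
    return REVOKED if hit else GOOD


def demo():
    """Constructed sample data; returns the statuses so they can be checked."""
    conn = open_index(":memory:")        # stands in for the shared file in this demo
    ca = "CN=Example Issuing CA,O=U.S. Government,C=US"   # constructed issuer name
    t0 = datetime(2010, 12, 1, tzinfo=timezone.utc)
    load_crl(conn, ca, t0, t0 + timedelta(days=7),
             [("0x1a2b", "keyCompromise"), (0x3c4d, "cessationOfOperation")])
    return {
        "revoked":   check_status(conn, ca, "1A2B", now=t0 + timedelta(days=1)),
        "good":      check_status(conn, ca, "001a2c", now=t0 + timedelta(days=1)),
        "stale":     check_status(conn, ca, "1a2c", now=t0 + timedelta(days=8)),
        "grace":     check_status(conn, ca, "1a2c", now=t0 + timedelta(days=8), grace=timedelta(days=2)),
        "no_issuer": check_status(conn, "CN=Other CA", "1a2c", now=t0),
    }


if __name__ == "__main__":
    print(demo())
```

A refresh job on one node re-downloads each CRL before its nextUpdate and calls load_crl; every other node picks up the new entries on its next query without any per-node state. The grace window is a deliberate availability trade-off and should be short and logged when used.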

While an efficient certificate revocation method for regular DOD users, the internal CRL application was not a practical solution for validating the external certificates (e.g., VeriSign, IdenTrust) used by DOD's Federal and commercial partners. Instead, eValidate's OCSP web service was enabled for these user groups.

Using standard HTTP, the login module transmits an encoded OCSP query to the corresponding OCSP responder for each external certificate presented (e.g., LincPass and other HSPD-12 PIV cards). The OCSP responder checks the certificate's revocation status and returns a signed response to DOD EMALL in real time. The Federal Bridge user is then granted or denied access, as appropriate.

Too many simultaneous OCSP queries can undermine network performance, however, which is why Partnet configured this solution for Federal Bridge users—representing only a small fraction of the DOD […]
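The OCSP exchange described above, as an added example that is not part of the original post or of eValidate: it builds an RFC 6960 OCSPRequest by hand (DER, standard library only), adds the nonce extension so a cached response cannot be replayed, and frames the request for the two HTTP transports the RFC defines. The issuer name and key bytes are constructed stand-ins; in practice issuer_name_der is the issuer certificate's DER-encoded subject Name and issuer_key_bits the value of its subjectPublicKey BIT STRING. The responder URL is hypothetical, and nothing is sent over the network.

```python
"""Build and frame an OCSP request; read the top-level response status (added example)."""
import base64
import hashlib
import os
import urllib.parse
import urllib.request

SHA1_ALG_ID = bytes.fromhex("300906052b0e03021a0500")      # AlgorithmIdentifier{sha1, NULL}
OID_OCSP_NONCE = bytes.fromhex("06092b0601050507300102")   # id-pkix-ocsp-nonce 1.3.6.1.5.5.7.48.1.2
OCSP_RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                        3: "tryLater", 5: "sigRequired", 6: "unauthorized"}


def der(tag, content):
    """One DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value):
    """DER INTEGER for a non-negative value (leading 0x00 when the top bit is set)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def cert_id(issuer_name_der, issuer_key_bits, serial):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    return der(0x30, SHA1_ALG_ID
               + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_key_bits).digest())
               + der_integer(serial))


def new_nonce():
    return os.urandom(16)


def ocsp_request(issuer_name_der, issuer_key_bits, serial, nonce=None):
    """OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest }  (unsigned request)."""
    request = der(0x30, cert_id(issuer_name_der, issuer_key_bits, serial))   # Request
    tbs_content = der(0x30, request)                                          # requestList
    if nonce is not None:
        # Extension { extnID, extnValue OCTET STRING }; the nonce itself is an OCTET
        # STRING inside extnValue (RFC 8954), hence the double wrapping.
        ext = der(0x30, OID_OCSP_NONCE + der(0x04, der(0x04, nonce)))
        tbs_content += der(0xA2, der(0x30, ext))                              # requestExtensions [2] EXPLICIT
    return der(0x30, der(0x30, tbs_content))


def http_post(responder_url, request_der):
    """RFC 6960 A.1: POST with the DER body and the application/ocsp-request media type."""
    return urllib.request.Request(
        responder_url, data=request_der, method="POST",
        headers={"Content-Type": "application/ocsp-request",
                 "Accept": "application/ocsp-response"})


def http_get_url(responder_url, request_der):
    """RFC 6960 A.1: GET form, base64 of the DER appended as a URL-encoded path segment."""
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(
        base64.b64encode(request_der).decode("ascii"), safe="")


def _read_tlv(buf, pos=0):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def response_status(response_der):
    """responseStatus of an OCSPResponse. Only 'successful' carries a certificate status;
    anything else (tryLater, unauthorized, ...) must be treated as 'not validated'."""
    tag, body, _ = _read_tlv(response_der)
    assert tag == 0x30, "OCSPResponse must be a SEQUENCE"
    tag, value, _ = _read_tlv(body)
    assert tag == 0x0A, "responseStatus must be an ENUMERATED"
    return OCSP_RESPONSE_STATUS.get(value[0], "unknown(%d)" % value[0])


if __name__ == "__main__":
    # Constructed inputs: real code hashes the issuer certificate's Name and key.
    req = ocsp_request(b"constructed issuer name", b"constructed issuer key", 0x1234, new_nonce())
    print(http_get_url("http://ocsp.example.test/", req))   # hypothetical responder
```

Before the response is trusted, the login module has to verify the BasicOCSPResponse signature against the responder's certificate (or a delegated responder certificate issued by the CA), confirm the nonce echoes the one sent, and check thisUpdate and nextUpdate; that verification needs an X.509 library and is deliberately outside this example. The query-volume concern raised above is addressed by caching each response until its nextUpdate, keyed on the CertID, so repeat logins by the same partner do not hit the responder again.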

PKI Security in Large Scale Web Applications – Part 4: Case Study of DOD EMALL

This part of our series on PKI security in large scale web applications examines the challenge the DOD EMALL faced in implementing PKI.

DOD EMALL is the largest eCommerce site operating within the US Government. It is a highly-available system that employs best-in-class practices and utilizes a variety of sophisticated networking and systems hardware, alongside software based clustering to enable redundancy, scaling, and load balancing.

Around the globe, DOD EMALL provides a single-entry point for more than 30,000 registered users to search and purchase from a virtual catalog of over 66 million items.

Within the Department of Defense, system performance and IT security have long been at odds. Large-scale web applications must efficiently deliver products, services, and information to end users, while at the same time, restricting unauthorized access. Faced with this dilemma, the Defense Logistics Agency (DLA) turned to Partnet for a PKI security solution for the DOD EMALL.

Background

The Federal Bridge Certificate Authority (FBCA) was established to help federal agencies better share information and resources through a more secure, interoperable PKI framework. The Federal Bridge cross-certifies agency certificate authorities with one another, so that certificates issued by one department can be validated and accepted throughout the community. The following diagram helps illustrate the FBCA trust model.

In response to the FBCA, the DOD developed Instruction 8520.2, mandating a Department-wide PKI policy to enhance security through authentication, digital signatures, and encryption. The first line of defense was the Common Access Card (CAC) — a smart card provided to DOD service members, civilians, and contractors in order to access restricted systems, networks, and facilities.

The CAC, a hardware token whose private keys cannot be extracted from the card, carries the user's digital certificates and provides:

Data integrity and confidentiality
User identification and authentication.
User non-repudiation

The Challenge

Like every other DOD agency, the DOD EMALL Program Office was directed to provide DOD users access through the CAC, but […]

PKI Security in Large Scale Web Applications – Part 3: Partnet eValidate

This part of our series on PKI security in large scale web applications examines how the new Partnet eValidate solution effectively satisfies the unique PKI demands of large scale web applications.

Partnet eValidate™ is an ideal solution for large-scale web applications with a large number of users and transactions. eValidate protects government enterprises from potential security breaches by verifying the revocation status of digital certificates within a PKI. eValidate provides enterprises with the flexibility of using CRL and Online Certificate Status Protocol (OCSP) for validation as illustrated in this graphic.

OCSP is a fast, lightweight alternative to traditional CRLs that allows an application to query an external certificate-status server, or OCSP responder, for the status of a single certificate. OCSP responds much faster than a CRL download, quickly returning a small, signed message stating the certificate's revocation status. For large-scale systems, Partnet eValidate provides enterprises with faster, more efficient certificate validation processing and greater security protection.

Partnet eValidate Benefits

Security. Safeguards applications and networks against potential security breaches from expired or revoked digital certificates.
Reliability. Robust design provides support for backup, load balancing, and failover.
Versatility. Provides agencies with the flexibility to use CRL- or OCSP-based validation, depending on the particular need.
Cost Effective. Designed to efficiently plug in and scale to meet a wide range of deployment requirements.
Proven. eValidate has been proven in one of the government’s largest and most challenging e-commerce transaction environments.

The next installment in this series will look at how Partnet eValidate was able to solve the PKI security challenges faced by the DOD EMALL, one of the largest Government eCommerce sites.

PKI Security in Large Scale Web Applications – Part 2: The Limits of Off-The-Shelf Solutions

This part of our series on PKI security in large scale web applications examines the limits of traditional Off-the-Shelf PKI-validation solutions.

Per Joint Task Force Global Network Operations (JTF-GNO), the #1 method of attack on the DoD information network is compromised user IDs and passwords. Homeland Security Presidential Directive 12 (HSPD-12), issued in 2004 in the wake of September 11, 2001, mandates a federal standard for secure and reliable forms of identification.

Validating a user's identity is at the heart of PKI's effectiveness. Certificate-validation software is currently available off-the-shelf from a variety of private companies. These products typically employ a desktop application that transmits HTTP requests to corresponding certificate-status servers whenever a smart card (or other certificate-bearing token) is presented. The server verifies the smart card's digital certificate against a Certificate Revocation List (CRL), provided by the issuing Certificate Authority, and determines whether the user's access is granted or denied.

Within a PKI, it is particularly important to ensure certificate validation is performed efficiently to minimize impact to users, networks, and system applications. And while standard off-the-shelf products have proven effective when deployed to smaller systems with relatively limited user volume, larger, more sophisticated systems typically require a more robust solution.

Many large-scale, high-volume systems use sophisticated load-balanced and clustered architectures that deploy applications redundantly across multiple nodes, optimizing availability and failover while presenting a single logical system to users.

Traditional COTS products, however, require a one-to-one connection between the local application and the externally-hosted CRLs, which load-balanced architectures prevent. As a result, traditional COTS solutions cannot be properly configured for most large-scale systems without negatively impacting availability and performance.  While sufficient for small systems and applications, these COTS solutions are not well suited for the high volume demands of large-scale web applications.

The next installment […]

PKI Security in Large Scale Web Applications – Part 1: The Call for PKI Validation

This week, Partnet begins a five part series on PKI security in Large Scale Web Applications. We will cover the importance of PKI validation within the Federal Government, the limits of Off-the-Shelf PKI validation packages, a DOD case study for use of Partnet’s new eValidate software and a description of the solution and outcome.

Part 1:  The Call for PKI Validation

Over the past decade, technology has enabled government agencies to provide more immediate services to citizens and greater flexibility in meeting their mission objectives. As a result, these agencies have become increasingly dependent on the integrity of their information systems. In recent years, attacks on these systems have grown in size and sophistication, with the Department of Defense (DOD) now suffering more than 5,000 attacks a day on its servers.[1]

Security breaches have plagued nearly every agency, whether through malicious code, stolen data, or compromised IDs and passwords. The government is now fighting back with a renewed focus on cyber security and access control. Chief among these tasks is the move towards a Public Key Infrastructure (PKI) for application and network security. Unlike traditional security models that rely on usernames and passwords, PKI is based on digital certificates, issued by a Certificate Authority, that bind a user's public key to their identity and credentials; the matching private key never leaves the user's token.

Major advantages of PKI include:

Centralized X.509 certification – Specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm across government agencies.
Elimination of username and password management – Cryptographic public keys preclude problems associated with forgotten or shared login credentials.
Revocation of compromised certificates – Certificate Authorities (CA) help agencies to immediately identify and revoke compromised or invalid certificates.

As PKI has matured, so has the application of digital identification cards, known […]

Does Data Quality Influence Government eCommerce Sales?

The simple answer is, “absolutely.”

eCommerce data quality relates to both invalid data and incomplete data. Potential customers may find it difficult to recognize what they're buying without an image or thorough description. Data analysis on the DOD EMALL shows that vendors providing robust data descriptions and product images sell much higher volumes than vendors providing minimal data. Not surprisingly, the absence of a product image is the most common catalog characteristic affecting sales.

Partnet engineers are working to improve master data verification and ensure the most complete, accurate data is available to DOD EMALL customers.  In addition, Partnet’s distributed architecture and vendor management system allows vendors to maintain and update their own product data through real-time connections, which has proven to be a faster, more efficient model than caching data with a third-party host.

Good data is also portable–that is, standardized in a way that makes it consumable to external applications and systems. Toward this end, Partnet is working to improve the quality and portability of data on the DOD EMALL, in accordance with Electronic Commerce Code Management Association (ECCMA) guidelines and ISO 8000-110:2009.

Robust data can’t be achieved overnight–it requires a sustained process and thorough commitment to data integrity. Enterprises willing to make that commitment, however, will find it translates into increased sales and satisfied customers.
