This part of our series on PKI security in large-scale web applications examines the challenge the DOD EMALL faced in implementing PKI.
DOD EMALL is the largest eCommerce site operating within the US Government. It is a highly available system that employs best-in-class practices and utilizes a variety of sophisticated networking and systems hardware, alongside software-based clustering to enable redundancy, scaling, and load balancing.
Around the globe, DOD EMALL provides a single-entry point for more than 30,000 registered users to search and purchase from a virtual catalog of over 66 million items.
Within the Department of Defense, system performance and IT security have long been at odds. Large-scale web applications must efficiently deliver products, services, and information to end users, while at the same time, restricting unauthorized access. Faced with this dilemma, the Defense Logistics Agency (DLA) turned to Partnet for a PKI security solution for the DOD EMALL.
The Federal Bridge Certificate Authority (FBCA) was established to help federal agencies better share information and resources through a more secure, interoperable PKI framework. The Federal Bridge enables department-issued public keys to be cross-certified and accepted throughout the community. The following diagram helps illustrate the FBCA trust model.
In response to the FBCA, the DOD developed Instruction 8520.2, mandating a Department-wide PKI policy to enhance security through authentication, digital signatures, and encryption. The first line of defense was the Common Access Card (CAC) — a smart card provided to DOD service members, civilians, and contractors in order to access restricted systems, networks, and facilities.
The CAC—a hardware token holding the user's private key and certificate—carries a non-replicable digital certificate providing:
- Data integrity and confidentiality
- User identification and authentication
- User non-repudiation
Like every other DOD agency, the DOD EMALL Program Office was directed to provide DOD users access through the CAC, but because DOD EMALL also served a broad user base of federal agencies and commercial suppliers, the Program Office was faced with a new PKI challenge. DOD EMALL needed a way to verify access both through the CAC and through certificates chaining to other FBCA-approved public keys.
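The cross-certification model described above, and the relying-party problem it creates for a site that must accept both CAC and non-DOD certificates, can be seen in a small path-building model. This is an added illustration, not code from the original article or from Partnet; the CA names and the issuer/subject relationships are constructed, and the model checks trust topology only (real validation also verifies each signature, validity period, policy mapping and revocation status).

```python
from collections import deque

# Constructed toy model of the Federal Bridge trust model. Each entry maps a CA
# to the CAs whose certificates it has issued: subordinate CA certificates and
# cross-certificates alike. A cross-certificate is one CA asserting trust in
# another CA's key; bridge membership is usually mutual (both directions).
# Names are hypothetical; no real certificates or keys are involved.
CROSS_CERTS = {
    "DoD Root CA":        {"DoD Email CA", "Federal Bridge CA"},      # DoD <-> bridge
    "Federal Bridge CA":  {"DoD Root CA", "Agency X Root CA", "Commercial SSP CA"},
    "Agency X Root CA":   {"Agency X Issuing CA", "Federal Bridge CA"},  # Agency X <-> bridge
    "Commercial SSP CA":  set(),                                       # one-way: bridge -> SSP only
    "Unknown Vendor CA":  {"Unknown Vendor Issuing CA"},               # never cross-certified
}

# End-entity certificates: subject -> issuing CA (e.g. the identity cert on a CAC).
END_ENTITY_CERTS = {
    "alice@dod":    "DoD Email CA",
    "bob@agency-x": "Agency X Issuing CA",
    "carol@vendor": "Unknown Vendor Issuing CA",
}

def build_path(trust_anchor, subject, max_len=6):
    """Return the certification path from trust_anchor to subject, or None.

    Breadth-first search over issuer -> subject edges, so the first path found
    is the shortest; every extra CA in a path is another signature to verify
    and another revocation check, so relying parties prefer short paths."""
    issuer = END_ENTITY_CERTS.get(subject)
    if issuer is None:
        return None
    queue = deque([[trust_anchor]])
    seen = {trust_anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == issuer:
            return path + [subject]
        if len(path) >= max_len:          # bound path length, as a real validator would
            continue
        for nxt in sorted(CROSS_CERTS.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def accepts(relying_party_anchor, subject):
    """A relying party accepts a certificate only if a path leads to its own anchor."""
    return build_path(relying_party_anchor, subject) is not None
```

A DOD relying party reaches the Agency X user only through the bridge, and the un-bridged vendor certificate yields no path at all, which is the rejection the model is meant to make visible.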
Faced with the high-performance security demands of its global user base, the DLA selected Partnet eValidate as the solution best able to meet this unique challenge.
The next and final installment of our PKI series examines how Partnet solved this complex PKI challenge and successfully bridged the gap between the DOD and Federal Bridge users on DOD EMALL.