By Jonathan Barrett, on September 2nd, 2010
What’s better: having a lock on your door, or having a lock on your door AND a guy standing there making sure it’s you unlocking the door?
Obviously, the more security you have the better, which is why more Government eCommerce systems are moving towards PKI. So, what does PKI mean? The acronym stands for Public Key Infrastructure and it refers to the use of hardware and software-based “keys”, or certificates, to verify a user’s identity and credentials online.
In order to get a key/certificate, you need to contact a Certificate Authority (CA). There are several CAs available, but the Defense Logistics Agency only recognizes Verisign, Identrust, and ORC as approved CAs on DOD EMALL. And when it comes to establishing user identity, CAs don’t take the process lightly. Getting a certificate issued generally requires paperwork, several forms of identification, a notary signature, and on occasion, an in-person visit.
After your identity is verified, the certificate is issued in one of two ways:
1) A software-based certificate installed directly to the user’s computer.
2) A portable, hardware-based certificate that the user physically carries with them (often in the form of a smart card or USB stick).
These certificates also include a user-associated PIN. This is called two-factor authentication, and is why PKI is significantly more secure than the traditional username/password model. It’s more than just what you know (i.e., a password); it’s what you have and what you know.
So, now that you have a certificate, what can you do?
Some sites, such as the DOD EMALL, require users to present a certificate for accessing and using the site. Additionally, certificates enable users to send digitally-signed emails that provide proof of data integrity and origin, while also enabling receipt of encrypted email.
Users can also restrict access to their computers and other devices by requiring a PKI certificate.
So what happens if you lose your certificate? That’s where the CA comes back in. CAs maintain Certificate Revocation Lists (CRLs) that track the revocation status of all issued certificates. So every time a hardware or software-based certificate is presented, its status is validated against the associated CRL. This prevents lost or compromised certificates from being used for unauthorized access.
Just like changing the lock on your door. Makes you wish more things used two-factor authentication, right?
By Debra Fryar, on August 17th, 2010
The Performance Based Logistics 2010 Conference was held last week in Arlington, VA. It made me think about how much defense logistics has changed over the last ten years.
Performance Based Logistics (PBL) goes beyond traditional acquisition of contractor goods and services. PBL guarantees contractor performance and system capability based on declared performance-based agreements between the Department of Defense (DOD) and the contractor.
Before PBL, defense contractors simply provided a product or service. A contractor would develop a weapons system, for instance, and DOD would subsequently assume complete responsibility for its storage and maintenance.
DOD advocated PBL in the 2001 Quadrennial Defense Review and called for the evaluation of a PBL approach for all new acquisition programs and systems.
As a result, a defense contractor awarded a PBL contract for aviation services, for instance, is required to provide more than just an aircraft, but all the services, support, and maintenance required to keep that aircraft mission-ready for a specified period of time.
In many cases, however, DLA’s bulk purchasing capability allows it to acquire common repair parts at a lower cost than individual PBL contractors.
With the advent of PBL support contracts, DOD needed a way to allow defense contractors to purchase parts from DLA under PBL contracts. The easiest way to support this capability was to enable PBL contractors with access to DOD EMALL. Using DOD EMALL, contractors can purchase repair parts directly from the DLA and at lower cost to the government.
Today, Lockheed Martin, Boeing, Honeywell, and dozens of other defense contractors are participating in this DLA program.
As the primary developer of the DOD EMALL, Partnet is pleased to support this innovative strategic sourcing initiative.
By Cameron Morris, on August 5th, 2010

This picture by Dustin Sacks shows the extreme measures one can take to feel secure. It’s amusing that only one of the hundred or so locks actually anchors the bike to the bike rack. Government web pages need to be secure, but currently there are many, many different security practices—so many that it can be overwhelming. Some are more important, while others are just cosmetic and provide only a false sense of security. Some are not needed and may actually open the door to more attacks. Over-zealousness may result in a situation like the bike pictured above.
Low Hanging Fruit
Why climb up the tree for an apple if you can reach the apple from the ground? Removing the low hanging fruit for hackers needs to be first priority. The OWASP Top 10 Risks represents the current low-hanging fruit. If these risks are ignored, your site will be the first to get hacked. For a development team the CWE/SANS Top 25 Most Dangerous Software Errors are more valuable and instructive.

Regular training has helped Partnet uncover and resolve vulnerabilities in DOD EMALL that were thought to be secure. It has helped DOD EMALL stay ahead. Because of training with the OWASP Top Ten, Partnet added protection against CSRF attacks nearly a year before these protections were required by the Application Development and Security STIG in May.
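The CSRF protection mentioned above is usually implemented with the synchronizer-token pattern: the server stores an unpredictable token in the user’s session, embeds it in every form it renders, and rejects any state-changing request that does not carry it back. The following is an added illustration in Python, not Partnet’s or DOD EMALL’s code; the in-memory `SESSIONS` store, the `csrf_token` field name, and the request shape are assumptions standing in for a real web framework.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
# A real application would use its server-side session mechanism.
SESSIONS = {}

TOKEN_KEY = "csrf_token"  # hidden form field name (assumed)


def new_session():
    """Create a session and give it a fresh, unpredictable CSRF token."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {TOKEN_KEY: secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id):
    """Token the server embeds in its own forms (hidden field) for this session."""
    return SESSIONS[session_id][TOKEN_KEY]


def is_state_changing(method):
    """Safe methods (GET/HEAD/OPTIONS) must not change state, so they carry no token."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def check_csrf(session_id, method, form_fields):
    """Return True if a state-changing request carries the session's own token.

    A forged cross-site request can make the victim's browser send the
    session cookie automatically, but it cannot read the token out of a page
    in the victim's session, so it cannot supply a matching hidden field.
    """
    if not is_state_changing(method):
        return True
    session = SESSIONS.get(session_id)
    if session is None:
        return False  # unknown session: fail closed
    submitted = form_fields.get(TOKEN_KEY, "")
    # Constant-time comparison so timing does not leak the token byte by byte.
    return hmac.compare_digest(session[TOKEN_KEY], submitted)


if __name__ == "__main__":
    sid = new_session()
    token = csrf_token_for(sid)
    print("valid POST accepted:", check_csrf(sid, "POST", {TOKEN_KEY: token}))
    print("POST without token accepted:", check_csrf(sid, "POST", {}))
```

Two details matter in practice: the token must come from a cryptographically secure generator (`secrets`, not `random`), and the comparison must be constant-time, which is why `hmac.compare_digest` is used instead of `==`.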
Adding Depth

A government website cannot be content with simply removing the low-hanging fruit. But with so many security activities, it’s hard to know what to focus on next. For adding depth, the OpenSAMM (Software Assurance Maturity Model) project from OWASP provides that guidance. It organizes many of the best security practices into a maturity model: 12 general security practices grouped into four business functions, Governance, Construction, Verification, and Deployment.
The general security practices help ensure you have all the bases covered. Each practice has four levels of maturity. These levels can be thought of as bang for the buck levels. Implement level one activities before level two, as these will give you more bang for the buck. These levels of maturity help an organization answer the question, “how secure do we want to be?”
OpenSAMM offers road-maps to help you answer that question. It includes road-maps for four different types of businesses: web applications, traditional shrink-wrap software, financial services, and government services.
Partnet uses OpenSAMM as a measuring stick when considering new security activities, helping us put first-things first, and giving DOD EMALL the most security bang for the buck. We highly encourage using OWASP resources when building a Government eCommerce web application.
By Debra Fryar, on July 20th, 2010
I was asked the question earlier: “How is the DOD EMALL important other than as a sales tool?”
Apparently, the question took some people by surprise, but not me. The DOD EMALL provides several acquisition services that extend beyond traditional eCommerce (though that is certainly a big part of it).
Here are my top eight reasons why DOD EMALL works for government:
1. Saves money. Buying online is inherently cheaper than going to a store or writing a contract for each purchase.
2. Global access – 24/7. DOD EMALL provides a single point of access for users around the world, and around the clock. This allows shoppers and vendors to work on their own schedules, regardless of time or location.
3. Innovation platform. For years, DOD EMALL has been a launching pad for several new IT-acquisition practices and applications — resulting in a number of firsts for the Department of Defense:
- Establishment of unique Service-acquisition rules like the Army JWOD/AbilityOne and the Army discount policy.
- Strategic sourcing of office supply contracts — started by the Army, but now implemented for all the Services.
4. DLA enhancements. DOD EMALL has opened up access to the Defense Logistics Agency’s managed items for Performance Based Logistics (PBL) contractors and state governments.
5. NAVFAC base services. For over ten years, the Naval Facilities Command has used the DOD EMALL to support base-services contracts on Navy and Marine bases worldwide.
6. Government-wide Acquisition Contracts. DOD EMALL allows Military Services to grant and gain access to GWAC contracts from other federal agencies, enabling strategic sourcing across the Department of Defense.
7. Data quality. DOD EMALL regularly provides Level III credit card data to several Service systems, and soon the Federal Procurement Data System – Next Generation (FPDS-NG) as well.
8. Self-service. DOD EMALL provides a number of self-service tools for its logistics customers.
- Order-status tracking support for all DLA-managed items
- Supportability Analysis and Stock Out Reports (SA-SOR), which allow logistics planners to research and support critical weapons-system items.
- Specialized functionality for Critical Item Lists, Critical Readiness Drivers, and Priority Requisition Lists (CIL/CRD/PRL).
Over the last ten years, DOD EMALL’s sales volume has grown from virtually nothing to nearly $1 billion annually. Though only a fraction of DOD’s overall annual spending, it is clear that DOD EMALL — and Government eCommerce, in general — has proven itself a valuable acquisition tool in ways that extend beyond dollars and cents, while moving the DOD forward into the digital era.
By Debra Fryar, on July 12th, 2010
Last week, Matt Langan of Appian had an excellent post on the emerging use of Business Process Management (BPM) software in the government acquisition process. He stated that, “we are seeing government embrace Business Process Management (BPM) acquisition solutions (versus COTS) in order to gain process transparency, react quickly to change and improve process efficiency; thereby allowing federal purchasing organizations to successfully enhance the entire procurement lifecycle.”
BPM software can guide government acquisition officers through the complex rules of government procurement — saving time and reducing administrative overhead and paperwork. Each agency develops unique workflow and business-rule requirements, which in turn, are addressed by the application software.
With over 15 years of industry experience, Partnet understands the complexity of the business rules surrounding government acquisition, but also recognizes problems associated with implementing standard BPM applications.
Partnet’s BPM solution is a flexible and easy-to-use business-rules framework and workflow engine that directly addresses problems found in other BPM solutions. Quartz BPM uses simple, UI-based wizards that allow any end user to design and optimize business rules and workflow for approvals, registrations, permissions, and more. These wizards help non-developers easily identify application trigger points, data entities, users, and other critical process elements. The Quartz BPM interface also generates graphical workflow representations that allow users to see their processes as they’re defined.
In other words, Quartz BPM helps align and continuously improve government and commercial business processes.
By Robert Lockard, on July 8th, 2010
Accuracy is an essential ingredient in supply chain management. Without it, managers have a more difficult time making the right decisions for their organizations.
There are three main ways organizations can improve the accuracy of their supply chain system. First, use barcodes and scanners. Second, use inventory management software to organize the data. Third, automatically update the accounting database at the same time as the inventory database.
1. Using Barcodes and Scanners
With the help of barcode software and portable scanners, organizations can easily keep track of their inventory levels, place orders and accurately assess their ever-changing inventory needs.
When new products arrive, workers can scan them in and instantly update their inventory database. This saves time and reduces the risk of errors creeping into orders and inventories. If employees have to type product numbers and quantities into a computer by hand, they are more likely to make errors than if they scan product barcodes.
2. Using Inventory Management Software
Barcodes and scanners are great tools, but unless they have an organized place to put their information, they are useless. Inventory management software helps companies stay up to date on their inventory situation. An electronic inventory database can be instantly updated via barcode scanners so that at any given time managers know how many products they have and how many they need.
Inventory management software is also a good tool for estimating future inventory needs. Based on past sale cycles and changes in consumer demand, the software can help managers order more or less of certain products to maintain a balance between being overstocked and out of stock.
3. Updating Accounting and Inventory Databases
If managers have to enter the same information into multiple databases, they have a higher chance of making a mistake along the way. However, if inventory management software automatically updates a company’s accounting software, this problem is solved.
Combining inventory management and accounting databases benefits organizations by increasing their accuracy and making sure they know how much cash is receivable, payable and in the bank, even with their changing inventory levels.
The importance of accuracy in inventory management can’t be overstated. By using barcode scanners, uploading data to inventory management software and combining accounting and inventory databases, organizations can improve their chances of having correct information to make decisions with.
Robert Lockard is a copywriter for Fishbowl Inventory.
By Debra Fryar, on June 28th, 2010
Last fall, Ronald Inman of Naval Facilities Engineering Command (NAVFAC) Public Affairs reported that the NAVFAC Far East command generated a total of 3,367 orders and approximately $13.8 million in sales on DOD EMALL in fiscal year 2009 — more than any other NAVFAC command.
The DOD EMALL is a web-based Government eCommerce site enabling authorized military and government customers to search for and order products and services from a global community of government and commercial vendors. Operated on behalf of the Defense Logistics Agency, the DOD EMALL contains over 2,000 commercial catalogs offering nearly 70 million items.
NAVFAC Far East is based in Yokosuka, Japan — nearly halfway around the globe from the DOD EMALL’s home in Ogden, UT. Partnet keeps the DOD EMALL applications running smoothly — 24 x 7, 365 days a year. Over the last year, Partnet maintained system uptime at 99.75%. Without high system availability, NAVFAC would have been relegated to slower, less efficient forms of procurement.
By Robert Lockard, on June 16th, 2010
When it comes to organizations’ finances, some years are better than others. It’s no secret that for many in the private and public sectors, the last few years have been on the lean side.
It requires creativity for a company or government department to tighten its belt without cutting its services or quality. With fewer goods being sold, companies earn less money and the government takes in less in sales and payroll taxes.
How can these organizations effectively cut costs and maintain their overall strength? One way is with inventory management software. Inventory management software is an automated system for keeping track of inventory levels, product shipping and sales.
Two typical inventory-management problems that can hurt organizations’ financial health are having too much or too little inventory. Many times, a company or government department purchases products or parts in bulk to ensure they have enough on hand to meet demand the moment an order comes through. They also may think the discount they get by buying a large number of products or parts will offset any potential risks.
However, this strategy leaves them vulnerable to product spoilage and obsolescence. An overstock of products or parts also prevents the capital that was spent on them from being used in more productive ways. Organizations have a finite amount of capital to work with, so it’s important that they spend their money as effectively as possible.
Being understocked on products is what most organizations try to avoid. Not having enough inventory on hand causes manufacturing delays, and it can drive customers away.
To find a balance between an overstock and an understock of products, many groups turn to inventory management software. Using barcode scanners to receive, track and sell products, organizations can know how much inventory they have at any given time. They can also accurately predict different times of year when they will need more or less inventory and automatically order more products when they reach a certain low level.
Even when the economy recovers, companies and government departments can continue to take advantage of inventory management software’s cost-cutting solutions.
Robert Lockard is a copywriter for Fishbowl Inventory.
By Terryl Benson, on June 15th, 2010
This final part of our series on PKI security in large scale web applications looks at how eValidate was able to accommodate the unique, high performance demands of the DOD EMALL.
Powered by Partnet eValidate, DOD EMALL is now fully CAC-enabled, and public key access is configured for all Federal Bridge customers. This was accomplished with zero impact to system performance and availability, and in accordance with the strict DOD operating standards.
eValidate’s internal CRL application was implemented to validate regular DOD Common Access Cards. The application automatically retrieves, compiles, and indexes CRLs from a host of trusted CAs into a dedicated file system within the DOD EMALL login module. The file system is available throughout the load-balanced cluster, allowing user CACs to be checked against the indexed file system from any node within the system. eValidate’s internal server-side CRL application provides virtually seamless login and certificate-revocation processing — transparent to users and without impact to system performance and availability.
While an efficient certificate revocation method for regular DOD users, the internal CRL application was not a practical solution for validating the external certificates (i.e., VeriSign, IdenTrust, etc.) used by DOD’s Federal and commercial partners. Instead, eValidate’s OCSP web service was enabled for these user groups.
Using standard HTTP, the login module transmits an encoded OCSP query to a corresponding OCSP responder for each external public key presented (i.e., LincPass, HSPD-12 cards). The OCSP responder checks the public key’s digital certificate and returns the revocation status to DOD EMALL in real time. The Federal Bridge user is then granted or denied access, as appropriate.
Too many simultaneous OCSP queries can undermine network performance, however, which is why Partnet configured this solution for Federal Bridge users — representing only a small fraction of the DOD EMALL user base. As use of PKI broadens and more external partners are brought into DOD EMALL’s user base, eValidate’s OCSP implementation can be scaled using client-side plug-ins (e.g., Tumbleweed) already approved by the Joint Interoperability Test Command (JITC), or by locally caching certificate-revocation data.
Partnet eValidate can be applied to any large-scale system using a load-balanced, clustered architecture. eValidate is also highly configurable to meet the unique system requirements and operating conditions of diverse applications and network environments.
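The two revocation paths described in this post (a locally indexed CRL store for certificates from CAs whose lists the server pre-fetches, and a cached OCSP lookup for everyone else) can be sketched as a small decision routine; the same logic is what the earlier post on PKI means when it says a presented certificate is “validated against the associated CRL”. The following Python is an added illustration, not eValidate’s code. The CRLs, issuer names, and serial numbers are constructed, the index is an in-memory dictionary standing in for the dedicated file system, and the OCSP responder is a callable you supply rather than a real HTTP exchange. Two caveats a practitioner would want are included: a CRL past its nextUpdate is treated as unknown rather than trusted, and any status other than an explicit “good” denies access.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    issuer: str   # distinguished name of the issuing CA
    serial: int   # serial number, unique per issuer


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


# Issuers whose CRLs the server retrieves and indexes itself (constructed
# names, not real DOD CAs). Certificates from any other issuer go to OCSP.
INTERNAL_ISSUERS = {"CN=EXAMPLE DOD CA-1", "CN=EXAMPLE DOD CA-2"}


class CrlIndex:
    """In-memory stand-in for the indexed CRL store shared across the cluster."""

    def __init__(self):
        self._by_issuer = {}

    def load(self, crl):
        # Keep only the newest CRL per issuer; an older thisUpdate is ignored.
        current = self._by_issuer.get(crl.issuer)
        if current is None or crl.this_update > current.this_update:
            self._by_issuer[crl.issuer] = crl

    def status(self, cert, now):
        """'good', 'revoked', or 'unknown' (no CRL loaded, or CRL is stale)."""
        crl = self._by_issuer.get(cert.issuer)
        if crl is None or now > crl.next_update:
            return "unknown"
        return "revoked" if cert.serial in crl.revoked_serials else "good"


class OcspCache:
    """Remembers responder answers for a bounded time so that repeated logins
    by the same user do not each trigger a live query (the local-caching
    scaling option the post mentions)."""

    def __init__(self, responder, ttl):
        self._responder = responder  # callable(cert) -> 'good' | 'revoked'
        self._ttl = ttl
        self._entries = {}           # (issuer, serial) -> (status, expires_at)
        self.queries = 0             # live queries actually sent

    def status(self, cert, now):
        key = (cert.issuer, cert.serial)
        hit = self._entries.get(key)
        if hit is not None and now < hit[1]:
            return hit[0]
        self.queries += 1
        result = self._responder(cert)
        self._entries[key] = (result, now + self._ttl)
        return result


def decide_access(cert, crl_index, ocsp_cache, now):
    """Route by issuer, then fail closed: only an explicit 'good' grants access."""
    if cert.issuer in INTERNAL_ISSUERS:
        status = crl_index.status(cert, now)
    else:
        status = ocsp_cache.status(cert, now)
    return status == "good"


if __name__ == "__main__":
    now = datetime(2010, 6, 15, tzinfo=timezone.utc)
    index = CrlIndex()
    index.load(Crl("CN=EXAMPLE DOD CA-1", now - timedelta(days=1),
                   now + timedelta(days=1), frozenset({42})))
    cache = OcspCache(lambda c: "revoked" if c.serial == 7 else "good",
                      timedelta(minutes=10))
    print("CAC serial 1:", decide_access(Cert("CN=EXAMPLE DOD CA-1", 1), index, cache, now))
    print("CAC serial 42 (revoked):", decide_access(Cert("CN=EXAMPLE DOD CA-1", 42), index, cache, now))
    print("external serial 5:", decide_access(Cert("CN=EXAMPLE EXTERNAL CA", 5), index, cache, now))
```

The cache TTL is the knob that trades OCSP traffic against how quickly a freshly revoked external certificate stops working; a stale CRL, by contrast, is never silently accepted, because an out-of-date list says nothing about revocations made after its nextUpdate.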
As PKI continues to expand within federal, DOD, and commercial enterprises, the need for large-scale, high-volume web applications to balance the complex security/performance equation will become more acute. eValidate picks up where standard, commercial products fall short—providing optimized performance and networking, while ensuring the robust security environment that federal and DOD agencies depend on to meet their day-to-day needs and fulfill mission objectives.
Simply put, eValidate is the smart PKI-solution for the federal government.
By Terryl Benson, on June 9th, 2010
This part of our series on PKI security in large scale web applications examines the challenge the DOD EMALL faced in implementing PKI.
DOD EMALL is the largest eCommerce site operating within the US Government. It is a highly-available system that employs best-in-class practices and utilizes a variety of sophisticated networking and systems hardware, alongside software based clustering to enable redundancy, scaling, and load balancing.
Around the globe, DOD EMALL provides a single-entry point for more than 30,000 registered users to search and purchase from a virtual catalog of over 66 million items.
Within the Department of Defense, system performance and IT security have long been at odds. Large-scale web applications must efficiently deliver products, services, and information to end users, while at the same time, restricting unauthorized access. Faced with this dilemma, the Defense Logistics Agency (DLA) turned to Partnet for a PKI security solution for the DOD EMALL.
Background
The Federal Bridge Certificate Authority (FBCA) was established to help federal agencies better share information and resources through a more secure, interoperable PKI framework. The Federal Bridge enables department-issued public keys to be cross-certified and accepted throughout the community. The following diagram helps illustrate the FBCA trust model.
[Diagram: FBCA trust model. Source: DISA]
In response to the FBCA, the DOD developed Instruction 8520.2, mandating a Department-wide PKI policy to enhance security through authentication, digital signatures, and encryption. The first line of defense was the Common Access Card (CAC) — a smart card provided to DOD service members, civilians, and contractors in order to access restricted systems, networks, and facilities.
The CAC — a hard-token public key — carries a non-replicable digital certificate providing:
- Data integrity and confidentiality
- User identification and authentication
- User non-repudiation
The Challenge
Like every other DOD agency, the DOD EMALL Program Office was directed to provide DOD users access through the CAC, but because DOD EMALL also served a broad user base of federal agencies and commercial suppliers, the Program Office was faced with a new PKI challenge. DOD EMALL needed a way to verify access both through the CAC and other FBCA-approved public keys.
Faced with the high-performance security demands of its global user base, the DLA selected Partnet eValidate as the solution best able to meet this unique challenge.
The next and final installment of our PKI series examines how Partnet solved this complex PKI challenge and successfully bridged the gap between the DOD and Federal Bridge users on DOD EMALL.