GCN : October 2012
CASE STUDY

DOE is using a cloud-based appliance to handle encryption of unclassified e-mail, but the solution is not for everybody

The Energy Department is adopting a cloud-based appliance to handle encryption of unclassified e-mail, taking the processing of encryption off the desktop and easing the department's burden of handling digital certificates. But, "it's not a good solution for everybody," said Michele J. Thomas, the Energy Department's PKI program manager.

As with any other tool, there are tradeoffs, the first of which is the cost of acquiring and maintaining the appliance. "Some agencies might not have the resources to do it," she said. "That can be a substantial consideration, with budget cuts."

DOE is using the Entelligence Messaging Server from Entrust, an appliance that sits with the e-mail server and encrypts outgoing e-mail at the edge of the enterprise, whether it is being sent from a desktop or from a mobile device in the field. Thomas called the adoption of EMS a cost-effective alternative to DOE managing its own digital certificates. But she said a department or agency must have a bona fide business case for bringing a new piece of equipment into the enterprise.

The evolution of the Personal Identity Verification card, which carries digital certificates for authentication, encryption and digital signing, along with infrastructures such as the Federal PKI Bridge that can leverage trusted certificates from other organizations, can make it easier to enable secure communications without a boundary encryption tool. But neither of these is fully mature. The move away from static desktops to a more mobile environment in which workers use personal devices to access resources can muddle the picture, making a new appliance a more attractive alternative.

-- William Jackson

[Main article, continued from the previous page]

... the Common Access Card -- is to provide a standard system for identity and access management for both logical and physical resources. But the card is not yet ready to support all of the department's needs.

To enable secure communications, "we use a combination of certificates on the PIV card and soft certs on the end devices," Thomas said. Although the cards have been issued and the standards and specifications for using them are in place, implementing them in the real world is complicated by legacy technology that remains in place longer than expected and by emerging technologies that are adopted more quickly than anticipated.

At the front end, "there are still a ton of one-time tokens sitting around government" that are being used for authentication, said Bill Conner, Entrust president and CEO. They still work and are unlikely to be replaced with new schemes until the systems supporting them are upgraded.

On the back end, applications also have to be enabled to use PIV credentials for authentication and authorization. "There are a lot of legacy systems out there" that have not been upgraded, said Isadore Schoen, Entrust's vice president of federal services. "Many agencies are not in a hurry to replace them."

PIV cards require smart-card readers for authentication and access control. Readers are being put into use on desktop computers and laptops in the government workplace, but they are less likely to be found on home PCs used for remote access and are comparatively rare on mobile devices such as BlackBerrys, iPhones, Android phones and others that are being used for e-mail and other tasks. "The cost of the reader is pretty high," Conner said. "You've got to overcome that bottleneck."

Until the bottleneck is overcome, there are ways around it. The National Institute of Standards and Technology is updating Federal Information Processing Standard 201, which contains the PIV card specifications. Proposed changes allow the use of electronic credentials derived from PIV cards in a variety of form factors for use with mobile devices, although the PIV card itself would continue to be in the smart-card format.

Putting derived electronic credentials on the devices allows them to be used for VPNs and other connections that can establish secure links with the agency enterprise. Once inside the enterprise, tools such as Entrust's EMS can encrypt communications throughout the enterprise and with other organizations.

VIRTUAL CERTIFICATES

Adoption of virtual certificates, along with technologies such as Near Field Communication to exchange the certificates, is coming slowly in North America, and even more slowly in government, said Entrust's Conner. "We're seeing more of it in the private side rather than in the public side." But he sees the adoption as inevitable and says it will help to drive down both the cost of and the need for hardware readers for PIV cards.

Whatever means are used to log onto a government system, the EMS appliance is "becoming very popular with our federal customers," Schoen said.

The EMS appliance can sit in the agency network or in a cloud and is transparent to the sender. It supports a variety of delivery options, including S/MIME, OpenPGP, Adobe PDF and secure webmail standards, with a variety of encryption algorithms. An important feature for government users is the ability to content-scan outbound e-mail that is to be encrypted, either in the EMS appliance itself or through third-party scanners. Encryption performed on the desktop can let outbound e-mail pass the boundary without being scanned, creating a hole in data security. "That made a lot of agencies nervous," Schoen said. Because the appliance handles the encryption, it can also decrypt e-mail for scanning, and for archiving in the clear if needed.

Although DOE began using EMS boundary encryption more than a year ago, it has not yet been adopted throughout the department. To date, four national labs and headquarters are using it, Thomas said. "We have some others that are considering it."

The PIV card is a key component of the Federal CIO Council's Identity, Credential and Access Management framework. And although the basic elements of a standards-based system are in place, the technology is still evolving and not yet ready for blanket implementation for all types of access and use of digital certificates, Thomas said. "The PIV card needs to mature before it can be used for these things," she said. "We are all in transition on this."
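The scanning gap Schoen describes, as an added example (this is not Entrust's EMS code or DOE's configuration): a minimal policy check a boundary gateway could run on each outbound message. It quarantines mail the sender already encrypted on the desktop (S/MIME enveloped-data, PGP/MIME or inline PGP armor, none of which the gateway can read), scans cleartext against a hypothetical sensitive-data pattern, and otherwise releases the message to be encrypted at the boundary. The sample messages, the SSN regex and the decision labels are constructed for the example; real EMS policy and DLP rules are out of scope here.

```python
"""Outbound e-mail policy check for a boundary-encryption gateway.

Added example, not Entrust EMS or DOE code. It models the scanning gap in the
article: mail encrypted on the desktop reaches the gateway as ciphertext and
cannot be content-scanned; mail to be encrypted at the boundary can be scanned
in the clear first. Samples, the DLP pattern and labels are constructed.
"""
import re
from email import message_from_string
from email.message import Message

# Hypothetical DLP rule: a US-SSN-shaped number in cleartext (constructed).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

QUARANTINE = "quarantine"  # already encrypted; the gateway cannot scan it
BLOCK = "block"            # scanned in the clear, sensitive data found
ENCRYPT = "encrypt"        # scanned clean; the gateway encrypts at the boundary


def cleartext_body(msg: Message) -> str:
    """Concatenate every text/plain part the gateway can actually read."""
    chunks = []
    for part in msg.walk():  # a single-part message yields itself
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def is_pre_encrypted(msg: Message) -> bool:
    """True if the sender encrypted end to end before the gateway saw the message."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # S/MIME (RFC 8551): smime-type=enveloped-data is encrypted CMS. Opaque
        # signed-data is not encrypted but still needs unwrapping before a scan;
        # that case is left out of this example.
        return str(msg.get_param("smime-type", "")).lower() == "enveloped-data"
    if ctype == "multipart/encrypted":
        return True  # PGP/MIME (RFC 3156) or any other multipart/encrypted
    # Inline PGP armor pasted into a text/plain body.
    return "-----BEGIN PGP MESSAGE-----" in cleartext_body(msg)


def gateway_decision(raw_message: str):
    """Return (decision, detail) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    if is_pre_encrypted(msg):
        return QUARANTINE, "encrypted before the boundary; content cannot be scanned"
    hits = SSN_RE.findall(cleartext_body(msg))
    if hits:
        return BLOCK, f"{len(hits)} sensitive token(s) found in cleartext"
    return ENCRYPT, "scanned clean; encrypt at the boundary"


# Constructed sample messages (addresses and content are invented).
CLEAR_WITH_SSN = """From: analyst@doe.example
Content-Type: text/plain; charset=us-ascii

Please renew the badge for SSN 123-45-6789 before Friday.
"""

CLEAR_OK = """From: analyst@doe.example
Content-Type: text/plain; charset=us-ascii

Can we move the PKI review to 2 p.m.?
"""

# Desktop S/MIME: only a CMS blob reaches the gateway (base64 is a placeholder).
SMIME_ENVELOPED = """From: analyst@doe.example
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

AAECAwQFBgcICQ==
"""

# Desktop PGP/MIME, RFC 3156 layout (armor body is a placeholder).
PGP_MIME = """From: analyst@doe.example
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder
-----END PGP MESSAGE-----
--b1--
"""

if __name__ == "__main__":
    for name, raw in [("clear+ssn", CLEAR_WITH_SSN), ("clear", CLEAR_OK),
                      ("smime", SMIME_ENVELOPED), ("pgp/mime", PGP_MIME)]:
        print(f"{name:10} -> {gateway_decision(raw)}")
```

Running the block prints one decision per sample. The example treats only text/plain parts as scannable; HTML bodies, attachments and opaque-signed S/MIME (smime-type=signed-data, which must be unwrapped before scanning) would need further handling in a real gateway, and the quarantine branch is exactly where a boundary appliance that holds the keys could decrypt instead of dropping the message.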