GCN : June 2014
CYBEREYE

Federated identity can ease authentication

BY WILLIAM JACKSON

The Heartbleed vulnerability, which can leak sensitive data from supposedly secure Web connections, exposes the limits of using one-off credentials that must be authenticated separately for each transaction. Attack surfaces are greatly expanded when personally identifiable information (PII) is maintained by every agency and Web site offering online services.

"The idea that the user must have information everywhere is a bad idea," said Andre Boysen, executive vice president for marketing at SecureKey.

Having a single credential that can be authenticated by a trusted authority and accepted by multiple users can reduce the attack surface by maintaining PII at a single point. It also helps relieve the burden of managing credentials and identities.

This idea of federated identity is not new. Banks, merchants and credit card companies have been using a form of it for years. And online merchants do not have to worry about who you are as long as a credit card company vouches for the card.

It is not a risk-free system, but the risk is managed. Credit card numbers are sometimes exposed, but the exposure is considerably less than if every merchant had to maintain PII for every customer. When a breach occurs, users have to change one credit card, not one for every merchant visited.

Why can't government online authentication be this simple? "It is heading that way," Boysen said.

Canada implemented a Federated Identity Management program to leverage interoperable security credentials several years ago. In the United States, the Postal Service is preparing to roll out the Federal Cloud Credential Exchange (FCCX), a federated identity management hub that will let agencies accept online credentials issued by trusted third parties. The system is part of the National Strategy for Trusted Identities in Cyberspace.

Personal information and the identity of the original issuer of the credentials will be hidden from the FCCX hub, and log-in information will not be shared or compared between agencies. But the agency will know what it needs to know: You are who you say you are.

It should be noted that SecureKey is not exactly an impartial observer in this issue. The company has contracts with both Canada and USPS to provide a cloud-based platform for authenticating digital credentials. But this does not change the fact that a federated system offers a way to improve both security and privacy at a time when attacks on online activities are growing.

Government stands to benefit greatly from federated identity schemes. Unlike banks, agencies tend to have relatively few transactions with each individual, which raises the overhead of authenticating each user that logs on.

"Basically, every transaction is a re-enrollment," Boysen said. This is frustrating to the user, expensive for the agency, and each agency also must manage and secure its own database of PII. Offloading authentication to a central hub eliminates the need to hold and protect that extra data.

No scheme will provide absolute security or completely transparent authentication. But federation and an interoperable system of trust can help. With such a system in place, agencies won't have to worry if PII is leaking from their sites, and users would be able to whittle down the number of passwords and other credentials to be replaced when something does go wrong.

HSPD-12 AT 10 YEARS: STILL A LONG WAY TO GO

In August of 2004, President Bush mandated the creation and adoption of an interoperable smart ID card to be used by all executive branch workers and contractors both for physical and logical access. Homeland Security Presidential Directive 12 now is almost 10 years old, and millions of Personal Identity Verification (PIV) cards have been issued.

Few of them are being fully taken advantage of, however. According to White House figures, six of 23 civilian agencies covered by HSPD-12 had issued PIV cards to 100 percent of their workers as of March 2013. Most of the other agencies had at least 80 percent coverage.

But hanging the cards around the necks of workers is one thing; using them to log onto IT systems is another. According to the latest progress report on Cross Agency Priority Goals, only one in five civilian agency workers was required to use PIV cards for authentication when logging on to government IT systems at the end of fiscal year 2013.

That is a significant increase from FY 2010, when just 1.24 percent of workers were using PIVs to log on, but the report notes there is "cause for concern." Despite the progress, "the outcome that is most likely to be observed" in achieving a passing mark for PIV implementation in 2014 "stands at zero."

-- William Jackson