NASA aims for the cloud
NASA and Google are enabling government employees to access networks more conveniently and securely using their agency-issued Personal Identity Verification (PIV) cards.
“NASA has been running a pilot with Google Apps for Government for more than a year,” says Tim Baldridge, former NASA ICAM Solutions Architect who presented the pilot at an Interagency Advisory Board meeting.
The pilot–open to 600 IT personnel at the agency–enables NASA users to connect to Google Apps for Government using their existing PIV smart card for access to networks and accounts.
Incorporating NASA’s user interface–NASA Access Launchpad–the initiative increases authentication security and convenience while taking advantage of the Federal ICAM architecture.
“The Launchpad is a customized front-end program that we’ve built around Oracle OpenSSO,” explains Baldridge. “The user interface is based on the four mechanisms in place: Windows Desktop single sign-on, username and password, RSA token and Level of Assurance 3/PIV.”
The pilot was configured with federal conformance requirements in mind. “Google Apps is a SAML 2.0 capable ‘software as a service’ offering,” says Baldridge. The Access Launchpad uses SAML 2.0 but, he notes, the version recently put into production supports OpenID as well.
NASA is considering OpenID for the future, but it is not part of the Google Apps pilot. Baldridge makes it clear that the pilot is not a final product. “We do not put any sensitive data up on the pilot,” explains Baldridge. “The pilot hasn’t gone through all the FISMA conformance, so everybody knows to treat this as low assurance.”
What does Google offer?
The NASA pilot is using four components–documents, sites, groups and contacts–of the Google Apps offering, explains Baldridge. Google Apps also features email and calendar support, though NASA has forgone these applications in favor of its own mail and calendar functions based on Microsoft Exchange.
The pilot accepts more than one kind of credential. The Access Launchpad logon screen will take a username and password, a smart card or an RSA token, says Baldridge.
Access to the service follows the standard service-provider-initiated SAML flow. The user goes to Google Apps, is redirected to NASA’s Launchpad token service, logs in there, and an assertion is generated based on that login, explains Baldridge. “The Launchpad also has an implementation that includes Windows desktop single sign-on,” he adds.
Because several forms of authentication are accepted, the assertion must convey not only who logged in but how.
Access Launchpad acts as the verifier and distinguishes among the authentication technologies used at login. “Whether we’re using a PIV card, PIV-I credential or a credential on a mobile device, we can verify it and make the assertion based on what we’ve verified,” says Baldridge.
The system can tell the difference between PIV-I and PIV, a mobile device or a USB-based device, says Baldridge. “The idea here is to remain extensible in the architecture where different kinds of form factors can be used according to their levels of assurance.”
The pilot, as expected, is a relatively stripped-down version of the proposed final product and operates only at Level of Assurance 2. For Baldridge, the takeaway is that employees can log in with either a one-time password or a PIV.
Simplicity is another key factor. The system lets an organization sync large rosters of identities with Google in a simple and efficient manner, says Baldridge; the credentials themselves stay with NASA.
“We can take all 96,000 identities at NASA and present them to Google Apps for access if they are authorized,” says Baldridge. “We simply go into Google Apps, provide a spreadsheet of identities for authorization and after literally five minutes of configuration, all these identities are accessible–through their PIV cards–to Google Apps.”
Speed and efficiency are key to any business model and Baldridge suggests that those interested in the bottom line should not discount the NASA/Google initiative. “Five minutes of configurations to turn your application on to 100,000 accounts, that’s a return on your investment,” says Baldridge. “You’re not redoing what you already did–provisioning and managing passwords.”
Cloud: the final frontier
The value of using PIV cards in NASA’s new system is that it brings a strong, already-issued credential to authentication in the cloud. “All we would need to do to lift up the level of assurance is for the application to say ‘I need an authentication context that is level two or level three,'” Baldridge says.
This may seem a simple explanation for a rather complex solution. However, the results, according to NASA and Baldridge, are substantial. “We can say that the cloud is PIV capable, that is the message–the public statement,” says Baldridge.
Using the system is simple as well. NASA has a SAML 2.0-conformant configuration in place for Max.gov, a commonly used government portal. “If you’re logged on to your NASA issued desktop, you can simply click the button without providing password or PIV–it is, in fact, the Windows desktop single sign-on of NASA Launchpad.”
Baldridge sees this as a convenience, especially when traveling. “When you travel, you don’t have to remember usernames and passwords.”
For all that NASA’s initiative with Google promises, Baldridge was sure to mention one caveat associated with the project. “The Federal SAML 2.0 single sign-on profile had an overly restrictive statement in it where (NIST Special Publication 800-63) actually says you have a secure channel or an encrypted assertion,” explains Baldridge. “But the profile only said encrypted assertion.”
“Google doesn’t encrypt the assertion, it only encrypts the channel,” explains Baldridge. “We were trying to fix that language but didn’t quite fix it right so we have another iteration to go through to get that right,” says Baldridge.
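The round trip described above (the user is redirected from Google Apps to the Launchpad, logs in with one of the four mechanisms, and the assertion records which one was verified), the application asking for a minimum authentication context, and the SP 800-63 rule that an assertion be either encrypted or carried over a protected channel, as one added example in Python. This is not NASA’s, Oracle’s or Google’s code. The issuer and audience names are hypothetical, the credential-to-LoA mapping is this example’s assumption (following the article’s “Level of Assurance 3/PIV”), Windows desktop SSO is treated as Kerberos, and XML-signature verification is assumed to have been done before the assertion is validated.

```python
"""Toy SAML 2.0 single sign-on round trip in the style of the NASA Access
Launchpad / Google Apps pilot. Added example; not NASA's, Oracle's or
Google's code. Issuer and audience names are hypothetical, the credential
-> LoA mapping is this example's assumption (following the article's
"Level of Assurance 3/PIV"), and XML signature handling is left out."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
ET.register_namespace("saml", NS)
IDP = "https://launchpad.example.nasa.gov"   # hypothetical Launchpad issuer
SP = "google.com/a/example.nasa.gov"         # hypothetical Google Apps audience
TS = "%Y-%m-%dT%H:%M:%SZ"

# Launchpad login mechanism -> OASIS SAML authn-context class -> LoA (assumed).
# The class URIs are genuine SAML 2.0 identifiers; treating desktop SSO as
# Kerberos is an assumption about the Windows integration.
CREDENTIALS = {
    "password":    (AC + "PasswordProtectedTransport", 2),
    "rsa_token":   (AC + "TimeSyncToken", 2),
    "desktop_sso": (AC + "Kerberos", 2),
    "piv":         (AC + "SmartcardPKI", 3),
}
LOA_BY_CONTEXT = {uri: loa for uri, loa in CREDENTIALS.values()}


def issue_assertion(subject, credential, audience, now, lifetime=timedelta(minutes=5)):
    """IdP side: after the Launchpad has verified `credential`, record which
    mechanism was used in AuthnContextClassRef. A real IdP also signs this."""
    ctx_uri, _ = CREDENTIALS[credential]
    a = ET.Element(f"{{{NS}}}Assertion", {"ID": "_" + uuid.uuid4().hex,
                                          "Version": "2.0", "IssueInstant": now.strftime(TS)})
    ET.SubElement(a, f"{{{NS}}}Issuer").text = IDP
    ET.SubElement(ET.SubElement(a, f"{{{NS}}}Subject"), f"{{{NS}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{NS}}}Conditions", {"NotBefore": now.strftime(TS),
                                                    "NotOnOrAfter": (now + lifetime).strftime(TS)})
    ET.SubElement(ET.SubElement(cond, f"{{{NS}}}AudienceRestriction"), f"{{{NS}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{NS}}}AuthnStatement", {"AuthnInstant": now.strftime(TS)})
    ET.SubElement(ET.SubElement(stmt, f"{{{NS}}}AuthnContext"), f"{{{NS}}}AuthnContextClassRef").text = ctx_uri
    return ET.tostring(a, encoding="unicode")


class AssertionRejected(Exception):
    pass


def validate_assertion(xml_text, audience, min_loa, channel_is_tls, now, skew=timedelta(minutes=2)):
    """SP side. Precondition: the XML-DSig signature was verified first (needs an
    xmlsec-based library; not shown). Returns (subject, loa) or raises."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}Assertion":
        raise AssertionRejected("expected a plaintext <Assertion>")
    # SP 800-63: the assertion must be encrypted OR travel over a protected channel.
    # Google's deployment does not encrypt assertions, so the TLS channel is what
    # satisfies the rule; a plaintext assertion on a bare HTTP binding fails it.
    if not channel_is_tls:
        raise AssertionRejected("unencrypted assertion received over an unprotected channel")
    if root.findtext(f"{{{NS}}}Issuer") != IDP:
        raise AssertionRejected("unexpected issuer")
    cond = root.find(f"{{{NS}}}Conditions")
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before - skew <= now < not_after + skew):
        raise AssertionRejected("assertion outside its validity window (replayed or stale)")
    if audience not in [e.text for e in cond.iter(f"{{{NS}}}Audience")]:
        raise AssertionRejected("assertion was issued for a different service")
    ctx_uri = root.findtext(f".//{{{NS}}}AuthnContextClassRef")
    loa = LOA_BY_CONTEXT.get(ctx_uri)
    if loa is None:
        raise AssertionRejected(f"unknown authentication context {ctx_uri!r}")
    if loa < min_loa:
        # "I need an authentication context that is level two or level three":
        # the SP sends the user back to the Launchpad to step up.
        raise AssertionRejected(f"login was LoA {loa}, service requires LoA {min_loa}: step-up needed")
    return root.findtext(f".//{{{NS}}}NameID"), loa


def login_outcome(subject, credential, min_loa, channel_is_tls=True, delay_seconds=0):
    """One SP-initiated round trip: the Launchpad verifies the credential and
    asserts; the SP evaluates the assertion `delay_seconds` later on the channel."""
    issued_at = datetime.now(timezone.utc)
    assertion = issue_assertion(subject, credential, SP, issued_at)
    try:
        name, loa = validate_assertion(assertion, SP, min_loa, channel_is_tls,
                                       issued_at + timedelta(seconds=delay_seconds))
        return ("accepted", name, loa)
    except AssertionRejected as why:
        return ("rejected", str(why))


if __name__ == "__main__":
    # Constructed scenarios: PIV at LoA 3, password at LoA 2, password against a
    # LoA 3 requirement, a non-TLS channel, and an assertion presented an hour late.
    for args in [("jdoe", "piv", 3), ("jdoe", "password", 2), ("jdoe", "password", 3),
                 ("jdoe", "rsa_token", 2, False), ("jdoe", "piv", 3, True, 3600)]:
        print(args, "->", login_outcome(*args))
```

The channel check is the practical consequence of the wording dispute: because Google does not encrypt the assertion, the relying party has only the TLS channel with which to satisfy the rule, so it must refuse anything that arrives on a non-TLS binding. The step-up rejection is what the application triggers when it declares that it needs a level-two or level-three context and the user arrived with a weaker login.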
It is a fine-print issue: the assertion is still protected in transit by the encrypted channel, and it does little to take away from the NASA and Google Apps initiative.
Using the cloud to provide secure and streamlined employee verification is a key step to enable access anytime, anywhere. Add the fact that it incorporates PIV credentials that are already in the hands of government employees and the solution’s value rises.