28 January, 2013
NASA aims for the cloud
Andrew Hudson, Contributing Editor, Avisian Publications
NASA and Google are enabling government employees to access networks more conveniently and securely using their agency-issued Personal Identity Verification (PIV) cards.
“NASA has been running a pilot with Google Apps for Government for more than a year,” says Tim Baldridge, former NASA ICAM Solutions Architect who presented the pilot at an Interagency Advisory Board meeting.
The pilot–open to 600 IT personnel at the agency–enables NASA users to connect to Google Apps for Government using their existing PIV smart card for access to networks and accounts.
Incorporating NASA’s user interface–NASA Access Launchpad–the initiative increases authentication security and convenience while taking advantage of the Federal ICAM architecture.
“The Launchpad is a customized front-end program that we’ve built around Oracle Open SSO,” explains Baldridge. “The user interface is based on the four mechanisms in place: Windows Desktop single sign on, username and password, RSA token and Level of Assurance 3/PIV.”
The pilot configuration is mindful of the stringent conformance demands that can sometimes befall verification initiatives. “Google Apps is a SAML 2.0 capable ‘software as a service’ offering,” says Baldridge. The Access Launchpad uses SAML 2.0 but, he notes, the version recently put into production supports OpenID as well.
OpenID is an interest for future consideration for NASA though not currently incorporated in the Google Apps pilot. Baldridge makes it clear that the pilot initiative is not a final product. “We do not put any sensitive data up on the pilot,” explains Baldridge. “The pilot hasn’t gone through all the FISMA conformance, so everybody knows to treat this as low assurance.”
What does Google offer?
The NASA pilot is using four components–documents, sites, groups and contacts–of the Google Apps offering, explains Baldridge. Google Apps also features email and calendar support though NASA has foregone these applications in favor of its own mail and calendar functions based on Microsoft Exchange.
The pilot enables verification on a number of levels. The Access Launchpad logon screen will accept username and password, smart card and RSA tokens as credentials, says Baldridge.
Access to the service is simple. The user goes to Google Apps, is given a redirect back to NASA’s Launchpad token service and based on the login, an assertion is generated, explains Baldridge. “The Launchpad also has an implementation that includes Windows desktop single sign on,” he adds.