Apr 16 2013

The Challenge of Moving User Identities to the Cloud

A pilot initiative will test how best to use the cloud for user authentication.

After the White House’s National Strategy for Trusted Identities in Cyberspace (NSTIC) in 2011 gave agencies the impetus to use third-party credential providers to validate the identities of online users, IT administrators discovered that accomplishing this task was no easy feat.

“Accepting an external identity provider isn’t always as easy as it’s cracked up to be,” explains Naomi Lefkovitz, a senior privacy policy advisor for the National Institute of Standards and Technology (NIST), who notes that agencies have different platforms and different policies that may necessitate specialized programming in order to integrate with the various credential providers. “We realized that we needed to provide an easy button for them.”

That “easy button” is the Federal Cloud Credential Exchange (FCCX), a cloud-based hub that will act as a middleman between third-party credential providers and agencies.


of online users dislike being asked to register on a website, with 51 percent saying it’s because they dislike the prospect of having another username and password to keep track of.

Source: “2012 Online Registration and Password Study” (Janrain/Harris Interactive, August 2012)

In November, the FCCX Tiger Team — a White House–sponsored group that defines requirements for the initiative — chose the U.S. Postal Service’s Secure Digital Solutions group to implement a yearlong pilot version of FCCX.

The Postal Service, which has invested in identity management solutions over the years for various services, “will leverage its vast experience in information security and the unique legal and enforcement resources of the Postal Inspection Service, apply best practices in digital credentialing and collaborate with the private sector to develop the FCCX pilot,” says Randy Miskanic, vice president of secure digital solutions for USPS.

Although the specifics have yet to be determined, Lefkovitz says FCCX will rely on a common set of policies, technical protocols and transmission standards to allow the secure exchange of credential information among multiple organizations.

“The idea is that FCCX will manage all of the integration with the different providers,” Lefkovitz says, adding that agencies would need to integrate with the exchange just once for each application. “Then any credential, any protocol, no matter what level or via any protocol, would all come through FCCX and get translated into one easily consumable protocol for the agency. It’s the concept of ‘many pipes in, but just one pipe out’ to the agency.”

Privacy Concerns

A major concern about FCCX is that it could be used for data aggregation that could compromise users’ privacy, says Ian Glazer, research vice president and agenda manager for identity and privacy strategies at Gartner.

“If done poorly, there is an opportunity for FCCX to observe a user, then look across all the agency websites and take note of everything that user is doing,” he explains. “People won’t use it if they feel like this is a government attempt to spy on their behavior, so it must be clearly demonstrated that this will be implemented with privacy principles at the forefront.”

In fact, NIST’s Lefkovitz says finding the best way to limit the visibility of the hub into users’ identities is a top priority. “There may be various technical ways to do that, such as cryptography, and we’re going to look at those different ways,” she says.
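To make two of the ideas above concrete, the "many pipes in, but just one pipe out" translation Lefkovitz describes and the correlation risk Glazer raises, here is an added Python sketch of a credential-exchange hub. It is illustrative code written for this page, not FCCX's or the Postal Service's design; the two inbound message shapes, the field names, the hostnames and the hub key are all constructed for the example.

```python
"""Toy credential-exchange hub: several identity-provider (IdP) assertion
formats in, one normalized assertion out, with agency-specific pseudonymous
subject identifiers and attribute minimization.

Added illustration only: not FCCX code or design. Both inbound message
shapes, all field names, hostnames and the key below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field, replace

# Hypothetical hub-held secret for deriving pseudonyms (would live in an
# HSM in any real deployment; hard-coded here so the example runs offline).
HUB_PAIRWISE_KEY = b"example-hub-key-not-for-production"


@dataclass(frozen=True)
class AgencyAssertion:
    """The single 'pipe out': the one shape every agency application consumes."""
    subject: str      # pairwise pseudonym: stable per agency, different across agencies
    level: int        # assurance level, normalized to an integer
    idp: str          # which external credential provider vouched for the user
    attributes: dict = field(default_factory=dict)


def pairwise_subject(idp: str, idp_subject: str, agency: str) -> str:
    """Derive a per-agency pseudonym. Two agencies cannot join their records on
    it, and the IdP's own identifier never leaves the hub."""
    msg = "\x00".join((idp, idp_subject, agency)).encode()
    return hmac.new(HUB_PAIRWISE_KEY, msg, hashlib.sha256).hexdigest()


# --- "many pipes in": one translator per inbound format (both constructed) --
SAML_LIKE_LEVELS = {"urn:example:loa1": 1, "urn:example:loa2": 2, "urn:example:loa3": 3}

def from_saml_like(msg: dict, agency: str) -> AgencyAssertion:
    """Constructed SAML-style shape: Issuer, NameID, AuthnContext, Attributes."""
    try:
        level = SAML_LIKE_LEVELS[msg["AuthnContext"]]
    except KeyError:
        raise ValueError(f"unknown assurance context {msg.get('AuthnContext')!r}") from None
    return AgencyAssertion(
        subject=pairwise_subject(msg["Issuer"], msg["NameID"], agency),
        level=level, idp=msg["Issuer"], attributes=dict(msg["Attributes"]),
    )

def from_oidc_like(msg: dict, agency: str) -> AgencyAssertion:
    """Constructed OpenID Connect-style shape: iss, sub, acr plus flat claims."""
    level = int(msg["acr"].rsplit(":", 1)[1])
    claims = {k: v for k, v in msg.items() if k not in ("iss", "sub", "acr")}
    return AgencyAssertion(
        subject=pairwise_subject(msg["iss"], msg["sub"], agency),
        level=level, idp=msg["iss"], attributes=claims,
    )

TRANSLATORS = {"saml-like": from_saml_like, "oidc-like": from_oidc_like}


def exchange(protocol: str, msg: dict, agency: str, min_level: int,
             release: tuple = ()) -> AgencyAssertion:
    """The hub's one integration point per agency application: accept any
    supported inbound protocol, enforce the agency's minimum assurance level,
    and forward only the attributes that agency is entitled to receive."""
    translate = TRANSLATORS.get(protocol)
    if translate is None:
        raise ValueError(f"unsupported inbound protocol: {protocol}")
    assertion = translate(msg, agency)
    if assertion.level < min_level:
        raise PermissionError(
            f"{assertion.idp} asserted level {assertion.level}; agency requires {min_level}")
    minimized = {k: v for k, v in assertion.attributes.items() if k in release}
    return replace(assertion, attributes=minimized)


# Constructed sample messages: the same person, vouched for by two providers.
SAML_LIKE_MSG = {
    "Issuer": "https://idp-one.example",
    "NameID": "jane.doe@idp-one.example",
    "AuthnContext": "urn:example:loa2",
    "Attributes": {"email": "jane@example.org", "given_name": "Jane", "dob": "1980-01-01"},
}
OIDC_LIKE_MSG = {
    "iss": "https://idp-two.example",
    "sub": "248289761001",
    "acr": "urn:example:loa:1",
    "email": "jane@example.org",
    "given_name": "Jane",
}

if __name__ == "__main__":
    a = exchange("saml-like", SAML_LIKE_MSG, "agency-a.gov", 2, release=("email",))
    b = exchange("saml-like", SAML_LIKE_MSG, "agency-b.gov", 2, release=("email",))
    print("agency-a sees:", a)
    print("agency-b sees:", b)
    print("same person, different subject ids:", a.subject != b.subject)
    try:
        exchange("oidc-like", OIDC_LIKE_MSG, "agency-a.gov", 2)
    except PermissionError as err:
        print("rejected:", err)
```

Two things are worth noticing. The agency integrates once, against `exchange`, and never sees the provider's own identifier or the attributes it did not ask for; two agencies comparing their logs find no common subject value to join on. What this sketch does not do is limit the hub's own view: the hub still sees the provider identifier and every released attribute on each transaction, which is exactly the visibility problem Lefkovitz says NIST is still working through. Encrypting attributes end to end between the credential provider and the agency, so the hub only routes an opaque payload, would be one of the cryptographic options she alludes to; it is not shown here.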

If that issue is addressed, FCCX will go a long way toward helping digital government really begin to take off, Glazer says. “If this is done right, from a citizen’s perspective, there will be a lot fewer barriers to adoption and a lot more choice, because people will be able to use credentials from a provider they know and trust, and for agencies, it will remove a lot of the identity management costs and effort needed to put public-facing web services out there.”