Navy eases network access

ID management system knows who you are

The Navy is continuing work on an identity management system that, when finished, will allow all Navy personnel to log on to any of the service's computer networks from any Navy location.

The Space and Naval Warfare Systems Command (Spawar) has begun to deploy the authentication system, called Oblix NetPoint, and is integrating it with Microsoft Corp. Windows Server and Active Directory.

Oblix Inc. and Navy officials say the project is one of the largest such initiatives in the federal government. It is part of the Navy Enterprise Portal effort, said Terry Howell, program manager for the portal at Spawar.

"The portal is one small part of it," he said. "It's a service-oriented architecture. We've got a lot of networks across the department of the Navy. [The Navy Marine Corps Intranet] is one large one, but there are also a lot of legacy [networks] that are being phased out. We've also got multiple networks afloat and multiple networks outside the United States."

During the next six to nine months, "Oblix will touch every Navy person, scaling up to 800,000 users," said Jim Welch, the company's senior director of marketing.

The system interacts with the Navy Global Directory Service, which is part of the portal, he said. As various organizations within the service register their users in the directory, they will gain the ability to log on through the Oblix system.

Based on Security Assertion Markup Language (SAML), the system electronically vouches for a user who has signed on to a network that is part of the system, Howell said. SAML is an Extensible Markup Language framework for exchanging authentication and authorization information being developed by the Organization for the Advancement of Structured Information Standards.
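The "electronic vouching" the article describes is a SAML assertion: the identity provider that authenticated the user signs a short-lived statement about that user, and the network the user wants to reach (the relying party) accepts it instead of running its own login. The following is an added example, not code from the Navy, Spawar or Oblix, showing both sides in miniature: an issuer builds the assertion, and a relying party checks the fields that keep an assertion from being honoured by the wrong site or replayed later (issuer, validity window, audience, one-time ID). It assumes the SAML 2.0 namespace, which postdates the article, and the hypothetical endpoints `https://idp.example.test` and `https://portal.example.test`. The XML signature that actually binds the assertion to its issuer is omitted because it needs an XML-DSig library; a real relying party must verify it before trusting any of these fields.

```python
"""Minimal SAML-style assertion: issued by an identity provider, validated by a
relying party.  Constructed example, not the Navy's or Oblix's code.  The XML
signature is omitted; real deployments must verify it before trusting fields."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # assumed: SAML 2.0 namespace
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)

# Hypothetical endpoints, not from the article.
IDP = "https://idp.example.test"
PORTAL = "https://portal.example.test"
ISSUED = datetime(2003, 11, 3, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock


def _iso(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def issue_assertion(subject, issuer, audience, issued_at,
                    lifetime=timedelta(minutes=5), assertion_id="_constructed-1"):
    """Identity provider side: vouch that `subject` authenticated with `issuer`,
    for use only by `audience`, within a short validity window."""
    t = lambda name: f"{{{SAML_NS}}}{name}"
    root = ET.Element(t("Assertion"), {"Version": "2.0", "ID": assertion_id,
                                       "IssueInstant": _iso(issued_at)})
    ET.SubElement(root, t("Issuer")).text = issuer
    subj = ET.SubElement(root, t("Subject"))
    ET.SubElement(subj, t("NameID")).text = subject
    cond = ET.SubElement(root, t("Conditions"),
                         {"NotBefore": _iso(issued_at),
                          "NotOnOrAfter": _iso(issued_at + lifetime)})
    aud = ET.SubElement(cond, t("AudienceRestriction"))
    ET.SubElement(aud, t("Audience")).text = audience
    ET.SubElement(root, t("AuthnStatement"), {"AuthnInstant": _iso(issued_at)})
    return ET.tostring(root, encoding="unicode")


def validate_assertion(xml_text, trusted_issuer, my_audience, now, seen_ids):
    """Relying party side.  Returns (subject, None) on success or (None, reason).
    `seen_ids` is the relying party's cache of assertion IDs already accepted."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return None, "not a SAML assertion"
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        return None, f"untrusted issuer {issuer!r}"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing Conditions"
    if now < _parse_iso(cond.get("NotBefore")):
        return None, "assertion not yet valid"
    if now >= _parse_iso(cond.get("NotOnOrAfter")):
        return None, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        return None, "assertion issued for a different audience"
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        return None, "assertion replayed"
    seen_ids.add(assertion_id)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return None, "missing subject"
    return subject, None


def demo():
    """Exercise the happy path and each rejection the relying party enforces."""
    assertion = issue_assertion("jdoe", IDP, PORTAL, ISSUED)
    soon = ISSUED + timedelta(minutes=1)
    seen = set()
    return {
        "fresh": validate_assertion(assertion, IDP, PORTAL, soon, seen),
        "replay": validate_assertion(assertion, IDP, PORTAL, soon, seen),
        "expired": validate_assertion(assertion, IDP, PORTAL, ISSUED + timedelta(minutes=10), set()),
        "wrong_audience": validate_assertion(assertion, IDP, "https://other.example.test", soon, set()),
        "wrong_issuer": validate_assertion(assertion, "https://rogue.example.test", PORTAL, soon, set()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The audience restriction is what lets one directory vouch to many networks without an assertion meant for a ship's network being accepted ashore, and the short window plus the ID cache bound how long a captured assertion stays useful; both are cheap checks that a relying party should make in addition to, never instead of, verifying the issuer's signature.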

"Until the Navy Global Directory Service is built out, we won't have the enterprisewide directory," Howell said. "For the most part, our single sign-on engine has been done. All we're waiting on is...money to roll out the hardware and additional software licenses."

The system is deployed on 12 ships in one battle group and at land facilities in San Diego; Norfolk, Va.; Hawaii; and Italy, he said.

The system is geared toward username and password authentication but will probably grow to use smart cards and a public-key infrastructure, Howell added.

The Navy decided not to use proprietary software except when it was unavoidable, he said. "We're going to stay with the open standards. As they mature, we'll mature with them," he said.

Howell said he expects to implement the system across two more battle groups starting in January 2004.

"We're thrilled with what Terry's been able to do," Welch said. "It's really cool. It's very leading edge. This may be the largest deployed SAML implementation to date."

Ray Wagner, research director for information security strategies at Gartner Inc., said the Navy's project is one of the early potential success stories for a technology and approach that he believes will become more common. Company officials recently completed an analysis of the market, he said, that predicted that "the trickle of 2003 would become a stream in 2004 and a river in 2005. We expect to see much more of the kind of thing you're seeing here in the Navy, in the use of this technology internally."

Decentralized, or federated, identity management offers some useful advantages for a military organization, he said.

"It allows an organization cut off from the rest of the world to continue to operate," Wagner said. "If there's one battle group or one shore facility that for some reason is cut off from the rest of the Navy environment, individuals in that group can continue to operate."