USPS site is much more than just a presence on the Web

When he became Web master for the Postal Service about 12 years ago, Harold "Pete" Stark said security concerns were basic.

"Our early concerns were hackers and defacements," Stark said Thursday at the Federal Information Assurance Conference being held at the University of Maryland.

Today, the USPS Web site www.usps.com has gone from being merely a Web presence to a services portal handling financial transactions. It averages 1.5 million visitors a day and generated $425 million in gross revenues in fiscal 2006.

"The threats we face are more sophisticated now than what I had to worry about in the early days," Stark said.

He now is chief information security officer, and all USPS operations are now dependent on IP networks. The network perimeter has become less well defined, and more people have to be let in as well as kept out. "It's the internal threat that is increasingly critical. The real threats we're seeing now are spyware and keylogging."

The challenges to securing the enterprise are daunting.

"The Postal Service is big," Stark said. It includes more than 300,000 workers spread across 38,000 post offices, using 650 applications for day-to-day business. "Security is still thought of as an add-on."

Much of the data used by USPS to provide online services such as package tracking, purchasing postage and notifying for pickups reside on mainframes located well behind the firewall. USPS has developed a system of firewalls that enable the services without having to replicate data in the DMZ while controlling access. The system works, but firewalls are becoming increasingly inadequate on their own to protect the network.

USPS now is installing intrusion prevention systems on desktops to supplement antivirus programs and provide protection against new vulnerabilities while security patches are being tested and rolled out.

"The IPS can still watch for behavioral patterns" until desktops are patched, Stark said. "We are in the process of putting IPS on the perimeter at our main points of connection" with the Internet.

Some sizeable challenges remain to be met. Just identifying equipment on the 7,000-site network is difficult.

"We are recognizing now that we need some kind of network mapping capability," Stark said.

Identity management and access control also need improvement. The current online account provisioning system is inadequate to provide the control needed, Stark said. "We need to be able to identify better who is asking for what, for what purpose, and who is the manager responsible for that."

More attention needs to be given to protecting data rather than systems.

"We need to come up with an encryption capability, not just for desktops but for laptops, which are removable media," he said.

Removable media are becoming more commonly used, and USPS has until now supplied users with disks, CDs and portable drives for backing up data. This worries Stark.

"Frankly, it's a service I would like to discontinue," he said. All backup should be done to servers, and the question of what to encrypt and how to encrypt it should be automated and taken out of the hands of users, he added.

William Jackson is a staff writer for Washington Technology's sister publication, Government Computer News.