Safeguards Technical Assistance for Protecting Federal Tax Information (FTI) in Web Portals
The IRS Office of Safeguards has recently observed an increase in the number of agencies using web portals to process and transmit federal tax information (FTI) to their external customers. Web portals present opportunities for agencies to provide a convenient method for customers to access account information that may include FTI. This method of providing FTI to customers opens a new avenue for accessing FTI over the Internet and potentially exposing the FTI to compromise of confidentiality. For this reason measures need to be taken to protect the FTI that is provided to customers through a web portal.
Additionally the IRS Office of Safeguards has observed scenarios where agency employees, including systems administrators may have the ability to access applications with FTI remotely through a web portal.
A "Portal" as used in this memo is defined as the web based infrastructure (hardware and software) that serves as the entry point for web access to applications that process FTI. Whether currently in use or planned to be deployed, there are FTI safeguarding measures required by the IRS Office of Safeguards to be in place given the inherent security vulnerabilities associated with providing data via a Internet web portal. This memo will provide the policy requirements for ensuing the confidentiality of FTI is maintained by agencies that provide access to customers and/or employees through a web portal environment.
Requirements for FTI in a Web Portal Environment
To utilize a web portal that provides FTI over the Internet to a customer, the agency must meet the following requirements:
- The system architecture is configured as a three-tier architecture with physically separate systems that provide layered security of the FTI and access to the database through the application is limited.
- Each system within the architecture that receives, processes, stores or transmits FTI to an external customer through the web portal is hardened in accordance with the requirements of Publication 1075 and is subject to frequent vulnerability testing.
- Access to FTI via the web portal requires a strong identity verification process. The authentication must use a minimum of two pieces of information although more than two are recommended to verify the identity. One of the authentication elements must be a shared secret only known to the parties involved and issued by the agency directly to the customer. Examples of shared secrets include: a unique username, PIN number, password or passphrase issued by the agency to the customer through a secure mechanism. Case number does not meet the standard as a shared secret because that case number is likely shown on all documents the customer receives and does not provide assurance that it is only known to the parties involved in the communication.
These requirements are explained in detail in the sections below.
#1 Three-Tier Architecture for Web Portal Environments
The physical separation of systems into a tiered architecture can increase security of the environment because additional layers will have to be traversed to gain access to FTI. In a situation where the web server, application server and database are located on the same host but logically separated, if that host is compromised, all three tiers are vulnerable.
The first tier (Web Tier) consists of the web server that is presenting the web pages to the agency customers and accepts requests. Systems within this tier are the most vulnerable to attack because they are exposed to the Internet. All connections from the web server to the customer over the Internet that contain FTI must be encrypted, i.e., HTTPS.
The middle tier (Application Tier) is where the business logic resides, and the processing of data and customer requests occurs on an application server. This tier provides a layer of protection between the customers on the Internet and the FTI stored in the agency’s database.
The backend tier (Database Tier) is where the database server is contained that stores the FTI. No requests should be made from the Internet directly to the backend database with FTI.
A firewall is placed between customer on the Internet and the Web Tier to filter traffic from the Internet to the web server. The second firewall is placed between the Application Tier and the Database Tier to filter requests from the application server to the database.
Access to the database from the application must be restricted to specific database tables, rows and columns that contain FTI and that access must be read only. There should be no ability to overwrite data in the database from the application.
#2 System Hardening
Each system within the architecture that receives, processes, stores, or transmits FTI to an external customer through the web portal is hardened in accordance with IRS Publication 1075 policy. The Publication 1075 policy can be met by utilizing the Safeguards Computer Security Evaluation Matrix (SCSEM) to configure the security settings for the applicable operating system of the web server, application server and database server. These SCSEMs are available for download from the IRS Safeguards web site
Prior to implementing the web portal, the agency must conduct a thorough penetration test of the web portal environment to ensure the FTI is not vulnerable to internal and external threats. The results of the penetration test should be shared with the IRS Office of Safeguards, along with a corrective action plan for addressing vulnerabilities identified.
Additionally, when FTI is provided to customers through a web portal, the required frequency with which agencies conduct vulnerability scanning of the web portal architecture is increased to monthly to allow for more proactive vulnerability management of systems that provide FTI over the Internet.
In addition there are other resources available specific to web servers and web sessions to supplement the IRS Safeguards SCSEMs and ensure the FTI is secured properly in the web portal environment:
- NIST Special Publication 800-44, Guidelines on Securing Public Web Servers provides guidance for deploying, configuring and managing secure web servers.
- Defense Information Systems Agency (DISA) publication, Web Server Security Technical Implementation Guide, provides guidance on the technologies used to ensure the appropriate level of protection for web server connections, e.g., Secure Sockets Layer/Transport Layer Security (SSL/TLS).
#3 Identity Verification and Authentication
If external customers have the ability to access FTI through the web portal, a strong authentication mechanism must be used to authenticate those external customers to the system. The authentication must use at least two pieces of information to verify the identity, one of which must be a shared secret only known to the parties involved, and issued by the agency directly to the customer. Examples of shared secrets include: a unique username, PIN number, password or passphrase issued by the agency to the customer through a secure mechanism. Case number does not meet the standard as a shared secret because that case number is likely on all case documents the customer receives and does not provide assurance that it’s only known to the parties involved in the communication.
Two factor authentication is applicable to employees and contractors, including system and application administrators with access to FTI through a web portal from a network external to the agency’s network. This does not apply to the agency’s customers who access FTI through a customer service web portal. All agency employees and contractors accessing FTI data remotely from an external network through an Internet web portal are required to be authenticated by an application that utilizes a two-factor authentication mechanism. Two-factor authentication (strong authentication) is defined as using at least two out of the three authentication factors: (i) something you know (e.g. password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Using strong authentication provides more protection for FTI than a simple username and password can provide.
Additional information can be found in the following documents:
- IRS Publication 1075
- Web Server and Web Application Server Security" title="IRS Internal Revenue Manual (IRM) 10.8.42, Web Server and Web Application Server Security">IRS Internal Revenue Manual (IRM) 10.8.42, Web Server and Web Application Server Security
- Web Server Security Technical Implementation Guide, Version 6, Release 1" title="Defense Information Systems Agency (DISA), Web Server Security Technical Implementation Guide, Version 6, Release 1">Defense Information Systems Agency (DISA), Web Server Security Technical Implementation Guide, Version 6, Release 1
- Guide to Securing Public Web Servers" title="NIST SP 800-44, Guide to Securing Public Web Servers">NIST SP 800-44, Guide to Securing Public Web Servers
- Guide to Secure Web Services" title="NIST SP 800-95, Guide to Secure Web Services">NIST SP 800-95, Guide to Secure Web Services
- Guide to General Server Security" title="NIST SP 800-123, Guide to General Server Security">NIST SP 800-123, Guide to General Server Security
- Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities
- Safeguards Program
- Additional Requirements for Publication 1075