Security and Privacy
• Public confidence is key to success of E-Government implementation
• Information and individual privacy
• National security
• Global competitiveness
• Protection of civil liberties
• Approaches
  • Uniform privacy practices
  • Digital signature standards
  • Cryptography standards

Security and Privacy
• Level of security is to correspond to the service concerned
• It’s not a matter of whether to protect, but how best to protect and how effective the protection is

Security and Privacy
• The networked world of E-Government opens another dimension of fear and vulnerability
• Increase in information stored in digital form will have a potential consequence of increased susceptibility to unauthorised access

Security and Privacy
• A security model should ideally apply across multiple hardware and software platforms and networks, integrating the various aspects of
  • Security services
  • Mechanisms
  • Objects
  • Management functions

Conceptual Security Model
[Figure: conceptual security model under the heading "System Integrity". Security Management: Policy Management, Audit and Alert Mgt, Service Mgt, Mechanism Mgt, Object Mgt. Security Services: Identification and Authentication, Non Repudiation, Data Integrity, Access Control, Confidentiality. Security Mechanisms: Message Authentication, Notification, Detection, Access Control Lists/Security Labels, Encipher, Decipher, Entity Authentication, Digital Signature. Security Objects: Encryption Keys, Audit Logs, Groups, Passwords, Users, Privileges, Policies.]

Conceptual Security Model
• Four major components in the security model
  • Security Management – apparatus used to administer, control and review the security policy being implemented
  • Security Services – facilities and functions necessary to ensure the protection of resources
  • Security Mechanisms – technical tools and techniques necessary to implement the required security services
  • Security Objects – key security-related entities within the system environment

Government Initiatives in ICT Security
• Challenges to Government’s initiatives in ICT security:
  • Increased spending in security-related products and services
  • Availability, capability and limitations of ICT security technology must be well understood
  • Human resource development to have sufficient number of skilled and experienced ICT security experts
  • Supporting infrastructure should be developed

Government Initiatives in ICT Security
• Organisational unit that is to ensure consistency and sufficiency in ICT security implementation should focus on
  • Definition of comprehensive and documented guidelines for the formulation and implementation of security policies
  • Coordination of skills development
  • Review and validation of implementation
  • To be a key point of referral for all security matters

Steering Security Implementation
• An ICT Security Division was established within MAMPU in January 2000
• Plans, coordinates, streamlines and consolidates the efforts to strategise public sector ICT security implementation
• Serves as a referral point for ICT security-related matters within government organisations

Steering Security Implementation
• Formulate policy and guidelines as well as the adoption of relevant ICT security standards and their dissemination
• Implement business resumption, cryptology, computer emergency response and audit
• Responsible for ICT security training and acculturation programmes which include the development of a certification plan for public sector ICT Security Officers

The Government ICT Security Framework
• “Government Information and Communication Technology (ICT) Security Framework” was published in October 2002
• Addresses issues of confidentiality, integrity, availability, non-repudiation and authenticity
• Mandates the appointment of ICT Security Officers in ministries and departments who are responsible for conducting risk analysis and security programmes based on standards, guidelines and ICT security measures

The Government ICT Security Framework
• “Malaysian Public Sector Management of ICT Security Handbook” (MyMIS) was published in January 2002
• A detailed guide for ICT infrastructure development and management
• Covers
  • Identification of risks and threats
  • Roles and responsibilities for ICT security
  • Investigation of computer crimes
• Includes templates, checklists and procedures that serve as a guide for public sector agencies in the development of ICT security policy

Government Computer Emergency Response Team
• The Government Computer Emergency Response Team (GCERT) was formed in January 2001
• The team
  • Acts on reported ICT security incidents
  • Disseminates information to assist in ICT security for the public sector
  • Provides advisory services in security incident handling
  • Coordinates with relevant agencies such as MyCERT, Internet Service Providers (ISPs) and enforcement agencies

Malaysian Public Sector Network Surveillance
• MAMPU established Malaysian Public Sector Network Surveillance (PRISMA) to protect public sector ICT installations and critical information assets from exposure to the vulnerabilities of public network electronic systems
• Basis for establishment
  • The need to have a first layer of defence to protect government ICT installations and critical information assets
  • The need for a reliable and trusted information base
  • The rise of cyber threats and attacks
  • The increasing cost of implementing ICT security protection and management
  • The lack of knowledgeable and focused ICT security professionals
  • The need to uplift the knowledge and awareness of ICT security
• PRISMA operated 24x7 in real time, proactively monitoring and managing a government agency’s firewalls and intrusion detection systems
• Capabilities include
  • Cyber attack monitoring
  • Periodic vulnerability scanning
  • Automated web recovery
  • Provision of a government security web portal
  • PKI integration

Security in Government
• The sophistication of the security mechanisms employed must be commensurate with the importance of the applications and the risk factors involved
• The scale of implementation of applications
• Direct interaction with citizens and businesses electronically

Network Security
• EG*Net, as the government’s dedicated network, requires a tightly secured architecture, especially for connections to public or external networks such as the Internet or gateways to business partners

Security Architecture for EG*Net
[Figure: EG*Net security architecture. Labelled elements: B2G/C2G Service Provider, EG Public DNS, Radius, External Secure Gateway, EG*Net IP Backbone, Internet, FR/ATM/Digital and Analog Leased Lines, Firewall, B2G/C2G Secure Gateway, PSTN Dial-up Access, Dial-up Gateway, EG Server, EG Workstations, RAS, Untrusted domain.]

Network Security
• Secure gateways which control access to EG*Net from external networks or connection points
  • Internet
  • Public Switched Telephone Network (PSTN)
  • Integrated Service Digital Network (ISDN)
  • Gateways to other government intranets and partners

Network Security
• Key security technologies
  • Multiple firewalls protect E-government servers located at the project implementation sites at different levels
  • Remote Access Server (RAS) and Authentication Server (RADIUS) provide ID and password for dial-up users
  • Virtual private networks further limit access to key computer installations within EG*Net and encrypt confidential information in transit within the network
  • Network monitoring and intrusion detection systems proactively detect and automatically defeat attempts at penetrating network access points and/or devices within the network

Controlling Access to Applications and Data
• Many E-Government application functions are sensitive or controlled, so security must be enforced at the application level
  • Login with the use of an identification and password
  • Smart-card secured logins
  • Controlled user profiles
  • Digital signing of electronic documentation
  • Encryption of sensitive data
  • Logging of all critical activities

E-Government Information Technology Policy & Standards
• Government has formulated the E-Government Information Technology Policy and Standards (EGIT)
• Details government policies concerning the specified technologies and the current ICT security standards that must be considered when designing E-Government applications
• Security mechanisms available
  • Authentication and authorisation
  • Audit controls
  • Enhanced services (encryption, decryption, digital signature and secure electronic transfers)
  • Administration

E-Government Information Technology Policy & Standards
• EGIT is the security benchmark for all E-Government projects
• To ensure consistency in the implementation and to avoid unwanted vulnerabilities, compliance with EGIT is a mandatory requirement in every E-Government project contract

Digital Identities and Signatures
• Certification Authorities (CA) are trusted third parties who confirm the identity of participants in a commercial interaction via the use of PKI technology
• This method of authentication is extremely useful and reliable for access control purposes as a substitute or complement to standard system login methods
• Digital certificates contain a small amount of data to uniquely identify an individual or an organisation
• The content of these digital certificates is used by computer applications to sign documents or to determine an identity, which can in turn be verified by communicating with the issuing CA

Digital Identities and Signatures
• Digital certificates are virtually impossible to forge
• They can be performed remotely, allowing business transactions to be conducted even when the participants in the transaction are half a world away
• Digital signature technologies are being employed in E-Government for the purpose of
  • Securing access to applications and data
  • Recording decisions made
  • Signing transactions between the government and its business partners

Digital Identities and Signatures
• A major benefit of the non-repudiating nature of the technology employed is that it immediately enforces a high degree of authenticity to the decisions recorded and the associated levels of accountability and transparency
• E-Procurement – government’s suppliers are also issued with similar smart cards, thus allowing all procurement transactions conducted on the system to be concluded with maximum efficiency and security

Future Plans
• There are plans being formulated to incorporate digital certificates into MyKad
• Advantages – the ability to interact with the government through an entirely new channel promises greater efficiencies and an enhanced service experience
• Challenges – possible abuse
• To ensure that there are sufficient incentives in the form of added services and convenience for citizens to use MyKad