1 / 56

Prof. K. Subramanian DDG(NIC) & IT Adviser to CAG of India

Creating Digital Trust For G- e P Beyond PKI & Digital Signatures ID Management, Standards & Certification and Assurance. Prof. K. Subramanian DDG(NIC) & IT Adviser to CAG of India.

vaughan-best
Télécharger la présentation

Prof. K. Subramanian DDG(NIC) & IT Adviser to CAG of India

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Creating Digital Trust For G-ePBeyond PKI & Digital SignaturesID Management, Standards & Certification and Assurance Prof. K. Subramanian DDG(NIC) & IT Adviser to CAG of India WB & ADBe-Procurement conference 19th May 2006

  2. Cyberspace is Dynamic, Undefined and Exponential Technology Management & Management of Technologies in general and security in particular are critical Issues of eGP Governance.Countries’ need dynamic laws, keeping pace with the technological advancements . WB & ADBe-Procurement conference 19th May 2006

  3. e-Procurement—EssentialsEnablers • The spread of fast, reliable broadband internet connectivity is a key factor in fuelling e-procurement /e-commerce initiatives • Internet has shrunk the cost of going into business– good for SME sector • A good reliable authenticated website is an essentiality—to reach customers worldwide • Empowerment of both consumers & entrepreneurs • With reliable, accurate and authentic information on products and services • Push and Pull technology working in a collaborative mode with multimodal delivery is a reality and a enabler WB & ADBe-Procurement conference 19th May 2006

  4. e-Procurement—EssentialsSecurity and Trust View Point • Safety and Security is the highest priority • Creating trust and confidence is important- Third party Certification and PKI/Digital signature may be one of the SOLUTION • Integration into enterprises workflow, ERP, EAI with proper identification, authorization and authentication within VPN/enterprise network or open Internet (Identity Infrastructure, Network Identity Infrastructure are utmost essential). User Permission based approach may be explored • Security has implications on Centralized & De-centralized implementations WB & ADBe-Procurement conference 19th May 2006

  5. e-Procurement—SuccessTechnology Integration to Work Process • The most successful e-procurement projects are those where the e-procurement function becomes totally embedded in the business process and where the system is sufficiently flexible to accommodate the rapid changes in technology which are inevitable. WB & ADBe-Procurement conference 19th May 2006

  6. Can we find out who is trying to reach us? Security concerns and desired controls framework Identification Can we ensure that the users are the same, who they pretend to be? Authentication Can we limit/control their actions? Authorisation Can we ensure that the privacy of sensitive information is maintained? Confidentiality Can we ensure that the data has not been manipulated during or after the transmission? Integrity Can we ensure that the sender and receiver are accountable/ responsible for their actions? Non-repudiation Auditability Can we ensure the traceability of actions? Can we detect any unauthorised access attempts? Intrusion Detection Can we correct the errors as soon as they are detected? Error Correction WB & ADBe-Procurement conference 19th May 2006

  7. Main Concerns PRIVACY SAFETY SECURITY & Creating And Maintaining Trust WB & ADBe-Procurement conference 19th May 2006

  8. e-Procurement- New Avenues • Internet e-procurement has huge scalability and, subject to implementation and security details, opens up a huge global market for procurement - including procurement from completely new suppliers. WB & ADBe-Procurement conference 19th May 2006

  9. Secure e-Procurement—TCO and ROI • As a business process, implementing secure electronic purchasing can be a highly effective way of reducing transaction costs and improving process efficiency. And with the savings and cost benefits going straight to the bottom line, e-procurement can deliver a significant return on investment, although analysts are divided over how long this can take. Secure eGP systems are applicable to high cost or high volume Purchases to become cost effective-the inference is it is not applicable to all Purchases unless centralization is possible. WB & ADBe-Procurement conference 19th May 2006

  10. Typical Network Identity Infrastructure Today • Figure 3. Typical Network Identity Infrastructure Today WB & ADBe-Procurement conference 19th May 2006

  11. Basic Network Identity Services Functions WB & ADBe-Procurement conference 19th May 2006

  12. Network ID Management Infrastructure & Control Authentication of Appliances • An intuitive GUI is accessible from web browsers. It provides a global management view of the network identity infrastructure from any location, based on that particular user’s access permissions. • There are no general user-logins. For security reasons, only an administrator can configure an appliance using a web browser, communicating with the appliance over an encrypted session. WB & ADBe-Procurement conference 19th May 2006

  13. Network ID Management Infrastructure & Control Authentication of Appliances • To populate the data store with each enterprise’s user and policy information, tools are available to export data from existing servers and import it into specified authorized appliances. • Network identity appliances come equipped with a rich set of standards-based reporting, logging, and advanced configuration and management features. Among them are SNMP support and web-based reporting functions. WB & ADBe-Procurement conference 19th May 2006

  14. First line of defense-IssuesFirewall & VOIP Incompatibility • To stop someone dumping a virus on your machine or defacing your homepage, it's essential to have some form of dedicated web server protection. But the use of firewalls, generally seen as the first line of defense in protecting data, has been interfering with the transmission of Voice over Internet Protocol (VoIP) calls. • The key problem is an incompatibility between aspects of VoIP and firewall technology. WB & ADBe-Procurement conference 19th May 2006

  15. Securing & Managing Interdependencies • Infrastructure characteristics (Organizational, operational, temporal, spatial) • Environment (economic, legal regulatory, technical, social/political) • Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex) • Type of failure (common cause, cascading, escalating) • Types of interdependencies (Physical, cyber, logical, geographic) • State of operations (normal, stressed /disrupted, repair/restoration) . WB & ADBe-Procurement conference 19th May 2006

  16. Identity Management WB & ADBe-Procurement conference 19th May 2006

  17. In a Virtual Space, Netizens Exist, Citizens Don’t! WB & ADBe-Procurement conference 19th May 2006

  18. Identity Management • Identity management is not new, but has evolved from the days of a single password entry onto the network to a comprehensive set of processes and systems that make it easier for all users to access information in real time and in a much more secure manner • ID management tend to center on the technical improvements in system security, the more important benefits are the opportunities gained by collaborating with vendors, suppliers, and customers across the supply chain. • A real value of an [ID management] solution enables ultimately this wide range of business enterprise. WB & ADBe-Procurement conference 19th May 2006

  19. ID: Metrics Requirements • UNIVERSALITY: Each person should have the characteristics • Distinctiveness: Any two persons should be different in terms of the characteristic. • Permanence: The characteristic should be sufficiently in-variant (w.r.to the matching criterion) over a period of time. • Collectibility: The characteristic should be quantatively measurable. WB & ADBe-Procurement conference 19th May 2006

  20. FOUR WAYS TO BECOME AN AUTOMATED IDENTITY-FOCUSED ENTERPRISE 1. Change Current Identity Concepts 2. Perform Automated User Provisioning Wisely 3. Integrate Automated Identity Management and User Provisioning 4. Control Identity Operations WB & ADBe-Procurement conference 19th May 2006

  21. 1. Change Current Identity Concepts. • Many business and IT leaders correlate identity with users; this is only part of the equation. The concept of identity must be expanded to include systems, servers, applications, data, and even transactions and events. • As auditors analyze business processes, they’ll see that all organizational components can be assigned identities that link corporate activities within the current IT infrastructure. • With the use of an all-encompassing identity, the road to continuous access management and compliance to regulations becomes more attainable. • Furthermore, with automated identity management tools, an organization is able to assign a permanent identity to every user, computer, server, and application, thus, monitoring what employees can and can't access. WB & ADBe-Procurement conference 19th May 2006

  22. 2. Perform Automated User Provisioning Wisely  User provisioning, the process of assigning system resources and privileges to users, automates and streamlines the creation of user accounts and the assignment of user privileges and provides account permission data. Incorporating automated user provisioning can not only help organizations comply with Sarbanes-Oxley, but also enhance their audit processes and monitoring of IT activities WB & ADBe-Procurement conference 19th May 2006

  23. 3. Integrate Automated Identity Management and User Provisioning. • The ultimate goal of automation is to inject identity in every session a machine initiates, track its activities and transactions across an enterprise, and integrate this ability into the existing IT infrastructure. • To integrate automated identity management and user provisioning successfully, organizations must first determine all users, assets, and applications in an identity-centric and consistent manner. This ensures user provisioning solutions are not compromised by unknown activity and are aligned with the broader IT environment. • Only properly provisioned users and applications, based on corporate policy, should have the ability to communicate. • Nevertheless, organizations must be able to control these interactions fully and provide a complete audit trail of these activities. • The organization must also confirm that nonauthorized users, such as employees who are no longer working for the organization, do not have access to IT resources, thus reducing the risk of invalid user actions. WB & ADBe-Procurement conference 19th May 2006

  24. 4. Control Identity Operations • To help meet Sarbanes-Oxley regulations, many organizations have given a higher priority to producing log files and report data. The reality is that many organizations don’t have the resources to process data logs, nor do they have the means to correlate information from disparate sources. Although newer security event management systems have improved, the fundamental problem of managing the data and automating its compilation still exists. WB & ADBe-Procurement conference 19th May 2006

  25. Identification • Why? • For Whom? • When? • How? WB & ADBe-Procurement conference 19th May 2006

  26. By Name Association with Father’s/Mothers Name Association with Family Name Association with sir Name By Given details Date of birth Place of birth Country of Birth Country of Naturalization Identification Measures and Parametric of Personal Identity WB & ADBe-Procurement conference 19th May 2006

  27. Biometric System Operates on • Verification • Identification WB & ADBe-Procurement conference 19th May 2006

  28. Biometrics Biometrics WB & ADBe-Procurement conference 19th May 2006

  29. Bio-Metric Unique Identifier WB & ADBe-Procurement conference 19th May 2006

  30. Building and Sustaining Trust • building a trusted relationship with suppliers is critical before dealing with them over the Internet. • Consumer comfort-while 60 per cent said they preferred to deal with bricks-and-mortar companies rather than Internet-only traders. • Concerns about security are paramount, even among those with significant experience of trading online with suppliers. Of the advanced users interviewed for the report, nine per cent said they had experienced security problems through e-procurement PriceWaterhouseCoopers' Survey report WB & ADBe-Procurement conference 19th May 2006

  31. Security & Trust • security and trust are inseparable. "Across the supply chain, people are demanding more and more exchange of current, pertinent information and they want to have confidence in their trading partners." WB & ADBe-Procurement conference 19th May 2006

  32. Definition of e-trust Development of mutual confidence within complex electronic environments through each player’s willingness to continuously demonstrate to the other player’s satisfaction that the game is honest, open, following the rules properly controlled WB & ADBe-Procurement conference 19th May 2006

  33. Conventional Information Security & e-trust • Conventional security practices do not reveal the nature or extent of our security capabilities. To do so, is considered as an act of compromise. • The network economy requires a series of external representations that will meet the expectations and support the confidence of all players. • Demonstrability WB & ADBe-Procurement conference 19th May 2006

  34. Trust and Security • Reciprocity-appropriate protection for all • Responsibility and liability • Standardization of processes, interfaces and technologies WB & ADBe-Procurement conference 19th May 2006

  35. e-trustBusiness partners & Network Economy • Can I trust the entities and infrastructures on which I depend? • Can the organizations involved trust me? • Together, can we trust our common infrastructure and processes? WB & ADBe-Procurement conference 19th May 2006

  36. Major Challenges and Issues • authentication of identity is the main issue. "People need to be satisfied about who they're dealing with. • They need to know that their messages have not been intercepted or corrupted on the way, • and, most importantly, that they are legally non-repudiable - meaning that the other party can't walk away from it in a court of law." WB & ADBe-Procurement conference 19th May 2006

  37. Security fears are well-founded • with the study showing that remarkably few companies had implemented the latest technology to secure business transactions. • Nearly two-thirds of companies said they rely solely on password protection when dealing with suppliers over the Internet. PriceWaterhouseCoopers' report WB & ADBe-Procurement conference 19th May 2006

  38. Security Standards & Certification WB & ADBe-Procurement conference 19th May 2006

  39. National CRYPTOGRAPHY POLICY • Complex area with : • Scientific, • Technical, • Political, • Social, • Business • Economic Dimensions WB & ADBe-Procurement conference 19th May 2006

  40. Mission Business Objectives Business Risks Applicable Risks Internal Controls Review Importance of Group Standards -no one standard meets all requirementsISO 27001/BS7799 Vs COBIT Vs CMM Vs ITIL WB & ADBe-Procurement conference 19th May 2006

  41. IS 14356-1996 guide for Protection of Information Resources IS 14357-1996 guide for Practice for Information Security ISO-17799-1:2000 Code of practice of ISM and will replace IS 14356-1996 ISO/IEC 15483 STANDARDS FOR TCSEC(IS14990:1 2001 ISO/IEC 15408 STANDARDS FOR TCSEC(IS14990:1 2001) New Integrated Harmonized Indian standard on ISMS IS 15150Nov 2002 ISO/IEC 21827 - Information Technology - Systems Security Engineering - Capability Maturity Model (SSE-CMM ) Information Technology-systems security engineering—Capability Maturity Model with PCMM—July 2006 BS 7799-1:1999 Code of Practice for Information Security Management BS 7799-2:1999 Specification for Information Security Management Systems BS 7799-1:2000 revised standard (Code of Practice for Information Security Management) BS 7799-2:2002 Sep 2002 ISO 27001-Oct 2005 Compliance to Security Standards and Good Practices Indian & International Standards WB & ADBe-Procurement conference 19th May 2006

  42. Business Assurance and Certification WB & ADBe-Procurement conference 19th May 2006

  43. There is no return without risk Rewards to go to those who take risks. Be Transparent Risk is measured, and managed by people, not mathematical models. Know what you Don’t know Question the assumptions you make Communicate Risk should be discussed openly Diversify Multiple risk will produce more consistent rewards Sow Discipline A consistent and rigorous approach will beat a constantly changing strategy Use common sense It is better to be approximately right, than to be precisely wrong. Return is only half the question Decisions to be made only by considering the risk and return of the possibilities. RiskMetrics Group 9 Rules of Risk Management WB & ADBe-Procurement conference 19th May 2006

  44. Risk • The lack of a trusted third party to guarantee online transactions is a key factor in companies' limited security. • Unlike the stock exchange, which underwrites transactions between traders, most online marketplaces merely facilitate the transaction between two parties. They simply warn businesses that they trade at their own risk. WB & ADBe-Procurement conference 19th May 2006

  45. PKI & Trusted Third Party Certificate • Many believe that confidence in online transactions would be dramatically increased by the use of public key infrastructure and encryption technologies to encrypt and seal messages. • But while the use of digital certificate technology would certainly increase confidence, the problem is finding a trusted third party to issue such a certificate. • who would be suitable to guarantee the security of e-business transactions, most public survey said they would rather rely on an accounting or telecoms firm than the Government? WB & ADBe-Procurement conference 19th May 2006

  46. Enhancement to certification • Certification alone cannot absolutely guarantee the trustworthiness of certificate holders or the organizations they represent. • Creating a family of certificates to enhance the confidence level. • Recognition of certification is not only based on knowledge, but also one’s identity. WB & ADBe-Procurement conference 19th May 2006

  47. Certification and Cost • IT certifications "are a commendable thing to do for a variety of reasons." However, they "require a considerable investment, and the benefit must be weighed against other needs and priorities for scarce resources“. WB & ADBe-Procurement conference 19th May 2006

  48. Product Cost Privacy of Data Security of Data Business Policies Transaction Processing Integrity Comparison of Seals WEB Certification BBB Online Low No No Lightly Covered No TRUSTe Low Yes No No No Veri-Sign Low to Medium No Yes: Data Transmittal No: Data Storage No No ICSA High Yes Yes Somewhat Covered Lightly Covered WebTrust High Yes Yes Yes Yes WB & ADBe-Procurement conference 19th May 2006

  49. The need and to do • Strong, demonstrable security and assurance process and the best practitioners to design, build and manage them. • Ensuring all the time the practices, products and personnel can pass the closest scrutiny. • Anticipate and keep pace with the security needs of the information market place • Protective measures, architecture, philosophy and best practices are as dynamic as the information process they support. • Ensure not just the currency of knowledge, but must anticipate new requirements and environments WB & ADBe-Procurement conference 19th May 2006

  50. The need and to do • Ready to respond with new certification offerings, updates examinations, expanded knowledge bases, publications, training and communications • Generate global trust without compromise to trustworthiness. WB & ADBe-Procurement conference 19th May 2006

More Related