Number of slides: 56
Creating Digital Trust for e-GP: Beyond PKI & Digital Signatures
ID Management, Standards & Certification and Assurance
Prof. K. Subramanian, DDG (NIC) & IT Adviser to CAG of India
Special Security Issues, Prof. KS @2006, WB & ADB e-Procurement conference, 19th May 2006
Cyberspace is Dynamic, Undefined and Exponential
• Technology management, and the management of technologies in general and of security in particular, are critical issues of e-GP governance.
• Countries need dynamic laws that keep pace with technological advancements.
e-Procurement Essentials: Enablers
• The spread of fast, reliable broadband Internet connectivity is a key factor fuelling e-procurement and e-commerce initiatives.
• The Internet has shrunk the cost of going into business, which is good for the SME sector.
• A good, reliable, authenticated website is essential to reach customers worldwide.
• Empowerment of both consumers and entrepreneurs, with reliable, accurate and authentic information on products and services.
• Push and pull technology working in a collaborative mode, with multimodal delivery, is a reality and an enabler.
e-Procurement Essentials: Security and Trust Viewpoint
• Safety and security are the highest priority.
• Creating trust and confidence is important; third-party certification and PKI/digital signatures may be one of the solutions.
• Integration into the enterprise's workflow, ERP and EAI with proper identification, authorization and authentication within a VPN/enterprise network or over the open Internet (an identity infrastructure and a network identity infrastructure are essential). A user-permission-based approach may be explored.
• Security has implications for centralized and decentralized implementations.
e-Procurement Success: Technology Integration into the Work Process
• The most successful e-procurement projects are those where the e-procurement function becomes totally embedded in the business process and where the system is sufficiently flexible to accommodate the rapid changes in technology which are inevitable.
Security Concerns and Desired Controls Framework
• Identification: Can we find out who the users trying to reach us are?
• Authentication: Can we ensure that they are who they pretend to be?
• Authorisation: Can we limit/control their actions?
• Confidentiality: Can we ensure that the privacy of sensitive information is maintained?
• Integrity: Can we ensure that the data has not been manipulated during or after the transmission?
• Non-repudiation: Can we ensure that the sender and receiver are accountable/responsible for their actions?
• Auditability: Can we ensure the traceability of actions?
• Intrusion Detection: Can we detect any unauthorised access attempts?
• Error Correction: Can we correct the errors as soon as they are detected?
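Added example, not from the slides: three of the controls above (integrity, non-repudiation and auditability) shown end to end for a procurement bid. The deck names PKI/digital signatures as a solution but no particular scheme; this code assumes Ed25519 from Go's standard library, a constructed Bid structure that is not a real tender schema, and a hash-chained audit log as the traceability mechanism. The supplier signs a canonical encoding of the bid, the portal verifies it, and both an altered bid and an after-the-fact edit to the log are detected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Bid is a constructed sample of an e-procurement message; the field set is an
// assumption made for this example, not a real tender schema.
type Bid struct {
	TenderID string
	Supplier string
	Amount   uint64 // whole currency units
}

// Canonical returns a fixed byte encoding so signer and verifier always hash
// exactly the same bytes; an ambiguous encoding is a classic signature pitfall.
func (b Bid) Canonical() []byte {
	return []byte(fmt.Sprintf("tender=%s|supplier=%s|amount=%d", b.TenderID, b.Supplier, b.Amount))
}

// SignBid produces the supplier's signature over the canonical bid. Only the
// holder of priv can produce it, which is what gives non-repudiation.
func SignBid(priv ed25519.PrivateKey, b Bid) []byte {
	return ed25519.Sign(priv, b.Canonical())
}

// VerifyBid is what the procurement portal runs: it confirms origin
// (authentication) and that the bid was not altered in transit (integrity).
func VerifyBid(pub ed25519.PublicKey, b Bid, sig []byte) bool {
	return ed25519.Verify(pub, b.Canonical(), sig)
}

// AuditLog is a hash-chained record of processing steps: each hash commits to
// the previous one, so editing or deleting an old entry breaks every later link.
type AuditLog struct {
	Entries []string // human-readable records
	Hashes  []string // hex SHA-256 chain, one per entry
}

func (l *AuditLog) Append(record string) {
	prev := ""
	if n := len(l.Hashes); n > 0 {
		prev = l.Hashes[n-1]
	}
	h := sha256.Sum256([]byte(prev + "\n" + record))
	l.Entries = append(l.Entries, record)
	l.Hashes = append(l.Hashes, hex.EncodeToString(h[:]))
}

// Verify recomputes the chain and reports whether every stored hash matches.
func (l *AuditLog) Verify() bool {
	prev := ""
	for i, rec := range l.Entries {
		h := sha256.Sum256([]byte(prev + "\n" + rec))
		if hex.EncodeToString(h[:]) != l.Hashes[i] {
			return false
		}
		prev = l.Hashes[i]
	}
	return true
}

// DemoResult collects the outcomes of one walk-through so they can be checked.
type DemoResult struct {
	GenuineVerifies bool // untouched bid passes VerifyBid
	AlteredVerifies bool // bid with changed amount passes VerifyBid (should be false)
	LogIntact       bool // untouched audit log passes Verify
	EditedLogIntact bool // audit log with an edited entry passes Verify (should be false)
}

// Demo signs and verifies a constructed bid, logs the steps, then shows that
// tampering with either the bid or the log is detected.
func Demo() (DemoResult, error) {
	var r DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	bid := Bid{TenderID: "T-2006-001", Supplier: "Example Supplier Ltd", Amount: 125000}
	sig := SignBid(priv, bid)
	r.GenuineVerifies = VerifyBid(pub, bid, sig)

	altered := bid
	altered.Amount = 120000 // an in-transit change to the bid amount
	r.AlteredVerifies = VerifyBid(pub, altered, sig)

	trail := &AuditLog{}
	trail.Append("received " + string(bid.Canonical()))
	trail.Append("signature verified for " + bid.Supplier)
	r.LogIntact = trail.Verify()

	trail.Entries[0] = "received " + string(altered.Canonical()) // after-the-fact edit
	r.EditedLogIntact = trail.Verify()
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine bid verifies: %v, altered bid verifies: %v\n", r.GenuineVerifies, r.AlteredVerifies)
	fmt.Printf("audit log intact: %v, edited audit log intact: %v\n", r.LogIntact, r.EditedLogIntact)
}
```

The signature covers the bid but not who may act on it, so authorisation and confidentiality from the framework above still need their own controls (access policy and transport encryption respectively); the hash chain makes edits detectable but does not prevent them, which is why audit logs are normally written to a separately protected store.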
Main Concerns
• Privacy
• Safety
• Security
• Creating and maintaining trust
e-Procurement: New Avenues
• Internet e-procurement has huge scalability and, subject to implementation and security details, opens up a huge global market for procurement, including procurement from completely new suppliers.
Secure e-Procurement: TCO and ROI
• As a business process, implementing secure electronic purchasing can be a highly effective way of reducing transaction costs and improving process efficiency. With the savings and cost benefits going straight to the bottom line, e-procurement can deliver a significant return on investment, although analysts are divided over how long this can take.
• Secure e-GP systems become cost-effective for high-cost or high-volume purchases; the inference is that they are not applicable to all purchases unless centralization is possible.
Typical Network Identity Infrastructure Today
[Figure 3. Typical Network Identity Infrastructure Today]
Basic Network Identity Services Functions
[Figure]
Network ID Management Infrastructure & Control: Authentication of Appliances
• An intuitive GUI is accessible from web browsers. It provides a global management view of the network identity infrastructure from any location, based on that particular user's access permissions.
• There are no general user logins. For security reasons, only an administrator can configure an appliance using a web browser, communicating with the appliance over an encrypted session.
Network ID Management Infrastructure & Control: Authentication of Appliances (continued)
• To populate the data store with each enterprise's user and policy information, tools are available to export data from existing servers and import it into specified authorized appliances.
• Network identity appliances come equipped with a rich set of standards-based reporting, logging, and advanced configuration and management features. Among them are SNMP support and web-based reporting functions.
First Line of Defense Issues: Firewall & VoIP Incompatibility
• To stop someone dumping a virus on your machine or defacing your homepage, it is essential to have some form of dedicated web server protection. But the use of firewalls, generally seen as the first line of defense in protecting data, has been interfering with the transmission of Voice over Internet Protocol (VoIP) calls.
• The key problem is an incompatibility between aspects of VoIP and firewall technology.
Securing & Managing Interdependencies
• Infrastructure characteristics (organizational, operational, temporal, spatial)
• Environment (economic, legal/regulatory, technical, social/political)
• Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
• Type of failure (common cause, cascading, escalating)
• Types of interdependencies (physical, cyber, logical, geographic)
• State of operations (normal, stressed/disrupted, repair/restoration)
Identity Management
In a Virtual Space, Netizens Exist, Citizens Don't!
Identity Management
• Identity management is not new, but has evolved from the days of a single password entry onto the network to a comprehensive set of processes and systems that make it easier for all users to access information in real time and in a much more secure manner.
• ID management tends to center on technical improvements in system security, but the more important benefits are the opportunities gained by collaborating with vendors, suppliers, and customers across the supply chain.
• The real value of an ID management solution is that it ultimately enables this wide range of business enterprise.
ID Metrics: Requirements
• Universality: Each person should have the characteristic.
• Distinctiveness: Any two persons should be different in terms of the characteristic.
• Permanence: The characteristic should be sufficiently invariant (with respect to the matching criterion) over a period of time.
• Collectibility: The characteristic should be quantitatively measurable.
Four Ways to Become an Automated Identity-Focused Enterprise
1. Change current identity concepts
2. Perform automated user provisioning wisely
3. Integrate automated identity management and user provisioning
4. Control identity operations
1. Change Current Identity Concepts
• Many business and IT leaders correlate identity with users; this is only part of the equation. The concept of identity must be expanded to include systems, servers, applications, data, and even transactions and events.
• As auditors analyze business processes, they will see that all organizational components can be assigned identities that link corporate activities within the current IT infrastructure.
• With the use of an all-encompassing identity, the road to continuous access management and compliance with regulations becomes more attainable.
• Furthermore, with automated identity management tools, an organization is able to assign a permanent identity to every user, computer, server, and application, thus monitoring what employees can and cannot access.
2. Perform Automated User Provisioning Wisely
• User provisioning, the process of assigning system resources and privileges to users, automates and streamlines the creation of user accounts and the assignment of user privileges, and provides account permission data.
• Incorporating automated user provisioning can not only help organizations comply with Sarbanes-Oxley, but also enhance their audit processes and monitoring of IT activities.
3. Integrate Automated Identity Management and User Provisioning
• The ultimate goal of automation is to inject identity into every session a machine initiates, track its activities and transactions across an enterprise, and integrate this ability into the existing IT infrastructure.
• To integrate automated identity management and user provisioning successfully, organizations must first determine all users, assets, and applications in an identity-centric and consistent manner. This ensures user provisioning solutions are not compromised by unknown activity and are aligned with the broader IT environment.
• Only properly provisioned users and applications, based on corporate policy, should have the ability to communicate. Nevertheless, organizations must be able to control these interactions fully and provide a complete audit trail of these activities.
• The organization must also confirm that non-authorized users, such as employees who are no longer working for the organization, do not have access to IT resources, thus reducing the risk of invalid user actions.
4. Control Identity Operations
• To help meet Sarbanes-Oxley regulations, many organizations have given a higher priority to producing log files and report data. The reality is that many organizations do not have the resources to process data logs, nor do they have the means to correlate information from disparate sources. Although newer security event management systems have improved, the fundamental problem of managing the data and automating its compilation still exists.
Identification
• Why?
• For whom?
• When?
• How?
Identification Measures and Parameters of Personal Identity
• By name
• By given details
  – Association with father's/mother's name
  – Association with family name
  – Association with surname
  – Date of birth
  – Place of birth
  – Country of birth
  – Country of naturalization
A Biometric System Operates in Two Modes
• Verification
• Identification
Biometrics
Biometric Unique Identifier
Building and Sustaining Trust
• Building a trusted relationship with suppliers is critical before dealing with them over the Internet.
• Consumer comfort: 60 per cent said they preferred to deal with bricks-and-mortar companies rather than Internet-only traders.
• Concerns about security are paramount, even among those with significant experience of trading online with suppliers. Of the advanced users interviewed for the report, nine per cent said they had experienced security problems through e-procurement.
(PricewaterhouseCoopers' survey report)
Security & Trust
• Security and trust are inseparable. "Across the supply chain, people are demanding more and more exchange of current, pertinent information and they want to have confidence in their trading partners."
Definition of e-Trust
Development of mutual confidence within complex electronic environments through each player's willingness to continuously demonstrate, to the other players' satisfaction, that the game is honest, open, following the rules and properly controlled.
Conventional Information Security & e-Trust
• Conventional security practices do not reveal the nature or extent of our security capabilities; to do so is considered an act of compromise.
• The network economy requires a series of external representations that will meet the expectations and support the confidence of all players.
• Demonstrability
Trust and Security
• Reciprocity: appropriate protection for all
• Responsibility and liability
• Standardization of processes, interfaces and technologies
e-Trust: Business Partners & the Network Economy
• Can I trust the entities and infrastructures on which I depend?
• Can the organizations involved trust me?
• Together, can we trust our common infrastructure and processes?
Major Challenges and Issues
• Authentication of identity is the main issue. "People need to be satisfied about who they're dealing with.
• They need to know that their messages have not been intercepted or corrupted on the way,
• and, most importantly, that they are legally non-repudiable, meaning that the other party can't walk away from it in a court of law."
Security Fears Are Well-Founded
• The study showed that remarkably few companies had implemented the latest technology to secure business transactions.
• Nearly two-thirds of companies said they rely solely on password protection when dealing with suppliers over the Internet.
(PricewaterhouseCoopers' report)
Security Standards & Certification
National Cryptography Policy
A complex area with the following dimensions:
• Scientific
• Technical
• Political
• Social
• Business
• Economic
Importance of Group Standards: No One Standard Meets All Requirements
ISO 27001/BS 7799 vs COBIT vs CMM vs ITIL
Mission → Business Objectives → Business Risks → Applicable Risks → Internal Controls → Review
Compliance with Security Standards and Good Practices
Indian & International Standards
• IS 14356-1996: Guide for Protection of Information Resources
• IS 14357-1996: Guide for Practice for Information Security
• ISO 17799-1:2000: Code of Practice for ISM; will replace IS 14356-1996
• ISO/IEC 15483: Standards for TCSEC (IS 14990:1 2001)
• ISO/IEC 15408: Standards for TCSEC (IS 14990:1 2001)
• IS 15150, Nov 2002: New integrated, harmonized Indian standard on ISMS
• ISO/IEC 21827: Information Technology - Systems Security Engineering - Capability Maturity Model (SSE-CMM)
• Information Technology - Systems Security Engineering - Capability Maturity Model with PCMM, July 2006
BS 7799 series
• BS 7799-1:1999: Code of Practice for Information Security Management
• BS 7799-2:1999: Specification for Information Security Management Systems
• BS 7799-1:2000: Revised standard (Code of Practice for Information Security Management)
• BS 7799-2:2002, Sep 2002
• ISO 27001, Oct 2005
Business Assurance and Certification
9 Rules of Risk Management
• There is no return without risk: rewards go to those who take risks.
• Be transparent: risk is measured and managed by people, not mathematical models.
• Know what you don't know: question the assumptions you make.
• Communicate: risk should be discussed openly.
• Diversify: multiple risks will produce more consistent rewards.
• Show discipline: a consistent and rigorous approach will beat a constantly changing strategy.
• Use common sense: it is better to be approximately right than precisely wrong.
• Return is only half the question: decisions are to be made only by considering both the risk and the return of the possibilities.
(RiskMetrics Group)
Risk
• The lack of a trusted third party to guarantee online transactions is a key factor in companies' limited security.
• Unlike the stock exchange, which underwrites transactions between traders, most online marketplaces merely facilitate the transaction between two parties. They simply warn businesses that they trade at their own risk.
PKI & Trusted Third-Party Certificates
• Many believe that confidence in online transactions would be dramatically increased by the use of public key infrastructure and encryption technologies to encrypt and seal messages.
• But while the use of digital certificate technology would certainly increase confidence, the problem is finding a trusted third party to issue such a certificate.
• Asked who would be suitable to guarantee the security of e-business transactions, most respondents to the public survey said they would rather rely on an accounting or telecoms firm than on the Government.
Enhancements to Certification
• Certification alone cannot absolutely guarantee the trustworthiness of certificate holders or the organizations they represent.
• Creating a family of certificates enhances the confidence level.
• Recognition of certification is based not only on knowledge, but also on one's identity.
Certification and Cost
• IT certifications "are a commendable thing to do for a variety of reasons." However, they "require a considerable investment, and the benefit must be weighed against other needs and priorities for scarce resources".
Comparison of Seals
Web Certification | Security of Data | Business Policies | Transaction Processing Integrity | Product Cost | Privacy of Data
BBB Online | Low | No | No | Lightly Covered | No
TRUSTe | Low | Yes | No | No | No
VeriSign | Low to Medium | No | Yes: Data Transmittal; No: Data Storage | No | No
ICSA | High | Yes | Somewhat Covered | Lightly Covered |
WebTrust | High | Yes | Yes | |
The Need and What to Do
• Strong, demonstrable security and assurance processes, and the best practitioners to design, build and manage them.
• Ensuring at all times that the practices, products and personnel can pass the closest scrutiny.
• Anticipate and keep pace with the security needs of the information marketplace.
• Protective measures, architecture, philosophy and best practices are as dynamic as the information processes they support.
• Ensure not just the currency of knowledge, but also anticipate new requirements and environments.
The Need and What to Do (continued)
• Be ready to respond with new certification offerings, updated examinations, expanded knowledge bases, publications, training and communications.
• Generate global trust without compromising trustworthiness.
Reliability of National/Global Critical Infrastructure
• Measuring system risk and resiliency
• Understanding and managing interdependencies
• Overcoming barriers to technological change
• Selecting appropriate forms of infrastructure governance
• Developing efficient incentive structures
• Adopting an integrated systems perspective
Risk and Resiliency
• Economic consequences
• Non-economic consequences
• Environmental risk assessments
• Socio-community and individual risk perceptions
Technology and Human Behavior
• The interface between technology and human behavior is an important subject for investigation.
• The use of detection/prevention technologies.
• The ways in which deployment of technologies can complement or conflict with the values of privacy and civil liberty.
• The factors that influence the trustworthiness of individuals in a position to compromise or thwart security.
Conclusion
• Technology alone is not going to guarantee cyber and critical infrastructure reliability and security.
• Policies and approaches are needed that recognize that critical national/global infrastructures are complex adaptive systems, with behaviors and responses that may not be well understood.
• A better grasp is needed of how to measure infrastructure risk, and of how better to create the governance and incentive systems, including the human factors, that improve reliability.
E-Procurement & Cyber Security: Final Message
"In security matters the past is no guarantee; the present is imperfect and the future is uncertain."
"Failure is not when we fall down, but when we fail to get up."
Thank You
For interaction: Prof. K. Subramanian
ksdir@nic.in
ksmanian48@gmail.com
ksmanian20032004@yahoo.com
Tele: 23239560