The new EDAMIS and its security

Slides:



Advertisements
Similar presentations
InterScan AppletTrap Zhang Hong Trend Micro, AppletTrap Team (Nanjing)
Advertisements

Enabling Secure Internet Access with ISA Server
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Course 201 – Administration, Content Inspection and SSL VPN
Eurostat Unit B3 – Statistical Information Technologies Data transmission tools and services 15/05/ eDAMIS The standard solution for transmitting.
Masud Hasan Secue VS Hushmail Project 2.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
ArcGIS Server and Portal for ArcGIS An Introduction to Security
BASIC FUNCTIONALITY. Page 2 Agenda Main topics Policy Manager Communication Understanding communication Information flow Communication modules F-Secure.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Simplify and Strengthen Security with Oracle Application Server Allan L Haensgen Senior Principal Instructor Oracle Corporation Session id:
SOA-14: Deploying your SOA Application David Cleary Principal Software Engineer.
PLANNING A MICROSOFT EXCHANGE SERVER 2003 INFRASTRUCTURE Chapter 2.
Security fundamentals Topic 2 Establishing and maintaining baseline security.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
ESDEN - modernisation of data exchange in the ESS
(ITI310) By Eng. BASSEM ALSAID SESSIONS 10: Internet Information Services (IIS)
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
CERN IT Department CH-1211 Genève 23 Switzerland t Single Sign On, Identity and Access management at CERN Alex Lossent Emmanuel Ormancey,
Apr 1, 2003Mårten Trolin1 Previous lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Unit 3 Section 6.4: Internet Security
ArcGIS for Server Security: Advanced
Key management issues in PGP
SFS-HTTP: Securing the Web with Self-Certifying URLs
Using E-Business Suite Attachments
Secure Sockets Layer (SSL)
SUBMITTED BY: NAIMISHYA ATRI(7TH SEM) IT BRANCH
COMP3220 Web Infrastructure COMP6218 Web Architecture
THE STEPS TO MANAGE THE GRID
Virtual LANs.
IBM Certified WAS 8.5 Administrator
Utilize Group Policy Terminal Server Settings
Migration to the new EDAMIS
Item 3 - Progress and deployment of services
Goals Introduce the Windows Server 2003 family of operating systems
Communication and Information Resource Centre Administrator
Configuring Internet-related services
X-Road as a Platform to Exchange MyData
A Network Operating System Edited By Maysoon AlDuwais
Agricultural Data Collection System
CRIME - Data Transmission
Unit 8 Network Security.
EDAMIS - current status / further development
System Center Configuration Manager Cloud Services – Cloud Distribution Point Presented By: Ginu Tausif.
Features Overview.
Conclusions of the June 2018 DTCG meeting
Cryptography and Network Security
ESDEN - modernisation of data exchange in the ESS
Item 2.2 of the agenda IT Working Group meeting 2016
EDAMIS The new EDAMIS 4 EDAMIS and VALIDATION SERVICES User Group
Fast-Track UiPath Developer Module 10: Sensitive Data Handling
The migration to the new EDAMIS
Sending data to EUROSTAT using STATEL and STADIUM web client
Connectivity to secure networks
The migration to the new EDAMIS
Connection of Statistics Austria to TESTA
Project objectives and benefits
New transmission methods: Use the most adapted transmission methods.
EDAMIS 4 Status and outlook
Presentation transcript:

The new EDAMIS and its security ESDEN The new EDAMIS and its security ESDEN Steering Group meeting Javier MANSO DEL VALLE Directorate B - Methodology; corporate statistical and IT services Eurostat October 11th, 2017

Agenda Introduction Encryption in EDAMIS 4 Authentication EDAMIS main components Architecture: flows and protocols used Encryption in EDAMIS 4 Authentication Network topology Availability

Introduction

EDAMIS main components EDAMIS Web Portal Includes Web Forms New portal, HTML5-based Stadium Routing back-end Replaced by ESDEN Inventory Contains definition of domains, datasets, users, rights, etc. EWP3 EWP4 STADIUM ESDEN Inventory v3 Inventory v4

How to send files? NSI Standard protocols Non standard protocols AS4 EDAMIS 4 AS4 AS4 access point Application ESDEN Web services ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP sFTP server Web Application Manual data exchange EDAMIS 4 Web Portal NSI

Encryption in EDAMIS 4

Encryption: already in EDAMIS 3 Files encrypted with PGP Asymmetric encryption Key pair generated by Eurostat Private key kept by Eurostat Public key provided to data providers Encryption only from the NSI TO Eurostat EDAMIS maintains a list of public keys One key pair per domain What else do we want to add to this timetable?

Encryption: improved in EDAMIS 4 Encryption supported TO and FROM Eurostat Key management One encryption key for each dataset + receiving organisation EDAMIS keeps a list of all public keys Organisations can generate their own keys, and upload public keys in EDAMIS 4 What else do we want to add to this timetable?

Two-way encryption in EDAMIS 4 From Member States to Eurostat Encryption with the public key of the corresponding domain Public keys of all domains are available in the EDAMIS portal From Eurostat to Member State Organisations update their public key in the EDAMIS portal EDAMIS uses that public key to encrypt data sent to that organisation NSI What else do we want to add to this timetable? NSI

Encryption in EDAMIS 4 Web Portal Encryption of files Maintains PGP used in EDAMIS 3 Encryption of communication NSI-Eurostat-NSI HTTPS (not available in CCN yet) Additional encryption when using TESTA or CCN Encryption of communication Eurostat-Eurostat sFTP HTTP through reverse proxies What else do we want to add to this timetable?

Example: EDAMIS 4 Web Portal ESDEN EDAMIS 4 Web Portal What else do we want to add to this timetable? Application NSI

Example: EDAMIS 4 Web Portal User attaches the file, which is encrypted in the browser PGP encryption Public key of the domain EDAMIS 4 ESDEN EDAMIS 4 Web Portal User submits the encrypted file HTTPS Internet / TESTA ESDEN delivers the file ESDEN keeps an encrypted copy of the file for a defined retention period User accesses EDAMIS HTTPS Internet / TESTA What else do we want to add to this timetable? Application NSI

Retention period in EDAMIS Feature intended for compliance… Domain managers can define a retention period for their datasets ESDEN keeps an encrypted copy of all files for the defined period When the retention period is reached, EDAMIS deletes the file Expiration period can be 0, EDAMIS will delete the file immediately after delivery What else do we want to add to this timetable?

Retention period in EDAMIS … also has other uses Copy of official submissions to Eurostat available Copy of files received from Eurostat available Verify the version of the file that was submitted Recover files that were lost or modified What else do we want to add to this timetable?

Consolidated logging EDAMIS centralises all information on actions performed on every file All actions done (e.g. file received, chunks joined, signature checked, file available, file delivered) All files are hashed, possible to tell whether a file was ever received What else do we want to add to this timetable?

Authentication in EDAMIS 4

Authentication in EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

Authentication in Web Portal EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

Authentication in Web Portal Access through Internet and TESTA: EU Login Access through CCN: CCN-specific LDAP Authorisation: role-based access All actions in EDAMIS need permissions Permissions are grouped into roles EDAMIS administrators grant roles to users What else do we want to add to this timetable?

Authentication in sFTP EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

Authentication in sFTP Authentication of the sFTP server sFTP servers provide their key in every connection The key can be checked in the portal Authentication of the sFTP client DIGIT provides accounts (user and password) for each organisation and for Eurostat All files sent must be signed using PGP Authorisation The sFTP client is linked to an organisation ESDEN checks that the organisation has the right to send files for the corresponding dataset What else do we want to add to this timetable?

Authentication AS4 and ESDEN client EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

Configuration of an ESDEN client The organisation Installs the ESDEN client in their premises Generate a PGP key pair for the ESDEN client Provide the public key to Eurostat Eurostat Adds the public key to EDAMIS Links the public key to the corresponding organisation Creates an eTrustEx user for the ESDEN client What else do we want to add to this timetable?

Authentication using ESDEN client Authentication of the ESDEN client The ESDEN client is authenticated by eTrustEx using user/password (over HTTPS) The ESDEN client signs all files with PGP Authorisation The ESDEN client is linked to an organisation, and the corresponding rights are present in the EDAMIS databas The same mechanisms are used for AS4 What else do we want to add to this timetable?

Authentication inside EDAMIS AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

Authentication using ESDEN client Authentication of Web Portal and ESDEN When exchanging information, the Web Portal and the ESDEN server do client-side authentication X.509 certificates Direct trust of the certificate, no CA involved Connectivity HTTP for transfer of big files HTTPS also possible through reverse proxies Allows filtering by network equipment What else do we want to add to this timetable?

Authentication for delivery EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

Authentication for delivery - push Delivery through sFTP Authentication sFTP client: user and password provided by destination application sFTP server: key provided in every connection Authorisation The destination application has to be defined in EDAMIS and linked to an organisation with the right to receive What else do we want to add to this timetable?

Authentication for delivery - pull Client application must identify itself using a certificate (X.509) Direct trust of the certificate, no CA involved Authorisation The public key needs to be configured in EDAMIS The destination application has to be defined in EDAMIS and linked to an organisation with the right to receive What else do we want to add to this timetable?

Availability

New architecture Java applets replaced completely New architecture based on Java 2 Enterprise Edition Javascript Availability offered by DIGIT hosting services Reverse proxies (Internet, TESTA) Load balancers Oracle WebLogic Prepared for scalability What else do we want to add to this timetable?

WebLogic architecture Linux VM1 WebLogic Cluster Managed server 1 Reverse proxy Load balancer Session replication Reverse proxy Load balancer What else do we want to add to this timetable? Linux VM2 Managed server 2

Vulnerability testing Plan to introduce vulnerability testing Using services offered by DIGIT Cycle: test -> identify -> fix -> test What else do we want to add to this timetable?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.