Security requirements for e-government services: a methodological approach for developing a common PKI-based security policy Authors: C. Lambrinoudakis,

Slides:

Advertisements

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Advertisements

Doug Couto Information Systems and Technology Committee (ABJ50) Washington, DC January 25, 2011.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

Public Key Infrastructure (PKI) Hosting Services.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

E-Business Risks Chapter Seven. E-Business Models EDI Web pages The online environment Distributed e-business and intranets Supply chain linkage Collaborative.

Public Key Infrastructure Ben Sangster February 23, 2006.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.

Security Controls – What Works

Figure 1: SDR / MExE Download Framework SDR Framework Network Server Gateway MExE Download + Verification Using MExE Repository (Java sandbox) MExE Applet.

Building a Successful Security Infrastructure

Understanding Active Directory

02/12/00 E-Business Architecture

Polytechnic University of Tirana Faculty of Information Technology Computer Engineering Department Identification of on-line users and Digital Signature.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

E-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Database Administration Chapter 16. Need for Databases  Data is used by different people, in different departments, for different reasons  Interpretation.

INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

Public Key Infrastructure Ammar Hasayen ….

Security in Cloud Computing Presented by : Ahmed Alalawi.

Intranets Lessons from Global Experiences J Satyanarayana Chief Executive Officer National Institute for Smart Government Hyderabad, India.

Security Guide for Interconnecting Information Technology Systems

Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

The Internetworked E-Business Enterprise

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam

Copyright © 2008, CIBER Norge AS 1 Using eID and PKI – Status from Norway Nina Ingvaldsen and Mona Naomi Lintvedt 22 nd October 2008.

Mobile Databases: a Selection of Open Issues and Research Directions Authors: Rachid Guerraoui et al. Sources: SIGMOD Record, 33(2), pp.78-83, 2004 Adviser:

Dao Dinh Kha National Centre of Digital Signature Authentication - Agency of Information Technology Application A vision on a national Electronic Authentication.

Transforming Services Creating Efficiencies Empowering Citizens Transforming Services Creating Efficiencies Empowering Citizens Transforming Services Creating.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

IT in the Swedish public sector Britta Johansson

E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.

Information Technologies for Education & Training in E-Government Author: Ranjit Bose Source: Proceedings of the International Conference on Information.

©2003 Hathai Tanta-ngai, Tony Abou-Assaleh, Sittichai Jiampojamarn, and Nick Cercone 1 IPSI 2003 Hathai Tanta-ngai, Tony Abou-Assaleh, Sittichai Jiampojamarn,

X-Road – Estonian Interoperability Platform

Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.

PKI Forum Business Panel March 6, 2000 Dr. Ray Wagner Sr. Director, Technology Research.

Privacy Communication Privacy Confidentiality Access Policies Systems Crypto Enforced Computing on Encrypted Data Searching and Reporting Fully Homomorphic.

Security Overview  System protection requirements areas  Types of information protection  Information Architecture dimensions  Public Key Infrastructure.

Eliza de Guzman HTM 520 Health Information Exchange.

Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst.

Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.

1 產業電子化卓越中心 Electronic Business Excellency Center 清華大學工業工程與工程管理學系張瑞芬教授.

By Umair Ali. Dec 2004Version 1 -PKI - a security architecture – over the internet. -Provides an increased level of confidence for exchanging information.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Brenda Watkins Director Policy and Business Strategies Information.

A flexible biometrics remote user authentication scheme Authors: Chu-Hsing Lin and Yi-Yi Lai Sources: Computer Standards & Interfaces, 27(1), pp.19-23,

© 2013, published by Flat World Knowledge Chapter 10 Understanding Software: A Primer for Managers 10-1.

Password-based user authentication and key distribution protocols for client-server applications Authors: Her-Tyan Yeh and Hung-Min Sun Sources: The Journal.

Configuring, Managing and Maintaining Windows Server® 2008 Servers Course 6419A.

Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University

PKI Policy Determination Process Input from PKI Decision Process PKI Policy Determination Process Application(s) Workflows Players.

Information Security Measures Confidentiality IntegrityAccessibility Information cannot be available or disclosed to unauthorized persons, entities or.

A Novel Privacy Preserving Authentication and Access Control Scheme for Pervasive Computing Environments Authors: Kui Ren, Wenjing Lou, Kwangjo Kim, and.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Electronic Information System for Civil Registration and Administrative Services European eGovernment Conference July, Como, Italy Toma Bussarov.

Chapter 1: Security Governance Through Principles and Policies

Conference Pan-European eGovernment services for citizens & enterprises E.3 Services for enterprises Development and improvement of Information Systems.

IS3220 Information Technology Infrastructure Security

TAG Presentation 18th May 2004 Paul Butler

Efficient and secure transborder exchange of patient data

TAG Presentation 18th May 2004 Paul Butler

Smart Meter Data Privacy: A Survey

National Trust Platform

Presentation transcript:

Security requirements for e-government services: a methodological approach for developing a common PKI-based security policy Authors: C. Lambrinoudakis, S. Gritzalis, F. Dridi, and G. Pernul Source: Computer Communications, 26(16), pp , Adviser: Min-Shiang Hwang Speaker: Chun-Ta Li ( 李俊達 )

2 Outline IntroductionIntroduction The e-government platformThe e-government platform Security issuesSecurity issues The Public Key InfrastructureThe Public Key Infrastructure A case-study: the e-government system WebocratA case-study: the e-government system Webocrat ConclusionConclusion CommentComment

3 Introduction e-governmente-government –Improving the quality of life, Disseminating knowledge, Generating earnings et al. Information securityInformation security User privacyUser privacy Security measures – Risk analysis (RA)Security measures – Risk analysis (RA) –Assess the consequences from a potential security incident –Select the countermeasures

4 Introduction (cont.) RA is to have precisely specified boundariesRA is to have precisely specified boundaries e-government – amalgam of heterogeneous information systeme-government – amalgam of heterogeneous information system A framework can facilitate the development of a unified e-government security policyA framework can facilitate the development of a unified e-government security policy –Isolated system  component of the e-government platform Organizational Framework for the Security Requirements of e-government services (e-GOV-OFSR)Organizational Framework for the Security Requirements of e-government services (e-GOV-OFSR) [Gritzalis and Lambrinoudakis, 2002 ] [Gritzalis and Lambrinoudakis, 2002 ]

5 The e-government platform [Wimmer and Traunmuller, 2002][Wimmer and Traunmuller, 2002] User …… Internet Wireless Governmental Portal Global Access Point Local (state) Users Local (state) Users Central Server (National Authority) Remote Server (Local Authority) Remote Server (Local Authority) … SUPPORTED SERVICES

6 Security issues Identifying security requirementsIdentifying security requirements –e-University –e-Voting –Electronic collaboration of governmental departments –Web-based public services Security requirementSecurity requirement –service phases –actor type

7 Security issues (cont.) e-Universitye-University

8 Security issues (cont.) e-Votinge-Voting

9 Security issues (cont.) Electronic collaboration of governmental departmentsElectronic collaboration of governmental departments

10 Security issues (cont.) Web-based public servicesWeb-based public services

11 Security issues (cont.) A consolidated view of the security requirements for an e-Government platformA consolidated view of the security requirements for an e-Government platform

12 The Public Key Infrastructure Registration Digital signatures Encryption Time stamping Non-repudiation Key management Certificate management Information repository Directory services Camouflaging communication TTP to TTP interoperability Authorization Audit PKI services Use of PKI services for fulfilling e-government security requirements Security requirements Availability Performance Authentication Logging Management of privileges Integrity Confidentiality Non- repudiation Anonymity Public trust Untraceability Secure storage a Not in the context of e-voting. a a a

13 The Public Key Infrastructure (cont.) The hardware and software infrastructure supporting the e-government portalThe hardware and software infrastructure supporting the e-government portal –Risks: Unreliable hardware, Limited computing resources, Unstable software, maintainability, Poor communication infrastructure et al.Unreliable hardware, Limited computing resources, Unstable software, maintainability, Poor communication infrastructure et al. –Countermeasures: Redundant servers, backup communication lines, services contracts, testing procedures et al.Redundant servers, backup communication lines, services contracts, testing procedures et al.

14 A case-study: the e-government system Webocrat e-GOV-OFSR framework  Webocrate-GOV-OFSR framework  Webocrat Webocrat – implemented within the Webocracy ProjectWebocrat – implemented within the Webocracy Project Protecting the system – PKI-based security architecture (CSAP)Protecting the system – PKI-based security architecture (CSAP) –Communication (C) –Security (S) –Authentication (A) –Privacy (P)

15 A case-study: the e-government system Webocrat (cont.) Webocracy project – EU funded research projectWebocracy project – EU funded research project // Webocracy – Democracy on the Web Service Operator Service Customers System Administrator Knowledge Management Knowledge Management Discussion Management Opinion-Polling- Management CSAP: Security Services

16 A case-study: the e-government system Webocrat (cont.) actor types:actor types: –System administrators Setting up the hardware/software infrastructureSetting up the hardware/software infrastructure Implemented the security services through the CSAP moduleImplemented the security services through the CSAP module –Service operators (government employees) Setting up the Webocrat modulesSetting up the Webocrat modules –Service customers (citizens, politicians) Accessing the system via well-specified “User Interfaces”Accessing the system via well-specified “User Interfaces” Citizens Information HelpdeskCitizens Information Helpdesk

17 A case-study: the e-government system Webocrat (cont.) Webocrat-WebspaceWebocrat-Webspace –Publishing Space Different types of documentsDifferent types of documents –Laws, Resolutions, Budgets et al. –Discussion Space Supporting intelligent communicationSupporting intelligent communication –Inputs and comments – published in the Discussion space –Opinion Polling Space Electronic opinion polling on several issues/questionsElectronic opinion polling on several issues/questions –Knowledge Management

18 A case-study: the e-government system Webocrat (cont.) Security requirements & risk analysisSecurity requirements & risk analysis

19 A case-study: the e-government system Webocrat (cont.) CSAP security architectureCSAP security architecture Integrity, Confidentiality, Non-repudiation Secure Storage Logging (Audit) Access Control and Authorization (Management of Privileges) Identification and Authentication ． Registration ． Authorization ． Key Management ． Certificate Management ． Directory Services ． Time Stamping ． Non-repudiation ． Information ． Repository ． Audit ． Digital Signatures ． Encryption ． TTP to TTP ． Interoperability ． Camouflaging ． Communication

20 Conclusions RA methodologiesRA methodologies –Information system with well-defined boundaries –Each information system must study independently –Consolidated list of requirements e-GOV-OFSR frameworke-GOV-OFSR framework –service phases –actor types PKI security servicesPKI security services

21 Comments Methodologies  requirements  existing approach  framework (architecture)Methodologies  requirements  existing approach  framework (architecture) RA  each information system  frameworkRA  each information system  framework PKI-based approach  other approachPKI-based approach  other approach –Security –Efficiency –Cost