Download presentation
Presentation is loading. Please wait.
1
The new EDAMIS and its security
ESDEN The new EDAMIS and its security ESDEN Steering Group meeting Javier MANSO DEL VALLE Directorate B - Methodology; corporate statistical and IT services Eurostat October 11th, 2017
2
Agenda Introduction Encryption in EDAMIS 4 Authentication
EDAMIS main components Architecture: flows and protocols used Encryption in EDAMIS 4 Authentication Network topology Availability
3
Introduction
4
EDAMIS main components
EDAMIS Web Portal Includes Web Forms New portal, HTML5-based Stadium Routing back-end Replaced by ESDEN Inventory Contains definition of domains, datasets, users, rights, etc. EWP3 EWP4 STADIUM ESDEN Inventory v3 Inventory v4
5
How to send files? NSI Standard protocols Non standard protocols AS4
EDAMIS 4 AS4 AS4 access point Application ESDEN Web services ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP sFTP server Web Application Manual data exchange EDAMIS 4 Web Portal NSI
6
Encryption in EDAMIS 4
7
Encryption: already in EDAMIS 3
Files encrypted with PGP Asymmetric encryption Key pair generated by Eurostat Private key kept by Eurostat Public key provided to data providers Encryption only from the NSI TO Eurostat EDAMIS maintains a list of public keys One key pair per domain What else do we want to add to this timetable?
8
Encryption: improved in EDAMIS 4
Encryption supported TO and FROM Eurostat Key management One encryption key for each dataset + receiving organisation EDAMIS keeps a list of all public keys Organisations can generate their own keys, and upload public keys in EDAMIS 4 What else do we want to add to this timetable?
9
Two-way encryption in EDAMIS 4
From Member States to Eurostat Encryption with the public key of the corresponding domain Public keys of all domains are available in the EDAMIS portal From Eurostat to Member State Organisations update their public key in the EDAMIS portal EDAMIS uses that public key to encrypt data sent to that organisation NSI What else do we want to add to this timetable? NSI
10
Encryption in EDAMIS 4 Web Portal
Encryption of files Maintains PGP used in EDAMIS 3 Encryption of communication NSI-Eurostat-NSI HTTPS (not available in CCN yet) Additional encryption when using TESTA or CCN Encryption of communication Eurostat-Eurostat sFTP HTTP through reverse proxies What else do we want to add to this timetable?
11
Example: EDAMIS 4 Web Portal
ESDEN EDAMIS 4 Web Portal What else do we want to add to this timetable? Application NSI
12
Example: EDAMIS 4 Web Portal
User attaches the file, which is encrypted in the browser PGP encryption Public key of the domain EDAMIS 4 ESDEN EDAMIS 4 Web Portal User submits the encrypted file HTTPS Internet / TESTA ESDEN delivers the file ESDEN keeps an encrypted copy of the file for a defined retention period User accesses EDAMIS HTTPS Internet / TESTA What else do we want to add to this timetable? Application NSI
13
Retention period in EDAMIS
Feature intended for compliance… Domain managers can define a retention period for their datasets ESDEN keeps an encrypted copy of all files for the defined period When the retention period is reached, EDAMIS deletes the file Expiration period can be 0, EDAMIS will delete the file immediately after delivery What else do we want to add to this timetable?
14
Retention period in EDAMIS
… also has other uses Copy of official submissions to Eurostat available Copy of files received from Eurostat available Verify the version of the file that was submitted Recover files that were lost or modified What else do we want to add to this timetable?
15
Consolidated logging EDAMIS centralises all information on actions performed on every file All actions done (e.g. file received, chunks joined, signature checked, file available, file delivered) All files are hashed, possible to tell whether a file was ever received What else do we want to add to this timetable?
17
Authentication in EDAMIS 4
18
Authentication in EDAMIS 4
AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI
19
Authentication in Web Portal
EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI
20
Authentication in Web Portal
Access through Internet and TESTA: EU Login Access through CCN: CCN-specific LDAP Authorisation: role-based access All actions in EDAMIS need permissions Permissions are grouped into roles EDAMIS administrators grant roles to users What else do we want to add to this timetable?
21
Authentication in sFTP
EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI
22
Authentication in sFTP
Authentication of the sFTP server sFTP servers provide their key in every connection The key can be checked in the portal Authentication of the sFTP client DIGIT provides accounts (user and password) for each organisation and for Eurostat All files sent must be signed using PGP Authorisation The sFTP client is linked to an organisation ESDEN checks that the organisation has the right to send files for the corresponding dataset What else do we want to add to this timetable?
23
Authentication AS4 and ESDEN client
EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI
24
Configuration of an ESDEN client
The organisation Installs the ESDEN client in their premises Generate a PGP key pair for the ESDEN client Provide the public key to Eurostat Eurostat Adds the public key to EDAMIS Links the public key to the corresponding organisation Creates an eTrustEx user for the ESDEN client What else do we want to add to this timetable?
25
Authentication using ESDEN client
Authentication of the ESDEN client The ESDEN client is authenticated by eTrustEx using user/password (over HTTPS) The ESDEN client signs all files with PGP Authorisation The ESDEN client is linked to an organisation, and the corresponding rights are present in the EDAMIS databas The same mechanisms are used for AS4 What else do we want to add to this timetable?
26
Authentication inside EDAMIS
AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI
27
Authentication using ESDEN client
Authentication of Web Portal and ESDEN When exchanging information, the Web Portal and the ESDEN server do client-side authentication X.509 certificates Direct trust of the certificate, no CA involved Connectivity HTTP for transfer of big files HTTPS also possible through reverse proxies Allows filtering by network equipment What else do we want to add to this timetable?
28
Authentication for delivery
EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI
29
Authentication for delivery - push
Delivery through sFTP Authentication sFTP client: user and password provided by destination application sFTP server: key provided in every connection Authorisation The destination application has to be defined in EDAMIS and linked to an organisation with the right to receive What else do we want to add to this timetable?
30
Authentication for delivery - pull
Client application must identify itself using a certificate (X.509) Direct trust of the certificate, no CA involved Authorisation The public key needs to be configured in EDAMIS The destination application has to be defined in EDAMIS and linked to an organisation with the right to receive What else do we want to add to this timetable?
31
Availability
32
New architecture Java applets replaced completely
New architecture based on Java 2 Enterprise Edition Javascript Availability offered by DIGIT hosting services Reverse proxies (Internet, TESTA) Load balancers Oracle WebLogic Prepared for scalability What else do we want to add to this timetable?
33
WebLogic architecture
Linux VM1 WebLogic Cluster Managed server 1 Reverse proxy Load balancer Session replication Reverse proxy Load balancer What else do we want to add to this timetable? Linux VM2 Managed server 2
34
Vulnerability testing
Plan to introduce vulnerability testing Using services offered by DIGIT Cycle: test -> identify -> fix -> test What else do we want to add to this timetable?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.