E-Procurement for Improving Governance – A World Bank live e-learning event addressing the design and implementation of e-procurement infrastructure
Session 5: Integrity Protection of eProcurement Systems
Topics – Integrity Protection of e-Procurement Systems
In this session, you will review:
• Security issues in an eProcurement platform;
• Risk management – Confidentiality, Integrity and Availability (CIA);
• Integrity protection – “must have” security mechanisms;
• Integrity protection – “must have” security controls;
• Lessons learned from operating the Italian eProcurement system.
eProcurement Systems from a Security Perspective
An eProcurement system shares the same security issues as any other electronic system.
eProcurement Systems Present a Multi-Faceted Security Problem
In an eProcurement system, the higher the value or confidentiality of the transactions passing through the system, the higher the required security level. The security level affects a number of security decisions:
• User identification – each user is known to the system by a unique identifier;
• Authentication – verification that the presented identifier really belongs to the user presenting it;
• Access control – managing who may access the system and which operations they may perform;
• Integrity – verification that data is not altered at any point in the process;
• Non-repudiation – ensuring that the sender of a message cannot later deny having sent it, and the receiver cannot deny having received it;
• Confidentiality – information is accessible only to those authorized to see it.
How to Choose the Right Security Level
The level of security of a computer system is built from a number of different elements, from physical components to procedures and business processes. Some components are technical (e.g. encryption) and some are non-technical (e.g. security policies). The required level of security differs for each type of system, based on its specific combination of business and security goals and requirements.
(Figure: Tool Security)
AIC Triad – Security Principles
• Availability – the reliability and accessibility of data and resources to authorized individuals in a timely manner
• Confidentiality – ensuring that information is not disclosed to unauthorized subjects
• Integrity – ensuring that information and systems are not modified, whether maliciously or accidentally
All security controls, mechanisms and safeguards are intended to address one or more of these principles, and all risks, threats and vulnerabilities are measured by their potential to compromise one or more of the AIC principles.
Risk Management and Analysis
Risk management is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no 100 percent secure environment: every environment has vulnerabilities and threats to some degree.
Step 1 – Asset and information value assignment
Step 2 – Identify vulnerabilities and threats
Step 3 – Risk analysis and assessment
Step 4 – Countermeasure selection and implementation
Security Definitions
• A vulnerability is a software, hardware or procedural weakness that may give an attacker unauthorized access to resources within the environment.
• A threat is any potential danger to information or systems.
• A threat agent is the entity that takes advantage of a vulnerability.
• A risk is the likelihood of a threat agent taking advantage of a vulnerability, combined with the resulting business impact.
• An exposure is an instance of being exposed to losses from a threat agent.
• A countermeasure is a software configuration, a hardware device or a procedure that eliminates a vulnerability or reduces the likelihood or impact of its exploitation.
Top-Down Approach to Security
Administrative, technical and physical controls should work together to protect the assets of the eProcurement system (the diagram shows them as layers around the company data and assets):
• Physical controls: facility protection, security guards, locks, monitoring, environmental controls, intrusion detection
• Technical controls: logical access controls, encryption, security devices, identification and authentication
• Administrative controls: policies, standards, procedures, guidelines, personnel screening, and security-awareness training
Risk Analysis – A Real Case
Initial risk value = 6558 (before countermeasures)
Residual risk value = 924 (after countermeasures)
Target risk value = 723
Integrity Protection – “Must Have” Security Mechanisms
• Encryption
• Digital Signature
Encryption
Encryption is the capability of hiding data in such a way that its true form is not revealed unless the user has some special information. In computing terms, this usually means that a “key” is used to encrypt (hide) data or to decrypt (reveal) it. Encryption systems fall into two families:
• Symmetric encryption, where the same key is used for both operations: K = K1 = K2
• Asymmetric encryption, where the encryption and decryption keys differ: K1 ≠ K2
Symmetric Encryption
The sender generates a random symmetric key and encrypts the message with it. The receiver uses the same symmetric key to decrypt the message.
Advantage – symmetric encryption is extremely fast.
Disadvantage – how can the secret key be transferred securely to the receiver's site and kept secret there?
Asymmetric Encryption (Public Key Cryptography)
Each user holds a key pair: a public key that may be given to anyone and a private key kept only by its owner. Data encrypted with the public key can be decrypted only with the matching private key, so anyone can send the owner confidential information, but nobody except the owner can read it, and the public key alone does not let its holder read what others have sent.
Advantage – with an asymmetric algorithm the secret key (private key) never needs to be transmitted; it always remains securely kept by its owner.
Disadvantage – asymmetric encryption is slow; it involves a very computationally intensive sequence of operations. In practice the two families are combined: a symmetric key encrypts the bulk data and the asymmetric algorithm protects only that key.
Electronic Signatures for Electronic Documents
When a legal document is signed, all parties to the transaction act on certain basic assumptions regarding the signature:
• The signer intended to sign.
• The signer is who he or she claims to be and is authorized to sign.
• The signature is that of the signer and is unique to the signer.
• The signature binds the signer to whatever the electronic document states.
• The document will not be changed once the parties have signed it.
• A signature on one document cannot be fraudulently transferred to another document.
• The signer cannot later deny (repudiate) the signature in an attempt to invalidate his or her relationship to the document.
Carrying these assurances over to electronic signatures can be difficult.
Public Key Infrastructure
Public Key Infrastructure (PKI) is an arrangement that binds public keys to their respective users by means of a Certificate Authority (CA). For each user, the user's identity, the public key, their binding, validity conditions and other attributes are made impossible to forge by placing them in a public key certificate issued and digitally signed by the CA. The user identity must be unique within each CA.
• Certificates contain the requestor's public key and are digitally signed by the CA.
• Certificate Authorities are Trusted Third Parties charged with generating trusted certificates for requesting individuals and organizations.
• Before a certificate is issued, the CA must verify the identity of the requestor.
These certificates can then support automatic authentication of two parties without the need for out-of-band communication.
Integrity Protection – “Must Have” Security Controls
• Authentication and access control
• Separation of duties
• Transaction assurance
• Logging
Authentication and Authorization
The precondition for access control is to make sure that the person or program requesting access is identified beyond doubt. Common authentication mechanisms are based on:
• Something you know:
  • Login procedures: user ID and user secret (password)
  • Susceptible to password leaks:
    • Commonly used passwords
    • Explicitly told to someone else (voluntarily, or to a Trojan horse that captures it)
    • Trial and error (guessing)
• Something you have, with several subcategories, for example cryptographic smart cards:
  • Store the user's digital certificate and/or private key
  • Used to prevent private keys from being “hacked” off the user's computer
• Something you are: biometrics (fingerprints, iris scanning, etc.)
Authorization
Authorization is based on authentication.
What needs protection?
• Sensitive operations and transactions
• Protected resources
How to protect?
• A Role is a set of permissions over individual protected resources.
• A Role Assignment is the set of permissions granted to a specific user that allows the user to execute a specific sensitive operation or to access a protected resource.
Access Control Model
Access control models are governed by the following principles:
• Default is No Access, to ensure that no security holes go unnoticed.
• Need to know: individuals should be given access only to the information that they absolutely require in order to perform their job duties.
Common models:
• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Role-based access control (RBAC)
Logging – whatever access controls are in place, all access (successful or failed) to sensitive data must be logged.
Separation of Duties – What and Why
Separation of duties is a type of administrative control that prevents a single individual from both initiating and approving a material eProcurement transaction. Ideally, digital systems would be engineered to provide a higher level of control than is possible with manual processes, but in practice the opposite usually happens. Today's best-practice model is role-based access control (RBAC), an operational model for implementing privileges in a complex environment. Separation of duties is essential for control over eProcurement processes and transactions.
Separation of Duties – How Five major steps are necessary to create and manage a robust and auditable responsibility control infrastructure that can ensure that users have the necessary access to data elements, without having too much access: • Process mapping • Risk assessment of processes • Role and rule definition • User authentication • Ongoing role maintenance
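As an added example (not code from the slides or from any real platform), here is a small Python access-control layer that puts together the points of the last four slides: roles as sets of permissions, default deny for anything not explicitly granted, a static separation-of-duties rule (one user may not hold both the requester and approver roles), a dynamic rule (whoever created a tender may not approve it, whatever roles they hold), and a log entry for every decision, granted or denied. The role names, permission strings and the `Tender` object are assumptions for illustration.

```python
"""Added example (not from the World Bank slides): role-based access control with
default deny, separation of duties and an access log."""
from dataclasses import dataclass
from typing import Optional

# Role -> permissions. Anything not listed here is denied (default is no access).
ROLES = {
    "requester": {"tender:create", "tender:read"},
    "approver":  {"tender:read", "tender:approve"},
    "auditor":   {"tender:read", "log:read"},
}
# Static separation of duties: roles one user must never hold together (assumption).
MUTUALLY_EXCLUSIVE = [{"requester", "approver"}]


@dataclass
class Tender:
    tender_id: str
    created_by: str
    approved_by: Optional[str] = None


class AccessControl:
    def __init__(self):
        self.assignments = {}   # user_id -> set of role names
        self.access_log = []    # (user, permission, object, decision) for EVERY request

    def can_assign(self, user: str, role: str) -> bool:
        """False if the role is unknown or would violate static separation of duties."""
        if role not in ROLES:
            return False
        held = self.assignments.get(user, set())
        return not any(role in pair and (held & pair) - {role} for pair in MUTUALLY_EXCLUSIVE)

    def assign_role(self, user: str, role: str) -> None:
        if not self.can_assign(user, role):
            raise ValueError("cannot assign role %r to %r" % (role, user))
        self.assignments.setdefault(user, set()).add(role)

    def permissions(self, user: str) -> set:
        perms = set()
        for role in self.assignments.get(user, ()):
            perms |= ROLES[role]
        return perms              # empty set for an unknown user: default deny

    def check(self, user: str, permission: str, obj: Optional[Tender] = None) -> bool:
        allowed = permission in self.permissions(user)
        # Dynamic separation of duties: the initiator of a transaction never approves it,
        # even if a later role change gave them the approve permission.
        if allowed and permission == "tender:approve" and obj is not None and obj.created_by == user:
            allowed = False
        self.access_log.append((user, permission, obj.tender_id if obj else None,
                                "GRANTED" if allowed else "DENIED"))
        return allowed

    def approve(self, user: str, tender: Tender) -> Tender:
        if not self.check(user, "tender:approve", tender):
            raise PermissionError("%s may not approve %s" % (user, tender.tender_id))
        tender.approved_by = user
        return tender
```

The static rule is enforced at role maintenance time (step 5 of the list above) and the dynamic rule at transaction time; both are needed, because a mutually exclusive role pair says nothing about a user who legitimately held the requester role last year and the approver role today.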
Transaction Assurance
Transaction assurance is a process that helps reduce fraud and mitigates the risk of unauthorized access by using a variety of data-integrity and non-repudiation technologies.
Transaction verification:
• Data integrity – protecting against unauthorized changes to the transaction by ensuring that any change to the data is detectable.
• Data origin authentication – verifying that the identity of the user submitting the transaction is as claimed; hence data origin authentication implicitly authenticates the user.
Transaction authentication uses an electronic signature to provide transaction verification:
• Message Authentication Code (MAC) – based on secret-key cryptography; sender and verifier share the key, so a MAC proves integrity and origin to the verifier but not to a third party.
• Digital signature – based on public-key cryptography; only the holder of the private key can produce it, so it also provides non-repudiation.
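As an added example (not code from the slides or from any real platform), the following Python block runs both transaction-verification mechanisms over a constructed bid: an HMAC under a key shared by supplier and platform, and a digital signature that only the supplier's private key can produce. It shows what the two have in common (any change to the bid is detected) and where they differ (the platform, holding the shared key, can itself produce a valid MAC for an altered bid, so a MAC cannot settle a later dispute; it cannot produce a signature). The signature is textbook RSA over a SHA-256 digest with fixed toy primes so that the example runs with the standard library alone; a real deployment uses 2048-bit or larger keys with a padding scheme such as RSA-PSS (or ECDSA) and a CA certificate binding the public key to the supplier, as on the PKI slide. The bid contents and key sizes are assumptions.

```python
"""Added example (not from the World Bank slides): MAC versus digital signature
for transaction verification. Toy RSA parameters, standard library only."""
import hashlib
import hmac
import json
import secrets


def canonical(tx: dict) -> bytes:
    # Both parties must serialize the transaction identically before MACing or
    # signing, otherwise a harmless re-ordering of fields looks like tampering.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")


# ---- Message Authentication Code: one secret key shared by sender and verifier ----
def mac_tag(key: bytes, tx: dict) -> bytes:
    return hmac.new(key, canonical(tx), hashlib.sha256).digest()


def mac_verify(key: bytes, tx: dict, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, tx), tag)


# ---- Digital signature: textbook RSA over SHA-256, TOY key for illustration ----
# Fixed Mersenne primes 2**31-1 and 2**61-1 avoid needing a prime generator here.
# Never use unpadded RSA or keys this small in a real system (assumption: toy only).
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)


def digest_int(tx: dict) -> int:
    return int.from_bytes(hashlib.sha256(canonical(tx)).digest(), "big") % N


def sign(private_d: int, tx: dict) -> int:
    return pow(digest_int(tx), private_d, N)


def verify(public_e: int, tx: dict, signature: int) -> bool:
    return pow(signature, public_e, N) == digest_int(tx)


def demo() -> dict:
    """A supplier submits a bid; the platform verifies it. Constructed data."""
    bid = {"tender": "T-2024-017", "supplier": "ACME", "amount": 125000}
    tampered = dict(bid, amount=99000)
    shared_key = secrets.token_bytes(32)  # known to BOTH supplier and platform
    tag = mac_tag(shared_key, bid)
    sig = sign(D, bid)                    # D is known ONLY to the supplier
    return {
        "mac_ok": mac_verify(shared_key, bid, tag),
        "mac_detects_tamper": not mac_verify(shared_key, tampered, tag),
        # The platform holds the same key, so it can produce a valid tag for any
        # bid it likes: a MAC proves integrity, but not who created the message.
        "platform_can_forge_mac": mac_verify(shared_key, tampered, mac_tag(shared_key, tampered)),
        "sig_ok": verify(E, bid, sig),
        "sig_detects_tamper": not verify(E, tampered, sig),
    }
```

The last point is the non-repudiation property from the electronic-signatures slide: the platform can check a signed bid with the supplier's public key and later show it to an auditor or a court, but it could not have produced that signature itself. With a MAC, both parties could have produced the tag, so neither can prove to a third party which of them did.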
Logging
To ensure the confidentiality, integrity and availability of eProcurement data, a log management tool must be adopted to:
• Automate the collection and consolidation of log data
• Automate event log data analysis and report generation
• Perform basic event management
• Monitor login attempts and report discrepancies
• Identify and respond to privacy and security incidents
This can help to:
• Increase enterprise incident response capabilities by providing situational awareness;
• Provide security information management for long-term trending, analysis and regulatory compliance.
Security of an eProcurement Platform
• Secure by design – each component is designed with its potential weaknesses in mind and with the necessary safeguards deployed.
• Identity proofing of users is based on a registration process (online plus out-of-band checks) by which the system uniquely identifies a person before “provisioning an identity”.
• Processes (e.g. framework agreements) are designed according to the separation-of-duties principle.
• Planned vulnerability and security assessments (every six months).
• Each major change (in both the application layer and the technical layer) is evaluated against the AIC triad, and residual risks are documented.
• Logs are analysed monthly for unexpected behaviours and activities (e.g. night-time access peaks from other countries).
• Applicability of security alerts from CERT is evaluated on a monthly basis and security patches are applied where suitable.
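As an added example (not code from the slides or from the Italian platform), the following Python block automates two of the log checks mentioned on the logging slide and in the lessons above: monitoring login attempts for trial-and-error guessing (and for a success that immediately follows such a burst), and counting night-time successful logins from countries the platform does not normally serve, so that a monthly review sees the peak rather than a pile of individual lines. The log line format, the thresholds, the expected country and the sample records are all constructed for this example; `ZZ` is a user-assigned, non-existent country code.

```python
"""Added example (not from the World Bank slides): login-log review for
trial-and-error guessing and night-time foreign access peaks."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record format: one login attempt per line, ISO-8601 UTC timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<cc>[A-Z]{2}) result=(?P<res>OK|FAIL)$"
)

# Tuning values are assumptions for this example, not figures from the slides.
EXPECTED_COUNTRIES = {"IT"}           # where the platform's users normally connect from
NIGHT_HOURS = range(0, 6)             # 00:00-05:59 (timestamps here are UTC)
FAIL_THRESHOLD = 5                    # this many failures for one user ...
FAIL_WINDOW = timedelta(minutes=10)   # ... inside this window = trial-and-error guessing
NIGHT_PEAK_THRESHOLD = 3              # successful night logins from unexpected countries

# Constructed sample log: a guessing burst that eventually succeeds, two more
# night logins from an unexpected country, and ordinary daytime activity.
SAMPLE_LOG = """\
2024-03-04T01:02:11Z login user=supplier17 ip=203.0.113.9 country=ZZ result=FAIL
2024-03-04T01:02:40Z login user=supplier17 ip=203.0.113.9 country=ZZ result=FAIL
2024-03-04T01:03:05Z login user=supplier17 ip=203.0.113.9 country=ZZ result=FAIL
2024-03-04T01:03:30Z login user=supplier17 ip=203.0.113.9 country=ZZ result=FAIL
2024-03-04T01:04:02Z login user=supplier17 ip=203.0.113.9 country=ZZ result=FAIL
2024-03-04T01:04:31Z login user=supplier17 ip=203.0.113.9 country=ZZ result=OK
2024-03-04T02:10:00Z login user=buyer02 ip=203.0.113.12 country=ZZ result=OK
2024-03-04T03:20:00Z login user=buyer05 ip=203.0.113.13 country=ZZ result=OK
2024-03-04T09:15:00Z login user=buyer01 ip=198.51.100.4 country=IT result=OK
2024-03-05T10:00:00Z login user=buyer01 ip=198.51.100.4 country=IT result=FAIL
2024-03-05T10:00:30Z login user=buyer01 ip=198.51.100.4 country=IT result=OK
"""


def parse(lines):
    """Parse and time-order the records; unparseable lines are skipped here
    (a production tool should count and report them as well)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def login_alerts(events):
    """Per-user sliding window over failures: alert when FAIL_THRESHOLD failures
    fall inside FAIL_WINDOW, and again if a success follows such a burst."""
    alerts, recent_fails = [], defaultdict(list)
    for e in events:
        window = recent_fails[e["user"]]
        while window and e["ts"] - window[0] > FAIL_WINDOW:   # drop old failures
            window.pop(0)
        if e["res"] == "FAIL":
            window.append(e["ts"])
            if len(window) == FAIL_THRESHOLD:
                alerts.append(("brute_force", e["user"], e["ts"].isoformat()))
        elif len(window) >= FAIL_THRESHOLD:
            alerts.append(("success_after_brute_force", e["user"], e["ts"].isoformat()))
            window.clear()
    return alerts


def night_foreign_peaks(events):
    """Nights with an unusual number of successful logins from unexpected countries."""
    per_night = defaultdict(int)
    for e in events:
        if e["res"] == "OK" and e["ts"].hour in NIGHT_HOURS and e["cc"] not in EXPECTED_COUNTRIES:
            per_night[e["ts"].date().isoformat()] += 1
    return {day: n for day, n in per_night.items() if n >= NIGHT_PEAK_THRESHOLD}


def review(lines):
    events = parse(lines)
    return {"events": len(events),
            "login_alerts": login_alerts(events),
            "night_peaks": night_foreign_peaks(events)}


if __name__ == "__main__":
    for name, value in review(SAMPLE_LOG.splitlines()).items():
        print(name, value)
```

Both checks only work if the platform logs failed logins as well as successful ones, which is the point made on the access-control slide; and a monthly review of this kind finds the guessing burst weeks after the account was taken over, so the same logic should also run continuously in the log management tool and feed the incident response process.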