UN/CEFACT
Presentation Transcript


  1. UN/CEFACT: e-Procurement, The Next Steps: Security and ebXML
  Presented by NexTenders (India) Pvt. Ltd., 4th October 2006, New Delhi, India
  Confidential. This document is the property of NexTenders (India) Private Limited, who owns the copyright thereof. The information in this document is given in confidence. This document (wholly or partly) may not be transmitted in any form (copied, reprinted, reproduced) without the written consent of NexTenders. The contents of this document, or any methods or techniques available therefrom, may not be disclosed to any third party whatsoever without the written consent of NexTenders.

  2. Maturity of usage of ETS (maturity level vs. security level)
  • LvL 1: Electronic Notification of Tenders on the Internet (3%)
  • LvL 2: Posting of Tender Documents on the Internet (7%)
  • LvL 3: Electronic Bid Submission & ePayments (25%)
  • LvL 4: Online Tender Preparation & Bid Preparation (50%)
  • LvL 5: Online Evaluation of Bids, Award of Tenders & PO (70%)
  • LvL 6: Online Pre-tender & Post Award Negotiation Enabling (80%)
  • LvL 7: Online Contract Tracking & Fulfilment (100%+)
  • LvL 8: Enterprise-wide Integration of Procurement Process (100%++)

  3. In numbers:
  • Over 50% of India is using one form of e-tendering.
  • Version 1 of NexTenders was at Level 4. Version 2.1 was at LvL 5.
  • The first LvL 6 (Version 2.3) implementation is happening this month in 2 of India's top 10 PSUs.
  • The total amount of tenders processed by NexTenders (i.e. all LvL 4+ installations) has been in excess of 2.8 Billion USD or 2.5 Billion Euro (above Rs. 12,500 Cr.) from only 4 of 26 states (* conversions done with approximate moving-average figures for Dollar and Euro).
  • These figures are for the last 36 months alone, of which the last 12 months account for almost 60% of the load.

  4. Implementation Experience (Government/PSU, India): Government of Assam
  Departments such as Roads, NH Works, Building, RIDF & ARIASP. Departments are handling schemes like PMGSY, MPNA, State Plan, NABARD, CRF, NHAI, NLCPR, World Bank & Asian Development Bank funding.
  Management Challenges:
  • Solution to handle multiple procedures/policies.
  • Catering to World Bank norms, CVC Guidelines.
  • Enhance user base/access to tenders.
  • Reduce the cycle time and cost involved in the tendering process.
  • Seamless submission of bids.
  • Reduction in unfair practices.
  • User awareness.
  Approach:
  • Customization & implementation of solution.
  • Deployment of team for administrative & support functions.
  • User-friendly application for faster adaptation.
  • Facilitation and consultancy in adoption of electronic tendering.
  • Impart training and administrative support.
  • Uninterrupted services.
  Benefits:
  • Procurement worth INR 3000+ crore processed.
  • Enhanced transparency.
  • Processing of 103 tenders in a period of 30 days by 8 resources.
  • Better and more responsive contractors.
  • Reduced tender cycle time (90 days to 30 days).
  • Minimal human error and misuse.
  • Reduced contractor collusion.
  • Reduction in unfair practices.
  • Maturity LvL reached in a period of less than a year.

  5. Implementation Experience (Government/PSU, India): Government of Chhatisgarh
  Departments such as PWD, Water Resources, RRDA, SIDC, Housing Board, Ispat Bhoomi Ltd, PR. Departments are handling various schemes catering to various policies.
  Management Challenges:
  • Solution to handle multiple procedures/policies.
  • Multiple department interface.
  • Low LvL of IT awareness.
  • Reduce the cycle time and cost involved in the tendering process.
  • Increased participation of contractors/suppliers.
  • Reduction in unfair practices.
  Approach:
  • Customization of department-specific solution.
  • Deployment of team for administrative & support functions.
  • Extensive training for adaptation to the eProcurement solution.
  • Awareness workshops and facilitations.
  Benefits:
  • Processing of $500 million worth of procurement spread over 1500 tenders by a single department.
  • Access to new contractors.
  • Reduced tender cycle time.
  • Cost competitiveness.
  • Enhanced participation of contractors/suppliers.
  • Transparency.

  6. Implementation Experience (Government/PSU, India): Municipal Corporation Delhi
  Departments such as Education, Conservancy, Sanitation, Engineering, Health and Horticulture. Common procedures but differential workflow.
  Management Challenges:
  • Install and implement an Electronic Procurement System.
  • Adherence to CVC Guidelines and IT Act 2000.
  • Reduce underhand practices and introduce transparency.
  • Reduce the cycle time and cost involved in the tendering process.
  • Introduce an efficient procurement-to-pay process.
  • User awareness.
  Approach:
  • Electronic tendering.
  • Payment gateways.
  • Digital signature.
  • Anti-collusion security system.
  • Change management.
  • Implementation and integration of the IT network.
  • System administration of the Electronic Procurement System.
  • Integration with Public Key Infrastructure (PKI) and Payment Gateway.
  • Provision of digital certificates for the users and vendors.
  • Impart training to corporation staff and vendors (300 users, 5000 contractors).
  • Availability of a Service Help Desk.
  Benefits:
  • Processing of over 8000 tenders in a span of 12 months.
  • Greater transparency.
  • Overall cost saving.
  • Access to new contractors.
  • Reduced tender cycle time (90 days to 30 days).
  • Reduced human error and misuse.
  • Reduced contractor collusion.
  • Reduction in unfair practices.
  • Capacity enhancement.
  • Presently: over 1600 tenders live.

  7. Implementation Experience (Government/PSU, India): National Thermal Power Corporation
  One of the "nine jewels" of the Government of India, catering to the power sector and a profit-making CPU. High standard of work. Over 29 plants and other offices spread across India.
  Management Challenges:
  • Solution to handle multiple locations and user-defined procedures.
  • Providing a one-stop solution for multiple interfaces.
  • Consulting and process re-engineering to adopt best practices.
  • Reduction in the cycle time involved and setting up a benchmark.
  • Efficient and secured handling of the procurement process.
  • Adherence to CVC Guidelines and other relevant norms.
  • IT culture in the organization.
  Approach:
  • Process analysis and implementation of solution.
  • Demo portal for training and hands-on sessions.
  • Pilot events for user adoption and analysis of gaps.
  • Remote administration and on-line support on a need basis.
  • Formulation of an On-line Procurement Policy Document for the organization.
  • Consulting in gap analysis and process re-engineering.
  Benefits:
  • Reduction in process time.
  • Formulation of electronic procurement policy.
  • Enhanced transparency.
  • One-stop solution for procurement.
  • Reduction in errors and misuse.
  • Reduced contractor collusion.
  • Reduction in unfair practices.
  • Roll-out plan initiated for complete coverage.
  • Analysis mechanism and spend analysis.

  8. Interesting Observations:
  • At LvL 5 the average saving achieved by the tendering authority was estimated (by themselves) as "above 20%".
  • 20% savings imply 25% more development/expenditure surplus for these organisations.
  • It has been estimated that the present LvL 4+ setups are affecting the lives of over 100 million people directly.
  • These observations led to a change in the overall policy of the Govt, which has issued a circular to this effect by which all Govt tenders above a value of .... need to be tendered ONLY via e-tendering.

  9. India E-Procurement top 10: facing the music of enlarged needs for new features
  • "E-Procurement is working fine - I want all my employees to take part in it and have access to it"
  • "We have an internal workflow and we now want the system to support that – each one's responsibility should be noted"
  • "I want JIT inventory – give me the facility to issue direct PO from existing Rate Contracts"
  • "We need to share our tender forms with other organisations and they need to float a similar tender – why can't I simply email them the template"
  • "Don't expect me to buy keys for all my employees - use our existing infrastructure and give me a solution – but don't dare compromise on security"
  • "Non-repudiation my foot – that guy simply said he was not aware that the translation is wrong – the translator is not responsible in your system"
  • "We need to have the tender automatically approved with the budgets in our accounts system realtime"
  • "Integrate to my ERP – we have SAP – it should be a simple thing"
  • "I don't care for standards – my vendors don't need to fill these fields – take them off"
  • "Whatever you do – don't ask me to buy out Dell!!!!"

  10. Translation...
  • Need to integrate and interchange data (including masters) with third-party software easily.
  • Need to export data in an easy, portable fashion.
  • Need to use standards which allow the flexibility to extend the scope.
  • Need to make it platform independent.
  • Need to have end-user programmability.
  • Need to build in dynamically allocable power structures (for escalation), power charts (for budget sanctions) and organograms.
  • Need to conform to international standards.

  11. The solution was actually a no-brainer: USE XML FROM START TO END and only keep indexing and authentication information in the database.
  It implies using XML:
  • for the UI
  • for data storage
  • for data comparison
  • for input/output
  • for messaging
  • for conformance to standards (UN/CEFACT & ebXML standards)
  Eureka! We have a solution. But what about security??

  12. Need for XML Security: securing the connection vs. securing the content
  1. A direct connection between client and server must be established, which means multiple intermediaries require multiple HTTPS connections piped together.
  • This opens potential security holes at the connecting nodes, and also creates a public key certificate management nightmare.
  • It cannot provide granular content security.
  • Scenarios such as multi-level approval require parts of information to
  • Connection-based security is insufficient to verify the authenticity of approval signatures.
  • Unnecessarily encrypting all content also introduces more processing overhead.

  13. Overall View: Case Study
  • Field Agent: signs and sends an order. The order contains an encrypted account number.
  • Manager: verifies the order signature; attaches an approval signature.
  • Payment Center: verifies the approval signature; decrypts the account number; attaches a payment status signature; removes the account number.
  • Factory: verifies the payment status signature; verifies the agent address; sends the product.

  14. XML Security Means
  1. Availability
  2. Integrity
  3. Confidentiality
  4. Authentication
  5. Accountability

  15. 1. Availability
  • Availability assures that the information and essential services will be available to authorised users at the required moment, including the efforts required to regain lost information.

  16. 2. Integrity
  • Integrity guarantees the correctness and completeness of the information. Cryptography (such as hashes or checksum mechanisms) is a perfect means to assure information integrity. Both are used to detect changes to the original information; however, hashes are more focussed on malicious changes whilst checksums are applied to detect accidental changes.
  • As such, we consider the integrity issue a requirement to be addressed by sXML.

  17. 3. Confidentiality
  • Confidentiality protects sensitive information against examination by unauthorised individuals, entities or processes. Clearly, cryptography provides excellent means to support confidentiality by applying symmetric or asymmetric encryption mechanisms.

  18. 4. Authentication
  • Authentication assures that the identity of the source is indeed identical to what it is claimed to be, and can be applicable to persons, processes, systems or information. Cryptography, and more specifically the use of asymmetric encryption, provides means to assure authentication, also known as non-repudiation.

  19. 5. Accountability
  • Accountability records the responsibility of the individuals belonging to the organisation for which a policy regarding information security has been established. This aspect thus relates to organisations and responsibilities.

  20. Solutions Overview
  1. XML Encryption
  2. XML Digital Signature
  3. Includes XML Canonicalization
  4. XML Key Management System
  5. Security Assertion, Access Control Markup
  6. WS-Security

  21. XML Encryption
  • Proper encryption is crucial for XML data security, particularly for sensitive data that is passed across unprotected networks such as the Internet. Enter XML Encryption.
  • It is easy to think of encryption as a "blanket" operation: data is encrypted on one end, then decrypted on the other. But more information is required to perform this operation successfully. In an XML instance, there are four basic types of information:

  22. Encryption Description
  1. Encrypted content, which contains the actual encrypted data or a reference to the location of this data. There is virtually unlimited flexibility in both the types of data that can be included and the methods for logical data collection for encryption.
  2. Unencrypted content, which contains other information that is pertinent to the context of the interaction but is not encrypted for some reason, perhaps due to performance concerns or because it was not deemed private or sensitive enough to warrant encryption.
  Continued…

  23. Encryption Description (continued)
  3. Key information, which contains information or pointers to information about the keys that perform the encryption, and therefore the keys that perform the decryption. The key information can be maintained elsewhere and replaced by a URL in the XML instance.
  4. Recipient information, which contains information about one or more intended recipients of the encrypted data. This information is optional, thus allowing situations where the applicable recipient information is known or provided out of band, such as with business partners that have a pre-existing contractual relationship.

  24. Encrypting XML data follows the traditional encryption steps for public key cryptography. First, the data is encrypted, typically using a randomly created secret key. Then the secret key is encrypted using the intended recipient's public key. This information is packaged to ensure that only the intended recipient can retrieve the key and decrypt the data. Decryption involves applying the private key to decrypt the secret key, then decrypting the data with the secret key. There are a number of options being evaluated for encrypting XML portions, as well as multiple ways of embedding these encryption elements within an XML instance.

  25. XML Signature
  • A digest of the data, protected with encryption.
  • Creating a digital signature (roughly):
    • Digest the data.
    • Encrypt the digest (with a private or shared key).
    • The encrypted result is the signature.

  26. XML Signature Verification
  • Verifying a digital signature (roughly):
    • Digest the data.
    • Decrypt the signature (with the known public key of the signer, or with the shared key).
    • The digest must match the decrypted signature.
  • The signature verifies that the data is the same as was signed.
  • With public-key cryptography, the signature also gives non-repudiation.

  27. XML Canonicalization
  • For a signature, the data is digested.
  • Digest algorithms work with octet streams.
  • Equivalent XML may have different octet stream representations: <element att="val"/> vs. <element att = 'val' />
  • Canonicalization (C14N) prescribes the one serialization.
  • Serious issues with namespaces and other inherited values (xml:base, xml:lang etc.): they must be inherited to be verified by the signature.
  • The same applies to encrypting only parts of XML documents.
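The digest/sign/verify steps of slides 25 and 26, the canonicalization point of slide 27, and the four-party approval chain of slide 13, worked through together as an added example (not code from the presentation or from NexTenders). It assumes only the Python standard library: C14N 2.0 via xml.etree.ElementTree.canonicalize, SHA-256 digests, and HMAC with constructed per-party shared keys standing in for XML Signature's private keys; the element names, roles and order content are made up.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed shared keys, one per party (slide 25's "shared key" variant; XML Signature proper would use private keys).
KEYS = {"agent": b"k-agent", "manager": b"k-manager", "payment": b"k-payment"}

def c14n(el: ET.Element) -> bytes:
    """Canonical octet stream (stdlib C14N 2.0) of one subtree."""
    el = copy.copy(el)
    el.tail = None  # whitespace after the element is outside the subtree
    return ET.canonicalize(ET.tostring(el, encoding="unicode"), strip_text=True).encode()

def equivalent_serializations_match() -> bool:
    """Slide 27: both spellings of the element digest identically after C14N."""
    dig = lambda s: hashlib.sha256(ET.canonicalize(s, strip_text=True).encode()).hexdigest()
    return dig('<element att="val"/>') == dig("<element att = 'val' />")
def sign(el: ET.Element, role: str) -> str:
    """Digest the canonical form, then MAC the digest with the role's key."""
    d = hashlib.sha256(c14n(el)).digest()
    return base64.b64encode(hmac.new(KEYS[role], d, hashlib.sha256).digest()).decode()
def attach(order: ET.Element, role: str) -> None:
    """Signatures sit beside <Payload>, so adding one never breaks an earlier one."""
    sig = ET.SubElement(order.find("Signatures"), "Signature", role=role)
    sig.text = sign(order.find("Payload"), role)
def check(order: ET.Element, role: str) -> bool:
    sig = order.find(f"Signatures/Signature[@role='{role}']")
    return sig is not None and hmac.compare_digest(sign(order.find("Payload"), role), sig.text)

ORDER = """<Order>
  <Payload>
    <Item>pump</Item>
    <AgentAddress>Field office 7</AgentAddress>
    <EncryptedAccount>{encrypted-account-number-placeholder}</EncryptedAccount>
  </Payload>
  <Signatures/>
</Order>"""  # constructed order; the account-number ciphertext is a placeholder

def run_case_study() -> dict:
    order = ET.fromstring(ORDER)
    attach(order, "agent")                      # field agent signs the order
    manager_ok = check(order, "agent")          # manager verifies it, then approves
    attach(order, "manager")
    payment_ok = check(order, "manager")        # payment centre verifies the approval
    payload = order.find("Payload")
    payload.remove(payload.find("EncryptedAccount"))  # the account number must not reach the factory
    attach(order, "payment")                    # payment status signature over the reduced payload
    return {
        "manager_saw_valid_order": manager_ok,
        "payment_saw_valid_approval": payment_ok,
        "factory_saw_valid_status": check(order, "payment"),
        "agent_signature_after_removal": check(order, "agent"),  # False: the payload it covered changed
    }
```

The last result is the point of slide 12's "granular content security": a signature is scoped to the canonical bytes it covers, so removing the account number for the factory deliberately invalidates the agent's signature while the payment centre's signature over the reduced payload still verifies.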

  28. XML Key Management, XACML, SAML
  • XKMS – XML Key Management Specification
    • Distributing and registering public keys
    • Minimizing the complexity of using XML Signature
  • XACML – eXtensible Access Control Markup Language
    • Authorization policies
  • SAML – Security Assertion Markup Language
    • Authentication, transfer of authentication and authorization decisions

  29. Web Application based on XML Document Security
  [Diagram: Browser (Web 2.0 client using Ajax) exchanging HTML/JavaScript/XML with the Web Server over HTTP GET and HTTP PUT; the Web Server comprises a Presentation Processor and a Security Processor (PAM & REM) backed by Key Stores.]

  30. Conclusion
  • XML is poised to redefine the way we use the Internet by providing real-time, interactive capabilities for sharing data among entities, so start planning now.
  • Encryption and signature standards for XML documents will permit the maximum use of XML capabilities in conducting business transactions over the Internet.
  • These standards will strengthen the security mechanisms surrounding XML processes while harnessing XML's power.

  31. Thank You If you have questions, please feel free to contact sujeet@nextenders.com This document is a confidential document of NexTenders (India) Pvt. Ltd. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, whether electronic, mechanical, photocopying, recording or otherwise, without the written permission of NexTenders.
