
Creating Digital Trust for G-eP: Beyond PKI & Digital Signatures. ID Management, Standards & Certification and Assurance

Prof. K. Subramanian

DDG(NIC) & IT Adviser to CAG of India

WB & ADB e-Procurement Conference, 19th May 2006

Cyberspace is dynamic, undefined and exponential. Technology management, and the management of technologies in general and of security in particular, are critical issues of eGP governance. Countries need dynamic laws that keep pace with technological advancement.

e-Procurement: Essentials and Enablers
  • The spread of fast, reliable broadband Internet connectivity is a key factor in fuelling e-procurement and e-commerce initiatives.
  • The Internet has shrunk the cost of going into business, which is good for the SME sector.
  • A good, reliable, authenticated website is essential to reach customers worldwide.
  • Empowerment of both consumers and entrepreneurs, with reliable, accurate and authentic information on products and services.
  • Push and pull technology working in a collaborative mode with multimodal delivery is a reality and an enabler.

e-Procurement: Essentials from the Security and Trust Viewpoint
  • Safety and security are the highest priority.
  • Creating trust and confidence is important; third-party certification and PKI/digital signatures may be one solution.
  • Integration into enterprise workflow, ERP and EAI requires proper identification, authentication and authorization, whether within a VPN/enterprise network or over the open Internet (an identity infrastructure and a network identity infrastructure are essential). A user-permission-based approach may be explored.
  • Security has implications for both centralized and decentralized implementations.

e-Procurement Success: Technology Integration into the Work Process
  • The most successful e-procurement projects are those where the e-procurement function becomes totally embedded in the business process and where the system is flexible enough to accommodate the rapid, and inevitable, changes in technology.

Security Concerns and Desired Controls Framework

  • Identification: Can we find out who is trying to reach us?
  • Authentication: Can we ensure that users are who they claim to be?
  • Authorisation: Can we limit or control their actions?
  • Confidentiality: Can we ensure that the privacy of sensitive information is maintained?
  • Integrity: Can we ensure that data has not been manipulated during or after transmission?
  • Non-repudiation: Can we ensure that sender and receiver are accountable for their actions?
  • Auditability: Can we ensure the traceability of actions?
  • Intrusion Detection: Can we detect any unauthorised access attempts?
  • Error Correction: Can we correct errors as soon as they are detected?

Main Concerns

Privacy, Safety, Security, and Creating and Maintaining Trust

e-Procurement: New Avenues
  • Internet e-procurement has huge scalability and, subject to implementation and security details, opens up a huge global market for procurement - including procurement from completely new suppliers.

Secure e-Procurement: TCO and ROI
  • As a business process, implementing secure electronic purchasing can be a highly effective way of reducing transaction costs and improving process efficiency. And with the savings and cost benefits going straight to the bottom line, e-procurement can deliver a significant return on investment, although analysts are divided over how long this can take.

Secure eGP systems become cost effective only for high-cost or high-volume purchases; the inference is that they are not applicable to all purchases unless centralization is possible.

Typical Network Identity Infrastructure Today

Figure 3. Typical Network Identity Infrastructure Today

Basic Network Identity Services Functions

Network ID Management Infrastructure & Control: Authentication of Appliances
  • An intuitive GUI is accessible from web browsers. It provides a global management view of the network identity infrastructure from any location, based on that particular user’s access permissions.
  • There are no general user-logins. For security reasons, only an administrator can configure an appliance using a web browser, communicating with the appliance over an encrypted session.

Network ID Management Infrastructure & Control: Authentication of Appliances (continued)
  • To populate the data store with each enterprise’s user and policy information, tools are available to export data from existing servers and import it into specified authorized appliances.
  • Network identity appliances come equipped with a rich set of standards-based reporting, logging, and advanced configuration and management features. Among them are SNMP support and web-based reporting functions.

First Line of Defense Issues: Firewall and VoIP Incompatibility
  • To stop someone dumping a virus on your machine or defacing your homepage, it's essential to have some form of dedicated web server protection. But the use of firewalls, generally seen as the first line of defense in protecting data, has been interfering with the transmission of Voice over Internet Protocol (VoIP) calls.
  • The key problem is an incompatibility between aspects of VoIP and firewall technology.

Securing & Managing Interdependencies
  • Infrastructure characteristics (organizational, operational, temporal, spatial)
  • Environment (economic, legal/regulatory, technical, social/political)
  • Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
  • Type of failure (common cause, cascading, escalating)
  • Types of interdependencies (physical, cyber, logical, geographic)
  • State of operations (normal, stressed/disrupted, repair/restoration)

Identity Management

In a Virtual Space, Netizens Exist, Citizens Don’t!

Identity Management
  • Identity management is not new, but has evolved from the days of a single password for entry to the network into a comprehensive set of processes and systems that make it easier for all users to access information in real time and in a much more secure manner.
  • While ID management tends to center on technical improvements in system security, the more important benefits are the opportunities gained by collaborating with vendors, suppliers and customers across the supply chain.
  • The real value of an ID management solution is that it ultimately enables this wide range of business enterprise.

ID Metrics: Requirements
  • Universality: each person should have the characteristic.
  • Distinctiveness: any two persons should differ in terms of the characteristic.
  • Permanence: the characteristic should be sufficiently invariant (with respect to the matching criterion) over a period of time.
  • Collectability: the characteristic should be quantitatively measurable.

FOUR WAYS TO BECOME AN AUTOMATED IDENTITY-FOCUSED ENTERPRISE

1. Change Current Identity Concepts

2. Perform Automated User Provisioning Wisely

3. Integrate Automated Identity Management and User Provisioning

4. Control Identity Operations

1. Change Current Identity Concepts.
  • Many business and IT leaders correlate identity with users; this is only part of the equation. The concept of identity must be expanded to include systems, servers, applications, data, and even transactions and events.
  • As auditors analyze business processes, they’ll see that all organizational components can be assigned identities that link corporate activities within the current IT infrastructure.
  • With the use of an all-encompassing identity, the road to continuous access management and compliance to regulations becomes more attainable.
  • Furthermore, with automated identity management tools, an organization is able to assign a permanent identity to every user, computer, server and application, and thus monitor what employees can and cannot access.

2. Perform Automated User Provisioning Wisely

User provisioning, the process of assigning system resources and privileges to users, automates and streamlines the creation of user accounts and the assignment of user privileges, and provides account permission data. Incorporating automated user provisioning not only helps organizations comply with Sarbanes-Oxley, but also enhances their audit processes and their monitoring of IT activities.

3. Integrate Automated Identity Management and User Provisioning.
  • The ultimate goal of automation is to inject identity in every session a machine initiates, track its activities and transactions across an enterprise, and integrate this ability into the existing IT infrastructure.
  • To integrate automated identity management and user provisioning successfully, organizations must first determine all users, assets, and applications in an identity-centric and consistent manner. This ensures user provisioning solutions are not compromised by unknown activity and are aligned with the broader IT environment.
  • Only properly provisioned users and applications, based on corporate policy, should have the ability to communicate.
  • Organizations must also be able to control these interactions fully and provide a complete audit trail of these activities.
  • The organization must also confirm that non-authorized users, such as employees who no longer work for the organization, do not have access to IT resources, thus reducing the risk of invalid user actions.
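Steps 2 and 3 describe a check that is easy to state and easy to skip: does every account still map to a current employee, and does each account hold only the privileges its owner's role permits? The Go program below is an added worked example of that reconciliation, not code from the presentation; the HR roster, account store, role names and entitlement strings are constructed for the example, and the role-to-entitlement policy (buyers raise purchase orders, approvers approve them, never both) is an assumed separation-of-duties rule. It reports orphaned accounts, accounts belonging to leavers, and entitlement drift.

```go
package main

import (
	"fmt"
	"sort"
)

// Employee is one HR roster record; the roster is the authority on who
// still works for the organization and in what role.
type Employee struct {
	ID     string
	Role   string
	Active bool
}

// Account is one entry from a system's user store.
type Account struct {
	Name         string
	OwnerID      string   // HR ID the account was provisioned for
	Entitlements []string // privileges currently granted
}

// Finding is one account that policy says should not be able to act.
type Finding struct {
	Account string
	Kind    string // "orphan", "leaver" or "drift"
	Detail  string
}

// Reconcile compares the live account store against the HR roster and the
// role-to-entitlement policy. It flags accounts whose owner is unknown
// (orphan), whose owner has left (leaver), and entitlements the owner's role
// does not permit (drift). Output is sorted so successive runs are diffable.
func Reconcile(hr []Employee, accounts []Account, policy map[string][]string) []Finding {
	byID := make(map[string]Employee, len(hr))
	for _, e := range hr {
		byID[e.ID] = e
	}
	var out []Finding
	for _, a := range accounts {
		owner, known := byID[a.OwnerID]
		if !known {
			out = append(out, Finding{a.Name, "orphan", "owner " + a.OwnerID + " not in HR roster; disable and investigate"})
			continue
		}
		if !owner.Active {
			out = append(out, Finding{a.Name, "leaver", "owner " + a.OwnerID + " has left; revoke access"})
			continue
		}
		allowed := make(map[string]bool)
		for _, ent := range policy[owner.Role] {
			allowed[ent] = true
		}
		for _, ent := range a.Entitlements {
			if !allowed[ent] {
				out = append(out, Finding{a.Name, "drift", fmt.Sprintf("%q is not permitted for role %q", ent, owner.Role)})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Account != out[j].Account {
			return out[i].Account < out[j].Account
		}
		return out[i].Detail < out[j].Detail
	})
	return out
}

// SampleData is constructed for this example: a buyer who has accumulated an
// approver's privilege, an approver who has left, and a service account whose
// owner nobody can find.
func SampleData() ([]Employee, []Account, map[string][]string) {
	hr := []Employee{
		{ID: "e1", Role: "buyer", Active: true},
		{ID: "e2", Role: "approver", Active: false},
		{ID: "e3", Role: "approver", Active: true},
	}
	accounts := []Account{
		{Name: "alice", OwnerID: "e1", Entitlements: []string{"create_po", "approve_po"}},
		{Name: "bob", OwnerID: "e2", Entitlements: []string{"approve_po"}},
		{Name: "dave", OwnerID: "e3", Entitlements: []string{"approve_po"}},
		{Name: "svc-legacy", OwnerID: "e9", Entitlements: []string{"admin"}},
	}
	policy := map[string][]string{ // assumed separation of duties: buyers never approve
		"buyer":    {"create_po"},
		"approver": {"approve_po"},
	}
	return hr, accounts, policy
}

func main() {
	hr, accounts, policy := SampleData()
	for _, f := range Reconcile(hr, accounts, policy) {
		fmt.Printf("%-10s %-7s %s\n", f.Account, f.Kind, f.Detail)
	}
}
```

Fed real exports instead of the constructed data, the same pass produces the evidence step 4 asks for: a dated list of findings is an audit trail in a way that a pile of raw logs is not, and re-running it after remediation shows the findings clearing.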

4. Control Identity Operations
  • To help meet Sarbanes-Oxley regulations, many organizations have given a higher priority to producing log files and report data. The reality is that many organizations don’t have the resources to process data logs, nor do they have the means to correlate information from disparate sources. Although newer security event management systems have improved, the fundamental problem of managing the data and automating its compilation still exists.

Identification
  • Why?
  • For Whom?
  • When?
  • How?

Identification Measures and Parameters of Personal Identity

  • By name: association with father's/mother's name, family name, surname
  • By given details: date of birth, place of birth, country of birth, country of naturalization

Biometric System Operates on
  • Verification
  • Identification

Biometrics

Biometric Unique Identifier

Building and Sustaining Trust
  • Building a trusted relationship with suppliers is critical before dealing with them over the Internet.
  • Consumer comfort: 60 per cent said they preferred to deal with bricks-and-mortar companies rather than Internet-only traders.
  • Concerns about security are paramount, even among those with significant experience of trading online with suppliers. Of the advanced users interviewed for the report, nine per cent said they had experienced security problems through e-procurement.

PricewaterhouseCoopers survey report

Security & Trust
  • Security and trust are inseparable. "Across the supply chain, people are demanding more and more exchange of current, pertinent information and they want to have confidence in their trading partners."

Definition of e-trust

Development of mutual confidence within complex electronic environments through each player's willingness to continuously demonstrate, to the other players' satisfaction, that the game is honest, open, following the rules and properly controlled.

Conventional Information Security & e-trust
  • Conventional security practices do not reveal the nature or extent of our security capabilities; to do so is considered an act of compromise.
  • The network economy requires a series of external representations that will meet the expectations and support the confidence of all players.
  • Demonstrability.

Trust and Security
  • Reciprocity: appropriate protection for all
  • Responsibility and liability
  • Standardization of processes, interfaces and technologies

e-trust: Business Partners & the Network Economy
  • Can I trust the entities and infrastructures on which I depend?
  • Can the organizations involved trust me?
  • Together, can we trust our common infrastructure and processes?

Major Challenges and Issues
  • Authentication of identity is the main issue. "People need to be satisfied about who they're dealing with.
  • They need to know that their messages have not been intercepted or corrupted on the way,
  • and, most importantly, that they are legally non-repudiable, meaning that the other party can't walk away from it in a court of law."

Security Fears Are Well-Founded
  • The study showed that remarkably few companies had implemented the latest technology to secure business transactions.
  • Nearly two-thirds of companies said they rely solely on password protection when dealing with suppliers over the Internet.

PricewaterhouseCoopers report

Security Standards & Certification

National Cryptography Policy

  • A complex area with scientific, technical, political, social, business and economic dimensions.

Importance of a Group of Standards: no one standard meets all requirements (ISO 27001/BS 7799 vs COBIT vs CMM vs ITIL)

Control cycle: Mission → Business Objectives → Business Risks → Applicable Risks → Internal Controls → Review

Compliance to Security Standards and Good Practices: Indian & International Standards

  • IS 14356:1996, guide for the protection of information resources
  • IS 14357:1996, guide for practice for information security
  • ISO/IEC 17799:2000, code of practice for information security management; replaces IS 14356:1996
  • ISO/IEC 15408, evaluation criteria for IT security (the Common Criteria, successor to the TCSEC), adopted in India as IS 14990 Part 1:2001
  • IS 15150:2002 (Nov 2002), new integrated, harmonized Indian standard on ISMS
  • ISO/IEC 21827, Information Technology - Systems Security Engineering - Capability Maturity Model (SSE-CMM)
  • Information Technology - Systems Security Engineering - Capability Maturity Model with PCMM, July 2006
  • BS 7799-1:1999, Code of Practice for Information Security Management
  • BS 7799-2:1999, Specification for Information Security Management Systems
  • BS 7799-1:2000, revised Code of Practice for Information Security Management
  • BS 7799-2:2002, Sep 2002
  • ISO/IEC 27001:2005, Oct 2005

Business Assurance and Certification

9 Rules of Risk Management (RiskMetrics Group)

1. There is no return without risk: rewards go to those who take risks.
2. Be transparent: risk should be fully understood.
3. Seek experience: risk is measured and managed by people, not mathematical models.
4. Know what you don't know: question the assumptions you make.
5. Communicate: risk should be discussed openly.
6. Diversify: multiple risks will produce more consistent rewards.
7. Show discipline: a consistent and rigorous approach will beat a constantly changing strategy.
8. Use common sense: it is better to be approximately right than to be precisely wrong.
9. Return is only half the question: decisions should be made only by considering the risk and return of the possibilities.

Risk
  • The lack of a trusted third party to guarantee online transactions is a key factor in companies' limited security.
  • Unlike the stock exchange, which underwrites transactions between traders, most online marketplaces merely facilitate the transaction between two parties. They simply warn businesses that they trade at their own risk.

PKI & Trusted Third Party Certificate
  • Many believe that confidence in online transactions would be dramatically increased by the use of public key infrastructure and encryption technologies to encrypt and seal messages.
  • But while the use of digital certificate technology would certainly increase confidence, the problem is finding a trusted third party to issue such certificates.
  • Asked who would be suitable to guarantee the security of e-business transactions, most survey respondents said they would rather rely on an accounting or telecoms firm than on the Government.
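The controls framework slide (identification, authentication, integrity, non-repudiation), the "Major Challenges and Issues" slide and this slide all turn on one mechanism: a third party the buyer already trusts vouches for the supplier's public key, and the supplier's digital signature over the bid then authenticates the bidder and proves the bid was not altered. The Go program below is an added worked example of that exchange, not code from the presentation or from any e-GP system it mentions. The certifying authority name, supplier name and bid text are constructed for the example, and the buyer's policy (trust exactly one root, accept only bids whose certificate chains to it) is an assumption of the example; it uses only the Go standard library. It runs the genuine exchange, a bid altered after signing, and a supplier who presents a self-issued certificate under the same name, which is precisely the case this slide says cannot be covered without a trusted third party.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // key generation or encoding failed: fatal for this demo
	}
}

// certify makes a fresh key pair for cn and returns its certificate. With a nil
// parent the certificate is self-signed (a root CA, or a supplier nobody vouches
// for); otherwise parent signs it and thereby vouches for the name-to-key binding.
func certify(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// SignBid is the supplier's digital signature over the bid document.
func SignBid(key *ecdsa.PrivateKey, bid []byte) ([]byte, error) {
	digest := sha256.Sum256(bid)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyBid is the buyer's check: the certificate must chain to a root the buyer
// trusts (authentication of identity) and the signature must match the bid
// (integrity). Passing both is the buyer's evidence for non-repudiation, since
// only the holder of the certified private key could have produced it.
func VerifyBid(roots *x509.CertPool, certDER, bid, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, bid, sig); err != nil {
		return "", fmt.Errorf("signature does not match bid (altered, or not from the certified key): %w", err)
	}
	return cert.Subject.CommonName, nil
}

// Outcome holds the three cases a buyer meets; nil means the bid was accepted.
type Outcome struct{ Genuine, Tampered, Rogue error }

// Scenario runs the exchange end to end with constructed names and bid text.
func Scenario() Outcome {
	caCert, caKey := certify("Example e-GP Certifying Authority", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the buyer trusts this root and nothing else
	supCert, supKey := certify("Supplier A", false, caCert, caKey) // CA vouches for this key
	rogueCert, rogueKey := certify("Supplier A", false, nil, nil)  // same name, nobody vouches
	bid := []byte("Tender 42: Supplier A bids 1,000,000")
	sig, err := SignBid(supKey, bid)
	check(err)
	rogueSig, err := SignBid(rogueKey, bid)
	check(err)
	var out Outcome
	_, out.Genuine = VerifyBid(roots, supCert.Raw, bid, sig)
	_, out.Tampered = VerifyBid(roots, supCert.Raw, []byte("Tender 42: Supplier A bids 1,100,000"), sig)
	_, out.Rogue = VerifyBid(roots, rogueCert.Raw, bid, rogueSig)
	return out
}

func main() {
	out := Scenario()
	fmt.Printf("genuine: %v\ntampered: %v\nself-issued: %v\n", out.Genuine, out.Tampered, out.Rogue)
}
```

Run with go run: the genuine case prints <nil>, the other two print why the bid was rejected. Note what the check does and does not establish. Chain verification binds the key to the name the CA vouched for, and the signature binds that key to these exact bytes, so the supplier cannot later deny the bid without also repudiating the CA; it says nothing about whether the supplier is solvent or honest, which is the limit the "Enhancement to certification" slide goes on to make.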

Enhancement to certification
  • Certification alone cannot absolutely guarantee the trustworthiness of certificate holders or the organizations they represent.
  • Creating a family of certificates can enhance the confidence level.
  • Recognition of certification is based not only on knowledge but also on one's identity.

Certification and Cost
  • IT certifications "are a commendable thing to do for a variety of reasons." However, they "require a considerable investment, and the benefit must be weighed against other needs and priorities for scarce resources".

Comparison of Seals: Web Certification

Columns: cost; privacy of data; security of data; business policies; transaction processing integrity.

  • BBB Online: Low; No; No; Lightly covered; No
  • TRUSTe: Low; Yes; No; No; No
  • VeriSign: Low to medium; No; Yes for data transmittal, No for data storage; No; No
  • ICSA: High; Yes; Yes; Somewhat covered; Lightly covered
  • WebTrust: High; Yes; Yes; Yes; Yes

The Need and the To-Do
  • Strong, demonstrable security and assurance processes, and the best practitioners to design, build and manage them.
  • Ensuring at all times that practices, products and personnel can pass the closest scrutiny.
  • Anticipating and keeping pace with the security needs of the information marketplace.
  • Protective measures, architecture, philosophy and best practices are as dynamic as the information processes they support.
  • Ensuring not just the currency of knowledge, but anticipating new requirements and environments.

The Need and the To-Do (continued)
  • Being ready to respond with new certification offerings, updated examinations, expanded knowledge bases, publications, training and communications.
  • Generating global trust without compromising trustworthiness.

Reliability of National/Global Critical Infrastructure
  • Measuring system risk and resiliency
  • Understanding and managing interdependencies
  • Overcoming barriers to technological change
  • Selecting appropriate forms of infrastructure governance
  • Developing efficient incentive structures
  • Adopting an integrated systems perspective

Risk and Resiliency
  • Economic consequences
  • Non-economic consequences
  • Environmental risk assessments
  • Socio-community and individual risk perceptions

The interface between technology and human behavior is an important subject for investigation.
  • The use of detection/prevention technologies
  • The ways in which deployment of technologies can complement or conflict with the values of privacy and civil liberty
  • The factors that influence the trustworthiness of individuals in a position to compromise or thwart security

Conclusion
  • Technology alone is not going to guarantee cyber and critical infrastructure reliability and security.
  • Policies and approaches are needed that recognize that critical national/global infrastructures are complex adaptive systems, with behaviors and responses that may not be well understood.
  • A better grasp is needed of how to measure infrastructure risk, and of how to create the governance and incentive systems, including the human factors, that improve reliability.

E-Procurement & Cyber Security - Final Message

“In security matters: Past is no guarantee; Present is imperfect and Future is uncertain.”

“Failure is not when we fall down, but when we fail to get up”

Thank You

For interaction:

Prof. K. Subramanian

ksdir@nic.in

ksmanian48@gmail.com

ksmanian20032004@yahoo.com

Tele: 23239560