Session 5: Integrity Protection of eProcurement systems


Description

E-Procurement for Improving Governance. A World Bank live e-learning event addressing the design and implementation of e-procurement infrastructure. Session 5: Integrity Protection of eProcurement systems. Topics: Integrity Protection of e-Procurement Systems. (PowerPoint presentation)

Transcript of Session 5: Integrity Protection of eProcurement systems

Page 1: Session 5: Integrity Protection of eProcurement systems

E-Procurement for Improving Governance

Session 5: Integrity Protection of eProcurement systems

A World Bank live e-learning event addressing the design and implementation of e-procurement infrastructure

Page 2: Session 5: Integrity Protection of eProcurement systems

Topics

Integrity Protection of e-Procurement Systems

In this session, you will review:

• Security issues in an eProcurement platform;

• Risk management – Confidentiality, Integrity and Availability (CIA);

• Integrity protection – “must have” security mechanisms;

• Integrity protection – “must have” security controls;

• Lessons learned from operating the Italian eProcurement system.

Page 3: Session 5: Integrity Protection of eProcurement systems

eProcurement Systems from a Security Perspective

An e-procurement system shares the same security issues as any electronic system.

Page 4: Session 5: Integrity Protection of eProcurement systems

eProcurement Systems Present a Multi-Faceted Security Problem

In an eProcurement system, the higher the value or confidentiality of the transactions passing through the system, the higher the required security level.

The security level will affect a number of security decisions:

• User identification – verification of use by a unique user identification;

• Authentication – validation that the user’s identification belongs to the user;

• Access control – managing who has access to the computer system;

• Integrity – verification that data does not change at any point of the process;

• Non-repudiation – ensuring that messages are sent and received by the intended parties;

• Confidentiality – information is only accessible to those with authorized access.

Page 5: Session 5: Integrity Protection of eProcurement systems

How to Choose the Right Security Level

The level of security for a computer system is based on a number of different elements, from physical components to procedures and business processes.

Some components are technical (encryption) and some are non-technical (security policies).

The required level of security will differ for each type of system, based on the specific combination of business and security goals and requirements.

Tool Security

Page 6: Session 5: Integrity Protection of eProcurement systems

AIC Triad – Security Principles

Availability – the reliability and accessibility of data and resources to authorized individuals in a timely manner.

Integrity – ensuring that information and systems are not modified maliciously or accidentally.

Confidentiality – ensuring that information is not disclosed to unauthorized subjects.

All security controls, mechanisms, and safeguards are intended to address one or more of these principles, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of these AIC principles.

Page 7: Session 5: Integrity Protection of eProcurement systems

Risk Management and Analysis

Risk Management is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.

There is no 100 percent secure environment. Every environment has vulnerabilities and threats to a certain degree.

Step 1 – Asset and information value assignment

Step 2 – Identify vulnerabilities and threats

Step 3 – Risk analysis and assessment

Step 4 – Countermeasure selection and implementation

Page 8: Session 5: Integrity Protection of eProcurement systems

Security Definitions

• A vulnerability is a software, hardware, or procedural weakness that may give an attacker unauthorized access to resources within the environment.

• A threat is any potential danger to information or systems.

• A threat agent is the entity that takes advantage of a vulnerability.

• A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.

• An exposure is an instance of being exposed to losses from a threat agent.

• A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability.

Page 9: Session 5: Integrity Protection of eProcurement systems

Top-Down Approach to Security

Physical Controls: facility protection, security guards, locks, monitoring, environmental controls, intrusion detection

Technical Controls: logical access controls, encryption, security devices, identification and authentication

Administrative Controls: policies, standards, procedures, guidelines, screening personnel, and security-awareness training

[Figure: the three control layers surrounding “Company data and assets”]

Administrative, technical, and physical controls should work in a synergistic manner to protect the assets of the eProcurement system.

Page 10: Session 5: Integrity Protection of eProcurement systems

Risk Analysis – A Real Case

Code | Name                                        | Description                                                                                  | C.  | I.  | A.
M01  | Configuration data of environmental devices | Configuration data of electric power control, chilling equipment, smoke sensors, CCTV, etc. | 50  | 200 | 400
M02  | Configuration data                          | Server configuration data (OS, middleware, applications, network devices, etc.)             | 50  | 400 | 400
M03  | Access credentials                          | Server credentials (user-id and password)                                                    | 400 | 400 | 400
M04  | Asset data                                  | Asset data regarding devices (servers, network devices, etc.)                                | 50  | 400 | 400
M05  | Backup data                                 | Configuration and production data backup                                                     | 400 | 400 | 400
M07  | E-procurement data                          | Data regarding orders, users, transactions, bids, tenders, etc.                              | 400 | 400 | 400

Initial Risk Value = 6558 (before countermeasures)

Residual Risk Value = 924 (after countermeasures)

Target Risk Value = 723
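The four-step process from Page 7, carried through in code as an added example (this is not part of the World Bank course material or the Italian platform's method). It reuses the C/I/A asset values from the table above for four of the assets, but the threats, likelihoods, countermeasures, costs and the scoring rule (risk = impact of the affected property × likelihood) are constructed assumptions, so the totals are illustrative and do not reproduce the 6558 / 924 / 723 figures on the slide. Step 4 picks countermeasures by risk reduction per unit of cost until the residual risk is at or below a target value.

```python
"""Worked risk register for the four-step process on the slides. Added example;
asset C/I/A values come from the table, everything else is a labelled assumption."""

# Step 1: asset and information value assignment (C, I, A values from the slide's table)
ASSETS = {
    "M02 configuration data": {"C": 50, "I": 400, "A": 400},
    "M03 access credentials": {"C": 400, "I": 400, "A": 400},
    "M05 backup data": {"C": 400, "I": 400, "A": 400},
    "M07 e-procurement data": {"C": 400, "I": 400, "A": 400},
}

# Step 2: vulnerability/threat pairs, the property each compromises and an assumed
# likelihood on a 0..5 scale (constructed)
THREATS = [
    {"asset": "M03 access credentials", "threat": "weak passwords guessed", "property": "C", "likelihood": 4},
    {"asset": "M07 e-procurement data", "threat": "bid altered after submission", "property": "I", "likelihood": 3},
    {"asset": "M05 backup data", "threat": "backup media stolen", "property": "C", "likelihood": 2},
    {"asset": "M02 configuration data", "threat": "unpatched service outage", "property": "A", "likelihood": 3},
]

# Step 4 inputs: candidate countermeasures, assumed cost, and the likelihood
# reduction each brings to a threat (index into THREATS); all constructed
COUNTERMEASURES = [
    {"name": "multi-factor authentication", "cost": 30, "reduces": {0: 3}},
    {"name": "digital signature on submitted bids", "cost": 20, "reduces": {1: 3}},
    {"name": "encrypted backup media", "cost": 10, "reduces": {2: 2}},
    {"name": "monthly patch cycle", "cost": 15, "reduces": {3: 2}},
]


def threat_risk(threat, likelihood):
    """Step 3 scoring rule (assumption): value of the affected property times likelihood."""
    impact = ASSETS[threat["asset"]][threat["property"]]
    return impact * likelihood


def total_risk(likelihoods):
    """Sum of per-threat risk for one likelihood per THREATS entry."""
    return sum(threat_risk(t, l) for t, l in zip(THREATS, likelihoods))


def apply(likelihoods, countermeasure):
    """Likelihoods after a countermeasure; a likelihood never drops below zero."""
    new = list(likelihoods)
    for idx, reduction in countermeasure["reduces"].items():
        new[idx] = max(0, new[idx] - reduction)
    return new


def initial_risk():
    """Risk before any countermeasure is applied."""
    return total_risk([t["likelihood"] for t in THREATS])


def select_countermeasures(target):
    """Step 4: repeatedly pick the countermeasure with the best risk reduction per
    unit cost until total risk is at or below target. Returns (names, residual, cost)."""
    likelihoods = [t["likelihood"] for t in THREATS]
    remaining = list(COUNTERMEASURES)
    chosen, cost = [], 0
    while total_risk(likelihoods) > target and remaining:
        current = total_risk(likelihoods)
        best = max(remaining,
                   key=lambda cm: (current - total_risk(apply(likelihoods, cm))) / cm["cost"])
        if total_risk(apply(likelihoods, best)) == current:
            break  # nothing left that lowers risk; target is not reachable
        remaining.remove(best)
        likelihoods = apply(likelihoods, best)
        chosen.append(best["name"])
        cost += best["cost"]
    return chosen, total_risk(likelihoods), cost


if __name__ == "__main__":
    print("initial risk:", initial_risk())
    for target in (2000, 1000):
        names, residual, cost = select_countermeasures(target)
        print(f"target {target}: residual {residual}, cost {cost}, chosen {names}")
```

With the constructed inputs the initial risk is 4800; a target of 2000 is met by three countermeasures at a cost of 45, while a target of 1000 needs all four and leaves a residual of 800. The point of the exercise is the shape of the register (asset value, threat likelihood, countermeasure effect) rather than the particular numbers, which a real assessment would take from its own scales.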

Page 11: Session 5: Integrity Protection of eProcurement systems

Integrity Protection: “Must Have” Security Mechanisms

• Encryption

• Digital Signature

Page 12: Session 5: Integrity Protection of eProcurement systems

Encryption

Encryption is the capability of hiding data in such a way that its true form is not revealed unless the user has special information.

Usually, in computing terms, this means that a “key” is provided to encrypt (hide) data or to decrypt (reveal) data.

Many encryption systems deal with two types of encryption:

• Symmetric encryption, where K = K1 = K2 (the same key encrypts and decrypts)

• Asymmetric encryption, where K1 ≠ K2 (one key encrypts, a different key decrypts)

Page 13: Session 5: Integrity Protection of eProcurement systems

Symmetric Encryption

The sender generates a random symmetric key and encrypts the message using it.

The same symmetric key is used by the receiver to decrypt the message.

[Figure: symmetric encrypt / symmetric decrypt flow]

Advantage – symmetric encryption is extremely fast.

Disadvantage – how to securely transfer the secret key to the receiver’s site and keep it secure?

Page 14: Session 5: Integrity Protection of eProcurement systems

Asymmetric Encryption (Public Key Cryptography)

Asymmetric encryption provides the ability to hide some information and then allow someone else access to that information, without allowing that person to hide information using the same key.

Advantage – with an asymmetric algorithm, the secret key (private key) never needs to be transmitted; it always remains securely kept by its owner.

Disadvantage – asymmetric encryption is slow. It involves a very computationally intensive sequence of operations.

Page 15: Session 5: Integrity Protection of eProcurement systems

Electronic Signatures for Electronic Documents

When a legal document is signed, all parties to the transaction act on certain basic assumptions regarding the signature:

– The signer intended to sign.

– The signer is who he or she claims to be and is authorized to sign.

– The signature is that of the signer and is unique to the signer.

– The signature binds the signer to whatever the electronic document states.

– The document will not be changed once the parties have signed it.

– A signature on one document will not be transferred fraudulently to another document.

– The signer cannot later deny or repudiate the signature in an attempt to invalidate his or her relationship to the document.

Carrying these assurances over to e-signatures can be difficult.

Page 16: Session 5: Integrity Protection of eProcurement systems

Digital Signature Process

Page 17: Session 5: Integrity Protection of eProcurement systems

Public Key Infrastructure

Public Key Infrastructure (PKI) is an arrangement that binds public keys to their respective user identities by means of a Certificate Authority (CA).

Certificate Authorities are Trusted Third Parties charged with the responsibility to generate trusted certificates for requesting individuals and organizations.

Certificates contain the requestor’s public key and are digitally signed by the CA.

Before the certificate is issued, the CA must verify the identity of the requestor. These certificates can then facilitate automatic authentication of the two parties involved without the need for out-of-band communication.

The user identity must be unique for each CA.

For each user, the user’s identity, the public key, their binding, validity conditions and other attributes are made unforgeable in the public key certificates issued by the CA.

Page 18: Session 5: Integrity Protection of eProcurement systems

Public Key Infrastructure

Page 19: Session 5: Integrity Protection of eProcurement systems

Integrity Protection – “Must Have” Security Controls

• Authentication and Access Control

• Separation of Duties

• Transaction Assurance

• Logging

Page 20: Session 5: Integrity Protection of eProcurement systems

Authentication and Authorization

The precondition for access control is to make sure that the person or program requesting access is identified without doubt.

Common authentication mechanisms are based on:

Something you know: login procedures with a user ID and a user secret (password). Susceptible to password leaks through:

• Commonly used passwords

• Explicitly told

• Voluntarily

• Trojan horse

• Trial and error

Something you have: several subcategories, for example cryptographic smart cards:

• Store the user’s digital certificate and/or private key

• Used to prevent private keys from being “hacked” from the user’s computer

Something you are: biometrics (fingerprints, iris scanning, etc.)

Page 21: Session 5: Integrity Protection of eProcurement systems

Authorization

Authorization is based on authentication.

What needs protection?

• Protected Resources

• Sensitive Operations and Transactions

How to protect?

• A Role is a set of permissions for individual protected resources.

• A Role Assignment is the set of permissions granted to a specific user that allows the user to execute a specific sensitive operation or to access a protected resource.

Page 22: Session 5: Integrity Protection of eProcurement systems

Access Control Model

Access control models are governed by the following principles:

• Default is No Access, to ensure that no security holes go unnoticed.

• Need to know – individuals should be given access only to the information that they absolutely require in order to perform their job duties.

• Logging – whatever access controls are in place, all access (successful or failed) to sensitive data must be logged.

Access control models:

– Discretionary access control (DAC)

– Mandatory access control (MAC)

– Role-based access control (RBAC)

Page 23: Session 5: Integrity Protection of eProcurement systems

Separation of Duties – What and Why

Separation of duties refers to a type of administrative control that prevents a single individual from both initiating and approving a material eProcurement transaction.

Separation of duties is essential for control over e-procurement processes and transactions.

Ideally, digital systems would be engineered to provide a higher level of control than is possible with manual processes, but in practice the opposite usually happens.

Today’s best-practice model is to use role-based access control (RBAC), an operational model for the implementation of privileges in a complex environment.

Page 24: Session 5: Integrity Protection of eProcurement systems

Separation of Duties – How

Five major steps are necessary to create and manage a robust and auditable responsibility control infrastructure that can ensure that users have the necessary access to data elements, without having too much access:

1. Process mapping

2. Risk assessment of processes

3. Role and rule definition

4. User authentication

5. Ongoing role maintenance
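The access-control principles of Pages 21 to 24 put together in one runnable example: roles as sets of permissions, role assignment per user, default deny for any user or role that is not defined, logging of every decision (successful or failed), and a separation-of-duties rule that refuses to let the initiator of a purchase order also approve it. This is an added example, not code from the course or from any procurement platform; the role names, permissions, users and the order workflow are constructed.

```python
"""Role-based access control with default deny, separation of duties and an
audit trail of every decision. Added example; roles, users and workflow are constructed."""
from dataclasses import dataclass, field


@dataclass
class AccessControl:
    roles: dict          # role name -> set of permissions on protected resources
    assignments: dict    # user -> set of role names (the role assignment)
    audit: list = field(default_factory=list)   # every decision, allowed or not

    def permissions(self, user):
        """Union of the user's roles; an unknown user or role contributes nothing (default: no access)."""
        perms = set()
        for role in self.assignments.get(user, ()):
            perms |= self.roles.get(role, set())
        return perms

    def check(self, user, permission, resource, reason=None):
        """Decide and log. Failed attempts are logged just like successful ones."""
        allowed = permission in self.permissions(user)
        self.audit.append({"user": user, "permission": permission, "resource": resource,
                           "allowed": allowed, "reason": reason})
        return allowed

    def failed_attempts(self):
        return [entry for entry in self.audit if not entry["allowed"]]


class OrderWorkflow:
    """A purchase order is initiated by one person and approved by a different one."""

    def __init__(self, ac):
        self.ac = ac
        self.orders = {}

    def initiate(self, user, order_id, amount):
        if not self.ac.check(user, "order:initiate", order_id):
            return "denied: no permission"
        self.orders[order_id] = {"amount": amount, "initiator": user, "approved_by": None}
        return "initiated"

    def approve(self, user, order_id):
        if not self.ac.check(user, "order:approve", order_id):
            return "denied: no permission"
        order = self.orders.get(order_id)
        if order is None:
            return "denied: unknown order"
        if order["initiator"] == user:
            # Separation of duties: the refusal is written to the audit trail too
            self.ac.audit.append({"user": user, "permission": "order:approve", "resource": order_id,
                                  "allowed": False, "reason": "separation of duties"})
            return "denied: separation of duties"
        order["approved_by"] = user
        return "approved"


# Constructed role model for a small procurement office
ROLES = {
    "buyer": {"tender:read", "order:initiate"},
    "approver": {"tender:read", "order:approve"},
    "auditor": {"tender:read", "audit:read"},
}
ASSIGNMENTS = {
    "alice": {"buyer"},
    "bob": {"approver"},
    "carol": {"buyer", "approver"},   # accumulated both roles; SoD must still hold
    # "dave" has no role assignment at all
}


def run_scenario():
    """Exercise the rules; returns the outcome of each step and the count of logged failures."""
    ac = AccessControl(ROLES, ASSIGNMENTS)
    wf = OrderWorkflow(ac)
    results = {
        "alice_initiates": wf.initiate("alice", "PO-1001", 48000),
        "bob_approves": wf.approve("bob", "PO-1001"),
        "carol_initiates": wf.initiate("carol", "PO-1002", 125000),
        "carol_self_approves": wf.approve("carol", "PO-1002"),
        "dave_initiates": wf.initiate("dave", "PO-1003", 900),
        "alice_approves": wf.approve("alice", "PO-1002"),
    }
    results["failed_attempts"] = len(ac.failed_attempts())
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

Note that carol holds both roles, so a pure permission check would let her approve her own order; the separation-of-duties check is a rule on the transaction's history, not on the role set, which is why the slides list it as a distinct control from authentication and access control. The ongoing role maintenance step is what keeps accumulations like carol's from going unnoticed.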

Page 25: Session 5: Integrity Protection of eProcurement systems

Transaction Assurance

Transaction assurance refers to a process that helps reduce fraud and mitigates the risk of unauthorized access by using a variety of data integrity and non-repudiation technologies.

Transaction Authentication uses an electronic signature to provide transaction verification.

Transaction Verification:

• Data integrity — protecting against unauthorized changes to the transaction by ensuring that changes to data are detectable.

• Data origin authentication — verifying that the identity of the user submitting the transaction is as claimed. Hence, data origin authentication implicitly authenticates the user.

Transaction verification mechanisms:

• Digital Signature — based on public-key cryptography

• Message Authentication Code (MAC) — based on secret-key cryptography
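The two mechanisms named on this slide, worked through end to end as an added example that also covers the key-handling contrast of Pages 13 and 14, the signature process of Page 16 and the certificate binding of Page 17. It is not code from the course or from any real platform. The RSA in it is textbook RSA with toy-sized primes and no padding, used only to make the hash, sign and verify steps visible; a production system uses a vetted library, real key sizes and padding. The CA key pair, the supplier's key pair, the certificate, the bid and the shared MAC secret are all constructed values.

```python
"""Transaction assurance: digital signature checked through a CA-issued certificate
(public-key) versus a Message Authentication Code (secret-key). Added example with
toy textbook RSA; not secure, for illustration only."""
import hashlib
import hmac
import json


# ---- Toy textbook RSA (toy-sized primes, no padding) ----------------------------
def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (n, d)) for distinct primes p, q (toy-sized here)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # private exponent: modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _hash_to_int(data, n):
    """Hash step of the signature process: SHA-256 of the data, reduced into Z_n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    """Only the holder of d can produce this value for a given hash."""
    n, d = private_key
    return pow(_hash_to_int(data, n), d, n)


def verify(public_key, data, signature):
    """Anyone holding (n, e) can check that the signature maps back to the hash."""
    n, e = public_key
    return pow(signature, e, n) == _hash_to_int(data, n)


# ---- PKI: the CA binds identity, public key and validity period in a certificate ----
def _cert_bytes(cert):
    return json.dumps(cert, sort_keys=True).encode()


def issue_certificate(ca_private_key, subject, subject_public_key, valid_from, valid_to):
    """Performed by the CA after it has verified the requestor's identity."""
    cert = {"subject": subject, "public_key": list(subject_public_key),
            "valid_from": valid_from, "valid_to": valid_to}
    return cert, sign(ca_private_key, _cert_bytes(cert))


def verify_certificate(ca_public_key, cert, ca_signature, now):
    """Trust the key inside only if the CA's signature holds and the date is in the validity window."""
    if not verify(ca_public_key, _cert_bytes(cert), ca_signature):
        return False
    return cert["valid_from"] <= now <= cert["valid_to"]    # ISO dates compare as strings


def verify_transaction(ca_public_key, cert, ca_signature, transaction, signature, now):
    """What the platform does with a signed bid: check the certificate, then the signature."""
    if not verify_certificate(ca_public_key, cert, ca_signature, now):
        return False
    return verify(tuple(cert["public_key"]), transaction, signature)


# ---- MAC: secret-key alternative (integrity and origin, but no non-repudiation) ----
def mac_tag(shared_key, data):
    return hmac.new(shared_key, data, "sha256").hexdigest()


def mac_verify(shared_key, data, tag):
    return hmac.compare_digest(mac_tag(shared_key, data), tag)


# ---- Constructed demo values -----------------------------------------------------
CA_PUB, CA_PRIV = rsa_keygen(1000037, 1000039)
SUPPLIER_PUB, SUPPLIER_PRIV = rsa_keygen(1000003, 1000033)
SUPPLIER_CERT, SUPPLIER_CERT_SIG = issue_certificate(
    CA_PRIV, "supplier-42", SUPPLIER_PUB, "2024-01-01", "2024-12-31")
BID = b'{"tender": "T-2024-017", "supplier": "supplier-42", "amount": 125000}'
TAMPERED_BID = b'{"tender": "T-2024-017", "supplier": "supplier-42", "amount": 115000}'
SHARED_KEY = b"constructed-demo-shared-secret"


def demo(now="2024-06-15"):
    """Run both mechanisms over the constructed bid and report what each one catches."""
    sig = sign(SUPPLIER_PRIV, BID)
    tag = mac_tag(SHARED_KEY, BID)

    def check(data, when):
        return verify_transaction(CA_PUB, SUPPLIER_CERT, SUPPLIER_CERT_SIG, data, sig, when)

    return {
        "signature_ok": check(BID, now),
        "signature_detects_tamper": not check(TAMPERED_BID, now),
        "signature_rejects_expired_cert": not check(BID, "2025-03-01"),
        "mac_ok": mac_verify(SHARED_KEY, BID, tag),
        "mac_detects_tamper": not mac_verify(SHARED_KEY, TAMPERED_BID, tag),
        # The verifier holds the MAC key, so it can mint a valid tag for any data:
        # a MAC gives integrity and origin between the two key holders, not non-repudiation.
        "receiver_can_forge_mac": mac_verify(SHARED_KEY, TAMPERED_BID, mac_tag(SHARED_KEY, TAMPERED_BID)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Both mechanisms detect the altered bid amount. The difference that matters for a procurement dispute is the last line: with a MAC the platform operator could have produced the tag itself, so the tag cannot be held against the supplier, whereas a signature verifies with a key the supplier alone controls and whose binding to the supplier's identity the CA vouches for. The certificate's validity window is checked before the signature, which is why the same signed bid is rejected once the certificate has expired.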

Page 26: Session 5: Integrity Protection of eProcurement systems

Logging

To ensure the confidentiality, integrity and availability of eProcurement data, a log management tool must be adopted to:

• Automate the collection and consolidation of log data

• Automate event log data analysis and report generation

• Perform basic event management

• Monitor login attempts and report discrepancies

• Identify and respond to privacy and security incidents

This can help to:

• Increase enterprise incident response capabilities by providing situational awareness;

• Provide security information management for long-term trending, analysis and regulatory compliance.

Page 27: Session 5: Integrity Protection of eProcurement systems

Security of an eProcurement Platform

• Secure by design – each component is designed keeping in mind the potential weaknesses and deploying the necessary safeguards.

• Identity proofing of users is based on a registration process (online and out-of-band controls) by which the system uniquely identifies a person before “provisioning an identity”.

• Processes (e.g. framework agreements) are designed according to the “separation of duties” principle.

• Planned vulnerability and security assessments (every six months).

• Each major change (in both the application layer and the technical layer) is evaluated against the AIC triad, and residual risks are documented.

• Logs are analyzed monthly for unexpected behaviours and activities (e.g. nightly access peaks from other countries).

• The applicability of security alerts from CERT is evaluated on a monthly basis and security patches are applied if suitable.
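The log-review items from Page 26 (monitor login attempts and report discrepancies) and the monthly analysis for nightly access peaks from other countries described on this slide, as an added example of the detection logic run over a small constructed log. This is not the course's material or the Italian platform's tooling: the log line format, the home country, the failure threshold, the night window and every sample line are constructed assumptions.

```python
"""Log review: repeated failed logins per (user, ip), night-time activity by country,
and successful night-time logins from abroad. Added example; format and data constructed."""
from collections import Counter
from datetime import datetime

# Constructed sample log, one event per line:
# "<ISO timestamp> <event> user=<id> ip=<addr> country=<code>"
SAMPLE_LOG = """\
2024-05-02T09:12:03 LOGIN_OK user=buyer01 ip=10.1.4.20 country=IT
2024-05-02T09:15:44 LOGIN_FAIL user=approver07 ip=10.1.4.31 country=IT
2024-05-02T09:16:02 LOGIN_OK user=approver07 ip=10.1.4.31 country=IT
2024-05-02T23:41:10 LOGIN_FAIL user=admin ip=198.51.100.7 country=XX
2024-05-02T23:41:15 LOGIN_FAIL user=admin ip=198.51.100.7 country=XX
2024-05-02T23:41:21 LOGIN_FAIL user=admin ip=198.51.100.7 country=XX
2024-05-02T23:41:29 LOGIN_FAIL user=admin ip=198.51.100.7 country=XX
2024-05-03T02:05:51 LOGIN_OK user=supplier42 ip=203.0.113.9 country=XX
2024-05-03T08:30:00 LOGIN_OK user=auditor02 ip=10.1.4.50 country=IT
"""

HOME_COUNTRY = "IT"    # where the platform and its users normally are (assumption)
FAIL_THRESHOLD = 3     # failures per (user, ip) that count as a discrepancy (assumption)


def is_night(hour):
    """Night window for the 'nightly access' check: 22:00 to 06:00 (assumption)."""
    return hour >= 22 or hour < 6


def parse_line(line):
    """One log line -> dict; key=value fields become keys, the timestamp a datetime."""
    timestamp, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"time": datetime.fromisoformat(timestamp), "event": event, **fields}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_report(entries, threshold=FAIL_THRESHOLD):
    """(user, ip) pairs with repeated failures: 'monitor login attempts and report discrepancies'."""
    counts = Counter((e["user"], e["ip"]) for e in entries if e["event"] == "LOGIN_FAIL")
    return {key: n for key, n in counts.items() if n >= threshold}


def night_access_by_country(entries):
    """Night-time events per country, the raw material for spotting an access peak."""
    return dict(Counter(e["country"] for e in entries if is_night(e["time"].hour)))


def successful_night_logins_abroad(entries, home=HOME_COUNTRY):
    """Successful logins at night from outside the home country: the unexpected
    activity the monthly log review is meant to surface for follow-up."""
    return [e for e in entries
            if e["event"] == "LOGIN_OK" and e["country"] != home and is_night(e["time"].hour)]


def review(text=SAMPLE_LOG):
    """Run all three checks over a log and return the findings."""
    entries = parse_log(text)
    return {
        "repeated_failures": failed_login_report(entries),
        "night_access_by_country": night_access_by_country(entries),
        "night_logins_abroad": [(e["user"], e["ip"], e["time"].isoformat())
                                for e in successful_night_logins_abroad(entries)],
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(f"{name}: {finding}")
```

On the sample log the review reports four failures for the admin account from one address, five night-time events all from outside the home country, and one successful night-time login from abroad. Whether that login is a supplier in another time zone or something to investigate is a question for the identity-proofing records, which is why the slides pair log review with a registration process that ties each account to a known person.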