X-Road – Estonian Interoperability Platform
-
Upload
kitra-trujillo -
Category
Documents
-
view
27 -
download
1
description
Transcript of X-Road – Estonian Interoperability Platform
X-Road – Estonian Interoperability Platform
Arne Ansper, [email protected]
Cybernetica, www.cyber.ee
Introduction: Problem
In the beginning of the decade, Estonian governmental IT systems suffered from poor interconnectivity
Establishing new connections between governmental databases and systems was time-consuming and expensive
Department of State Information Systems decided to improve the situation and solve the interconnectivity problems
Introduction: Solution
Proposed solution• Creation of the national middleware that would
provide unified access to all governmental databases
• Using web services as underlying technology
Governmental X-Road program was launched to fulfil this vision and to create and run the systemCybernetica was contracted to design and build the system
Introduction: Cybernetica
Estonian R&D company, active in the field of information security• Data communication security• Digital signature and time-stamping technology• e-Voting (first parliamentary elections over Internet
in the world)• Development of security critical distributed
systems• Consulting, auditing
Goal
To build an infrastructure that would • allow effortless access to the data in state
registries • without compromising the security of the data and • with minimal impact to the existing systems.
Background
Many registries, all very different, managed and developed by different organizations and financed separatelyMany users, most of them are very small organizations without security knowledge and with a very small IT budgetHigh security requirements. Registries contain personal data that is in some cases used to make high value decisions and in some cases needed in real time
Unification Requirements
Unified legal framework
Unified security measures – the initial cost of implementing the security measures will be amortized across all the state registry connections
Unified API – all applications must be able to access all state registries in a similar way
Unified installation and management – all installations should look like same
Security Requirements
Required security properties by priority• Evidentiary value, authenticity, integrity • Availability• Confidentiality
Security Requirements
All applications required authenticity, integrity and assurance that it is possible to proof to the third party the origin of some data, received over X-RoadIn addition, it was envisioned that X-Road would be used by time-critical applications, like for performing the checks on the border. So, availability was next in the list of prioritiesAnd finally, the confidentiality was required in most, but not all cases
Approach to Solution
Develop system for highest security requirements
That could be used by smallest organizations
Encapsulate the complexity
Provide functionality
Components of the Solution
X-Road is• Organization• Legislation• Infrastructure• Technology
Central Agency
X-Road has central agency that ensures its operation
Ensures the legal status of the X-Road and the information exchanged via it, by enforcing the stated policies
Responsible for steering the further development of the X-Road and ensuring its consistency and integrity
Central Services
Certification authority
Directory service
Time-stamping service
Monitoring service - detecting security breaches, collecting the statistics
Web-based portal for citizens and smaller organizations - access to services in a simple and centralized way
Infrastructure
Based on web services - well supported, easy-to-use, vendor and platform neutral message exchange protocol
SOAP and XMLRPC, with two-way transliteration
Synchronous and asynchronous operation
SOAP attachments
X-Road servers can process messages with unlimited size
Infrastructure
Meta-services that can be used to find out the structure and properties of the system• List of other organizations• List of services• Formal description of the services for automatic
generation of the user interfaces
Infrastructure
Infrastructure
Infrastructure
Technology: Deployment
Self-contained standardized monofunctional server:• Common PC hardware• Free software• GNU/Debian Linux based• Automated installer for Linux and X-Road• Minimal GUI• Built-in patching system
Cheap and easy to install and runAt the same time - secure
Technology: Evidentiary Value
All outgoing messages are signed
All incoming messages are logged and time-stamped
Message receiver can later prove with the help of the X-Road central agency when and by whom was the message sent.
Technology: Availability
Distributed system, with minimal number of central services
Secure DNS (DNS-SEC) provides robust, scalable directory service with built-in caching and redundancy
Protocol supports redundant servers and load sharing
Mechanisms against DoS attacks
Technology: Access Control
X-Road core deals only with inter-organizational access control, where access is granted to organization as whole
Organization must ensure that only right people can use this service, by using whatever technical means it sees appropriate
This obligation is enforced by service provisioning contract between the organizations
Two Level Access Control
Balanced use of technical and organizational security measures
The impact to the existing systems was minimized
Biggest success factor of the X-Road
Current Status
In production from 2002
65 service providers
398 service consumers
30 million transactions on 2006
Future: International Usage?
Independent deployment in other country or domain
Interoperability between countries / domains
Deployment in Other Country
Creation of the Central Agency• Establishing the legal status• Setting up the technical system
Creation of the services
Creation of the consumers
Interoperability
Amendments needed to legal and technical systems
Bilateral agreements between countries
Solutions for certification and directory infrastructure - future research and development needed
Thank you!