eProcurement Identification, Access Control, Authentication, eTrust - PowerPoint PPT Presentation

Slides: 35
Provided by: drksubr

Transcript and Presenter's Notes



1
e-Procurement: Identification, Access Control,
Authentication, e-Trust Certification
  • Prof. K. Subramanian
  • DDG (NIC) & IT ADVISER TO CAG OF INDIA

2
Agenda
  • The Importance of reliability of critical
    Infrastructure
  • Issues in Identity Management
  • Access control and authentication
  • Creating trust & Confidence
  • Assurance

3
e-Procurement- Importance of security
  • Internet e-procurement has huge scalability and,
    subject to implementation and security details,
    opens up a huge global market for procurement -
    including procurement from completely new
    suppliers.

4
Reliability of national/Global critical
infrastructure
  • Measuring system risk and resiliency
  • Understanding and managing interdependencies
  • Overcoming barriers to technological change
  • Selecting appropriate forms of infrastructure
    governance
  • Developing efficient incentive structures
  • Adopting an integrated systems perspective

5
Managing Interdependencies
  • Infrastructure characteristics (Organizational,
    operational, temporal, spatial)
  • Environment (economic, legal & regulatory,
    technical, social/political)
  • Coupling and Response Behavior (adaptive,
    inflexible, loose/tight, linear/complex)
  • Type of Failure (common cause, cascading,
    escalating)
  • Types of interdependencies (physical, cyber,
    logical, geographic)
  • State of Operations (normal, stressed/disrupted,
    repair/restoration)

6
Key elements in Incentive Structures for Building
Trust
  • Market forces
  • Regulation
  • Tort liability and contracts
  • Voluntary standards and best practices
  • Insurance
  • Public disclosure
  • Reputation/Ratings
  • Procurement

7
Identification
  • Why?
  • For Whom?
  • When?
  • How?

8
Identity Issues India Specific
  • Uniform naming convention: absent
  • Birth & Death registration: incomplete
  • No social security registration number
  • Absence of Identity such as phones, driving
    licenses available with everybody
  • Electoral ID: complete set not there but at least
    covers 600 m records
  • Absence of PAN & other ID number for everybody

9
Identification today
  • Predominantly Password: static & dynamic
  • Token or smart card
  • Biometrics

10
Identification Measures and Parametric of
Personal Identity
  • By Name
  • Association with Father's/Mother's Name
  • Association with Family Name
  • Association with Surname
  • By Given details
  • Date of birth
  • Place of birth
  • Country of Birth
  • Country of Naturalization

11
Identification Measures and Parametric of
Identity
  • By Possession
  • Password
  • Static
  • Dynamic
  • By Association
  • PIN/TOKEN
  • By Card
  • By Biometrics
  • By Government
  • PAN(TAXATION)
  • Passport
  • Social Security Number
  • Citizenship ID NO.
  • Senior Citizen NUMBER

12
Biometric System Operates on
  • Verification
  • Identification

13
Biometrics
14
Bio-Metric - Unique Identifier
15
Strong Management and Security
  • An intuitive GUI is accessible from web browsers.
    It provides a global management view of the
    network identity infrastructure from any
    location, based on that particular user's access
    permissions.
  • There are no general user-logins. For security
    reasons, only an administrator can configure an
    appliance using a web browser, communicating with
    the appliance over an encrypted session.
  • To populate the data store with each enterprise's
    user and policy information, tools are available
    to export data from existing servers and import
    it into specified authorized appliances.
  • Network identity appliances come equipped with a
    rich set of standards-based reporting, logging,
    and advanced configuration and management
    features. Among them are SNMP support and
    web-based reporting functions.

16
Summary of Managerial Implications
  • Managers need to recognize the opportunities and
    potential provided by subcultural differences
    during IT/IS implementation (as well as threats)
  • Managers can use tools, such as metaphor
    analysis, as a vehicle for both understanding and
    communicating the subcultural differences which
    exist in a particular context
  • Managers need to identify the various stakeholder
    groups and understand the factions within as well
    as across these stakeholder groups
  • Managers need to consider creating knowledge
    redundancy, through utilizing the expertise of
    the HR function, as a critical step in reducing
    conflict resulting from misunderstandings between
    and within the stakeholder groups
  • Managers need to continuously evaluate their
    policies for developing and using the reusable
    components to reflect the concerns of different
    stakeholders and the general trend of technology
    development.

17
Network Environments
  • Identity Management

18
Network complexity and ID Management
  • Network complexity is on the rise today as the
    number of enterprise users, devices, and
    applications proliferate. At the same time, the
    network identity infrastructure that unites
    enterprise business applications with network
    infrastructure has become unwieldy and
    fragmented. Not only does this situation increase
    the cost of enterprise management, it also
    introduces security, scalability, and reliability
    risks across the enterprise.
  • Companies can regain control over the network
    identity infrastructure by moving the protocols
    already prevalent in their networks (DNS, LDAP,
    RADIUS, and others) onto a dedicated platform that
    allows distributed deployment with centralized
    control.
  • Distributing appliances enables the
    infrastructure to easily scale and provides
    service redundancy for improved reliability.
    Given the modular nature of the network identity
    appliance approach to management, enterprises can
    migrate these services to a unified platform one
    protocol at a time.
  • Ultimately, this distributed database appliance
    architecture will help businesses build networks
    that are more secure, less costly to operate, and
    more scalable as the user base and network
    elements continue to grow.

19
(No Transcript)
20
Typical Network Identity Infrastructure Today
  • Figure 3. Typical Network Identity Infrastructure
    Today

21
Basic Network Identity Services Functions

22
Integration Lowers Risk, Cost, Complexity
23
Security Standards
  • e-Procurement environments & Services

24
No one Standard Covers All
25
BS7799 Vs COBIT Vs CMM Vs ITIL
26
Certification and Assurance
27
Business Assurance and Certification
28
Comparison of Seals WEB Certification
BBB Online | Low | No | No | Lightly Covered | No
TRUSTe | Low | Yes | No | No | No
Veri-Sign | Low to Medium | No | Yes (Data Transmittal), No (Data Storage) | No | No
ICSA | High | Yes | Yes | Somewhat Covered | Lightly Covered
WebTrust | High | Yes | Yes | Yes | Yes
29
Enhancement to certification
  • Certification alone cannot absolutely guarantee
    the trustworthiness of certificate holders or the
    organizations they represent.
  • Creating a family of certificates to enhance the
    confidence level.
  • Recognition of certification is not only based on
    knowledge, but also on one's identity.

30
Techno-Legal Issues
  • Mobile access security
  • Internal controls assurance
  • Information Management-storage, controlled
    access, archiving and publishing
  • Trusted systems security certification criteria
  • Image replaced documents
  • Transaction retention-period for audit and
    evidence in case of offenses
  • DNS certification

31
Techno-Legal Developments (contd.)
  • WiFi Protected Access security standard
  • TCG Version 1.2 specs for Trusted Platform, for
    chips. TCG consists of hardware and
    software manufacturers such as IBM, Microsoft,
    and Sun Microsystems.
  • USA: Federal Information Management Act 2002 -
    computer security controls that U.S. federal
    government agencies will be required to follow by
    2005.

32
New Legal ACTS by Developed Nations
  • SAS 70 (AICPA): An auditing standard designed to
    show that a service organization has done an
    in-depth examination of its internal controls
  • Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act,
    California's SB 1386 privacy law and
    international data integrity and privacy laws
  • The emphasis will be on issues such as policy
    management and enforcement, benchmarking against
    standards, incident response, forensics and
    monitoring for insider threats.

33
New Legal ACTS by Developed Nations
  • Federal SEC guidelines and Oxley Act: Retention of
    records for 7 years
  • Check 21 bill, USA 2003: Image replacement
    documents
  • DNS SEC standard, 2004: The Internet Engineering
    Task Force is completing work on DNS-Sec, a
    standard for authenticating Internet domain name
    system (DNS) data. DNS-Sec will place a digital
    signature on each domain name and Internet
    protocol address stored in a DNS server, which
    will allow browsers to verify that a domain name
    that users type into their browser will take them
    to the correct Internet address (DNS-Sec)

34
  • FOR FURTHER INFORMATION PLEASE CONTACT -
  • E-MAIL ksdir_at_hub.nic.in
  • 91-11-3239560
  • Fax: 91-11-3235446
  • Office of the CAG,
  • 10, B.Z. Marg,
  • New Delhi-110002



Thank you