E-Procurement for Improving Governance Session 5: Integrity Protection of eProcurement systems A World Bank live e-learning event addressing the design.

Presentation transcript:

E-Procurement for Improving Governance
Session 5: Integrity Protection of eProcurement Systems
A World Bank live e-learning event addressing the design and implementation of e-procurement infrastructure

Topics
Integrity Protection of e-Procurement Systems. In this session, you will review:
– Security issues in an eProcurement platform;
– Risk management: Confidentiality, Integrity and Availability (CIA);
– Integrity protection: must-have security mechanisms;
– Integrity protection: must-have security controls;
– Lessons learned from operating the Italian eProcurement system.

eProcurement Systems from a Security Perspective
An e-procurement system shares the same security issues as any electronic system.

eProcurement Systems Present a Multi-Faceted Security Problem
In an eProcurement system, the higher the value or confidentiality of the transactions passing through the system, the higher the required security level. The security level affects a number of security decisions:
– User identification: verification of use by a unique user identifier;
– Authentication: validation that the user identifier belongs to the user;
– Access control: managing who has access to the computer system;
– Integrity: verification that data does not change at any point of the process;
– Non-repudiation: ensuring that messages are sent and received by the intended parties;
– Confidentiality: information is only accessible to those with authorized access.

How to Choose the Right Security Level
The level of security for a computer system is based on a number of different elements, from physical components to procedures and business processes. Some components are technical (encryption) and some are non-technical (security policies). The required level of security will differ for each type of system, based on the specific combination of business and security goals and requirements.

AIC Triad – Security Principles
– Availability: the reliability and accessibility of data and resources to authorized individuals in a timely manner.
– Integrity: ensuring that information and systems are not modified maliciously or accidentally.
– Confidentiality: ensuring that information is not disclosed to unauthorized subjects.
All security controls, mechanisms, and safeguards are intended to address one or more of these principles, and all risks, threats, and vulnerabilities are measured for their potential to compromise one or all of the AIC principles.

Risk Management and Analysis
Risk management is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no 100 percent secure environment: every environment has vulnerabilities and threats to a certain degree.
Step 1: Asset and information value assignment
Step 2: Identify vulnerabilities and threats
Step 3: Risk analysis and assessment
Step 4: Countermeasure selection and implementation

Security Definitions
– A vulnerability is a software, hardware, or procedural weakness that may give an attacker unauthorized access to resources within the environment.
– A threat is any potential danger to information or systems.
– A threat agent is the entity that takes advantage of a vulnerability.
– A risk is the likelihood of a threat agent taking advantage of a vulnerability, together with the corresponding business impact.
– An exposure is an instance of being exposed to losses from a threat agent.
– A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability.

Top-Down Approach to Security
– Administrative controls: policies, standards, procedures, guidelines, screening personnel, and security-awareness training.
– Technical controls: logical access controls, encryption, security devices, identification and authentication.
– Physical controls: facility protection, security guards, locks, monitoring, environmental controls, intrusion detection.
– Innermost layer: company data and assets.
Administrative, technical, and physical controls should work in a synergistic manner to protect the assets of the eProcurement system.

Risk Analysis – A Real Case
Code | Name | Description | C.I.A
M01 | Configuration data of environmental devices | Configuration data of electric power control, chilling equipment, smoke sensors, CCTV, etc. |
M02 | Configuration data | Server configuration data (OS, middleware, applications, network devices, etc.) |
M03 | Access credentials | Server credentials (user-id and password) | 400
M04 | Asset data | Asset data regarding devices (servers, network devices, etc.) |
M05 | Backup data | Configuration and production data backup | 400
M07 | E-procurement data | Data regarding orders, users, transactions, bids, tenders, etc. | 400
Initial risk value = 6558 (before countermeasures)
Residual risk value = 924 (after countermeasures)
Target risk value = 723

Integrity Protection: Must-Have Security Mechanisms
– Encryption
– Digital signature

Encryption
Encryption is the capability of hiding data in such a way that its true form is not revealed unless the user has special information. In computing terms, this usually means that a key is provided to encrypt (hide) data or to decrypt (reveal) data. Many encryption systems deal with two types of encryption:
– Symmetric encryption, where K = K1 = K2 (the same key encrypts and decrypts);
– Asymmetric encryption, where K1 ≠ K2.

Symmetric Encryption
The sender generates a random symmetric key and encrypts the message using it. The same symmetric key is used by the receiver to decrypt the message.
Advantage: symmetric encryption is extremely fast.
Disadvantage: how do you securely transfer the secret key to the receiver's site and keep it secure?

Asymmetric Encryption (Public Key Cryptography)
Asymmetric encryption provides the ability to hide some information and then allow someone else access to the information, without allowing that person to hide information using the same key.
Advantage: with an asymmetric algorithm, the secret key (private key) never needs to be transmitted; it always remains securely kept by its owner.
Disadvantage: asymmetric encryption is slow; it involves a very computationally intensive sequence of operations.

Electronic Signatures for Electronic Documents
When a legal document is signed, all parties to the transaction act on certain basic assumptions regarding the signature:
– The signer intended to sign.
– The signer is who he or she claims to be and is authorized to sign.
– The signature is that of the signer and is unique to the signer.
– The signature binds the signer to whatever the electronic document states.
– The document will not be changed once the parties have signed it.
– A signature on one document will not be transferred fraudulently to another document.
– The signer cannot later deny or repudiate the signature in an attempt to invalidate his or her relationship to the document.
Carrying these assurances over to e-signatures can be difficult.

Digital Signature Process (diagram)

Public Key Infrastructure
Public Key Infrastructure (PKI) is an arrangement that binds public keys to their respective users by means of a Certificate Authority (CA). The user identity must be unique within each CA. For each user, the user's identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA.
Certificate Authorities are trusted third parties charged with the responsibility of generating trusted certificates for requesting individuals and organizations. Certificates contain the requestor's public key and are digitally signed by the CA. Before the certificate is issued, the CA must verify the identity of the requestor. These certificates can then facilitate automatic authentication of the two parties involved without the need for out-of-band communication.

Public Key Infrastructure (diagram)

Integrity Protection – Must-Have Security Controls
– Authentication and access control
– Separation of duties
– Transaction assurance
– Logging

Authentication and Authorization
The precondition for access control is to make sure that the person or program requesting access is identified beyond doubt. Common authentication mechanisms are based on:
– Something you know: login procedures with a user ID and a user secret (password). Susceptible to password leaks: commonly used passwords; passwords explicitly told to others, whether voluntarily or through a Trojan horse; trial and error.
– Something you have: several subcategories, for example cryptographic smart cards, which store the user's digital certificate and/or private key and are used to prevent private keys from being stolen from the user's computer.
– Something you are: biometrics (fingerprints, iris scanning, etc.).

Authorization
Authorization is based on authentication. It answers two questions: what needs protection (protected resources, sensitive operations and transactions) and how to protect it. A role is a set of permissions for individual protected resources. A role assignment is the set of permissions granted to a specific user that allows the user to execute a specific sensitive operation or to access a protected resource.

Access Control Model
Access control models are governed by the following principles:
– Default is no access, to ensure that no security holes go unnoticed.
– Need to know: individuals should be given access only to the information that they absolutely require in order to perform their job duties.
Common models:
– Discretionary access control (DAC)
– Mandatory access control (MAC)
– Role-based access control (RBAC)
Logging: whatever access controls are in place, all access (successful or failed) to sensitive data must be logged.

Separation of Duties – What and Why
Separation of duties refers to a type of administrative control that prevents a single individual from initiating and approving a material eProcurement transaction. Ideally, digital systems would be engineered to provide a higher level of control than is possible with manual processes, but in practice the opposite usually happens. Today's best-practice model is to use role-based access control (RBAC), an operational model for the implementation of privileges in a complex environment. Separation of duties is essential for control over e-procurement processes and transactions.

Separation of Duties – How
Five major steps are necessary to create and manage a robust and auditable responsibility control infrastructure that ensures users have the necessary access to data elements without having too much access:
Step 1: Process mapping
Step 2: Risk assessment of processes
Step 3: Role and rule definition
Step 4: User authentication
Step 5: Ongoing role maintenance
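The authorization, access-control-model and separation-of-duties slides above describe one mechanism from three angles: roles carry permissions, anything not granted is denied, every decision is logged, and no single person may both initiate and approve the same transaction. The following is an added example written for this page (it is not code from the session or from any real e-procurement platform) that puts those rules into a small policy engine. The role names "buyer", "approver" and "auditor", the resource "purchase_order" and the user names are constructed for the example; the final check for users who have accumulated a conflicting pair of roles illustrates the "ongoing role maintenance" step.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Transaction:
    tx_id: str
    amount: int
    initiated_by: Optional[str] = None
    approved_by: Optional[str] = None


# Role -> permissions as (operation, resource).  Anything not listed is denied (default no access).
ROLES = {
    "buyer": {("initiate", "purchase_order")},
    "approver": {("approve", "purchase_order")},
    "auditor": {("read", "access_log")},
}

# Permission pairs that must never be exercised by one person on the same transaction.
CONFLICTING = {(("initiate", "purchase_order"), ("approve", "purchase_order"))}


class AccessControl:
    def __init__(self):
        self.assignments = {}   # user -> set of role names
        self.log = []           # every decision, granted or denied, is recorded

    def assign(self, user: str, role: str) -> None:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)

    def permissions(self, user: str) -> set:
        # A user with no roles gets the empty set, i.e. no access at all.
        return set().union(*(ROLES[r] for r in self.assignments.get(user, set())))

    def _decide(self, user, operation, resource, granted, reason) -> bool:
        self.log.append({"user": user, "op": operation, "resource": resource,
                         "granted": granted, "reason": reason})
        return granted

    def initiate(self, user: str, tx: Transaction) -> bool:
        if ("initiate", "purchase_order") not in self.permissions(user):
            return self._decide(user, "initiate", tx.tx_id, False, "no permission")
        tx.initiated_by = user
        return self._decide(user, "initiate", tx.tx_id, True, "ok")

    def approve(self, user: str, tx: Transaction) -> bool:
        if ("approve", "purchase_order") not in self.permissions(user):
            return self._decide(user, "approve", tx.tx_id, False, "no permission")
        if tx.initiated_by is None:
            return self._decide(user, "approve", tx.tx_id, False, "not initiated")
        if tx.initiated_by == user:
            # Separation of duties: the initiator may never approve the same transaction.
            return self._decide(user, "approve", tx.tx_id, False, "separation of duties")
        tx.approved_by = user
        return self._decide(user, "approve", tx.tx_id, True, "ok")

    def toxic_assignments(self) -> list:
        """Ongoing role maintenance: users whose combined roles hold a conflicting pair."""
        flagged = []
        for user in self.assignments:
            perms = self.permissions(user)
            if any(a in perms and b in perms for a, b in CONFLICTING):
                flagged.append(user)
        return sorted(flagged)


def demo() -> dict:
    """Constructed users and purchase orders; all names are assumptions for the example."""
    ac = AccessControl()
    ac.assign("alice", "buyer")
    ac.assign("bob", "approver")
    ac.assign("carol", "buyer")      # carol has accumulated both roles over time
    ac.assign("carol", "approver")

    po1 = Transaction("PO-1", 120000)
    po2 = Transaction("PO-2", 80000)
    return {
        "alice_initiates": ac.initiate("alice", po1),
        "alice_approves_own": ac.approve("alice", po1),        # denied: no approve permission
        "bob_approves": ac.approve("bob", po1),
        "carol_initiates": ac.initiate("carol", po2),
        "carol_approves_own": ac.approve("carol", po2),        # denied: separation of duties
        "dave_no_roles": ac.initiate("dave", Transaction("PO-3", 10)),  # denied: default no access
        "toxic": ac.toxic_assignments(),
        "denied_in_log": sum(1 for entry in ac.log if not entry["granted"]),
    }
```

Note that RBAC alone does not stop carol: her role set legitimately grants both permissions. The transaction-level check in approve() enforces the separation-of-duties rule at run time, and toxic_assignments() surfaces the risky combination for the periodic role review, which is why the slide lists both role definition and ongoing maintenance as separate steps.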

Transaction Assurance
Transaction assurance refers to a process that helps reduce fraud and mitigates the risk of unauthorized access by using a variety of data integrity and non-repudiation technologies. Transaction authentication uses an electronic signature to provide transaction verification:
– Data integrity: protecting against unauthorized changes to the transaction by ensuring that changes to data are detectable.
– Data origin authentication: verifying that the identity of the user submitting the transaction is as claimed. Hence, data origin authentication implicitly authenticates the user.
Two mechanisms provide these properties:
– Digital signature, based on public-key cryptography;
– Message Authentication Code (MAC), based on secret-key cryptography.
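The slide names the MAC as the secret-key counterpart of the digital signature for transaction verification. The following is an added example (not from the session or from any real platform) of an HMAC-based transaction tag that delivers the two properties listed: the claimed user identifier is mixed into the MAC input so the tag authenticates origin, and any change to the canonical transaction bytes breaks it so the tag protects integrity. The class name, the per-user enrolment step and the bid fields are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


def canonical(tx: dict) -> bytes:
    """Stable byte encoding so the same transaction always yields the same MAC,
    regardless of the order in which the client serialized its fields."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


class TransactionAuthenticator:
    """Server side: holds one shared secret per enrolled user (constructed at registration)."""

    def __init__(self):
        self._keys = {}

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return key   # in practice delivered to the user over an out-of-band channel

    @staticmethod
    def tag(key: bytes, user: str, tx: dict) -> str:
        # The claimed user id is part of the MAC input, so the tag binds the
        # transaction to its origin and cannot be replayed under another identity.
        msg = user.encode() + b"\x00" + canonical(tx)
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def verify(self, user: str, tx: dict, tag: str) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False                       # unknown user: nothing to verify against
        expected = self.tag(key, user, tx)
        return hmac.compare_digest(expected, tag)   # constant-time comparison


def demo() -> dict:
    """Constructed bid submission checked under several tampering scenarios."""
    server = TransactionAuthenticator()
    alice_key = server.enroll("alice")
    server.enroll("bob")
    bid = {"tender": "T-0001", "supplier": "alice", "amount": 125000}
    tag = TransactionAuthenticator.tag(alice_key, "alice", bid)

    reordered = {"amount": 125000, "supplier": "alice", "tender": "T-0001"}
    tampered = dict(bid, amount=115000)
    return {
        "genuine": server.verify("alice", bid, tag),
        "reordered_fields": server.verify("alice", reordered, tag),   # same content, same MAC
        "tampered_amount": server.verify("alice", tampered, tag),    # integrity failure
        "claimed_by_bob": server.verify("bob", bid, tag),            # origin failure
        "unknown_user": server.verify("mallory", bid, tag),
    }
```

The MAC gives integrity and origin authentication but not non-repudiation: the server holds the same key as the user, so it cannot prove to a third party that the user, rather than the server, produced the tag. That is the gap the slide fills with the public-key digital signature.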

Logging
To ensure the confidentiality, integrity and availability of eProcurement data, a log management tool must be adopted to:
– Automate the collection and consolidation of log data
– Automate event log data analysis and report generation
– Perform basic event management
– Monitor login attempts and report discrepancies
– Identify and respond to privacy and security incidents
This can help to:
– Increase enterprise incident response capabilities by providing situational awareness;
– Provide security information management for long-term trending, analysis and regulatory compliance.

Security of an eProcurement Platform
– Secure by design: each component is designed keeping in mind the potential weaknesses and deploying the necessary safeguards.
– Identity proofing of users is based on a registration process (online and out-of-band controls) by which the system uniquely identifies a person before provisioning an identity.
– Processes (e.g. framework agreements) are designed according to the separation-of-duties principle.
– Planned vulnerability and security assessments (every six months).
– Each major change (in both the application layer and the technical layer) is evaluated against the AIC triad, and residual risks are documented.
– Logs are analyzed monthly for unexpected behaviours and activities (e.g. nightly access peaks from other countries).
– Applicability of security alerts from CERT is evaluated on a monthly basis and security patches are applied where suitable.
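The logging slide asks for automated analysis of login attempts and reporting of discrepancies, and the lessons-learned slide gives a concrete pattern worth looking for: nightly access peaks from other countries. The following is an added example (not from the session and not the Italian platform's tooling or log format) that runs both checks over a handful of constructed log lines. The line format, the field names, the documentation-range IP addresses, the home country "IT" and the placeholder foreign country code "ZZ" are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed authentication log in an assumed format (not a real platform's log).
SAMPLE_LOG = """\
2024-03-01T09:02:11Z user=alice result=OK src=198.51.100.4 country=IT
2024-03-01T09:05:40Z user=bob result=FAIL src=198.51.100.9 country=IT
2024-03-01T09:05:52Z user=bob result=OK src=198.51.100.9 country=IT
2024-03-02T02:13:44Z user=alice result=FAIL src=203.0.113.7 country=ZZ
2024-03-02T02:14:01Z user=alice result=FAIL src=203.0.113.7 country=ZZ
2024-03-02T02:14:19Z user=alice result=FAIL src=203.0.113.7 country=ZZ
2024-03-02T02:14:37Z user=alice result=FAIL src=203.0.113.7 country=ZZ
2024-03-02T02:15:02Z user=alice result=OK src=203.0.113.7 country=ZZ
2024-03-02T10:30:00Z user=carol result=OK src=198.51.100.21 country=IT
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) "
                  r"src=(?P<src>\S+) country=(?P<country>[A-Z]{2})$")


def parse(log_text: str) -> list:
    """Turn raw lines into event dicts with a parsed timestamp; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # a production tool would count these as a data-quality discrepancy
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def failed_login_report(events: list, threshold: int = 3) -> dict:
    """Users at or above the failure threshold.  'fail_then_success' marks a burst of
    failures followed by a successful login, the discrepancy an analyst wants to see first."""
    failures = Counter(e["user"] for e in events if e["result"] == "FAIL")
    report = {}
    for user, count in failures.items():
        if count < threshold:
            continue
        user_events = [e for e in events if e["user"] == user]
        last_fail = max(e["ts"] for e in user_events if e["result"] == "FAIL")
        later_ok = any(e["result"] == "OK" and e["ts"] > last_fail for e in user_events)
        report[user] = {"failures": count, "fail_then_success": later_ok}
    return report


def nightly_foreign_access(events: list, home_country: str = "IT", night=(0, 6)) -> dict:
    """Successful logins per (user, country) during night hours from outside the home country."""
    counts = Counter()
    for e in events:
        if (e["result"] == "OK" and e["country"] != home_country
                and night[0] <= e["ts"].hour < night[1]):
            counts[(e["user"], e["country"])] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("failed-login discrepancies:", failed_login_report(evs))
    print("nightly access from abroad:", nightly_foreign_access(evs))
```

On the sample data bob's single typo stays below the threshold, while alice's four failures at 02:13 from outside the home country, followed by a success, show up in both reports. Running these two functions on a month of consolidated logs is a minimal version of the monthly review the platform team describes; the threshold and night window are tuning knobs, and the country field would come from a geolocation step in the log pipeline rather than from the authentication service itself.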