X-Road – Estonian Interoperability Platform

Slides:

Advertisements

Similar presentations

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Advertisements

Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.

Utilization of Basic Register Information from the PSI Perspective Aki Siponen, Counsellor, Ministry of Finance Business with Public Information National.

Reliability on Web Services Presented by Pat Chan 17/10/2005.

Submitted by- Mr. Avinash Sadaphule 20 November 2009 Management Trainee, MKCL.

©Centre for Development of Advanced Computing 1 State e-governance Service Delivery Gateway (SSDG)‏ A Messaging Middleware for.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

E-region Gabrovo Document interchange between regional administration, municipalities within the region and de-concentrated state administrations for administrative.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.

Tervisepank ® e-solution for primary care Madis Tiik, MD CEO, Estonian Society of Family Doctors

Picmet'03 System Integration Process of Government Information Systems Ahto Kalja Department of State Information Systems/ Tallinn Technical University.

United Nations Development Program India Coordination & Decision Support System (CDSS) on External Assistance Department of Economic Affairs Ministry of.

Service Broker Lesson 11. Skills Matrix Service Broker Service Broker, provides a solution to common problems with message delivery and consistency that.

Pay As You Go – Associating Costs with Jini Leases By: Peer Hasselmeyer and Markus Schumacher Presented By: Nathan Balon.

Understanding Active Directory

A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

The proof of your digital documents. Copyright Lex Persona – All rights reserved 2 Our approach to paper reduction The current approach –The.

Enterprise Resource Planning

JVM Tehnologic Company profile & core business Founded: February 1992; –Core business: design and implementation of large software applications mainly.

X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.

Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.

Clinic Security and Policy Enforcement in Windows Server 2008.

Dao Dinh Kha National Centre of Digital Signature Authentication - Agency of Information Technology Application A vision on a national Electronic Authentication.

ResCom AUTH Research Committee - 1 Secretariat of Research Committee Aristotle University of Thessaloniki IT Department Project Management and Monitoring.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Security requirements for e-government services: a methodological approach for developing a common PKI-based security policy Authors: C. Lambrinoudakis,

M i SMob i S Mob i Store - Mobile i nternet File Storage Platform Chetna Kaur.

Web Services Igor Wasinski Olumide Asojo Scott Hannan.

What is Service Oriented Architecture ? CS409 Application Services Even Semester 2007.

Introduction to IT Governance Support System (ITGSS)

Ideas for Today and Tomorrow Riho Oks

Electronic Records Management: A Checklist for Success Jesse Wilkins April 15, 2009.

1 Introduction to Middleware. 2 Outline What is middleware? Purpose and origin Why use it? What Middleware does? Technical details Middleware services.

Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.

The Grid System Design Liu Xiangrui Beijing Institute of Technology.

Middleware for FIs Apeego House 4B, Tardeo Rd. Mumbai Tel: Fax:

Identity Management: A Technical Perspective Richard Cissée DAI-Labor; Technische Universität Berlin

ACM 511 Introduction to Computer Networks. Computer Networks.

SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.

Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

9 Systems Analysis and Design in a Changing World, Fourth Edition.

NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.

Windows Role-Based Access Control Longhorn Update

Distribution and components. 2 What is the problem? Enterprise computing is Large scale & complex: It supports large scale and complex organisations Spanning.

Database Administration

Standardisation and regulation on information security Margus Püüa Head of Department Department of State Information Systems Ministry of Economic Affairs.

INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used? Tripwire.

16/11/ Semantic Web Services Language Requirements Presenter: Emilia Cimpian

National Information Communication Technologies Strategy Vasif Khalafov “National strategy” working group - Web -

1 Web Services Policy Management Greg Pavlik Web Services Architect Oracle Corporation May 11, 2005.

Implementing Microsoft Exchange Online with Microsoft Office 365

Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.

GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.

E-Science Security Roadmap Grid Security Task Force From original presentation by Howard Chivers, University of York Brief content:  Seek feedback on.

Basics of SOA Testing Assurance Services Unit 24 February 2016.

Chang, Wen-Hsi Division Director National Archives Administration, 2011/3/18/16:15-17: TELDAP International Conference.

Estonian information system - X-road and X-GIS Hannes Lehemets Tartu.

Amazon Web Services. Amazon Web Services (AWS) - robust, scalable and affordable infrastructure for cloud computing. This session is about:

Training for developers of X-Road interfaces

Paperless & Cashless Poland Program overview

Enterprise Service Bus (ESB) (Chapter 9)

Introduction to Databases Transparencies

e-Invoicing – e-Ordering 20/11/2008

PLANNING A SECURE BASELINE INSTALLATION

HLN Consulting, LLC® November 8, 2006

Project Certification Planning Phase August 27, 2014

Presentation transcript:

X-Road – Estonian Interoperability Platform Arne Ansper, arne@cyber.ee Cybernetica, www.cyber.ee

Introduction: Problem In the beginning of the decade, Estonian governmental IT systems suffered from poor interconnectivity Establishing new connections between governmental databases and systems was time-consuming and expensive Department of State Information Systems decided to improve the situation and solve the interconnectivity problems

Introduction: Solution Proposed solution Creation of the national middleware that would provide unified access to all governmental databases Using web services as underlying technology Governmental X-Road program was launched to fulfil this vision and to create and run the system Cybernetica was contracted to design and build the system

Introduction: Cybernetica Estonian R&D company, active in the field of information security Data communication security Digital signature and time-stamping technology e-Voting (first parliamentary elections over Internet in the world) Development of security critical distributed systems Consulting, auditing

Goal To build an infrastructure that would allow effortless access to the data in state registries without compromising the security of the data and with minimal impact to the existing systems.

Background Many registries, all very different, managed and developed by different organizations and financed separately Many users, most of them are very small organizations without security knowledge and with a very small IT budget High security requirements. Registries contain personal data that is in some cases used to make high value decisions and in some cases needed in real time

Unification Requirements Unified legal framework Unified security measures – the initial cost of implementing the security measures will be amortized across all the state registry connections Unified API – all applications must be able to access all state registries in a similar way Unified installation and management – all installations should look like same The "effortless" part needs some explanation. There are legal obligations that must be met when processing personal data. Having a unified legal framework makes things a lot easier for smaller organizations. There are security measures (technical, physical and organizational) that must be in place in order to process personal data. Having a unified framework for security measures ensures that every organization has just one set of measures to apply in order to be allowed to use all state registries. The initial cost of implementing the security measures will be amortized across all the state registry connections. All applications must be able to access all state registries in a similar way. The installation and management of the technical security measures must be doable by the ordinary IT administrator without special security training and knowledge. Impact to the existing systems should be minimal.

Security Requirements Required security properties by priority Evidentiary value, authenticity, integrity Availability Confidentiality

Security Requirements All applications required authenticity, integrity and assurance that it is possible to proof to the third party the origin of some data, received over X-Road In addition, it was envisioned that X-Road would be used by time-critical applications, like for performing the checks on the border. So, availability was next in the list of priorities And finally, the confidentiality was required in most, but not all cases

Approach to Solution Develop system for highest security requirements That could be used by smallest organizations Encapsulate the complexity Provide functionality

Components of the Solution X-Road is Organization Legislation Infrastructure Technology

Central Agency X-Road has central agency that ensures its operation Ensures the legal status of the X-Road and the information exchanged via it, by enforcing the stated policies Responsible for steering the further development of the X-Road and ensuring its consistency and integrity

Central Services Certification authority Directory service Time-stamping service Monitoring service - detecting security breaches, collecting the statistics Web-based portal for citizens and smaller organizations - access to services in a simple and centralized way

Infrastructure Based on web services - well supported, easy-to-use, vendor and platform neutral message exchange protocol SOAP and XMLRPC, with two-way transliteration Synchronous and asynchronous operation SOAP attachments X-Road servers can process messages with unlimited size

Infrastructure Meta-services that can be used to find out the structure and properties of the system List of other organizations List of services Formal description of the services for automatic generation of the user interfaces

Infrastructure

Infrastructure

Infrastructure

Technology: Deployment Self-contained standardized monofunctional server: Common PC hardware Free software GNU/Debian Linux based Automated installer for Linux and X-Road Minimal GUI Built-in patching system Cheap and easy to install and run At the same time - secure

Technology: Evidentiary Value All outgoing messages are signed All incoming messages are logged and time-stamped Message receiver can later prove with the help of the X-Road central agency when and by whom was the message sent.

Technology: Availability Distributed system, with minimal number of central services Secure DNS (DNS-SEC) provides robust, scalable directory service with built-in caching and redundancy Protocol supports redundant servers and load sharing Mechanisms against DoS attacks

Technology: Access Control X-Road core deals only with inter-organizational access control, where access is granted to organization as whole Organization must ensure that only right people can use this service, by using whatever technical means it sees appropriate This obligation is enforced by service provisioning contract between the organizations

Two Level Access Control Balanced use of technical and organizational security measures The impact to the existing systems was minimized Biggest success factor of the X-Road

Current Status In production from 2002 65 service providers 398 service consumers 30 million transactions on 2006

Future: International Usage? Independent deployment in other country or domain Interoperability between countries / domains

Deployment in Other Country Creation of the Central Agency Establishing the legal status Setting up the technical system Creation of the services Creation of the consumers

Interoperability Amendments needed to legal and technical systems Bilateral agreements between countries Solutions for certification and directory infrastructure - future research and development needed

Thank you!