Presentation is loading. Please wait.

Presentation is loading. Please wait.

The new EDAMIS and its security

Published byΧθόνιος Μελετόπουλος Modified over 4 years ago

Similar presentations

Presentation on theme: "The new EDAMIS and its security"— Presentation transcript:

1 The new EDAMIS and its security
ESDEN The new EDAMIS and its security ESDEN Steering Group meeting Javier MANSO DEL VALLE Directorate B - Methodology; corporate statistical and IT services Eurostat October 11th, 2017

2 Agenda Introduction Encryption in EDAMIS 4 Authentication
EDAMIS main components Architecture: flows and protocols used Encryption in EDAMIS 4 Authentication Network topology Availability

3 Introduction

4 EDAMIS main components
EDAMIS Web Portal Includes Web Forms New portal, HTML5-based Stadium Routing back-end Replaced by ESDEN Inventory Contains definition of domains, datasets, users, rights, etc. EWP3 EWP4 STADIUM ESDEN Inventory v3 Inventory v4

5 How to send files? NSI Standard protocols Non standard protocols AS4
EDAMIS 4 AS4 AS4 access point Application ESDEN Web services ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP sFTP server Web Application Manual data exchange EDAMIS 4 Web Portal NSI

6 Encryption in EDAMIS 4

7 Encryption: already in EDAMIS 3
Files encrypted with PGP Asymmetric encryption Key pair generated by Eurostat Private key kept by Eurostat Public key provided to data providers Encryption only from the NSI TO Eurostat EDAMIS maintains a list of public keys One key pair per domain What else do we want to add to this timetable?

8 Encryption: improved in EDAMIS 4
Encryption supported TO and FROM Eurostat Key management One encryption key for each dataset + receiving organisation EDAMIS keeps a list of all public keys Organisations can generate their own keys, and upload public keys in EDAMIS 4 What else do we want to add to this timetable?

9 Two-way encryption in EDAMIS 4
From Member States to Eurostat Encryption with the public key of the corresponding domain Public keys of all domains are available in the EDAMIS portal From Eurostat to Member State Organisations update their public key in the EDAMIS portal EDAMIS uses that public key to encrypt data sent to that organisation NSI What else do we want to add to this timetable? NSI

10 Encryption in EDAMIS 4 Web Portal
Encryption of files Maintains PGP used in EDAMIS 3 Encryption of communication NSI-Eurostat-NSI HTTPS (not available in CCN yet) Additional encryption when using TESTA or CCN Encryption of communication Eurostat-Eurostat sFTP HTTP through reverse proxies What else do we want to add to this timetable?

11 Example: EDAMIS 4 Web Portal
ESDEN EDAMIS 4 Web Portal What else do we want to add to this timetable? Application NSI

12 Example: EDAMIS 4 Web Portal
User attaches the file, which is encrypted in the browser PGP encryption Public key of the domain EDAMIS 4 ESDEN EDAMIS 4 Web Portal User submits the encrypted file HTTPS Internet / TESTA ESDEN delivers the file ESDEN keeps an encrypted copy of the file for a defined retention period User accesses EDAMIS HTTPS Internet / TESTA What else do we want to add to this timetable? Application NSI

13 Retention period in EDAMIS
Feature intended for compliance… Domain managers can define a retention period for their datasets ESDEN keeps an encrypted copy of all files for the defined period When the retention period is reached, EDAMIS deletes the file Expiration period can be 0, EDAMIS will delete the file immediately after delivery What else do we want to add to this timetable?

14 Retention period in EDAMIS
… also has other uses Copy of official submissions to Eurostat available Copy of files received from Eurostat available Verify the version of the file that was submitted Recover files that were lost or modified What else do we want to add to this timetable?

15 Consolidated logging EDAMIS centralises all information on actions performed on every file All actions done (e.g. file received, chunks joined, signature checked, file available, file delivered) All files are hashed, possible to tell whether a file was ever received What else do we want to add to this timetable?

16

17 Authentication in EDAMIS 4

18 Authentication in EDAMIS 4
AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

19 Authentication in Web Portal
EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

20 Authentication in Web Portal
Access through Internet and TESTA: EU Login Access through CCN: CCN-specific LDAP Authorisation: role-based access All actions in EDAMIS need permissions Permissions are grouped into roles EDAMIS administrators grant roles to users What else do we want to add to this timetable?

21 Authentication in sFTP
EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

22 Authentication in sFTP
Authentication of the sFTP server sFTP servers provide their key in every connection The key can be checked in the portal Authentication of the sFTP client DIGIT provides accounts (user and password) for each organisation and for Eurostat All files sent must be signed using PGP Authorisation The sFTP client is linked to an organisation ESDEN checks that the organisation has the right to send files for the corresponding dataset What else do we want to add to this timetable?

23 Authentication AS4 and ESDEN client
EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

24 Configuration of an ESDEN client
The organisation Installs the ESDEN client in their premises Generate a PGP key pair for the ESDEN client Provide the public key to Eurostat Eurostat Adds the public key to EDAMIS Links the public key to the corresponding organisation Creates an eTrustEx user for the ESDEN client What else do we want to add to this timetable?

25 Authentication using ESDEN client
Authentication of the ESDEN client The ESDEN client is authenticated by eTrustEx using user/password (over HTTPS) The ESDEN client signs all files with PGP Authorisation The ESDEN client is linked to an organisation, and the corresponding rights are present in the EDAMIS databas The same mechanisms are used for AS4 What else do we want to add to this timetable?

26 Authentication inside EDAMIS
AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

27 Authentication using ESDEN client
Authentication of Web Portal and ESDEN When exchanging information, the Web Portal and the ESDEN server do client-side authentication X.509 certificates Direct trust of the certificate, no CA involved Connectivity HTTP for transfer of big files HTTPS also possible through reverse proxies Allows filtering by network equipment What else do we want to add to this timetable?

28 Authentication for delivery
EDAMIS 4 AS4 access point Application ESDEN ESDEN Client Automatic data exchange Application What else do we want to add to this timetable? sFTP server Application Manual data exchange EDAMIS 4 Web Portal NSI

29 Authentication for delivery - push
Delivery through sFTP Authentication sFTP client: user and password provided by destination application sFTP server: key provided in every connection Authorisation The destination application has to be defined in EDAMIS and linked to an organisation with the right to receive What else do we want to add to this timetable?

30 Authentication for delivery - pull
Client application must identify itself using a certificate (X.509) Direct trust of the certificate, no CA involved Authorisation The public key needs to be configured in EDAMIS The destination application has to be defined in EDAMIS and linked to an organisation with the right to receive What else do we want to add to this timetable?

31 Availability

32 New architecture Java applets replaced completely
New architecture based on Java 2 Enterprise Edition Javascript Availability offered by DIGIT hosting services Reverse proxies (Internet, TESTA) Load balancers Oracle WebLogic Prepared for scalability What else do we want to add to this timetable?

33 WebLogic architecture
Linux VM1 WebLogic Cluster Managed server 1 Reverse proxy Load balancer Session replication Reverse proxy Load balancer What else do we want to add to this timetable? Linux VM2 Managed server 2

34 Vulnerability testing
Plan to introduce vulnerability testing Using services offered by DIGIT Cycle: test -> identify -> fix -> test What else do we want to add to this timetable?

35

Download ppt "The new EDAMIS and its security"

Similar presentations

InterScan AppletTrap Zhang Hong Trend Micro, AppletTrap Team 2001.09.18 (Nanjing)

InterScan AppletTrap Zhang Hong Trend Micro, AppletTrap Team (Nanjing)
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
Eurostat Unit B3 – Statistical Information Technologies Data transmission tools and services 15/05/2008 1 eDAMIS The standard solution for transmitting.

Eurostat Unit B3 – Statistical Information Technologies Data transmission tools and services 15/05/ eDAMIS The standard solution for transmitting.
Masud Hasan 03-60-475 SecueEmail VS Hushmail Project 2.

Masud Hasan Secue VS Hushmail Project 2.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security
BASIC FUNCTIONALITY. Page 2 Agenda Main topics Policy Manager Communication Understanding communication Information flow Communication modules F-Secure.

BASIC FUNCTIONALITY. Page 2 Agenda Main topics Policy Manager Communication Understanding communication Information flow Communication modules F-Secure.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Similar presentations

Ads by Google