Aurion ATO Gateway Service
Technical Overview
© Aurion Corporation Pty Ltd 2018 V 1.0 Last Updated: 26/02/2018 Commercial in Confidence
Version Control
Version | Version Description | Date
1.0     | Initial Version     | 26/02/2018
Contents
Introduction (1)
ATO Gateway Service Overview (1)
Solution Components (2)
  InHouse (2)
    Security Considerations (3)
  Aurion Core and API Gateway (3)
    Prerequisites (4)
    Security Considerations (4)
  AWS (Amazon Web Service) (5)
    Security Considerations (6)
  CloudFormation (7)
    Security Considerations (8)
  Lambda Function (8)
    Security Considerations (8)
References (9)
Introduction
This Aurion ATO Gateway Service design document outlines the components which comprise the
ATO Gateway service offered by Aurion to its customers. It also outlines the process that both
Aurion, as the service provider, and its customers are expected to follow to achieve the
successful transmission of tax withheld data, payroll data and superannuation data to the
Australian Taxation Office (ATO) on a pay event basis. Given the sensitive nature of the data
transmitted, the security considerations of each part of the design are also discussed.
ATO Gateway Service Overview
It is expected that the ATO Gateway will receive a considerable number of transmissions from
Aurion systems across the country for submission to the ATO. Because the service must deliver
these transmissions reliably and securely, and must not compromise Aurion’s reputation as a
cost-effective payroll provider, the Amazon Web Services (AWS) Cloud Platform will be used to
host the gateway. A “serverless” architecture, coupled with auto-scaling services, makes this
platform fit for purpose.
Solution Components
The following is a brief overview of each of the components of Aurion’s ATO Gateway Service,
from the generation of AWS user keys and SEKs through to the Aurion software interacting with
the ATO.
InHouse
This section describes how the Aurion Licencing team uses Aurion’s proprietary InHouse
application to create a unique Organisation Software ID and an AWS IAM user for each licensed
customer/organisation, and to generate the customer’s SEK.
Each Aurion customer will be listed in InHouse with the following details:
- Organisation Code
- Organisation Name
- Software ID - the STP Software ID is a unique code within the Aurion customer base. When an
  organisation’s STP details are registered with the ATO, the ATO uses this code in conjunction
  with Aurion’s unique device AUSkey to distinguish between organisations.
- SEK Created - whether an SEK has been generated using the latest Software ID and AWS Access
  Key.
In order for customers to securely transmit data to the ATO via the Aurion ATO Gateway, they will
require their own unique AWS user account, which will access Aurion’s ATO gateway via an AWS
Access Key.
Security Considerations
- Only Aurion staff members with the appropriate granted authority will be able to access the
  STP Software IDs menu option in the InHouse application.
- The data relating to STP credential generation is stored in the InHouse database, encrypted at
  rest using Aurion’s proprietary encryption algorithm.
- The “Create AWS User” process will only be executed by the Aurion Licencing team from
  authorised workstations, as approved by the Aurion Security team. User-specific AWS access
  keys ensure that only delegated (approved) users generate and manage customer AWS user
  accounts. This key will be rotated on a 6-monthly basis.
- Authentication to the AWS organisation IAM user accounts can also be managed individually,
  so keys can be rotated if required. Note that once InHouse has programmatically generated an
  AWS access key, it cannot be exported again, either via the console or programmatically.
- SSL encryption in transit is enforced.
- No AWS console access will be granted to these users.
- The AWS access key information is stored encrypted in the SEK file using Aurion Corporation’s
  proprietary encryption algorithm. It can only be decoded by the Aurion application.
- The SEK file will be distributed to customers via the Aurion Support Centre
  (support.aurion.com), which ensures 2048-bit SSL (HTTPS) encryption of the file in transit.
  N.B. The contents of the SEK file will not be transmitted in clear text via the support centre.
- The data relating to STP Access ID details is stored in the Aurion database, encrypted at rest
  using Aurion’s proprietary encryption algorithm.
Aurion Core and API Gateway
Customer payroll administrators will execute their payrun process as they have done in pay
periods prior to FY 2019. In addition, Aurion will initiate the transmission of the ATO-required
data via the ATO gateway. Because the ATO requires these STP details to be lodged securely
(e.g. with encryption and an AUSkey token), Aurion Core passes the STP payload to Aurion’s ATO
gateway, which performs the lodgement on its behalf. The ATO has provided businesses with
instructions for notifying it of their hosted SBR service provider:
https://www.ato.gov.au/General/Online-services/In-detail/Using-Access-Manager/Using-Access-Manager/?page=5
Prerequisites
- A version of Aurion Core with the STP software, i.e. 11.42+.
- Two new Aurion.asn file [LOGICALS] are required to configure the STP Gateway URLs for
  sending to and receiving from the ATO:
  STP_URL_IN (stpgateway.aurion.com) – AWS Route 53 entry
  STP_URL_OUT (stpgateway.aurion.com)
- The customer delegate (a user with delegated authority) will log in to myGov, register their
  company’s ABN and grant access to Aurion’s pre-generated AUSkey so that Aurion can liaise with
  the ATO on their behalf.
- Customers do not require their own unique AUSkey. Aurion ATO Gateway users grant Aurion
  Corporation (as their gateway provider) authority to liaise with the ATO on their behalf (i.e.
  to use Aurion’s AUSkey).
- The customer delegate will also notify the ATO of their Software ID (which differentiates them
  from other Aurion STP Gateway users) to authorise Aurion to submit STP data on their behalf.
Security Considerations
Access to Aurion Core is managed using Aurion application security controls (Aurion security users
are administered by payroll administrators) and application access (ability to execute the
Aurion.exe program) is managed by local IT resources for On-Premise Aurion customers and
Aurion Technical Support for hosted customers (using Citrix and LDAP security groups).
The payload containing sensitive information will be compressed and Base64-encoded prior to
being transmitted to Aurion’s ATO gateway.
Amazon API Gateway provides tools to authorise access to the APIs it fronts and to control
access to service operations. To secure and authorise access to these APIs, Aurion leverages AWS
Identity and Access Management (IAM). Amazon API Gateway then verifies signed API calls on the
customer’s behalf using the same methodology AWS uses for its own APIs. This is done via
Signature Version 4 (SigV4), which works in the following way:
1. A canonical request is created.
2. The canonical request is used with other information to create a string to sign.
3. The customer’s specific AWS secret access key is used to derive a signing key. Using that
signing key and the data to be signed, it creates a signature.
4. This resulting signature is added to the HTTPS request in a header.
When AWS receives the request, it performs the same aforementioned steps to calculate
the signature. AWS then compares the calculated signature to the one that was sent with
the request. If the signatures match, the request is processed. If the signatures don't
match, the request is denied.
If Aurion receives an unexpected response from the ATO, an appropriate error message and an
associated log entry will be captured. The customer can use this information to troubleshoot,
or notify the Aurion Support desk if required.
This web communication is encrypted in transit using 2048-bit RSA-256 SSL (HTTPS) encryption.
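The four SigV4 steps listed above, carried through end to end in an added example (this is not Aurion's code and not the AWS SDK; it uses only the Python standard library). The client side derives a signing key from the customer's secret access key and signs the compressed, Base64-encoded payload; the server side, standing in for API Gateway, recomputes the signature and compares it in constant time, so a modified body or a signature made with the wrong secret is rejected. The request path `/prod/stp`, the `execute-api` service name, the sample date and the sample payload are assumptions; the access key and secret are the AWS documentation placeholders, and the host and region are the ones named in this document.

```python
# Added example: AWS SigV4 signing and verification with the standard library only.
import base64
import hashlib
import hmac
import json
import zlib
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Step 1: the canonical request. Query and headers are normalised and sorted so the
    client and the verifier hash byte-identical input; the payload hash binds the body."""
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    signed_headers = ";".join(sorted(lowered))
    return "\n".join([method.upper(), quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, signed_headers, _sha256_hex(payload)])


def string_to_sign(amz_date, scope, canonical):
    """Step 2: the hashed canonical request combined with the date and credential scope."""
    return "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(canonical.encode("utf-8"))])


def derive_signing_key(secret, date_stamp, region, service):
    """Step 3a: HMAC chain from the secret; the secret itself is never sent on the wire."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, path, query, headers, payload, secret, region, service):
    """Steps 1-3: hex signature. `headers` must include host and x-amz-date (YYYYMMDDTHHMMSSZ)."""
    amz_date = {k.lower(): v for k, v in headers.items()}["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    sts = string_to_sign(amz_date, scope, canonical_request(method, path, query, headers, payload))
    key = derive_signing_key(secret, amz_date[:8], region, service)
    return hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()


def authorization_header(access_key_id, headers, region, service, signature):
    """Step 4: the Authorization header value carried on the HTTPS request."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scope = f"{lowered['x-amz-date'][:8]}/{region}/{service}/aws4_request"
    signed = ";".join(sorted(lowered))
    return f"{ALGORITHM} Credential={access_key_id}/{scope}, SignedHeaders={signed}, Signature={signature}"


def verify_request(method, path, query, headers, payload, secret, region, service, presented):
    """Verifier side (what API Gateway does): recompute and compare in constant time."""
    expected = sign_request(method, path, query, headers, payload, secret, region, service)
    return hmac.compare_digest(expected, presented)


# Constructed sample values (AWS documentation placeholder credentials, not real ones).
SAMPLE_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_REGION = "ap-southeast-2"   # Sydney, the region named in the document
SAMPLE_SERVICE = "execute-api"     # assumed: the SigV4 service name for API Gateway
SAMPLE_HEADERS = {"Host": "stpgateway.aurion.com", "X-Amz-Date": "20180226T010203Z",
                  "Content-Type": "application/json"}


def build_payload(pay_event: dict) -> bytes:
    """Compress then Base64-encode the STP payload as the document describes. This is an
    encoding, not encryption: confidentiality comes from HTTPS, integrity from the signature."""
    return base64.b64encode(zlib.compress(json.dumps(pay_event).encode("utf-8")))


def demo():
    payload = build_payload({"payEvent": "constructed-sample", "softwareId": "SOFTWARE-ID-PLACEHOLDER"})
    args = ("POST", "/prod/stp", {}, SAMPLE_HEADERS, payload, SAMPLE_SECRET, SAMPLE_REGION, SAMPLE_SERVICE)
    sig = sign_request(*args)
    return {
        "signature": sig,
        "authorization": authorization_header(SAMPLE_ACCESS_KEY_ID, SAMPLE_HEADERS, SAMPLE_REGION, SAMPLE_SERVICE, sig),
        "valid": verify_request(*args, sig),
        # one extra byte in the body changes the payload hash, so the signature no longer matches
        "tampered_accepted": verify_request("POST", "/prod/stp", {}, SAMPLE_HEADERS, payload + b"x",
                                            SAMPLE_SECRET, SAMPLE_REGION, SAMPLE_SERVICE, sig),
        # a caller without the customer's secret cannot produce a matching signature
        "wrong_key_accepted": verify_request("POST", "/prod/stp", {}, SAMPLE_HEADERS, payload,
                                             "not-the-customer-secret", SAMPLE_REGION, SAMPLE_SERVICE, sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The signing key is derived per day, region and service, so a leaked derived key is narrower in scope than the long-term secret, which is why the SEK only ever needs to hand the secret to the Aurion application and never to the wire. `x-amz-date` is part of the signed material, which is what lets the verifier also reject requests whose timestamp is too old.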
AWS (Amazon Web Service)
To ensure the security and integrity of the solution, all STP-related infrastructure will be
deployed within its own AWS account, in complete isolation from the other services that Aurion
hosts on the AWS cloud platform.
Security Considerations
Access to the STP Production and STP Test accounts will only be granted to authorised Aurion
Technical administrators, and will be subject to security controls similar to those surrounding
the impending Aurion Cloud Platform.
The accounts reside under different organisational units (OUs) so that service control policies
(SCPs) can be attached to each OU to restrict the services that may be used by the accounts
within it. For example, an SCP attached to the Production_STP OU will allow only the AWS
services required for the platform to function. From a security perspective this helps to ensure
compliance and ensures that new services cannot be deployed in specific accounts without the
appropriate change management.
CloudFormation
CloudFormation provides a common language (YAML) that Aurion has used to describe and
provision all the infrastructure resources for the ATO gateway component on the Amazon Web
Services (AWS) platform. Using CloudFormation, a simple text file is used to model and provision,
in an automated manner, all the resources needed for the Aurion ATO Gateway in the Sydney
region for both Production and Test environments. This code is source controlled by the Aurion
Software Development team, and serves as the single source of truth for the solution.
Security Considerations
To ensure the ease and integrity of deployment, no component originally deployed from the
CloudFormation template will later fall outside the template’s control, i.e. all updates to
Aurion’s ATO Gateway will be codified in CloudFormation.
Additionally, only authorised Aurion Technical staff will have access to the AWS account in which
the Aurion ATO Gateway services are deployed.
Lambda Function
AWS Lambda lets Aurion run code without provisioning or managing servers. With Lambda, code
can be run for virtually any type of application or backend service - all with very little
administration. It is Lambda functions deployed via CloudFormation that form the business logic
component of the transmission from Aurion to the ATO.
The ATO provides Java SDKs for AUSkeys and the VANguard Security Token Service, and Java has
good support for the web service standards required to implement ebMS 3.0 AS4 messaging. This
is why Lambda functions were developed using Java (8).
Security Considerations
- When the Lambda code is uploaded, it is stored in an S3 bucket within the account. Account
  permissions restrict access to an IAM role dedicated to the Lambda function and to
  administrative AWS console users.
- All objects (including the code base) stored within this bucket are encrypted at rest using
  Amazon’s AES-256 server-side encryption.
- Included in the payload is the encoded AWS Access ID used to identify the user invoking the
  API on Aurion’s ATO gateway. This ensures the payload has originated from a valid source (i.e.
  an Aurion Core instance with a valid SEK).
- The script that creates the IAM role for the Lambda function is run by the InHouse user
  creation process. A security policy is associated with the role to allow secure decryption of
  the AUSkey password tokens, and the role also includes an IAM policy allowing the Lambda
  function to access the KMS key used to decrypt the AUSkey keystore passwords.
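An added example, not Aurion's code or any AWS tooling, that ties together the two permission layers described in this document: the allow-list SCP on the Production_STP OU (AWS section above) and the Lambda role's KMS policy (this section). It models the AWS evaluation rule that an SCP never grants access on its own; a request succeeds only when the SCP permits the action and the principal's own policy also allows it. The service list in the SCP is assumed from the components this document names, the account id and key id are labelled placeholders, and the CloudWatch Logs actions are an assumption about what a Lambda function typically needs.

```python
# Added example: simplified evaluation of an allow-list SCP combined with an identity policy.
import fnmatch

# Assumed: the services the STP platform needs, taken from the document's component list.
PRODUCTION_STP_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:*", "apigateway:*", "cloudformation:*", "s3:*", "kms:*",
                    "logs:*", "cloudwatch:*", "route53:*", "cloudtrail:*", "iam:*"],
         "Resource": "*"},
    ],
}

# Placeholders: the real account id and key id are not in the document.
AUSKEY_KMS_KEY_ARN = "arn:aws:kms:ap-southeast-2:111122223333:key/KEY-ID-PLACEHOLDER"

# The Lambda role: decrypt permission scoped to the one key that protects the AUSkey
# keystore passwords, plus the (assumed) log-writing actions a function needs.
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": AUSKEY_KMS_KEY_ARN},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
    ],
}

# A full-access identity policy, to show that the SCP still bounds administrators.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """Simplified IAM semantics: an explicit Deny wins, otherwise any matching Allow
    grants, otherwise the request is implicitly denied. Wildcards use IAM's '*' style."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def effective_decision(scp, identity_policy, action, resource):
    """An SCP is a boundary, not a grant: the request must pass both the OU's SCP and the
    principal's own policy."""
    return policy_allows(scp, action, resource) and policy_allows(identity_policy, action, resource)


def demo():
    other_key = "arn:aws:kms:ap-southeast-2:111122223333:key/OTHER-KEY-PLACEHOLDER"
    return {
        # the function decrypting the keystore password with the dedicated key: permitted
        "lambda_decrypt_auskey_key": effective_decision(
            PRODUCTION_STP_SCP, LAMBDA_ROLE_POLICY, "kms:Decrypt", AUSKEY_KMS_KEY_ARN),
        # the same role against any other key: the role policy is scoped to one key
        "lambda_decrypt_other_key": effective_decision(
            PRODUCTION_STP_SCP, LAMBDA_ROLE_POLICY, "kms:Decrypt", other_key),
        # a service outside the allow list is blocked by the SCP even for an administrator
        "admin_run_ec2": effective_decision(PRODUCTION_STP_SCP, ADMIN_POLICY, "ec2:RunInstances", "*"),
        # deploying the gateway's own components stays within the allow list
        "admin_create_lambda": effective_decision(
            PRODUCTION_STP_SCP, ADMIN_POLICY, "lambda:CreateFunction", "*"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

Two things the example makes visible that the prose does not: the SCP blocks an unlisted service regardless of how broad the caller's own policy is, which is the change-management property the AWS section relies on, and the role's KMS grant is pinned to a single key ARN, so a compromise of the function's role does not extend to other keys in the account.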
References
Amazon Lambda Service: https://aws.amazon.com/lambda/
Amazon Route 53 DNS Service: https://aws.amazon.com/route53/
Amazon CloudFormation Service: https://aws.amazon.com/cloudformation/
Amazon S3 Service: https://aws.amazon.com/s3/
Amazon API Gateway Service: https://aws.amazon.com/apigateway/
Amazon CloudWatch Service: https://aws.amazon.com/cloudwatch/
Amazon Key Management Service: https://aws.amazon.com/kms/
Amazon CloudTrail Service: https://aws.amazon.com/cloudtrail/
ATO Standard Business Reporting Web Services Implementation Guide (WIG):
http://www.sbr.gov.au/__data/assets/file/0019/45118/SBR-ebMS3-Web-Services-Implementation-Guide.docx
ATO Cloud Software Authentication & Authorisation:
https://softwaredevelopers.ato.gov.au/sites/default/files/resource-attachments/CAA_SWD_info_kit.pdf