Aurion ATO Gateway Service Technical Overview


© Aurion Corporation Pty Ltd 2018 V 1.0 Last Updated: 26/02/2018 Commercial in Confidence


Version Control

Version   Description       Date
1.0       Initial Version   26/02/2018


Contents

Introduction (p. 1)
ATO Gateway Service Overview (p. 1)
Solution Components (p. 2)
  InHouse (p. 2)
    Security Considerations (p. 3)
  Aurion Core and API Gateway (p. 3)
    Prerequisites (p. 4)
    Security Considerations (p. 4)
  AWS (Amazon Web Service) (p. 5)
    Security Considerations (p. 6)
  CloudFormation (p. 7)
    Security Considerations (p. 8)
  Lambda Function (p. 8)
    Security Considerations (p. 8)
References (p. 9)


Introduction

This Aurion ATO Gateway Service design document outlines the components which comprise the ATO Gateway service offered by Aurion to its customers. The document also outlines the process that both Aurion, as the service provider, and customers will be expected to follow to achieve the successful transmission of tax withheld data, payroll data and superannuation data on a pay event basis to the Australian Taxation Office (ATO). Considering the sensitive nature of the data transmitted, security considerations throughout the design are also discussed.

ATO Gateway Service Overview

It is expected that the ATO Gateway will receive a considerable number of transmissions from Aurion systems across the country for submission to the ATO. As the service must deliver these transmissions reliably and securely, and must not compromise Aurion’s reputation as a cost-effective payroll provider, the Amazon Web Services (AWS) Cloud Platform will be used to host this gateway. “Serverless” architecture, coupled with auto-scaling services, makes this platform entirely fit for purpose.


Solution Components

The following is a brief overview of each of the components of Aurion’s ATO Gateway Service, from the generation of AWS user keys and SEKs through to the Aurion software interacting with the ATO.

InHouse

This section describes how the Aurion Licencing team uses Aurion’s proprietary InHouse application to create a unique Organisation Software ID and an AWS IAM user for each licensed customer/organisation, and to generate the customer’s SEK.

Each Aurion customer will be listed in InHouse with the following details:

- Organisation Code
- Organisation Name
- Software Id: the STP Software Id is a unique code within the Aurion customer base. When an organisation’s STP details are registered with the ATO, the ATO uses this code in conjunction with Aurion’s unique device AUSkey to distinguish between organisations.
- SEK Created: has an SEK been generated using the latest Software ID and AWS Access Key?

In order for customers to securely transmit data to the ATO via the Aurion ATO Gateway, they will require their own unique AWS user account, which will access Aurion’s ATO gateway via an AWS Access Key.


Security Considerations

- Only Aurion staff members with the appropriate granted authority will be able to access the STP Software Ids menu option in the InHouse application.
- The data relating to STP Credential generation is stored in the InHouse database, encrypted at rest using Aurion’s proprietary encryption algorithm.
- The “Create AWS User” process will only be executed by the Aurion Licencing team via authorised workstations, as approved by the Aurion Security team. User-specific AWS access keys will be used to ensure only delegated (approved) users generate and manage customer AWS user accounts. This key will be rotated on a 6-monthly basis.
- Authentication to the AWS Organisation IAM user accounts can also be managed individually, so keys can be rotated if required. It is important to note that AWS access keys cannot be exported, either via the console or programmatically, once InHouse has programmatically generated them.
- SSL encryption in transit is observed.
- No AWS console access will be granted to these users.
- The AWS Access Key information is stored encrypted in the SEK file using Aurion Corporation’s proprietary encryption algorithm. This can only be decoded by the Aurion application.
- The SEK file will be distributed to customers via the Aurion Support Centre (support.aurion.com). Through this means of communication, 2048 bit SSL (HTTPS) encryption of the file in transit will be ensured. N.B. The contents of the SEK file will not be transmitted in clear text via the support centre.
- The data relating to STP Access ID details is stored in the Aurion database, encrypted at rest using Aurion’s proprietary encryption algorithm.
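The 6-monthly rotation of the user-specific access keys and the individually managed customer IAM user keys described above are easiest to enforce with a periodic check. The following is an added example written for this overview, not InHouse or Aurion code: it runs over constructed access-key metadata in the shape IAM's list_access_keys returns, flags active keys past the rotation period (182 days is the example's reading of "6-monthly"), users that ended up with two active keys, and deactivated keys that were never deleted. The organisation codes, key ids and dates are placeholders.

```python
from datetime import datetime, timedelta, timezone

# The design rotates these keys "on a 6-monthly basis"; 182 days is this
# example's assumption for that period.
ROTATION_PERIOD = timedelta(days=182)

# Constructed sample records in the shape IAM's list_access_keys returns under
# AccessKeyMetadata (UserName, AccessKeyId, Status, CreateDate). Key ids are
# placeholders, not real keys; user names are made-up organisation codes.
SAMPLE_KEYS = [
    {"UserName": "org-ABC123", "AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active",
     "CreateDate": datetime(2017, 7, 1, tzinfo=timezone.utc)},
    {"UserName": "org-DEF456", "AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Active",
     "CreateDate": datetime(2018, 1, 15, tzinfo=timezone.utc)},
    {"UserName": "org-DEF456", "AccessKeyId": "AKIAEXAMPLE0000003", "Status": "Inactive",
     "CreateDate": datetime(2017, 6, 10, tzinfo=timezone.utc)},
    {"UserName": "org-GHI789", "AccessKeyId": "AKIAEXAMPLE0000004", "Status": "Active",
     "CreateDate": datetime(2017, 11, 1, tzinfo=timezone.utc)},
    {"UserName": "org-GHI789", "AccessKeyId": "AKIAEXAMPLE0000005", "Status": "Active",
     "CreateDate": datetime(2018, 2, 20, tzinfo=timezone.utc)},
]

# The document's own date, used as "now" so the report is reproducible.
AS_AT = datetime(2018, 2, 26, tzinfo=timezone.utc)


def key_age_days(key, now):
    return (now - key["CreateDate"]).days


def keys_due_for_rotation(keys, now, period=ROTATION_PERIOD):
    """Active keys older than the rotation period."""
    return sorted(k["AccessKeyId"] for k in keys
                  if k["Status"] == "Active" and now - k["CreateDate"] > period)


def users_with_multiple_active_keys(keys):
    """A rotation should end with one active key per user; two active keys
    means the old one was never deactivated."""
    active = {}
    for k in keys:
        if k["Status"] == "Active":
            active.setdefault(k["UserName"], []).append(k["AccessKeyId"])
    return {user: sorted(ids) for user, ids in active.items() if len(ids) > 1}


def inactive_keys_to_delete(keys):
    """Deactivated keys still exist and can be re-enabled; list them for deletion."""
    return sorted(k["AccessKeyId"] for k in keys if k["Status"] == "Inactive")


def rotation_report(keys, now):
    return {"due_for_rotation": keys_due_for_rotation(keys, now),
            "multiple_active_keys": users_with_multiple_active_keys(keys),
            "inactive_to_delete": inactive_keys_to_delete(keys)}


if __name__ == "__main__":
    print(rotation_report(SAMPLE_KEYS, AS_AT))
```

In practice the input would be the AccessKeyMetadata list returned by IAM for each customer user, and the report would run from the same authorised workstation process that creates the users; the assumption here is only the 182-day reading of the rotation period.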

Aurion Core and API Gateway

Customer payroll administrators will execute their payrun process as they have done in pay periods prior to FY 2019. Additionally, Aurion will instigate the process of transmitting ATO-required data via the ATO gateway. As the ATO requires these STP details to be lodged securely (e.g. with encryption and an AUSkey token), Aurion Core will pass the STP payload to Aurion’s ATO gateway to perform this action on its behalf. The ATO has provided businesses with instructions for notifying them of their hosted SBR service provider: https://www.ato.gov.au/General/Online-services/In-detail/Using-Access-Manager/Using-Access-Manager/?page=5


Prerequisites

- A version of Aurion Core with the STP software, i.e. 11.42+
- Two new Aurion.asn file [LOGICALS] are required for configuring the STP Gateway URLs for both sending to and receiving from the ATO:
  - STP_URL_IN (stpgateway.aurion.com), an AWS Route53 entry
  - STP_URL_OUT (stpgateway.aurion.com)
- The customer delegate (a user with delegated authority) will log in to myGov, register their company's ABN and grant access to Aurion's pre-generated AUSkey to liaise with the ATO on their behalf.
- Customers do not require their own unique AUSkey. Aurion ATO Gateway users will grant Aurion Corporation (as their gateway provider) authority to liaise on their behalf (i.e. use Aurion's AUSkey).
- The customer delegate will also notify the ATO of their Software ID (which differentiates them from other Aurion STP Gateway users) to authorise Aurion to submit STP data on their behalf.

Security Considerations

Access to Aurion Core is managed using Aurion application security controls (Aurion security users are administered by payroll administrators), and application access (the ability to execute the Aurion.exe program) is managed by local IT resources for On-Premise Aurion customers and by Aurion Technical Support for hosted customers (using Citrix and LDAP security groups).


The payload containing sensitive information will be compressed and BASE64-encoded prior to being transmitted to Aurion’s ATO gateway.

Amazon API Gateway provides tools to authorise access to its contained APIs and to control service operation access. To secure and authorise access to these APIs, Aurion leverages AWS Identity and Access Management (IAM). Amazon API Gateway then verifies signed API calls on the customer’s behalf using the same methodology AWS uses for its own APIs. This is done via Signature Version 4 (SigV4), which works in the following way:

1. A canonical request is created.
2. The canonical request is used with other information to create a string to sign.
3. The customer’s specific AWS secret access key is used to derive a signing key. Using that signing key and the data to be signed, it creates a signature.
4. This resulting signature is added to the HTTPS request in a header.

When AWS receives the request, it performs the same steps to calculate the signature. AWS then compares the calculated signature to the one that was sent with the request. If the signatures match, the request is processed. If the signatures don't match, the request is denied.
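The four SigV4 steps and the server-side comparison, written out as an added example (not AWS SDK, API Gateway or Aurion code) so that both sides of the exchange are visible: sign_request is what the caller does, verify_request is what the gateway does with the same inputs, comparing in constant time. The access key, secret, timestamp and body are constructed; the Sydney region name ap-southeast-2 and the execute-api service name (the name API Gateway uses in SigV4 credential scopes) are assumptions, and stpgateway.aurion.com is the host named in this document.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, signed_names, payload_hash):
    # Step 1: canonical request. Query sorted by key and URI-encoded; signed
    # headers lower-cased, sorted, values trimmed; payload hash last.
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(query.items()))
    names = sorted(n.lower() for n in signed_names)
    canonical_headers = "".join(f"{n}:{' '.join(headers[n].split())}\n" for n in names)
    return "\n".join([method.upper(), quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, ";".join(names), payload_hash])


def string_to_sign(amz_date, scope, canonical):
    # Step 2: algorithm, timestamp, credential scope, hash of the canonical request.
    return "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canonical.encode("utf-8"))])


def signing_key(secret, date_stamp, region, service):
    # Step 3a: derive a per-day, per-region, per-service key from the secret.
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def signature(secret, date_stamp, region, service, sts):
    # Step 3b: HMAC the string to sign with the derived key.
    return hmac.new(signing_key(secret, date_stamp, region, service),
                    sts.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_request(access_key, secret, region, service, method, path, query, headers, payload, amz_date):
    # Client side: steps 1 to 4, returning the headers to send.
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    payload_hash = sha256_hex(payload)
    hdrs = {k.lower(): v for k, v in headers.items()}
    hdrs["x-amz-date"] = amz_date
    hdrs["x-amz-content-sha256"] = payload_hash
    signed_names = sorted(hdrs)
    canonical = canonical_request(method, path, query, hdrs, signed_names, payload_hash)
    sig = signature(secret, date_stamp, region, service, string_to_sign(amz_date, scope, canonical))
    # Step 4: the signature travels in the Authorization header.
    hdrs["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                             f"SignedHeaders={';'.join(signed_names)}, Signature={sig}")
    return hdrs


def verify_request(secrets, region, service, method, path, query, headers, payload):
    # Gateway side: recompute the signature and compare in constant time.
    # Returns "ok" or the reason for rejection.
    hdrs = {k.lower(): v for k, v in headers.items()}
    auth = hdrs.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return "malformed"
    try:
        fields = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
        access_key, scope = fields["Credential"].split("/", 1)
        date_stamp, scope_region, scope_service, terminator = scope.split("/")
        signed_names = fields["SignedHeaders"].split(";")
        provided = fields["Signature"]
    except (KeyError, ValueError):
        return "malformed"
    secret = secrets.get(access_key)
    if secret is None:
        return "unknown-key"
    if (scope_region, scope_service, terminator) != (region, service, "aws4_request"):
        return "bad-scope"
    if "x-amz-date" not in signed_names or any(n not in hdrs for n in signed_names):
        return "bad-headers"
    if not hdrs["x-amz-date"].startswith(date_stamp):
        return "bad-date"
    payload_hash = sha256_hex(payload)
    if hdrs.get("x-amz-content-sha256", payload_hash) != payload_hash:
        return "payload-mismatch"
    canonical = canonical_request(method, path, query, hdrs, signed_names, payload_hash)
    expected = signature(secret, date_stamp, region, service,
                         string_to_sign(hdrs["x-amz-date"], scope, canonical))
    return "ok" if hmac.compare_digest(expected, provided) else "signature-mismatch"


# Constructed scenario: the gateway's view of one customer IAM user, and one request.
SECRETS = {"AKIAEXAMPLEORG1": "EXAMPLESECRETKEYDONOTUSE"}
REGION, SERVICE = "ap-southeast-2", "execute-api"   # assumptions, see lead-in
REQUEST = dict(method="POST", path="/prod/stp", query={"payEvent": "2018-02-26"},
               headers={"Host": "stpgateway.aurion.com"}, payload=b'{"stp":"<payload>"}')


def demo():
    r = REQUEST
    signed = sign_request("AKIAEXAMPLEORG1", SECRETS["AKIAEXAMPLEORG1"], REGION, SERVICE, r["method"],
                          r["path"], r["query"], r["headers"], r["payload"], "20180226T093000Z")

    def check(headers=signed, payload=r["payload"], secrets=SECRETS):
        return verify_request(secrets, REGION, SERVICE, r["method"], r["path"], r["query"], headers, payload)

    last = signed["authorization"][-1]
    forged = dict(signed, authorization=signed["authorization"][:-1] + ("0" if last != "0" else "1"))
    return {"valid": check(), "tampered_payload": check(payload=b'{"stp":"altered"}'),
            "forged_signature": check(headers=forged), "unknown_key": check(secrets={})}
```

The secret never leaves the caller: the gateway only needs the derived signing key, which is why the key is bound to the date, region and service in the credential scope and a captured signature cannot be replayed against another day or service.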

In the case that Aurion receives an unexpected response from the ATO, an appropriate error message and associated log entry will be captured. The customer can use this information to troubleshoot, or notify the Aurion Support desk if required.

This web communication is encrypted in transit using 2048 bit RSA-256 SSL (HTTPS) encryption.

AWS (Amazon Web Service)

In order to ensure the security and integrity of the solution, all STP-related infrastructure will be deployed within its own AWS account, in complete isolation from other services that Aurion hosts on the AWS cloud platform.


Security Considerations

Access to the STP Production and STP Test accounts will only be granted to authorised Aurion Technical administrators and will be subject to security controls similar to those surrounding the impending Aurion Cloud Platform.

Accounts reside under different organisational units (OUs) so that service control policies (SCPs) can be attached to these OUs to enforce which services may be used on the accounts associated with the OU. For example, an SCP will be attached to Production_STP to allow only the AWS services that are required for the platform to function. From a security perspective this will help to ensure compliance and ensure that new services can't be deployed in specific accounts without the appropriate change management.


CloudFormation

CloudFormation provides a common language (YAML) that Aurion has used to describe and provision all the infrastructure resources for the ATO gateway component on the Amazon Web Services (AWS) platform. Using CloudFormation, a simple text file is used to model and provision, in an automated manner, all the resources needed for the Aurion ATO Gateway in the Sydney region for both Production and Test environments. This code is source controlled by the Aurion Software Development team, and serves as the single source of truth for the solution.


Security Considerations

To ensure the ease and integrity of the deployment, every component originally deployed by the CloudFormation template will continue to be maintained through the CloudFormation template, i.e. all updates to Aurion’s ATO Gateway will be codified using CloudFormation.

Additionally, only authorised Aurion Technical staff will have access to the AWS account in which the Aurion ATO Gateway services are deployed.

Lambda Function

AWS Lambda lets Aurion run code without provisioning or managing servers. With Lambda, code can be run for virtually any type of application or backend service, all with very little administration. Lambda functions deployed via CloudFormation form the business logic component of the transmission from Aurion to the ATO.

The ATO provides Java SDKs for AUSkeys and the VANguard Security Token Service, and Java has good support for the web service standards required to implement ebMS 3.0 AS4 messaging. This is why the Lambda functions were developed using Java (8).

Security Considerations

When the Lambda code is uploaded, it is stored in an S3 bucket within the account. Account permissions ensure that access is restricted to an IAM role dedicated to the Lambda function and to administrative AWS console users.

All objects (including the code base) stored within this bucket are encrypted at rest using Amazon’s AES-256 server-side encryption policies.


Included in this payload is the encoded AWS Access ID used to identify the user invoking the API on Aurion’s ATO gateway. This ensures the payload has originated from a valid source (i.e. an Aurion Core instance with a valid SEK).
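How the compressed, BASE64-encoded payload from the Aurion Core section can carry the Access ID, and how the gateway can check it, as an added example that is not Aurion Core or gateway code. The envelope layout, the access key ids and the Software IDs in the registry are all constructed for the example. The gateway-side checks are that the embedded key is one InHouse issued, that it is the same key that signed the request, that the Software ID belongs to that key, and that inflating the payload stays within a size limit so a malformed or oversized submission cannot exhaust the function's memory.

```python
import base64
import binascii
import json
import zlib

# Constructed registry of what InHouse issued: access key id -> STP Software ID.
REGISTRY = {"AKIAEXAMPLEORG1": "SW-ORG1-0001", "AKIAEXAMPLEORG2": "SW-ORG2-0001"}


def encode_payload(access_key_id, software_id, stp_body):
    """Client side: JSON envelope, zlib-compressed, then BASE64 text.
    The envelope layout is this example's assumption."""
    envelope = {"accessKeyId": access_key_id, "softwareId": software_id, "stp": stp_body}
    raw = json.dumps(envelope, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return base64.b64encode(zlib.compress(raw, 9)).decode("ascii")


def decode_payload(encoded, signer_access_key_id, registry, max_bytes=5_000_000):
    """Gateway side. Returns (stp_body, None) on success or (None, reason) on rejection.
    signer_access_key_id is the key from the verified SigV4 Credential field."""
    try:
        compressed = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None, "not valid base64"
    inflater = zlib.decompressobj()
    try:
        # Bounded inflate: a small compressed blob that expands without limit
        # is stopped at max_bytes instead of being fully expanded in memory.
        raw = inflater.decompress(compressed, max_bytes)
    except zlib.error:
        return None, "corrupt compressed data"
    if inflater.unconsumed_tail or not inflater.eof:
        return None, "decompressed payload exceeds limit or is truncated"
    try:
        envelope = json.loads(raw)
    except ValueError:
        return None, "envelope is not valid JSON"
    key = envelope.get("accessKeyId") if isinstance(envelope, dict) else None
    if key not in registry:
        return None, "unknown access key id"
    if key != signer_access_key_id:
        return None, "access key id does not match the request signer"
    if envelope.get("softwareId") != registry[key]:
        return None, "software id does not belong to this access key"
    return envelope.get("stp"), None


# Constructed oversized input for the size-limit check: 200 kB of zeros
# compresses to a few hundred bytes.
SAMPLE_OVERSIZED = base64.b64encode(zlib.compress(b"0" * 200_000)).decode("ascii")

if __name__ == "__main__":
    body = {"payEvent": "2018-02-26", "employees": 3}
    encoded = encode_payload("AKIAEXAMPLEORG1", "SW-ORG1-0001", body)
    print(decode_payload(encoded, "AKIAEXAMPLEORG1", REGISTRY))
    print(decode_payload(encoded, "AKIAEXAMPLEORG2", REGISTRY))
```

The point of the signer comparison is that the embedded Access ID alone proves nothing (it is not secret); it is the agreement between the ID inside the payload and the key that produced a valid SigV4 signature that ties the payload to a particular SEK holder.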

The IAM role creation script for the Lambda function will be run by the InHouse user creation process. A security policy is associated with the role in order to allow secure decryption of the AUSkey password tokens. The role also includes an IAM policy to allow the Lambda function to access the KMS key used to decrypt the AUSkey keystore passwords.
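An added example, not Aurion's CloudFormation or IAM policy, of the two policy layers described in this section and in the AWS security considerations: an allow-list SCP on the Production_STP OU, and the Lambda role's policy granting kms:Decrypt on the one key that protects the AUSkey keystore passwords. The evaluator is a simplified model of IAM's decision logic (an explicit deny wins, otherwise both the SCP and the identity policy must allow; conditions, NotAction and resource-based policies are not modelled). The account id, key ids, ARNs and the list of services in the SCP are assumptions, the last based on the services this document references.

```python
import fnmatch

ACCOUNT = "111122223333"   # placeholder account id
KEY_ARN = f"arn:aws:kms:ap-southeast-2:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
OTHER_KEY_ARN = f"arn:aws:kms:ap-southeast-2:{ACCOUNT}:key/11111111-1111-1111-1111-111111111111"
SAMPLE_LOG_ARN = f"arn:aws:logs:ap-southeast-2:{ACCOUNT}:log-group:/aws/lambda/stp-submit:log-stream:x"

# Allow-list SCP for the Production_STP OU (assumed service list). With only an
# Allow list attached, anything not listed is denied for every account in the OU;
# the Deny guards the keys the platform depends on from being disabled or deleted.
SCP_PRODUCTION_STP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["lambda:*", "apigateway:*", "execute-api:*", "s3:*", "kms:*", "logs:*",
                    "cloudformation:*", "route53:*", "cloudwatch:*", "cloudtrail:*", "iam:*"]},
        {"Effect": "Deny", "Resource": "*", "Action": ["kms:ScheduleKeyDeletion", "kms:DisableKey"]},
    ],
}

# Identity policy for the Lambda execution role: decrypt only with the one key,
# plus the CloudWatch Logs writes the function needs.
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:ap-southeast-2:{ACCOUNT}:log-group:/aws/lambda/*"},
    ],
}

# A looser variant of the role policy that the lint below should catch.
LOOSE_ROLE_POLICY = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_applies(stmt, action, resource):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]   # actions are case-insensitive
    return _matches(actions, action.lower()) and _matches(stmt.get("Resource", "*"), resource)


def evaluate(policies, action, resource):
    """Simplified evaluation over [SCP, identity policy]: an explicit Deny anywhere
    wins; otherwise every policy must contain an applicable Allow."""
    for policy in policies:
        allowed = False
        for stmt in _as_list(policy["Statement"]):
            if statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "explicit-deny"
                allowed = True
        if not allowed:
            return "implicit-deny"
    return "allow"


def lint_least_privilege(policy):
    """Flag Allow statements in an identity policy that are not scoped to a resource ARN."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", "*")):
            findings.append(f"statement {i}: {_as_list(stmt.get('Action'))} allowed on Resource '*'")
    return findings


if __name__ == "__main__":
    layers = [SCP_PRODUCTION_STP, LAMBDA_ROLE_POLICY]
    for action, resource in [("kms:Decrypt", KEY_ARN), ("kms:Decrypt", OTHER_KEY_ARN),
                             ("ec2:RunInstances", "*"), ("kms:ScheduleKeyDeletion", KEY_ARN)]:
        print(action, resource, "->", evaluate(layers, action, resource))
    print(lint_least_privilege(LOOSE_ROLE_POLICY))
```

The lint is the check worth running on whatever role policy the InHouse role-creation script emits: a kms:Decrypt grant with Resource "*" would let the function decrypt with any key in the account rather than the one AUSkey keystore key, so a finding should fail the deployment.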

References

Amazon Lambda Service: https://aws.amazon.com/lambda/

Amazon Route 53 DNS Service: https://aws.amazon.com/route53/

Amazon CloudFormation Service: https://aws.amazon.com/cloudformation/

Amazon S3 Service: https://aws.amazon.com/s3/

Amazon API Gateway Service: https://aws.amazon.com/apigateway/

Amazon CloudWatch Service: https://aws.amazon.com/cloudwatch/

Amazon Key Management Service: https://aws.amazon.com/kms/

Amazon CloudTrail Service: https://aws.amazon.com/cloudtrail/

ATO Standard Business Reporting Web Services Implementation Guide (WIG): http://www.sbr.gov.au/__data/assets/file/0019/45118/SBR-ebMS3-Web-Services-Implementation-Guide.docx

ATO Cloud Software Authentication & Authorisation: https://softwaredevelopers.ato.gov.au/sites/default/files/resource-attachments/CAA_SWD_info_kit.pdf