Special Security Issues
Prof. KS @2006
WB & ADB e-Procurement conference, 19th May 2006

Page 1

Creating Digital Trust for G-eP
Beyond PKI & Digital Signatures
ID Management, Standards & Certification and Assurance

Prof. K. Subramanian
DDG(NIC) & IT Adviser to CAG of India

Page 2

Cyberspace is Dynamic, Undefined and Exponential

Technology management, and the management of technologies in general and of security in particular, are critical issues of eGP governance.

Countries need dynamic laws that keep pace with technological advancements.

Page 3

e-Procurement Essentials: Enablers

• The spread of fast, reliable broadband Internet connectivity is a key factor in fuelling e-procurement / e-commerce initiatives
• The Internet has shrunk the cost of going into business, which is good for the SME sector
• A good, reliable, authenticated website is essential to reach customers worldwide
• Empowerment of both consumers and entrepreneurs
• With reliable, accurate and authentic information on products and services
• Push and pull technology working in a collaborative mode with multimodal delivery is a reality and an enabler

Page 4

e-Procurement Essentials: Security and Trust View Point

• Safety and security is the highest priority
• Creating trust and confidence is important; third-party certification and PKI / digital signatures may be one of the solutions
• Integration into enterprise workflow, ERP and EAI with proper identification, authorization and authentication within a VPN / enterprise network or the open Internet (an identity infrastructure and a network identity infrastructure are essential). A user-permission-based approach may be explored
• Security has implications for centralized and decentralized implementations

Page 5

e-Procurement Success: Technology Integration into the Work Process

• The most successful e-procurement projects are those where the e-procurement function becomes totally embedded in the business process and where the system is sufficiently flexible to accommodate the rapid changes in technology which are inevitable.

Page 6

Security concerns and desired controls framework

Each control answers one question:

• Identification: Can we find out who is trying to reach us?
• Authentication: Can we ensure that the users are who they pretend to be?
• Authorisation: Can we limit/control their actions?
• Confidentiality: Can we ensure that the privacy of sensitive information is maintained?
• Integrity: Can we ensure that the data has not been manipulated during or after the transmission?
• Auditability: Can we ensure the traceability of actions?
• Non-repudiation: Can we ensure that the sender and receiver are accountable/responsible for their actions?
• Error Correction: Can we correct the errors as soon as they are detected?
• Intrusion Detection: Can we detect any unauthorised access attempts?
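Worked example for the integrity and auditability rows of the framework above. This is an added illustration, not code from the presentation or any eGP system it describes: a tamper-evident audit log in which every record carries a MAC over its own content plus the MAC of the previous record, so that editing, deleting or reordering any tender event breaks the chain from that point on. The key, event names, tender number and bid amounts are all constructed for the demo. One caveat the slide title points at: a shared-key MAC gives integrity and traceability to whoever holds the key, but not non-repudiation, because any key holder could have produced the record; that row needs a signature under a key only the signer controls.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a deployment this lives in an HSM or key service,
# never in source code, and only the audit service may use it.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # prev_mac of the first record


def _canonical(body: dict) -> bytes:
    """Serialise deterministically so the same event always MACs the same."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list, actor: str, action: str, detail: dict) -> dict:
    """Append one event; its MAC also covers the previous record's MAC.

    seq preserves order (traceability), actor records who did it, prev_mac
    links the record to everything before it (integrity of the whole log).
    """
    prev_mac = log[-1]["mac"] if log else GENESIS
    body = {
        "seq": len(log),
        "actor": actor,
        "action": action,
        "detail": detail,
        "prev_mac": prev_mac,
    }
    mac = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, mac=mac)
    log.append(record)
    return record


def verify_chain(log: list) -> tuple:
    """Recompute every MAC in order.

    Returns (True, len(log)) if the chain is intact, otherwise (False, i) where
    i is the first record that fails: wrong sequence number, broken link to
    the previous record, or content that no longer matches its MAC.
    """
    prev_mac = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev_mac") != prev_mac:
            return False, i
        expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["mac"]):
            return False, i
        prev_mac = record["mac"]
    return True, len(log)


def demo_tender_log() -> dict:
    """Constructed e-procurement events, then an after-the-fact edit of a bid."""
    log = []
    append_event(log, "officer.a", "tender.publish", {"tender": "T-2006-017"})
    append_event(log, "supplier.x", "bid.submit", {"tender": "T-2006-017", "amount": 125000})
    append_event(log, "supplier.y", "bid.submit", {"tender": "T-2006-017", "amount": 131500})
    append_event(log, "officer.b", "tender.close", {"tender": "T-2006-017"})
    intact_before, _ = verify_chain(log)

    # An insider with write access to the store lowers supplier.x's bid.
    log[1]["detail"]["amount"] = 119000
    intact_after, first_bad = verify_chain(log)
    return {"intact_before": intact_before, "intact_after": intact_after, "first_bad": first_bad}


if __name__ == "__main__":
    print(demo_tender_log())
```

Deleting a record is caught the same way: the record that slides into its place carries the wrong sequence number and a prev_mac that no longer matches, so verification stops there rather than silently accepting the shortened log.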

Page 7

Main Concerns

Privacy, Safety & Security

Creating and maintaining trust

Page 8

e-Procurement: New Avenues

• Internet e-procurement has huge scalability and, subject to implementation and security details, opens up a huge global market for procurement, including procurement from completely new suppliers.

Page 9

Secure e-Procurement: TCO and ROI

• As a business process, implementing secure electronic purchasing can be a highly effective way of reducing transaction costs and improving process efficiency. And with the savings and cost benefits going straight to the bottom line, e-procurement can deliver a significant return on investment, although analysts are divided over how long this can take.

• Secure eGP systems must be applied to high-cost or high-volume purchases to become cost effective; the inference is that they are not applicable to all purchases unless centralization is possible.

Page 10

Typical Network Identity Infrastructure Today

• Figure 3. Typical Network Identity Infrastructure Today

Page 11

Basic Network Identity Services Functions

Page 12

Network ID Management Infrastructure & Control

Authentication of Appliances

• An intuitive GUI is accessible from web browsers. It provides a global management view of the network identity infrastructure from any location, based on that particular user's access permissions.
• There are no general user logins. For security reasons, only an administrator can configure an appliance using a web browser, communicating with the appliance over an encrypted session.

Page 13

Network ID Management Infrastructure & Control

Authentication of Appliances

• To populate the data store with each enterprise's user and policy information, tools are available to export data from existing servers and import it into specified authorized appliances.
• Network identity appliances come equipped with a rich set of standards-based reporting, logging, and advanced configuration and management features. Among them are SNMP support and web-based reporting functions.

Page 14

First Line of Defense: Issues. Firewall & VoIP Incompatibility

• To stop someone dumping a virus on your machine or defacing your homepage, it's essential to have some form of dedicated web server protection. But the use of firewalls, generally seen as the first line of defense in protecting data, has been interfering with the transmission of Voice over Internet Protocol (VoIP) calls.
• The key problem is an incompatibility between aspects of VoIP and firewall technology: VoIP signalling negotiates the media ports for each call dynamically and carries the endpoint addresses inside the payload, so a firewall or NAT device that inspects only packet headers either blocks the media stream or rewrites the addresses inconsistently unless it understands the VoIP protocol itself.

Page 15

Securing & Managing Interdependencies

• Infrastructure characteristics (organizational, operational, temporal, spatial)
• Environment (economic, legal/regulatory, technical, social/political)
• Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
• Type of failure (common cause, cascading, escalating)
• Types of interdependencies (physical, cyber, logical, geographic)
• State of operations (normal, stressed/disrupted, repair/restoration)

Page 16

Identity Management

Page 17

In a Virtual Space, Netizens Exist, Citizens Don't!

Page 18

Identity Management

• Identity management is not new, but has evolved from the days of a single password entry onto the network to a comprehensive set of processes and systems that make it easier for all users to access information in real time and in a much more secure manner.
• While ID management tends to center on the technical improvements in system security, the more important benefits are the opportunities gained by collaborating with vendors, suppliers, and customers across the supply chain.
• The real value of an ID management solution is that it ultimately enables this wide range of business enterprise.

Page 19

ID: Metrics Requirements

• Universality: Each person should have the characteristic.
• Distinctiveness: Any two persons should be different in terms of the characteristic.
• Permanence: The characteristic should be sufficiently invariant (with respect to the matching criterion) over a period of time.
• Collectibility: The characteristic should be quantitatively measurable.

Page 20

Four Ways to Become an Automated Identity-Focused Enterprise

1. Change Current Identity Concepts
2. Perform Automated User Provisioning Wisely
3. Integrate Automated Identity Management and User Provisioning
4. Control Identity Operations

Page 21

1. Change Current Identity Concepts

• Many business and IT leaders correlate identity with users; this is only part of the equation. The concept of identity must be expanded to include systems, servers, applications, data, and even transactions and events.
• As auditors analyze business processes, they'll see that all organizational components can be assigned identities that link corporate activities within the current IT infrastructure.
• With the use of an all-encompassing identity, the road to continuous access management and compliance with regulations becomes more attainable.
• Furthermore, with automated identity management tools, an organization is able to assign a permanent identity to every user, computer, server, and application, and thus monitor what employees can and can't access.

Page 22

2. Perform Automated User Provisioning Wisely

User provisioning, the process of assigning system resources and privileges to users, automates and streamlines the creation of user accounts and the assignment of user privileges, and provides account permission data. Incorporating automated user provisioning can not only help organizations comply with Sarbanes-Oxley, but also enhance their audit processes and monitoring of IT activities.

Page 23

3. Integrate Automated Identity Management and User Provisioning

• The ultimate goal of automation is to inject identity into every session a machine initiates, track its activities and transactions across an enterprise, and integrate this ability into the existing IT infrastructure.
• To integrate automated identity management and user provisioning successfully, organizations must first determine all users, assets, and applications in an identity-centric and consistent manner. This ensures user provisioning solutions are not compromised by unknown activity and are aligned with the broader IT environment.
• Only properly provisioned users and applications, based on corporate policy, should have the ability to communicate.
• Nevertheless, organizations must be able to control these interactions fully and provide a complete audit trail of these activities.
• The organization must also confirm that non-authorized users, such as employees who are no longer working for the organization, do not have access to IT resources, thus reducing the risk of invalid user actions.

Page 24

4. Control Identity Operations

• To help meet Sarbanes-Oxley regulations, many organizations have given a higher priority to producing log files and report data. The reality is that many organizations don't have the resources to process data logs, nor do they have the means to correlate information from disparate sources. Although newer security event management systems have improved, the fundamental problem of managing the data and automating its compilation still exists.
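Worked example covering both the provisioning check on page 23 (former employees must have no access) and the correlation problem on page 24 (joining information from disparate sources by identity). This is an added illustration, not code from the presentation or any product it mentions. It takes three constructed inputs, an HR roster, a provisioning export and authentication logs from two systems with different formats (syslog-style VPN lines and JSON-lines application events), normalises the logs to one shape, maps each account back to the human identity that owns it, and reports orphan accounts and successful access after an HR termination date. All names, addresses, timestamps and the assumed log year are made up for the demo.

```python
import json
import re
from datetime import datetime, timezone

# Constructed HR feed: the source of truth for who is still employed.
HR_ROSTER = {
    "rkumar": {"status": "active", "left": None},
    "asharma": {"status": "terminated", "left": "2006-04-30"},
    "pmehta": {"status": "active", "left": None},
}

# Constructed provisioning export: which accounts exist where, and who owns them.
PROVISIONED = [
    {"system": "eproc", "account": "rkumar", "owner": "rkumar", "role": "buyer"},
    {"system": "eproc", "account": "asharma", "owner": "asharma", "role": "approver"},
    {"system": "vpn", "account": "asharma", "owner": "asharma", "role": "remote"},
    {"system": "eproc", "account": "svc_report", "owner": "pmehta", "role": "reader"},
    {"system": "vpn", "account": "contractor7", "owner": "unknown", "role": "remote"},
]

# Constructed log lines from two sources with unrelated formats.
VPN_SYSLOG = """\
May 12 08:01:10 vpn1 sslvpn: user=rkumar src=203.0.113.5 result=success
May 12 22:14:03 vpn1 sslvpn: user=asharma src=198.51.100.77 result=success
May 13 09:30:41 vpn1 sslvpn: user=contractor7 src=198.51.100.9 result=failure
"""
EPROC_JSONL = """\
{"ts": "2006-05-12T08:03:30Z", "account": "rkumar", "event": "login", "ok": true}
{"ts": "2006-05-12T22:16:10Z", "account": "asharma", "event": "login", "ok": true}
{"ts": "2006-05-12T22:20:55Z", "account": "asharma", "event": "approve_bid", "ok": true}
"""

LOG_YEAR = 2006  # syslog lines carry no year; assumed for this constructed data
VPN_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sslvpn: user=(\S+) .*result=(\w+)")


def parse_vpn(text: str) -> list:
    """Normalise syslog-style VPN lines to (timestamp, system, account, success)."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # unrelated syslog traffic
        ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts.replace(tzinfo=timezone.utc), "vpn", m.group(2), m.group(3) == "success"))
    return events


def parse_eproc(text: str) -> list:
    """Normalise JSON-lines application events to the same tuple shape."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, "eproc", rec["account"], bool(rec["ok"])))
    return events


def find_orphan_accounts(roster: dict, provisioned: list) -> list:
    """Accounts whose owner is not an active employee: the deprovisioning gap."""
    orphans = []
    for p in provisioned:
        person = roster.get(p["owner"])
        if person is None or person["status"] != "active":
            orphans.append((p["system"], p["account"], p["owner"]))
    return orphans


def find_post_termination_access(roster: dict, provisioned: list, events: list) -> list:
    """Successful events, from any source, by an identity HR says has left.

    The join key is the human owner of the account, not the account name, so a
    VPN login and an application approval by the same person line up even though
    the two systems never talk to each other.
    """
    owners = {(p["system"], p["account"]): p["owner"] for p in provisioned}
    hits = []
    for ts, system, account, ok in sorted(events, key=lambda e: e[0]):
        if not ok:
            continue
        person = roster.get(owners.get((system, account), "unknown"))
        if person and person["status"] == "terminated":
            left = datetime.strptime(person["left"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            if ts > left:
                hits.append((ts.isoformat(), system, account, owners[(system, account)]))
    return hits


def run_demo() -> dict:
    events = parse_vpn(VPN_SYSLOG) + parse_eproc(EPROC_JSONL)
    return {
        "orphans": find_orphan_accounts(HR_ROSTER, PROVISIONED),
        "post_termination": find_post_termination_access(HR_ROSTER, PROVISIONED, events),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On this data the VPN account alone would look like a routine remote login; only the identity-level join shows that the same terminated person then approved a bid in the procurement application minutes later. The contractor7 account, with no owner in HR at all, is reported as an orphan even though its only login failed, because an unowned account is a provisioning defect regardless of whether it has been used yet.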

Page 25

Identification

• Why?
• For whom?
• When?
• How?

Page 26

Identification: Measures and Parameters of Personal Identity

• By name
  – Association with father's/mother's name
  – Association with family name
  – Association with surname
• By given details
  – Date of birth
  – Place of birth
  – Country of birth
  – Country of naturalization

Page 27

Biometric System Operates on

• Verification (1:1: does this sample match the template of the claimed identity?)
• Identification (1:N: which enrolled identity, if any, does this sample belong to?)
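Worked example for the two modes above and for the metric requirements on page 19. This is an added illustration, not code from the presentation: a toy matcher over constructed four-dimensional feature templates (real systems use far richer features, but the arithmetic here can be checked by hand). Verification compares one sample against one claimed template; identification searches all templates and must be able to answer "unknown" for someone never enrolled. The error-rate routine then quantifies the page 19 properties the way biometric evaluations do: distinctiveness shows up as the false accept rate (an impostor landing within the threshold of someone else's template), permanence as the false reject rate (a genuine user drifting outside it over time). All templates, samples, names and the threshold are made up.

```python
import math

# Constructed enrolment templates: one feature vector per person.
ENROLLED = {
    "alice": [0.10, 0.80, 0.30, 0.55],
    "bob": [0.90, 0.20, 0.70, 0.10],
    "carol": [0.40, 0.40, 0.95, 0.85],
}

# Constructed later captures. Each genuine sample drifts a little from its
# template; alice's third capture has drifted a lot (a permanence failure).
# mallory was never enrolled; her second capture happens to resemble alice.
SAMPLES = {
    "alice": [[0.12, 0.78, 0.33, 0.52], [0.09, 0.83, 0.28, 0.57], [0.25, 0.70, 0.42, 0.45]],
    "bob": [[0.88, 0.23, 0.69, 0.12], [0.93, 0.18, 0.72, 0.08]],
    "carol": [[0.42, 0.37, 0.96, 0.83], [0.38, 0.44, 0.92, 0.88]],
    "mallory": [[0.20, 0.70, 0.40, 0.50], [0.18, 0.72, 0.36, 0.50]],
}

THRESHOLD = 0.15  # largest distance still accepted as a match (assumed)


def distance(a: list, b: list) -> float:
    """Euclidean distance between two fixed-length templates (collectibility:
    the characteristic is a measurable vector, not a description)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(claimed_id: str, sample: list, enrolled=ENROLLED, threshold=THRESHOLD) -> bool:
    """1:1 check: is this sample close enough to the claimed identity's template?"""
    template = enrolled.get(claimed_id)
    if template is None:
        return False  # nobody enrolled under that name: universality gap, fail closed
    return distance(template, sample) <= threshold


def identify(sample: list, enrolled=ENROLLED, threshold=THRESHOLD):
    """1:N search: best-matching enrolled identity, or None if nobody is within
    the threshold. Open-set identification must be able to say "unknown"."""
    best_id, best_d = None, math.inf
    for pid, template in enrolled.items():
        d = distance(template, sample)
        if d < best_d:
            best_id, best_d = pid, d
    return best_id if best_d <= threshold else None


def error_rates(enrolled=ENROLLED, samples=SAMPLES, threshold=THRESHOLD) -> dict:
    """FRR (genuine users rejected) and FAR (impostors accepted) at the threshold.

    Every sample is tried against every template: a trial against the true
    owner's template is genuine, any other trial is an impostor attempt.
    """
    genuine_trials = genuine_rejects = 0
    impostor_trials = impostor_accepts = 0
    for true_id, sample_list in samples.items():
        for s in sample_list:
            for claimed in enrolled:
                matched = verify(claimed, s, enrolled, threshold)
                if claimed == true_id:
                    genuine_trials += 1
                    genuine_rejects += 0 if matched else 1
                else:
                    impostor_trials += 1
                    impostor_accepts += 1 if matched else 0
    return {"FRR": genuine_rejects / genuine_trials, "FAR": impostor_accepts / impostor_trials}


if __name__ == "__main__":
    print("verify alice/drifted:", verify("alice", SAMPLES["alice"][2]))
    print("identify mallory #2:", identify(SAMPLES["mallory"][1]))
    print(error_rates())
```

Raising the threshold would let alice's drifted capture through but also admit mallory's second one, and vice versa; the threshold is a trade-off between the two rates, which is why an enrolment policy (re-enrol on drift, rate-limit identification attempts) matters as much as the matcher.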

Page 28

Biometrics

Page 29

Biometric Unique Identifier

Page 30

Building and Sustaining Trust

• Building a trusted relationship with suppliers is critical before dealing with them over the Internet.
• Consumer comfort: 60 per cent said they preferred to deal with bricks-and-mortar companies rather than Internet-only traders.
• Concerns about security are paramount, even among those with significant experience of trading online with suppliers. Of the advanced users interviewed for the report, nine per cent said they had experienced security problems through e-procurement.

Source: PricewaterhouseCoopers survey report

Page 31

Security & Trust

• Security and trust are inseparable. "Across the supply chain, people are demanding more and more exchange of current, pertinent information and they want to have confidence in their trading partners."

Page 32

Definition of e-trust

Development of mutual confidence within complex electronic environments through each player's willingness to continuously demonstrate, to the other players' satisfaction, that the game is honest, open, following the rules and properly controlled.

Page 33

Conventional Information Security & e-trust

• Conventional security practices do not reveal the nature or extent of our security capabilities. To do so is considered an act of compromise.
• The network economy requires a series of external representations that will meet the expectations and support the confidence of all players.
• Demonstrability

Page 34

Trust and Security

• Reciprocity: appropriate protection for all
• Responsibility and liability
• Standardization of processes, interfaces and technologies

e-trust: Business Partners & Network Economy

• Can I trust the entities and infrastructures on which I depend?

• Can the organizations involved trust me?

• Together, can we trust our common infrastructure and processes?

Major Challenges and Issues

• Authentication of identity is the main issue. "People need to be satisfied about who they're dealing with.

• They need to know that their messages have not been intercepted or corrupted on the way,

• and, most importantly, that they are legally non-repudiable - meaning that the other party can't walk away from it in a court of law."

Security fears are well-founded

• with the study showing that remarkably few companies had implemented the latest technology to secure business transactions.

• Nearly two-thirds of companies said they rely solely on password protection when dealing with suppliers over the Internet.

PriceWaterhouseCoopers' report

Security Standards & Certification

National Cryptography Policy: a complex area with

• Scientific,
• Technical,
• Political,
• Social,
• Business and
• Economic dimensions

Importance of Group Standards: no one standard meets all requirements

ISO 27001/BS7799 vs COBIT vs CMM vs ITIL

Mission → Business Objectives → Business Risks → Applicable Risks → Internal Controls → Review

Compliance to Security Standards and Good Practices

Indian & International Standards

• IS 14356-1996: guide for Protection of Information Resources

• IS 14357-1996: guide for Practice for Information Security

• ISO-17799-1:2000: Code of practice for ISM; will replace IS 14356-1996

• ISO/IEC 15483: standards for TCSEC (IS 14990:1 2001)

• ISO/IEC 15408: standards for TCSEC (IS 14990:1 2001)

• New integrated, harmonized Indian standard on ISMS: IS 15150, Nov 2002

• ISO/IEC 21827: Information Technology - Systems Security Engineering - Capability Maturity Model (SSE-CMM)

• Information Technology - Systems Security Engineering - Capability Maturity Model with PCMM, July 2006

• BS 7799-1:1999: Code of Practice for Information Security Management

• BS 7799-2:1999: Specification for Information Security Management Systems

• BS 7799-1:2000: revised standard (Code of Practice for Information Security Management)

• BS 7799-2:2002, Sep 2002

• ISO 27001, Oct 2005

Business Assurance and Certification

9 Rules of Risk Management

• There is no return without risk
– Rewards go to those who take risks.

• Be transparent
– Risk is measured, and managed, by people, not mathematical models.

• Know what you don't know
– Question the assumptions you make.

• Communicate
– Risk should be discussed openly.

• Diversify
– Multiple risks will produce more consistent rewards.

• Show discipline
– A consistent and rigorous approach will beat a constantly changing strategy.

• Use common sense
– It is better to be approximately right than to be precisely wrong.

• Return is only half the question
– Decisions are to be made only by considering both the risk and the return of the possibilities.

RiskMetrics Group

Risk

• The lack of a trusted third party to guarantee online transactions is a key factor in companies' limited security.

• Unlike the stock exchange, which underwrites transactions between traders, most online marketplaces merely facilitate the transaction between two parties. They simply warn businesses that they trade at their own risk.

PKI & Trusted Third Party Certificate

• Many believe that confidence in online transactions would be dramatically increased by the use of public key infrastructure and encryption technologies to encrypt and seal messages.

• But while the use of digital certificate technology would certainly increase confidence, the problem is finding a trusted third party to issue such a certificate.

• Asked who would be suitable to guarantee the security of e-business transactions, most respondents to the public survey said they would rather rely on an accounting or telecoms firm than on the Government.

Enhancement to certification

• Certification alone cannot absolutely guarantee the trustworthiness of certificate holders or the organizations they represent.

• Creating a family of certificates to enhance the confidence level.

• Recognition of certification is not only based on knowledge, but also on one's identity.

Certification and Cost

• IT certifications "are a commendable thing to do for a variety of reasons." However, they "require a considerable investment, and the benefit must be weighed against other needs and priorities for scarce resources".

Comparison of Seals

WEB Certification

Product    | Cost          | Privacy of Data | Security of Data                        | Business Policies | Transaction Processing Integrity
BBB Online | Low           | No              | No                                      | Lightly covered   | No
TRUSTe     | Low           | Yes             | No                                      | No                | No
VeriSign   | Low to Medium | No              | Yes: data transmittal; No: data storage | No                | No
ICSA       | High          | Yes             | Yes                                     | Somewhat covered  | Lightly covered
WebTrust   | High          | Yes             | Yes                                     | Yes               | Yes

The need, and what to do

• Strong, demonstrable security and assurance processes, and the best practitioners to design, build and manage them.

• Ensuring at all times that practices, products and personnel can pass the closest scrutiny.

• Anticipate and keep pace with the security needs of the information marketplace.

• Protective measures, architecture, philosophy and best practices are as dynamic as the information processes they support.

• Ensure not just the currency of knowledge, but also anticipate new requirements and environments.

The need, and what to do (continued)

• Be ready to respond with new certification offerings, updated examinations, expanded knowledge bases, publications, training and communications.

• Generate global trust without compromise to trustworthiness.

Reliability of national/global critical infrastructure

• Measuring system risk and resiliency

• Understanding and managing interdependencies

• Overcoming barriers to technological change

• Selecting appropriate forms of infrastructure governance

• Developing efficient incentive structures

• Adopting an integrated systems perspective

Risk and Resiliency

• Economic consequences

• Non-economic consequences

• Environmental risk assessments

• Socio-community and individual risk perceptions

• The interface between technology and human behavior is an important subject for investigation.

• The use of detection/prevention technologies

• The ways in which deployment of technologies can complement or conflict with the values of privacy and civil liberty

• The factors that influence the trustworthiness of individuals in a position to compromise or thwart security

Conclusion

• Technology alone is not going to guarantee cyber and critical infrastructure reliability and security.

• Policies and approaches that recognize that critical national/global infrastructures are complex adaptive systems, with behaviors and responses that may not be well understood.

• A better grasp on how to measure infrastructure risk, and how better to create the governance and incentive systems—including the human factors—to improve reliability.

E-Procurement & Cyber Security - Final Message

"In security matters Past is no guarantee; Present is imperfect and Future is uncertain"

"Failure is not when we fall down, but when we fail to get up"

THANK YOU

For interaction: Prof. K. Subramanian

[email protected] (nic.in)

[email protected] (gmail.com)

[email protected] (yahoo.com)

Tele: 23239560