Security in e governance 1  ruchin kumar
 

  • Three main issues
    • Access control (user auth / accountability)
    • Data at rest: database / files / media / tapes (digital assets)
    • Data in transit: mail, c/s comm, fileserver access …
  • Risks outside / inside (trust – law-empowered preventive measures – post matter trail)
  • Preventive measures
    • Example (house etc. – risk management)
    • Physical world – Analogue – Digital world
  • Alternative to perimeter security approaches: final / ultimate line of defense (encryption by law)
    • Encrypt – access control – audit trail / monitoring
  • Why: manage risk
    • Security levels – cost – productivity – user friendliness
  • Different possibilities
    • Disk encryption – file encryption – Chinese walls
    • Privacy enhancing technology

Presentation Transcript

  • Security in eGovernance Ruchin Kumar Principal Solution Architect SafeNet Inc. [email_address]
  • Governance to eGovernance
    • Efficiency
      • From manual work processes, with bandwidth lost in finding files and the status of a particular work item, TO a central system that allows tracking the status of a work item without having to ask anyone
    • Visibility
      • From scattered information in files TO a consolidated dashboard that can be accessed from anywhere
    • Analytics
      • From missing information or delays in getting the information TO real-time analytics
  • Made Possible through implementation of IT for Workflow Automation
  • Governance – Security by Design
    • What can’t be found can’t be stolen or manipulated
      • Employees not sure where the file is
      • Strong rooms full of files that no one knows how to search for information
    • What can’t be found can’t be under threat
    • What can’t be accessed can’t be under threat
      • You can ask for your own file only
      • Even getting access to your own file is difficult enough, let alone getting access to someone else’s file
      • Making a general query (like “give me the list of all properties sold in the last 10 days”) is quite a challenge in a manual environment
  • Governance – Security in the hands of Individuals and not by Process
    • The very obstacles that give the documents their inherent security also equip individuals to completely or selectively erase the data/information
    • No audit trail of who might have seen a particular piece of information
  • eGovernance – Security Needs to be Designed
    • The very benefit of bringing data and information closer to one’s fingertips means that the information can be accessed
    • Something that is inter-connected will always be open to threats from internal as well as external sources
  • Use Case - Crime and Criminal Tracking Network And System
  • Vision
    • “To transform the police force into a knowledge-based force and improve the delivery of citizen centric services through enhancing the efficiency and effectiveness of the police stations by creating a platform for sharing crime and criminal information across the police stations in the country”
    • The overall objective of the MMP is based on enhancing the operational efficiency and effectiveness of the police force in delivering the services.
  • Objectives
    • Empowerment of Police Officers at all levels
    • Improve Service Delivery to the Public
    • Provide Enhanced Tools for Law & Order Maintenance, Investigation, Crime Prevention, & Traffic Management
    • Increase Operational Efficiency
    • Create a platform for sharing crime & criminal information across the country
    • Eliminating Drudgery from Police System
  • Data Elements Stored in the CCTNS system
    • Criminal Details
    • Lost or unauthorized property details
    • Passport Verification details
    • Ongoing cases details
    • Pictures, Biometric prints etc
    • Citizen information
    • Arms possession details
  • Integrated Financial Management System (IFMS) and Integrated Workflow and Document Management System (IWDMS): The Treasury Projects
  • Data Elements Stored in the Treasury System
    • Financial Data in terms of
      • Debt Management
      • Loan Management
      • Treasury Data
    • Pension Details (confidential for an individual)
    • Budgeting Details
    • Accounting Details
    • State Revenue Details
    • Revenue Disbursement Details
  • How should we protect sensitive information?
    • Access Control
      • Login name
      • Password
      • PIN
      • Digital Certificate
      • Biometrics
    • Data at Rest
      • Database
      • Files (Hard Disk, USB drive, Tape)
    • Data in Transit
      • Mail (+ attachment)
      • FTP
      • Other transfer (Internet, Phone network, Leased lines, Other networks)
  • Inspector General of Registration and Superintendent of Stamps (IGRS) Property Administration System (PAS) – An Example
  • Data Elements Stored in the IGRS system
    • Property Details
    • Scanned Copy of Registry
    • Buyer Details
    • Seller Details
    • Fingerprints
    • Picture
    • Signatures
  • Likely Misuse Scenario - 1
    • Query the system to show the Top 10 transactions by value in last 10-days
    • Does the information published on a website or any other public media lead to an uncomfortable situation for the parties involved?
    • Once done, does it facilitate someone with a criminal mindset to make demands on the parties involved?
  • Likely Misuse Scenario - 2
    • Query the system to show list of people with highest number of properties
    • Once done, does it facilitate someone with a criminal mindset to misuse the information?
    • Does the information published on a website or any other public media lead to an uncomfortable situation for the parties involved?
  • Likely Misuse Scenario - 3
    • Query the system for properties in the name of Senior Citizens
    • Once done, does it facilitate someone with a criminal mindset to misuse the info?
  • Likely Misuse Scenario - 4
    • Downloading copy of Registry document along with Photograph and owner details
    • Will that allow someone to try selling it by faking the documents?
  • Are those illegitimate Scenarios?
    • Far from being illegitimate, those are the very queries that the authorities will need to make
    • However, the same queries in the hands of an authorized person may lead to sensitive information in the wrong hands
  • IT Act of India
    • Section 43A
      • Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected
    • So What?
      • Financial Penalties to the Organization
      • Loss of Reputation for the Department
  • What Can be Done?
    • Understand the Security Aspects
      • Integrity of Data (No One shall be able to modify it)
      • Non-repudiation of Transaction (No one shall be able to deny the transaction)
      • Encryption of Data (Data shall be visible to only the ones who are authorized)
    • Identify the Sensitive Data Elements and corresponding Security Needs
      • Not every data element needs the same level of protection
      • Control the access to Data. Not every piece of data is needed by everyone
      • Control the Type of Queries that can be run by a particular role
      • Control the amount of information that can be fetched
    • Add the Security Aspects to bring “adequate” level of Security for the identified Data Elements
    • Add the Audit Trail
  • [Diagram: system modules and data centers]
    • Investigation Module – retrieve information on the crime, criminals, cases, witnesses etc. and help in getting the required analysis done
    • Unclaimed/Abandoned Property – enable police personnel to record and maintain unclaimed/abandoned property and match it with property in lost/stolen records
    • User Manager Module – user accounts are created for the various officers who are authorized to operate the system. Permissions for the user accounts are also defined and may be changed from time to time.
    • Synchronization Module – enables transmission of data to and from the DR Offices Servers and the Central Database Server
    • Data centers: Central Data Center, DR Data Center, State Data Center
    • Data Encryption, Granular Access, Audit/reporting and digital signing for data integrity
  • Thank You
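
The controls listed on the “What Can be Done?” slide (restrict the type of queries per role, cap the amount of information fetched, limit which data elements a role sees, add an audit trail), sketched as an added example that is not part of the original presentation. The role names, policy table, record layout and function names are all hypothetical, and the records are constructed sample data.

```python
import hashlib, json

# Constructed sample rows modelled on the IGRS data elements listed above.
REGISTRY = [{"id": i, "owner": f"Owner-{i}", "value": 100_000 * i,
             "fingerprint": f"fp-{i}"} for i in range(1, 21)]

# Hypothetical policy: allowed named queries, row cap and visible fields per role.
POLICY = {
    "sub_registrar": {"queries": {"by_id"}, "max_rows": 1,
                      "fields": {"id", "owner", "value", "fingerprint"}},
    "auditor": {"queries": {"by_id", "top_by_value"}, "max_rows": 5,
                "fields": {"id", "value"}},
}
QUERIES = {
    "by_id": lambda rows, arg: [r for r in rows if r["id"] == arg],
    "top_by_value": lambda rows, arg: sorted(rows, key=lambda r: -r["value"])[:arg],
}
AUDIT = []  # hash-chained trail: each entry commits to the one before it

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def _audit(user, role, query, arg, outcome, returned):
    entry = {"user": user, "role": role, "query": query, "arg": arg,
             "outcome": outcome, "rows": returned,
             "prev": AUDIT[-1]["hash"] if AUDIT else "0" * 64}
    entry["hash"] = _digest(entry)
    AUDIT.append(entry)

def run_query(user, role, query, arg):
    """Run a named query under the role's policy; every attempt is audited."""
    rule = POLICY.get(role)
    if rule is None or query not in rule["queries"]:
        _audit(user, role, query, arg, "denied", 0)
        raise PermissionError(f"{role} may not run {query}")
    rows = QUERIES[query](REGISTRY, arg)[:rule["max_rows"]]
    result = [{k: v for k, v in r.items() if k in rule["fields"]} for r in rows]
    _audit(user, role, query, arg, "allowed", len(result))
    return result

def audit_intact():
    """Recompute the chain; an altered or spliced-out entry breaks it."""
    prev = "0" * 64
    for e in AUDIT:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["hash"] != _digest(body):
            return False
        prev = e["hash"]
    return True
```

Denied attempts are logged as well as allowed ones, so the trail shows who tried to run a query their role does not permit. Detecting truncation of the newest entries would additionally need the latest hash stored somewhere outside the log.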