ARM 7: Securing e-Government of Thailand in Action
1. Securing E-Gov of Thailand in action
Kitisak Jirawannakool
E-Government Agency (Public Organization)
kitisak.jirawannakool@ega.or.th
2. About EGA
❖ First established in 1997 as Government Information Technology Services (GITS)
❖ ~ 200 staff
❖ Services
  ❖ Government Information Network (GIN)
  ❖ Government Cloud Services (G-Cloud)
  ❖ MailgoThai service
  ❖ Government Computer Emergency and Readiness Team (G-CERT)
❖ More details: http://www.ega.or.th
3. Smart Thailand 2014-2015
[Diagram labels]
❖ Smart Network; Smart Cloud; Cyber Security; TH e-GIF; ICT Academy
❖ GIN
❖ G-Cloud: G-SaaS, Mobile Application, e-CMS2.0, Saraban as a Service, Saraban standard
❖ Smart Citizen Info.: Gov. API, Smart Box
❖ Gov. Access Channel: e-Portal, Gov.App.Center, data.go.th
❖ Government Secure Monitoring
❖ ICT Training: e-GCEO, e-GEP, Technical Training
❖ Data Center Consolidation (77 Provinces)
❖ e-Service for e-Gov: MOI, MOE, MOPH, MOAG
5. E-Government services
[Diagram labels]
❖ 24x7 Helpdesk and Contact Center (EGA Contact Center)
❖ Other Government’s services
❖ Cloud Providers; Inter Cloud; SaaS, PaaS, IaaS
❖ Government Agencies; GIN
❖ Government Computer Emergency and Readiness Team (G-CERT): Risk Assessment, Incident Monitoring, Information Analysis, Response Team, Awareness Raising
6. Government Information Network (GIN)
❖ Government Information Network
[Diagram: Before and After. Labels: Gov. Orgs; User Network; GIN; Standard (GDX); Security (Encryption, CA); services NSW, GFMIS, GSMS, CABNET, Civil Registration, Common Service]
7. GIN
❖ More than 2,000 links (subscribers)
❖ For government only
❖ Intranet for all government organizations
❖ Add-on services
❖ Intranet system
❖ GIN Conferences
❖ Other services integration
❖ DNSSEC implementation
❖ IPv6 implementation
9. Government Cloud Service (G-Cloud)
❖ Focus on IaaS (initial phase)
❖ 214 systems are running on G-Cloud
❖ Serve Government, Collaborate with Partners, and Work with Communities
❖ Next move for G-Cloud
  ❖ Back office system - “e-Saraban” (PaaS/SaaS)
  ❖ Government Application Center (SaaS)
11. Security on G-Cloud
❖ Firewall (high-speed firewall/application firewall)
❖ SSL-VPN for Cloud Management
❖ Two-factor authentication
❖ Vulnerability Assessment and Penetration Testing
❖ ISO/IEC 27001:2005 implementation
❖ Security monitoring
❖ Security training courses for customers
12. G-CERT’s Roadmap
[Roadmap diagram: G-CERT. Labels: Education (Training and Awareness Raising); Policy and Standard; Media Relations (PR and content producer); Start in 2014, Start in 2015, Start in 2016]
13. G-CERT’s constituencies
❖ EGA Internal
❖ EGA’s customers
  ❖ G-Cloud
  ❖ GIN
  ❖ other services
❖ Critical Infrastructures
❖ Other Government
14. Services
❖ Incident Response
❖ Government Security Monitoring
❖ IT Security Awareness Raising
❖ Quarterly Training
❖ Annual Conference
❖ Incident Drill
❖ Risk and Vulnerability Assessment
❖ IT Security Consultants
15. Our Concept
❖ Public - help the government
❖ Private - by working with vendors
❖ Partnership - collaborate with other IT communities
16. Other IT security related activities
❖ Cloud Security Alliance Thailand Chapter - CSA
❖ Open Web Application Security Project Thailand Chapter - OWASP
17. Cloud Security Activities in Thailand
❖ Cloud Security Alliance (CSA) Thailand Chapter
❖ Cloud Security Audit for providers
❖ Building cloud security experts (Certificate of Cloud Security Knowledge - CCSK)
❖ ASEAN CSA and OWASP Summit
❖ Many areas (Security, Providers, Education, Governance, Audit, Licensing, crisis, etc.)
❖ Cloud R&D
❖ Cloud Control Matrix (for security auditing)
❖ Cloud Security Guideline for operators
❖ Cloud Interoperation (Integrating Cloud Infrastructure)
❖ Securing Cloud infrastructure and Application
20. OWASP Thailand’s working concepts
❖ PPP - Public, Private, and Partnership
❖ Public
  ❖ Contribute guidance on how to secure web apps for government organizations
❖ Private
  ❖ Collaborate with SIPA and SW Park
  ❖ Guide the software houses to do secure coding
❖ Partnership
  ❖ Working with other IT and security communities in Thailand
21. OWASP Thailand Chapter
❖ Arrange monthly meetings
❖ Prepare many courses for web app security
  ❖ Web Application Security
  ❖ Web application testing
  ❖ Secure coding
❖ Translate some documents into Thai
  ❖ OWASP Top 10 2013
❖ Organize annual event: 2014 OWASP ASIA TOUR
22. Conclusion
❖ Even though we contribute a lot to security, it is still not enough
❖ Lack of experts is one of the biggest problems
❖ Collaboration is the key factor
❖ Looking for new collaborations
Source : http://www.openpages.com/blog/index.php/2010-grc-wish-list-collaborate