Security in e governance 2 ruchin kumar


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Security in e governance 2 ruchin kumar

  1. 1. Security in eGovernanceRuchin KumarPrincipal Solution ArchitectSafeNet © SafeNet Confidential and Proprietary
  2. 2. Governance to eGovernance > Visibility From scattered information on files TO a consolidated dashboard that can be accessed from anywhere > Efficiency From manual work processes with lost bandwidth in finding the files as well as status of a particular work item TO a central system that allows for tracking of work status of a particular item without having to ask anyone > Analytics From missing information to delays in getting the information TO real time analytics© SafeNet Confidential and Proprietary 2
  3. 3. Made Possible through implementation of IT for Workflow Automation© SafeNet Confidential and Proprietary 3
  4. 4. Governance – Security by Design What can’t be found can’t stolen or manipulated Employees not sure where the file is Strong rooms full of files that no one knows how to search the information for> What can’t be accessed can’t be under threat You can ask for your own file only Even getting access to your own file is difficult enough let alone having to get access to someone else’ file > What can’t be found can’t be under threat Making a general query (like give me the list of all properties sold in last 10-days) is quite a challenge in a manual environment© SafeNet Confidential and Proprietary 4
  5. 5. Governance – Security in the hands of Individuals and not by Process The very obstacles that lead to inherent security of various documents also equip them to completely or selectively erase the data/information > No Audit Trail on who might have seen a particular piece of information© SafeNet Confidential and Proprietary 5
  6. 6. eGovernance – Security Needs to be Designed The very benefit of bringing the data and information closer to one’s finger tips means that the information can be accessed Something that is inter-connected will always be open to threats from internal as well as external sources© SafeNet Confidential and Proprietary 6
  7. 7. Use Case - Crime and Criminal Tracking Network And System© SafeNet Confidential and Proprietary 7
  8. 8. Vision “To transform the police force into a knowledge-based force and improve the delivery of citizen centric services through enhancing the efficiency and effectiveness of the police stations by creating a platform for sharing crime and criminal information across the police stations in the country” The overall objective of the MMP is based on enhancing the operational efficiency and effectiveness of the police force in delivering the services.© SafeNet Confidential and Proprietary 8
  9. 9. Objectives  Empowerment of Police Officers at all level.  Improve Service Delivery to the Public  Provide Enhanced Tools for Law & Order Maintenance, Investigation, Crime Prevention, & Traffic Management  Increase Operational Efficiency  Create a platform for sharing crime & criminal information across the country  Eliminating Drudgery from Police System© SafeNet Confidential and Proprietary 9
  10. 10. Data Elements Stored in the CCTNS system Criminal Details Lost or unauthorized property details Passport Verification details Ongoing cases details Pictures, Biometric prints etc Citizen information Arms possession details© SafeNet Confidential and Proprietary 10
  11. 11. User Manager Module - User accounts are created for various officers who are authorized to operate the system. Permissions for various user accounts createdData are also defined which may beEncryption, Granular changed from time to time.Access, Audit/reporting and digital signing Investigation Module –for data intigrity retrieve information of the crime, criminals, cases, witnesses etc. and help in getting the required Central Data analysis done Center State Data Center Unclaimed/Abondon property – enable the police personal to record and maintain unclaimed/abandoned property and Synchronization Module - match unclaimed/ abandoned enables transmission of the data property with property in lost/stolen to and from DR Offices records Servers & also the Central Database Server. Data Encryption, Granular Access, Audit/reporti DR Data Encryption, ng and digital signing Granular Access, for data integrity Data Center Audit/reporting and digital signing for data integrity © SafeNet Confidential and Proprietary 11
  12. 12. Integrated Financial Management System (IFMS) and Integrated Workflow and Document Management System (IWDMS) ……….The Treasury Projects© SafeNet Confidential and Proprietary 12
  13. 13. Data Elements Stored in the Treasury System Financial Data in terms of Debt Management Loan Management Treasury Data Pension Details (confidential for an individual) Budgeting Details Accounting Details State Revenue Details Revenue Disbursement Details© SafeNet Confidential and Proprietary 13
  14. 14. How should we protect sensitive Information ?? Access Control Login name Password PIN Digital Certificate Biometrics Data in Transit Mail (+ attachment)Data at Rest FTPDatabase Other transferFiles (Internet(Hard Disk Phone networkUSB drive Leased linesTape) Other networks) © SafeNet Confidential and Proprietary 14
  15. 15. Inspector General of Registration and Superintendent of Stamps (IGRS) Property Administration System (PAS) – An Example© SafeNet Confidential and Proprietary 15
  16. 16. Data Elements Stored in the IGRS system Property Details Scanned Copy of Registry Buyer Details Seller Details Fingerprints Picture Signatures© SafeNet Confidential and Proprietary 16
  17. 17. Likely Misuse Scenario - 1 Query the system to show the Top 10 transactions by value in last 10-days > Once done, does it facilitate someone with criminal mindset to make demands on the parties involved? > Does the information published on a Website or any other public media lead to uncomfortable situation for the parties involved?© SafeNet Confidential and Proprietary 17
  18. 18. Likely Misuse Scenario - 2 Query the system to show list of people with highest number of properties > Once done, does it facilitate someone with criminal mindset to misuse the information. > Does the information published on a Website or any other public media lead to uncomfortable situation for the parties involved?© SafeNet Confidential and Proprietary 18
  19. 19. Likely Misuse Scenario - 3 Query the system for properties in the name of Senior Citizens Once done, does it facilitate someone with criminal mindset to misuse the info?© SafeNet Confidential and Proprietary 19
  20. 20. Likely misuse scenario - 4 Downloading copy of Registry document along with Photograph and owner details Will that allow someone to try selling it by faking the documents?© SafeNet Confidential and Proprietary 20
  21. 21. Are those illegitimate Scenarios? Far from being illegitimate, those are the very queries that the authorities will need to make However, the same queries in the hands of an authorized person may lead to sensitive information in the wrong hands© SafeNet Confidential and Proprietary 21
  22. 22. IT Act of India Section 43A Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person to affected So What? Financial Penalties to the Organization Loss of Reputation for the Department© SafeNet Confidential and Proprietary 22
  23. 23. What Can be Done? Understand the Security Aspects Integrity of Data (No One shall be able to modify it) Non-repudiation of Transaction (No one shall be able to deny the transaction) Encryption of Data (Data shall be visible to only the ones who are authorized) Identify the Sensitive Data Elements and corresponding Security Needs Not every data elements need same level of protection Control the access to Data. Not every piece of data is needed by everyone Control the Type of Queries that can be run by a particular role Control the amount of information that can be fetched Add the Security Aspects to bring “adequate” level of Security for the identified Data Elements Add the Audit Trail© SafeNet Confidential and Proprietary 23
  24. 24. Thank You© SafeNet Confidential and Proprietary 24