
Interoperability Framework xRoad Demonstration

Interoperability Framework xRoad Demonstration. Arne Ansper, Aleksander Reitsakas. Topics: architectural background, explanation of demo setup, demonstration. xRoad goal: a system that allows effortless access to the data in state registries.


Presentation Transcript


  1. Interoperability Framework xRoad Demonstration Arne Ansper Aleksander Reitsakas

  2. Topics • Architectural background • Explanation of demo setup • Demonstration

  3. xRoad Goal • System that... • allows effortless access to the data in state registries • without compromising the security of the data and • with minimal impact to the existing systems

  4. xRoad Vision • National middleware that would provide unified access to all governmental databases • Using web services as underlying technology • Design is driven by security considerations

  5. Agency X Agency B Public data Private data Agency A Agency C

  6. Security Requirements • All applications require authenticity, integrity and assurance that it is possible to prove to a third party the origin of data received over xRoad • xRoad will be used by time-critical applications, such as performing checks at the border, so availability is next in the list of priorities • And finally, confidentiality is required in most cases

  7. Infrastructure

  8. Infrastructure

  9. Infrastructure

  10. xRoad Central Agency Directory Time-stamping Certification Agency A Portal Security Server Agency C Agency B Security Server Adapter Server Registry Information System Security Server

  11. Central Agency • Running the central services • Monitoring the whole system • Enforcing the policies of the xRoad • Appointing the new organizations to the system • Providing support to joined organizations

  12. Central Services • Certification authority • Directory service • Time-stamping service • Monitoring service - detecting security breaches, collecting the statistics • Web-based portal for citizens and smaller organizations - access to services in a simple and centralized way

  13. Technology: Evidentiary Value • All outgoing messages are signed. Signing keys are certified by the xRoad central agency • All incoming messages are logged and time-stamped. The xRoad central agency provides the time-stamping service • The message receiver can later prove, with the help of the xRoad central agency, when and by whom the message was sent.

  14. Technology: Availability • Distributed system, with a minimal number of central services: time-stamping and secure directory • Directory service uses Secure DNS (DNSSEC). The well-proven DNS protocol and implementation provide a robust, scalable directory service with built-in caching and redundancy. Security extensions ensure that the data cannot be tampered with • Time-stamping is used in a way that makes it non-time critical

  15. Technology: Availability • Local caching DNS server ensures the availability of directory information during network outage • Protocol supports redundant servers and load sharing • Mechanisms against DoS attacks. Critical resources (i.e. CPU time, file handles) are shared between different clients in a fair manner

  16. Technology: Confidentiality • Exchanged data is often not public or has some special access rules that must be followed • SSL protocol is used against external attackers • Two level access rights control mechanism is used against internal attackers: • Inter-organizational level • Intra-organizational level

  17. Technology: Access Control • xRoad core deals only with inter-organizational access control, where access is granted to the organization as a whole • The organization must ensure that only the right people can use this service, by using whatever technical means it sees appropriate • This obligation is enforced by a service provisioning contract between the organizations

  18. Technology: Two Level Access Control • Two level access control isolates the details of organizational authentication and access control mechanisms • The impact to the existing systems was minimized • Balanced use of technical and organizational security measures

  19. Technology: Deployment • Self-contained standardized monofunctional server: • Common PC hardware • Free software • GNU/Debian Linux based • Automated installer for Linux and xRoad • Minimal GUI • Built-in patching system • Cheap and easy to install and run • At the same time - secure

  20. Service Providers • Must implement conforming web-services • Adapter server • Simple shim for existing information systems • Provides web-services by using the existing API • Information system can implement conforming web-services directly

  21. Service Consumers • Ideally xRoad services are consumed by the agency's integrated information system • Enforcement of security policies, authentication and access control of the end-users is done by the existing information system • Maximum effectiveness - the presence of xRoad is hidden from the users • xRoad Portal - quick and simple way to start using xRoad

  22. xRoad Officials Portal • Provides access to "raw" xRoad services • Automatic generation of user interfaces based on the service description • User management, role based access control • Supports multiple organizations (ASP mode) • Supports multiple authentication mechanisms (ID-card, banks)

  23. xRoad Citizens Portal • Provides services to all citizens • Services that are applicable to all citizens • Everybody can see the data about themselves • In addition, citizens can see who has looked at their personal data in registries. This helps to avoid the type of misuse where "curious" officials look at personal data

  24. Demo setup

  25. Demonstration • During the project different governmental agencies and their data exchanges have been analyzed • As a result a small xRoad based demo is created that simulates the data exchange between different agencies • Emphasis on the user view

  26. Agencies • General Directorate of Customs • General Directorate of Transport Services • Business Registry • Data exchanges • Customs needs to check trader data when a new trader lodges a declaration • Before a new car is registered, the registry checks the status of import taxes with Customs

  27. Technical Implementation • Three security servers - one for each agency • One portal for simulating the access to services • Two servers to simulate the data sources (Customs and Business Registry) • Central servers in Estonia • Simulated ID-card for end-user authentication

  28. Customs Businessregistry Portal

  29. Demonstration

  30. Process Lodge document Validate document Accept document

  31. Manual document validation Browser Portal Security server Document Official xRoad Security server Adapter server Registry

  32. Manual document validation Security server Document xRoad Security server Adapter server Registry

  33. Automatic document validation Information system Security server Electronic document xRoad Security server Adapter server Registry

  34. Thank you!
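
Added example, not part of the original presentation or of the xRoad code: one way a receiver could log incoming signed messages (slide 13) so that time-stamping stays non-time-critical (slide 14). It assumes a hash-chained log whose head is stamped in the background; the chaining, the names `MessageLog`, `tsa_stamp`, `tsa_verify`, the constructed key, and HMAC standing in for the time-stamping service's signature are all assumptions. Sender signatures are stored as opaque strings and not verified here.

```python
import hashlib, hmac, json

TSA_KEY = b"constructed-demo-key"   # constructed; stands in for the service's signing key
ZERO = "0" * 64                     # chain value before the first entry

def tsa_stamp(digest, now):
    """Simulated time-stamping service: binds a digest to a time (HMAC as stand-in)."""
    mac = hmac.new(TSA_KEY, f"{digest}|{now}".encode(), hashlib.sha256).hexdigest()
    return {"digest": digest, "time": now, "mac": mac}

def tsa_verify(token):
    msg = f"{token['digest']}|{token['time']}".encode()
    expect = hmac.new(TSA_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, token["mac"])

class MessageLog:
    """Receiver-side log of (sender, body, signature) linked into a hash chain."""
    def __init__(self):
        self.entries = []   # logged immediately, no call to the central service
        self.stamps = {}    # index of last covered entry -> time-stamp token

    def head_hash(self, upto):
        """Fold entries 0..upto into one digest; each step covers the previous one."""
        h = ZERO
        for sender, body, signature in self.entries[:upto + 1]:
            h = hashlib.sha256(json.dumps([h, sender, body, signature]).encode()).hexdigest()
        return h

    def append(self, sender, body, signature):
        self.entries.append((sender, body, signature))

    def stamp_head(self, now):
        """Background task: one token covers every entry logged so far."""
        if self.entries:
            head = len(self.entries) - 1
            self.stamps[head] = tsa_stamp(self.head_hash(head), now)

    def proven_time(self, index):
        """Time by which entry `index` provably existed, or None if unstamped or altered."""
        for head in sorted(h for h in self.stamps if h >= index):
            token = self.stamps[head]
            if tsa_verify(token) and hmac.compare_digest(self.head_hash(head), token["digest"]):
                return token["time"]
        return None
```

Because a token covers the whole chain up to its head, messages can be accepted and logged while the time-stamping service is unreachable, and any later change to a covered entry makes `proven_time` return `None`.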
