Intra-ASEAN Secure Transactions Framework. Pitinan Kooarmornpatana Director of IT Infrastructure Office of ETDA Jun 2015

Transcription

1 Intra-ASEAN Secure Transactions Framework Pitinan Kooarmornpatana Director of IT Infrastructure Office of ETDA Jun 2015

2 Background What is Intra-ASEAN Secure Transactions Framework? Funded Project by ASEAN ICT Part of the ASEAN ICT Masterplan 2015 Initiative 2.4 Building Trust and promote secure transaction within ASEAN Objective 1. Provide guideline, technology-neutral framework, and legal consistency in secure transaction approaches across ASEAN member states 2. Increase trust and promote secure and efficient electronic transactions through proper selection of e-authentication mechanism 3. Initiate sharing of online identity and authentication across crossborder systems

3 1. Guideline for technical-neutral framework Legal Framework for secure transaction is almost ready A Little reminder: Legal is the supporting framework, but Business Framework or Existing Flow is the main actor.

4 2. Increase trust by proper e-authentication Methodology for selecting the proper e-authentication mechanism 1. Assurance Levels and Risk Assessments ISO/IEC 29115:2013 OMB M NeAF 2. Identity Proofing and Verification ISO/IEC 29115: Authentication Mechanism NIST Special Publication

5 2.1 Level of Assurance and Mechanisms 1. Assurance Levels and Risk Assessments Source: ISO/IEC 29115: Identity Proofing and Verification 3.Authentication Mechanism

6 3. Initiating Shared Online Identity National Contact Information System User Mapping Level of Assurance User can Register And Upgrade Info Level of DP Assurance by providing more information (Authoritative User can of manage who Corroborative(service ) provider) to share what information with Out In Control Accessibilit y Based on LoA Smart form will distribute data to related agency Communication via to separate security domain GOV.A GOV.B GOV.C Response from sending back to requester s Inbox

7 3. Initiating Shared Online Identity Mapping with the Framework NCIS Key Feature: Perform online identity regular ch

8 Pilot Project B2G e-filing for exporter AS IS Request for business registration certificate Req. Ministry of Commerce Cert. Business registration certificate Submit to NSW Exporter Request Form1 Cert. Government Agency1 staff E Permit1 Review Request and the corroborative document NSW e Custom

9 Pilot Project B2G e-filing for exporter To be Request for business registration certificate Exporter NCIS (Authen.) Req. Request Form1 Cert. Cert. Ministry of Commerce Business registration certificate Government Agency1 staff E Permit1 Review Request and the corroborative document Response form in data schema format - Signed by PKI certificate of authorized government staff (Secured Message) - Sharing Information Submit to NSWover https (Secured Channel) NSW e Custom

10 Finding: We also care the function of that identity It s not only I know to know he is Mr. John But we also wants to know what Mr. John can do Request for business registration certificate Req. Cert. Ministry of Commerce School - Signed by PKI certificate of authorized government staff (Secured Message) - Sharing Information over https (Secured Channel) Exporter NCIS (Authen.) Financial Institute Professional Association

11 How PKI can help complete the jigsaw Maintain the liability chain Keep integrity of data Non repudiation Not only human to server but also server to server

12 Recommendations ASEAN should adopts the risk-based approach to define the Level of Assurance requied for each application ASEAN should define identity proofing and verification for each LoA based on ISO29115:2013 Credential management should include the corroborative information and Authoritative information

13 Key Points Legal is there to support the business process Authentication Framework should consider the functional information from other entities PKI plays the big role to make the trusted ecosystem in Thailand