GovernmentOnline Gatekeeper The Government s Public Key Infrastructure

Similar documents
PAA PKI Mutual Recognition Framework. Copyright PAA, All Rights Reserved 1

CHAPTER 13 ELECTRONIC COMMERCE

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

Séminaire sur la Certification Electronique

Electronic Signature Policy

Singapore s National Digital Identity (NDI):

Development of smart authentication and identification in Asia

FiXs - Federated and Secure Identity Management in Operation

RESPONSE TO 2016 DEFENCE WHITE PAPER APRIL 2016

Getting to Grips with Public Key Infrastructure (PKI)

The nature of the PAC MLA and its Benefits to Business

ASD CERTIFICATION REPORT

esign - Evolving Opportunities and Applications C E N T R E F O R D E V ELOPMENT O F A D VANCED C O MPUTING N O V E M B E R 1 5,

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

CERTIFICATE POLICY CIGNA PKI Certificates

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

Security Secure Information Sharing

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

An Overview of ISO/IEC family of Information Security Management System Standards

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

M&A Cyber Security Due Diligence

Frequently Asked Questions

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

NDSU Lunchbytes. "Are They Really Who They Say They Are?" Digital or Electronic Signature Information. Rick Johnson, Theresa Semmens, Lorna Olsen

eid Applications Cross Border Authentication

Conformity Assessment Schemes and Interoperability Testing (1) Keith Mainwaring ITU Telecommunication Standardization Bureau (TSB) Consultant

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Elders Estates Privacy Notice

Enabling a World-Class National ICT Sector

Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016

Recommendations for Small and Medium Enterprises. Event Date Location

Information Security Data Classification Procedure

Security Management Models And Practices Feb 5, 2008

Gatekeeper Public Key Infrastructure Framework. Information Security Registered Assessors Program Guide

FIS Global Partners with Asigra To Provide Financial Services Clients with Enhanced Secure Data Protection that Meets Compliance Mandates

US Federal PKI Bridge. Ram Banerjee VP Vertical Markets

An Introduction to the ISO Security Standards

U.S. Japan Internet Economy Industry Forum Joint Statement October 2013 Keidanren The American Chamber of Commerce in Japan

e-sign and TimeStamping

Development Authority of the North Country Governance Policies

NWQ Capital Management Pty Ltd. Privacy Policy. March 2017 v2

Digital Health Cyber Security Centre

Information Security Policy

The Role of SANAS in Support of South African Regulatory Objectives. Mr. Mpho Phaloane South African National Accreditation System

ELTA GROUP ASIA PACIFIC (EGAP) COMPANIES

Security and Architecture SUZANNE GRAHAM

THE TRUSTED NETWORK POWERING GLOBAL SUPPLY CHAINS AND THEIR COMMUNITIES APPROVED EDUCATION PROVIDER INFORMATION PACK

SAC PA Security Frameworks - FISMA and NIST

how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical.

Information Security Strategy

CHAPTER 19 DIGITAL TRADE. a covered investment as defined in 1.4 (General Definitions);

SAINT PETERSBURG DECLARATION Building Confidence and Security in the Use of ICT to Promote Economic Growth and Prosperity

Information Bulletin

DECISION OF THE EUROPEAN CENTRAL BANK

Building an Assurance Foundation for 21 st Century Information Systems and Networks

The International Laboratory Accreditation Cooperation (ILAC) & The International Accreditation Forum (IAF)

TEL2813/IS2820 Security Management

Protecting your data. EY s approach to data privacy and information security

Electronic and digital signatures in Adobe Sign for government.

Helping Meet the OMB Directive

Choosing a Secure Cloud Service Provider

APPROVED BY: Next Review Date: 31 March QCTO CERT 002/18 QCTO Certification Policy Page 2 of 14

Defining IT Security Requirements for Federal Systems and Networks

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

20/09/2013. Global Privacy and Data Protection: Practical Risk Assessment and Governance. Topics

QCTO CERT 002/15 QCTO Certification Policy Page 2 of 14

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Understanding how MRA works and realizing the benefits for both Customs and Trade

TERMS OF USE FOR THE NATIONAL LIVESTOCK IDENTIFICATION SYSTEM DATABASE

This qualification has been reviewed. The last date to meet the requirements is 31 December 2018.

Telecommunications Equipment Certification Scheme FEBRUARY 2017

E-Business. Level 6 L Module Descriptor

Stakeholder feedback form

Security Takes Center Stage

KIN GROUP PTY LTD PRIVACY POLICY

Trust Services for Electronic Transactions

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

FPKIPA CPWG Antecedent, In-Person Task Group

Securing Europe's Information Society

H2020-LEIT-ICT WP European Data Infrastructure ICT-13 Supporting the emergence of data markets and the data economy

NZQA registered unit standard 8086 version 7 Page 1 of 5. Demonstrate knowledge required for quality auditing

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

GDPR is coming in less than 2 months Are you ready?

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

in a National Service Delivery Model 3 rd Annual Privacy, Access and Security Congress October 4, 2012

SOC 3 for Security and Availability

Issues in Assessing Commercial Certification Service Trust

2017/SOM3/DIA/007 Digital Trade Building Blocks

IDENTITY ASSURANCE PRINCIPLES

International Accreditation Forum, Inc. User Advisory Committee UAC

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

The Role of DEST: Opportunities and Responsibilities for Research Data

Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates

Policy & Procedure Privacy Policy

21 CFR PART 11 FREQUENTLY ASKED QUESTIONS (FAQS)

KISH REMARKS APEC CBPR NOV 1 CYBER CONFERENCE KEIO Page 1 of 5 Revised 11/10/2016

Registration and Authentication

Data Security Standards

EU data security and privacy trends

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

Transcription:

Gatekeeper The Government s Public Key Infrastructure Peter Anderson General Manager GPKI Branch Office for Government Online 30 June 2000

Why? Consumer and business demand Over 6 million users (Nov 99) 1.8 million households connected to the Internet 800,000 users purchased or ordered goods over the Internet Business connections 87% of large sized firms 82% of medium sized firms 48% of small sized firms 2

Strategic priorities Agencies to take full advantage of the opportunities the Internet provides Ensure the enablers are in place Authentication, privacy and security are recognised enablers Enhance services in regional Australia Enhance IT&T industry development impact of initiatives 3

Strategic priorities (cont.) Government business operations to go online Monitor best practice and progress Facilitate cross-agency services Customer focused channels Communicate with stakeholders 4

What s the role of the Office for Government Online To consult and work with Commonwealth agencies To support and assist agencies deliver To facilitate responses to inhibitors and impediments To facilitate partnerships for solutions 5

Where does Gatekeeper fit in? Authentication, privacy and security are among the set of enablers that need to be in place to support Public Key Infrastructure (PKI) technology is a robust solution for authentication, privacy and security for online communications and transactions Gatekeeper is the Commonwealth government s PKI strategy 6

What is PKI Public Key Infrastructure (PKI) is a set of applicable laws, policies, standards, systems and security services that enable the use of public key cryptography and digital certificates across a distributed network (such as the Internet or intranets) The use of a PKI enables organisations and individuals to authenticate and protect their electronic communications and business transactions 7

Public Key Cryptography Public key cryptography uses two electronic keys: a public key and a private key. The public key can be known by anyone while the private key is kept secret by its owner. As long as there is strong binding between the owner and the owner s public key, the identity of the origin of a message or transaction can be traced to the owner of the private key. 8

Digital certificates Digital certificates are electronic tokens that are used to bind the user s identification with the user s public key in a trusted bond These certificates contain information such as the user s name and the associated public key and the identity of the certification authority (CA) that issued the certificate The certification authority certifies the user s identity and association with the user s public key 9

Digital signatures What is a digital signature? A process which can be used to attach to an electronic message a digital code that is unique to the "signer" of the message. A digital signature results from the use of a "Private Key" to "sign" a message. The recipient of the electronic message can use the signer's "Public Key" to verify whether or not the digital signature is valid, and whether the message has been altered since it was signed. -------BEGIN SIGNATURE------ IQB1AwUBMVSiA5QYCuMfgN YjAQFAKgL/ZkBfbeNEsbthba4 BlrcnjaqbcKgNv+ a5kr4537y8rcd+rhm75yyh5x xa1ojelwnhhb7cltrp2v7llona elws4s87ux80c LBtBcN6AACf11qymC2h+Rb2j 5SU+rmXWru+=QFMx ------END SIGNATURE------ 10

PKI - the business case The Internet is an inherently open system. Its strengths are built around this openness, cheapness and ease of access. This openness is also a source of major threat to users of the Internet. The open nature of the system makes it relatively easy for web sites and Internet communications to be compromised. This leads to reduced user confidence and minimise the benefits that could be obtained from the use of the Internet. PKI can play an important role in providing needed security services including authentication, nonrepudiation, confidentiality and integrity. 11

Background 1989 Commonwealth Privacy Act, 1998 1992 Australia adopts OECD Guidelines for the security of information systems 1996 Standards Australia SAA MP75 Report Strategies for the Implementation of a Public Key Authentication Framework (PKAF) in Australia 1997 Investing for Growth, the Government s online agenda 1997 OGIT initiates Project Gatekeeper 12

Gatekeeper - A Strategy for public key technology use in Government - May 1998 Aims of the strategy To establish a rational voluntary mechanism for the implementation of PKT by government agencies To facilitate interoperability and allow users to choose from a panel of service providers whose products and methods of delivery have been evaluated and accredited to meet prescribed government standards for integrity and trust To provide an operational mechanism to manage the Commonwealth s activities and interests in the area of PKT 13

Gatekeeper policy development GPKI Branch Manage the Gatekeeper Strategy and accreditation process Advise Government agencies on the use of PKT Research into legal, operational and technical issues and consult with stakeholders GPKA The authority established to advise on policy and standards and to over-sight the accreditation of service providers 14

GPKA composition Members Office for Government Online (Chair) Attorney-General s ATO Australian Procurement and Construction Council Business Entry Point Centrelink DSD HIC NOIE Observers Australian Information Industries Association Australian Electrical and Electronics Manufacturers Association Privacy advocate 15

GPKA functions Develops policy for GPKI Issues and revokes accreditation Monitors and adjusts standards as required Monitors standards compliance Point of contact for GPKI 16

Gatekeeper policy framework September 1998 Dept Prime Minister and Cabinet mandated: Commonwealth agencies acquiring new encryption capability can purchase only from the DSD Evaluated Products List (EPL) July 1999 Cabinet decided: Any future authentication certificates issued by Commonwealth agencies to business and individuals must be Gatekeeper compliant 17

Gatekeeper privacy and security Commonwealth Privacy Act 1988 Eleven Information Privacy Principles Protective Security Manual Government policy on information and physical security and risk assessment ACSI-33 Security guidelines for Government IT systems ACSI-37 Security requirements for Government IT systems at the Highly protected classification 18

Gatekeeper accreditation A rigorous accreditation process ensures that transactions using digital certificate and public key technology from Gatekeeper accredited Certification and Registration Authorities provides a high level of trust to both agencies and users Accreditation by the GPKA confers a recognised trusted status to companies supplying CA services to the Commonwealth 19

Gatekeeper accreditation Privacy considerations Legal and liability position of the Commonwealth Security policy and planning Physical security Technology evaluation Certification Authority administration Certification Authority policy Personnel vetting Contracts Preferred supplier GPKA Head agreement 20

Gatekeeper accreditation Australian Taxation Office Granted full Gatekeeper accreditation on 16 June 2000 Certificates Australia Pty Ltd (CAPL) A division of Baltimore Granted entry-level accreditation on 24 May 1999 esign Australian partner of VeriSign Granted entry-level accreditation on 31 March 2000 Note: Entry level accreditation allows organisations to issue Gatekeeper Type 1 Grade 1 certificates that are for use in circumstances involving non-sensitive information and no financial risk 21

Gatekeeper accreditations in progress or planned SecureGate Secure Network Solutions KPMG KeyPost Globesmart Adacel Telstra etax CPA Australian Health network KNX (Asia Pacific) Pty Ltd Health Insurance Commission Maddock, Lonie and Chisholm 22

Agencies implementing PKI Australian Taxation Office A New Tax System (GST) 200,000 plus certificates to businesses Health Insurance Commission Location certificate Health Care Provider certificate Australian Customs Secure e-mail Customs clearance online Austrade Export Market Development Grants Scheme Electronic Lodgment of Grant Claims (e-lodge) 23

Gatekeeper futures Gatekeeper 2 A review of the original Gatekeeper report to encompass developments in standards, policies and practices since its release Based on wide consultation Gatekeeper Accreditation Certificate To be issued to Gatekeeper accredited CA s Will facilitate interoperability and cross recognition CA s will maintain unique certificate policies To be recognised internationally 24

Gatekeeper futures Cross-recognition Singapore Hong Kong USA Canada APEC initiative Gatekeeper - a Commonwealth, State and Territories PKI strategy A working party is being established to look at potential for a national approach to PKI 25

ABN-DSC An ABN based digital signature certificate A mechanism to foster B2G and B2B e- Commerce A common digital certificate profile and core certificate policy To be issued by any Gatekeeper accredited CA To be used by Commonwealth agencies to identify businesses online 26

Gatekeeper and the ABN-DSC GATEKEEPER compliant certificates issued by Government agencies GATEKEEPER compliant certificates Issued by private sector CA s ABN-DSC Certificates ATO Certificates 27

Online resources http://www.govonline.gov.au http://www.gatekeeper.gov.au Gatekeeper: a strategy for public key technology use in the Government Accreditation criteria Background and FAQs 28

Gatekeeper contacts Accreditation Doug Conn Phone: (02) 6271-1531 E-mail: doug.conn@ogo.gov.au Strategy and Planning Glen Nicolson Phone: (02) 6271-1530 E-mail: glenton.nicolson@ogo.gov.au Legal and Regulatory Ian Booth Phone: (02) 6271-1230 E-mail: ian.booth@ogo.gov.au Implementation Udo Rockmann Phone: (02) 6271-1519 E-mail: udo.rockmann@ogo.gov.au 29

Questions 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback