Conference on Strategy for Electronic Government Procurement Security

1
Conference on Strategy for Electronic Government
Procurement: Security and Authentication
  • 11th March 2005
  • K. Bikshapathi
  • Project Manager, eProcurement
  • Government of Andhra Pradesh

2
eProcurement in GoAP
  • Overview
  • Security and authentication
  • Lessons learnt

3
Overview
  • GoAP embarked on e-governance initiatives in 2001
  • eProcurement identified as a core initiative
  • First among governments in India
  • High-level steering committee constituted
  • PwC engaged as consultant
  • 5 departments selected for the pilot
  • Key GoAP officials trained as CIOs
  • PPP model selected
  • Private partner to bear all costs upfront
  • Recovers costs through hosting and transaction
    charges
  • Government departments to transact exclusively on this
    platform for 3 years

4
Overview (contd.)
  • GoAP decided to build a Government-led exchange
  • Private partner selected through competitive bidding
  • URS and SRS (user and software requirements
    specifications) prepared with active involvement of
    CIOs and stakeholders
  • Series of workshops with stakeholders to freeze the
    To-Be process
  • Security and authentication issues came to the
    forefront in workshops and training sessions
  • Pilot launched in Jan 2003 and successfully
    implemented
  • Rolled out to all departments for procurement value
    above Rs 10 lakh (about US$ 22,000)

5
Present status
  • 9 departments with distributed procurement entities
    across the state, 5 public sector units and 14
    municipalities are using the platform
  • Transaction volumes have crossed Rs 15,000 Cr / US$ 3
    billion
  • 2,500 transactions completed
  • 2,424 transactions in progress
  • Highest single transaction value Rs 855 Cr / US$ 190
    million
  • Lowest single transaction value Rs 65,000 / US$ 1,450

6
Benefits
  • eProcurement implementation has secured demonstrable
    and significant benefits for all stakeholders
  • Benefits to Government
  • Reformist outlook, efficient governance
  • Transparency, clean system, drastic reduction in
    adverse press reports
  • Benefits to suppliers
  • Empowerment of suppliers
  • Remote submission of bids
  • No more dependency on departments
  • Quicker results
  • Benefits to departments
  • Discount bids (24) by suppliers due to anonymity,
    even in single-bid tenders
  • Reduced tender process time
  • Lower NIT publication costs

7
Security and Authentication
  • Issues concerning suppliers
  • Is my bid submitted to the correct URL?
  • Is my bid submission confidential?
  • Is my bid submitted before the closing date?
  • Can anyone see and alter my bid?
  • Can anyone detach uploaded documents?
  • What if the department, a favoured bidder and the
    system administrator collude?

8
Issues concerning departments
  • Is the tender data secure with the private party?
  • Is the information flow secured over the internet?
  • Is this the bid of an authorised supplier?
  • Is the information stored correctly in the database?
  • Can a supplier submit bids after the official bid
    closing time has lapsed?
  • Can anyone tamper with the server time?
  • What if a supplier backtracks on his bid?
  • Are these eProcurement transactions legal?
  • What if the administrator and an unscrupulous bidder
    collude?
  • Can the audit trails of administrator logs be
    tampered with?
  • Can the tender data be revisited for inspection by
    Vigilance and the Accountant General?

9
Strategy
  • Use technology to address the concerns of
    stakeholders
  • Sustenance of the system depends on demonstrating
    security and authenticity
  • Security objectives of eProcurement:
  • Privacy: prevents unwanted disclosure of information
  • Authenticity: the recipient can ascertain the origin
    of information
  • Non-repudiation: the bidder cannot deny having
    submitted the bid
  • Data integrity: not modified in transit or in the
    database
  • Sound security policy for eProcurement
  • Legal framework in place through the IT Act 2000
  • Change management strategy to focus on security in
    eProcurement

10
Security policy
  • Secure hosting facility
  • Web security
  • Two-factor authentication with digital signatures
  • Bid encryption
  • Audit trail of each activity
  • Good backup policy
  • Security audit by an independent third party
  • Digital notarization and time stamping
  • Access control systems

11
Physical Security at Data Center
  • Physical access control with three level security
    checks
  • Biometric based smart cards
  • Closed circuit TV
  • Fire fighting facility
  • Complete protection to servers

12
Web Security
  • Secure Sockets Layer (SSL)
  • SSL secures data packets in transit over the internet
  • 128-bit encryption of data
  • Snooping in transit prevented
  • The web server's digital certificate authenticates
    ownership of the URL
  • Firewalls filter unwanted traffic
  • Protect services from DoS attacks, malicious attacks
    and worms

14
Web Security (contd.)
  • Intrusion detection system
  • All packets are inspected for intrusion activity and
    malicious packets are dropped before reaching the
    server
  • OS patches kept up to date
  • Anti-virus in real-time protection mode
  • The application scans all uploads for viruses at the
    client end
  • All I/O and uploads are scanned in real time
  • Cleans viruses or quarantines infected files
  • Updates signatures automatically

15
Two-factor authentication
  • Password authentication is weak and does not provide
    non-repudiation
  • Digital certificate authentication for secure login to
    the system
  • Digital certificates
  • Issued by a CA licensed by the Controller of Certifying
    Authorities (CCA), India
  • The CA establishes the trust chain
  • Class 2 certificates are issued after validating the
    applicant against a documented database
  • Certificate keys are generated in pairs: one is made
    public, the other is kept private
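The certificate login described on this slide, as an added example in Go (not code from the presentation or the GoAP platform): it builds a hypothetical chain root CA -> licensed CA -> Class 2 bidder certificate with the standard library's crypto/x509, has the server verify the bidder's certificate against the root it trusts, and has the bidder prove possession of the private key by signing a server-chosen nonce. The CA names, validity periods, RSA-2048 keys and RSA-PSS/SHA-256 signatures are assumptions, since the slide names none of them, and the example covers only the certificate factor, not the password.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCert issues a certificate for cn. With parent == nil it is self-signed
// (the root); otherwise the parent's key signs it, extending the trust chain.
func NewCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // key size: assumption
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // validity: assumption
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// TrustStore is what the server trusts: the root and the licensed CAs under it.
type TrustStore struct{ roots, inters *x509.CertPool }

func NewTrustStore(root *x509.Certificate, licensedCAs ...*x509.Certificate) *TrustStore {
	ts := &TrustStore{roots: x509.NewCertPool(), inters: x509.NewCertPool()}
	ts.roots.AddCert(root)
	for _, ca := range licensedCAs {
		ts.inters.AddCert(ca)
	}
	return ts
}

// SignChallenge (bidder side) proves possession of the certificate's private key.
func SignChallenge(nonce []byte, key *rsa.PrivateKey) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, d[:], nil)
}

// AuthenticateLogin checks the chain to the trusted root, then the nonce signature.
func (ts *TrustStore) AuthenticateLogin(cert *x509.Certificate, nonce, sig []byte) (string, error) {
	opts := x509.VerifyOptions{
		Roots:         ts.roots,
		Intermediates: ts.inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unsupported key type %T", cert.PublicKey)
	}
	d := sha256.Sum256(nonce)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil); err != nil {
		return "", fmt.Errorf("challenge signature invalid: private key not held")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	root, rootKey, _ := NewCert("CCA Root (hypothetical)", true, nil, nil)
	ca, caKey, _ := NewCert("Licensed CA (hypothetical)", true, root, rootKey)
	bidder, bidderKey, _ := NewCert("Supplier 0042", false, ca, caKey)
	ts := NewTrustStore(root, ca)
	nonce := []byte("constructed-server-nonce-8f3a") // a real server draws this from crypto/rand per login
	sig, _ := SignChallenge(nonce, bidderKey)
	fmt.Println(ts.AuthenticateLogin(bidder, nonce, sig))
	rogue, rogueKey, _ := NewCert("Unlicensed CA", true, nil, nil) // not under the trusted root
	fake, fakeKey, _ := NewCert("Supplier 0042", false, rogue, rogueKey)
	sig, _ = SignChallenge(nonce, fakeKey)
	fmt.Println(ts.AuthenticateLogin(fake, nonce, sig))
}
```

The order of the two checks matters: the chain is verified before the signature, so a correct signature from a key whose certificate was issued by a CA outside the trusted root (the rogue case in main) is refused as an unknown authority rather than accepted on the strength of the signature alone. The nonce has to be fresh for every login, otherwise a captured signature can be replayed.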

20
Bid encryption: asymmetric (public key) cryptographic
method
  • The tender inviting authority (TIA) publishes its
    public key at the time of the NIT (notice inviting
    tender)
  • The bidder signs the bid with his digital certificate
    at the time of bid submission
  • The bid data is encrypted with a random key; the random
    key is encrypted with the public key of the TIA and
    stored in the database
  • At the time of bid opening the TIA decrypts the random
    key with his private key, and this random key decrypts
    the bid data

21
Issues in PKI
  • Issue of Class 2 digital certificates by a CA is not
    instantaneous; processing time is 2 to 3 days
  • New bidders trying to bid at the last minute may miss
    bidding
  • CAs like to hold proprietary control over integrating
    PKI with eProcurement applications
  • Cross-certification
  • Transfers of procurement entities in large
    organisations with distributed procurement

22
Lessons
  • PKI is a complete solution to address security and
    authentication issues
  • PKI is not mere technology but a collaborative system:
  • Security policy
  • Security infrastructure
  • Application enablement
  • Service availability
  • Stakeholder involvement
  • Dedicated help desk support
  • Additional security measures, viz. time stamping and
    access control software, add to the cost
  • Third-party security audit and certification of the
    system prior to launch helps

23
Thank You