1
The Secure Channel Project
  • December 2004
  • Brent Simmons

2
Briefing Agenda
  • The Secure Channel Project
  • SCNet
  • Authentication Services
  • Service Broker Capabilities
  • Customer Implementation Team
  • Future Enhancements and Common Services

3
The Secure Channel Project
The Secure Channel is a common infrastructure
that enables Canadians to conduct secure and
private electronic transactions with federal
departments.
[Diagram; labels recovered from the transcript: GoC
employees, citizens and businesses reach Federal
Departments, Provincial Ministries, Municipal
Departments, Non-Profit Agencies and Private Sector
Organizations for information and transactions
through the Secure Channel and its PKI; access
options are Internet, telephone, kiosk and over the
counter.]
  • Responding to
  • Individuals
  • Businesses
  • Trusted Partners
  • Community Needs

Channel properties: access, security, authorization,
authentication, privacy, inter-communication, data
integrity, non-repudiation, intelligent brokering
4
The Secure Channel Project
  • What it is: development and provision of common
    infrastructure services to support Government
    On-Line objectives
  • Services in place: common network, directory,
    brokerage, authentication, payment and security
  • Next services: privilege management, enterprise
    application integration, Web services exchange,
    e-forms and work flow, etc.
  • Authentication Services represent the biggest
    challenge, effort and investment to date

5
What is Secure Channel?
  • External Services: enable federal departments and
    agencies to provide on-line services to
    Canadians, including
  • Secure Channel Network (SCNet)
  • Common Registration Services (CRS)
  • Receiver General Buy Button (RGBB)
  • Internal Services: enable services for GoC public
    servants and trusted partners, including
  • Secure Applications and Key Management Services
    (SAKMS)
  • e-portal service
  • directory and white pages services such as the
    Government Electronic Directory Services (GEDS)
    and Federated Infrastructure National Directory
    Service (FINDS)

6
Secure Channel Services: Key Enablers for GoC
Service Delivery Imperatives
Safeguarding privacy, building trust, enhancing
service delivery
7
SCNet - Service Capabilities
  • Coast-to-coast advanced Internet Protocol (IP)
    network
  • Availability of service on demand: three
    performance levels tied to traffic priority
  • Fully Protected B (internal to the GoC)
  • Managed Security Services available to all
    Departments (firewalls, URL filtering, etc.)
  • Gigabit Ethernet access speeds (1,000 Mbps).

All departments and agencies are now on-line: 58
points of presence across Canada
8
Secure Channel Value Proposition at a Glance
  • Citizen/Business
  • Meets citizen expectations for client-centric
    service delivery, security and privacy.
  • Significant reductions in business processing
    costs (especially small and medium business)
  • Department/Agency
  • Enables improved service delivery anywhere,
    anytime, on-line
  • Shared infrastructure insulates departments from
    technology changes
  • Supports interoperability with other departmental
    programs
  • Reduced risk of security and privacy breaches
  • Enables compliance with government-wide security
    and privacy policies and guidelines
  • Government of Canada-wide
  • Supports GOL and Shared Services strategies
  • Supports objective of making the Internet the
    GoC's primary delivery channel
  • Enables consistent, cross-departmental,
    cross-jurisdictional service delivery (single
    sign-on, client-centric delivery)
  • Allows government to operate as an integrated
    enterprise

9
Strong Authentication and Full Encryption
Becoming Essential
  • Increasing harmonization of GoC services and data
    exchange across departmental and jurisdictional
    boundaries makes data more vulnerable.
  • Strong authentication is a necessity to:
  • Limit departmental liability by reducing
    potential security breaches
  • Provide Canadians the reassurance needed
  • Comply with legislative requirements
  • 92% of departments consulted in 2003 expressed a
    requirement for strong authentication, i.e., at
    least one of their programs will require epass.

10
Client Identity and Privacy: Meaningless unique
identifiers are key
  • Client never identified inside the channel
  • Identity known only at department program level
  • A misappropriated certificate only contains a
    Meaningless But Unique Number (MBUN) identifier
  • Cannot be tied to an individual without access to
    a GoC program; the MBUN limits what a compromised
    credential discloses, not what its private key
    could still be used for at a program that has
    mapped that MBUN
  • Certificate represents a repeatable identity
  • medium assurance
  • allows signing and encryption
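The model on this slide can be made concrete. The following Go program is an added example written for this page; it is not epass, TruePass or Secure Channel code. A CA signs a credential that contains only a random MBUN and a public key, the channel verifies a challenge-response login and learns nothing but the MBUN, and a department program resolves that MBUN through its own enrolment table (the department-side "map MBUN to Program ID" step). Ed25519, the credential byte layout, the challenge and the program/client identifiers are assumptions for illustration; the certificate format of the real service is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential is the minimal content of an epass-style certificate as the slide
// describes it: a public key bound to a Meaningless But Unique Number (MBUN)
// by the CA's signature. Assumption: nothing else (no name, no program data).
type Credential struct {
	MBUN   string
	PubKey ed25519.PublicKey
	CASig  []byte
}

// tbs is the byte string the CA signs: a fixed label, the MBUN and the key.
func (c Credential) tbs() []byte {
	return append([]byte("mbun-credential-v1|"+c.MBUN+"|"), c.PubKey...)
}

// NewMBUN draws 16 random bytes; the number carries nothing about the holder.
func NewMBUN() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Issue is the CA side of enrolment: it signs (MBUN, public key) and nothing else.
func Issue(caPriv ed25519.PrivateKey, mbun string, pub ed25519.PublicKey) Credential {
	c := Credential{MBUN: mbun, PubKey: pub}
	c.CASig = ed25519.Sign(caPriv, c.tbs())
	return c
}

// Login is the client's authentication message: the credential plus a
// signature over a server-chosen challenge, proving possession of the key.
type Login struct {
	Cred      Credential
	Challenge []byte
	Sig       []byte
}

// Authenticate is the browser-side crypto operation (TruePass's role in the real deployment).
func Authenticate(priv ed25519.PrivateKey, cred Credential, challenge []byte) Login {
	return Login{Cred: cred, Challenge: challenge, Sig: ed25519.Sign(priv, challenge)}
}

// VerifyLogin is the channel-side check: CA signature, challenge match and
// key possession. It returns only the MBUN; the channel never learns who that is.
func VerifyLogin(caPub ed25519.PublicKey, challenge []byte, l Login) (string, error) {
	if !ed25519.Verify(caPub, l.Cred.tbs(), l.Cred.CASig) {
		return "", errors.New("credential was not issued by the trusted CA")
	}
	if !bytes.Equal(l.Challenge, challenge) {
		return "", errors.New("challenge does not match the one issued (replay?)")
	}
	if !ed25519.Verify(l.Cred.PubKey, l.Challenge, l.Sig) {
		return "", errors.New("signature does not prove possession of the credential key")
	}
	return l.Cred.MBUN, nil
}

// Program is one departmental program: the only place an MBUN is tied to a
// person, through a table the department fills at program enrolment.
type Program struct {
	Name    string
	clients map[string]string // MBUN -> program-level client identifier
}

func NewProgram(name string) *Program { return &Program{Name: name, clients: map[string]string{}} }

// Enrol records the link after the department has proven identity by its own
// process (ID-proving pages, out-of-band PIN); the channel is not involved.
func (p *Program) Enrol(mbun, clientID string) { p.clients[mbun] = clientID }

// Resolve turns an authenticated MBUN into the program's client record, if any.
func (p *Program) Resolve(mbun string) (string, bool) {
	id, ok := p.clients[mbun]
	return id, ok
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	mbun, _ := NewMBUN()
	cred := Issue(caPriv, mbun, userPub)
	challenge := []byte("constructed-challenge-0123456789") // random per login in practice
	seen, err := VerifyLogin(caPub, challenge, Authenticate(userPriv, cred, challenge))
	fmt.Println("channel sees only:", seen, err)
	oas := NewProgram("Old Age Security")
	oas.Enrol(mbun, "OAS-client-00042") // constructed identifier
	fmt.Println(oas.Resolve(seen))
	fmt.Println(NewProgram("Census").Resolve(seen)) // unenrolled program learns nothing
}
```

The point worth noticing is where the identity lives: `VerifyLogin` has no access to any `Program`, and a program that never enrolled the MBUN gets nothing back from `Resolve`. The challenge check is what stops a captured `Login` from being replayed; the key-possession check is what makes a copied certificate alone useless.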

11
Why SSL passwords are limited
  • Soft authentication in use today.
  • Though SSL encrypts the pipe between browser and
    server, the data is in the clear beyond these
    points (e.g. at the application server): SSL
    protects one hop, not the transaction end-to-end
  • Passwords are easy to compromise (password
    cracking and central store attacks are
    increasing)
  • SSL password cannot provide other security
    capabilities, e.g. digital signing
  • Does not meet high-level GoC security and
    privacy requirements; leaves trust and
    compliance issues open
  • The Secure Channel Advantage
  • Why PKI makes sense:
  • PKI (Public Key Infrastructure): transactions
    protected end-to-end, with two-way encryption of
    data between Client and Application
  • epass uses strong authentication and shared
    secrets with the department application
  • Offers other security capabilities such as
    digital signing, enabling non-repudiation
  • Scalable to meet demand with zero department
    footprint
  • CSE-accredited, respects GoC legislation on
    privacy
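To show the difference between hop-by-hop SSL and end-to-end protection of the payload, here is an added Go example written for this page (it is not epass, TruePass or Secure Channel code). The browser seals the payload to the application server's key, the TLS-terminating front end forwards an opaque body it cannot read, and only the application server opens it. RSA-OAEP key wrapping, AES-GCM, JSON framing and binding the MBUN as associated data are design choices assumed for the example: the MBUN stays visible so the front channel can route on it, but is authenticated so a hop cannot re-attach a sealed payload to another client's account.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the body the browser sends. It is opaque to every hop between
// the browser and the application server that holds the matching private key.
type Envelope struct {
	WrappedKey []byte `json:"k"` // data key encrypted to the application's RSA key
	Nonce      []byte `json:"n"`
	Ciphertext []byte `json:"c"` // AES-GCM output; the tag also covers the MBUN
}

// Request is what crosses the TLS connection: the MBUN the front channel routes
// on (visible but authenticated) and a body that is plaintext without Secure
// Channel and an Envelope with it.
type Request struct {
	MBUN string
	Body []byte
}

// aead builds the AES-256-GCM instance used for the payload.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the client side: fresh 256-bit data key, AES-GCM over the payload with
// the MBUN bound as associated data, data key wrapped with RSA-OAEP.
func Seal(appPub *rsa.PublicKey, mbun string, payload []byte) (Request, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Request{}, err
	}
	gcm, err := aead(key)
	if err != nil {
		return Request{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Request{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, appPub, key, []byte("sc-data-key"))
	if err != nil {
		return Request{}, err
	}
	env := Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, []byte(mbun))}
	body, err := json.Marshal(env)
	if err != nil {
		return Request{}, err
	}
	return Request{MBUN: mbun, Body: body}, nil
}

// Open is the application-server side; it is the only hop holding appPriv.
func Open(appPriv *rsa.PrivateKey, r Request) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(r.Body, &env); err != nil {
		return nil, err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, appPriv, env.WrappedKey, []byte("sc-data-key"))
	if err != nil {
		return nil, errors.New("data key was not wrapped for this application")
	}
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	// The MBUN is associated data, so a hop that rewrites it (to replay one
	// client's payload under another account) fails authentication here.
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(r.MBUN))
}

// FrontChannelSees models the department web server or reverse proxy where TLS
// terminates: exactly the body bytes that hop can read and log.
func FrontChannelSees(r Request) []byte { return r.Body }

// Leaks reports whether a hop's view of the body contains the payload in the clear.
func Leaks(seen, payload []byte) bool { return bytes.Contains(seen, payload) }

func main() {
	appPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	payload := []byte("constructed sample: benefit claim for file OAS-client-00042")
	req, _ := Seal(&appPriv.PublicKey, "a1b2c3d4", payload)
	fmt.Println("front channel can read the payload:", Leaks(FrontChannelSees(req), payload))
	got, err := Open(appPriv, req)
	fmt.Println("application server opened:", string(got), err)
}
```

A `Request` whose `Body` is the raw form data is the "Without Secure Channel" picture: the web server sees it in full. With `Seal`, the same server sees base64 ciphertext, and a request whose MBUN has been changed in transit, or that is presented to an application with a different key, is rejected rather than silently decrypted.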

12
Without Secure Channel
[Diagram; labels recovered from the transcript:
Browser -> Internet -> SSL -> GoC DEPARTMENT: Dept.
SPLASH Page on the WEB SERVER (user name and
password) -> APPLICATION SERVER]
13
With Secure Channel
[Diagram; labels recovered from the transcript:
Browser -> Internet -> SSL -> Dept. SPLASH Page and
MBUN (ePass) login at the SECURE CHANNEL FRONT
CHANNEL (Secure Directory, Mapping Database, LWS,
CRS, BROKER, OOB, CRYPTO SERVICE with GOL Device
Certificates; the department changes its DNS and
firewall to route through it) -> SCNet -> GoC
DEPARTMENT: WEB SERVER receives the encrypted
payload -> APPLICATION SERVER makes a call to the
crypto service]
14
Authentication Services Building Blocks
[Layered diagram; labels recovered from the
transcript:]
  • Layer 1: Network. Access to SC data channel (VPN)
  • Layer 2: Application routing. Dept must change
    DNS entries (i.e. to invoke the reverse proxy)
  • Layer 3: Login required. Dept must map MBUN to
    Program ID; browser crypto operations; Dept codes
    Web pages to handle TruePass APIs
  • Layer 4: Electronic PostMark (EPM). Provides Dept
    with transaction receipt, timestamping and
    non-repudiation store
  • Layer 4: Out of band (PIN generation). Stand-alone
    service which can assist with Dept enrolment
  • Layer 4: Hosting Dept Web pages. Dept ID-proving
    pages hosted on SC
  • Layer 5: Dept backend crypto operations.
    Stand-alone service deployed within Dept premise
15
Common Registration Service: Business Benefits
  • Application not directly exposed to Internet
  • Intrusion Detection
  • Anti Virus
  • Denial of Service (mitigation)
  • Ease of Use for Users
  • Common Experience Govt as Integrated
    Enterprise
  • Single Sign On
  • Zero footprint certificate transparently
    downloaded
  • SC Security Operations Center (SOC) has 7x24
    coverage
  • Redundant Internet Access facilities and carriers
  • Managed network
  • SC (E-Pass) Help Desk has 7x24 coverage
  • Reduction in application support cost
  • Integrates with your application support desk

16
Common Registration Service: Business Benefits
  • Increased Security
  • Privacy through anonymously issued certificates
  • Encryption of data
  • Non-Repudiation providing legal validation
  • Digital Signatures to meet legal, policy and
    audit requirements (EAA and EDA)
  • Customer Implementation Team
  • Project management
  • Application testing environment
  • Integration Assistance Toolkits and Expert
    Advice
  • Rapid Deployment
  • Services in place now ready to go
  • Assists departments to meet security obligations

17
Service Broker
Middleware service that allows departments to
combine and exchange services to offer truly
citizen-centric programs, while maintaining
autonomy of individual Departments.
  • The broker provides secure connectivity to any
    service registered in the registry
  • ensures that processing requests are always
    delivered to that service (guaranteed delivery)
  • allows sharing and exchanging of services among
    departments (i.e., one department can use another
    department's change-of-address system, reducing
    duplication of infrastructure)
  • seamlessly connects a common service using
    business rules (i.e., if a particular kind of
    transaction requires non-repudiation, the broker
    will do that on the user's behalf)

18
Provisioning a Service on the Broker
Steps
  1. Service Provider adds service description and
     publishes it in the Service Registry (Help Desk)
  2. The service is provided an identifier in the
     Service Registry (number, letter, etc.)
  3. A Requester requires a service and is provided
     with the identifier or searches in the Service
     Registry for it
  4. Once found, the requester negotiates with the
     provider to use the service (Department Help
     Desk)
  5. If allowed, the provider adds the requester's
     permission to use the service in the Access
     Control service
19
Runtime of a Service on the Broker
  • Steps
  • Requester sends request to Service Registry to
    connect to service
  • Service Registry determines routing of call
  • Access Control validates permission to access the
    offered service
  • Request for service is delivered to Service
    Provider if allowed
  • Response back to Service requester is delivered.
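The provisioning steps on the previous slide and the runtime steps above are one procedure, shown here as an added Go example written for this page (not the Secure Channel broker's code): a registry that hands out identifiers, an access-control table that is empty until the provider grants a requester, and an `Invoke` path that looks up, authorizes, delivers and returns. The identifier format, the in-process handler in place of an HTTP or MQ adapter, the department names and the SHA-256 receipt that stands in for an Electronic PostMark are all assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Handler is the provider's endpoint as the broker sees it: request in, response out.
type Handler func(request string) (string, error)

// Service is one Service Registry entry: the identifier the registry assigned,
// who provides it, whether its business rule requires non-repudiation, and the
// route (a Go function here; an HTTP or MQ adapter in the real broker).
type Service struct {
	ID                     string
	Name                   string
	Provider               string
	RequiresNonRepudiation bool
	Route                  Handler
}

// Receipt is a simplified stand-in for the Electronic PostMark the broker would
// obtain on the requester's behalf: a hash binding both parties and the exchange.
type Receipt struct {
	Seq                          int
	Requester, ServiceID, Digest string
}

type Broker struct {
	registry map[string]*Service        // service ID -> entry
	byName   map[string]string          // service name -> ID (registry search)
	acl      map[string]map[string]bool // service ID -> requester -> permitted
	receipts []Receipt
	nextID   int
}

func NewBroker() *Broker {
	return &Broker{registry: map[string]*Service{}, byName: map[string]string{}, acl: map[string]map[string]bool{}}
}

// Publish covers provisioning steps 1-2: the provider adds a description and
// the registry hands back an identifier. Nobody may call it yet (deny by default).
func (b *Broker) Publish(name, provider string, nonRep bool, route Handler) string {
	b.nextID++
	id := fmt.Sprintf("svc-%04d", b.nextID)
	b.registry[id] = &Service{ID: id, Name: name, Provider: provider, RequiresNonRepudiation: nonRep, Route: route}
	b.byName[name] = id
	b.acl[id] = map[string]bool{}
	return id
}

// Lookup is step 3: a requester searches the registry for a service by name.
func (b *Broker) Lookup(name string) (string, bool) {
	id, ok := b.byName[name]
	return id, ok
}

// Grant is step 5: after the help-desk negotiation of step 4 (outside the
// software), the provider records the requester's permission in Access Control.
// Only the provider of a service may grant access to it.
func (b *Broker) Grant(provider, serviceID, requester string) error {
	s, ok := b.registry[serviceID]
	if !ok {
		return errors.New("unknown service")
	}
	if s.Provider != provider {
		return errors.New("only the service provider can grant access")
	}
	b.acl[serviceID][requester] = true
	return nil
}

// Invoke is the runtime path: registry lookup, routing, access-control check,
// delivery to the provider, response back. Non-repudiation is applied by the
// broker when the service's business rule asks for it.
func (b *Broker) Invoke(requester, serviceID, request string) (string, error) {
	s, ok := b.registry[serviceID]
	if !ok {
		return "", errors.New("service registry: no such service")
	}
	if !b.acl[serviceID][requester] {
		return "", fmt.Errorf("access control: %s is not permitted to use %s", requester, s.Name)
	}
	resp, err := s.Route(request)
	if err != nil {
		return "", fmt.Errorf("provider %s: %w", s.Provider, err)
	}
	if s.RequiresNonRepudiation {
		sum := sha256.Sum256([]byte(requester + "|" + serviceID + "|" + request + "|" + resp))
		b.receipts = append(b.receipts, Receipt{Seq: len(b.receipts) + 1, Requester: requester, ServiceID: serviceID, Digest: hex.EncodeToString(sum[:])})
	}
	return resp, nil
}

// Receipts returns the non-repudiation store a department would consult for audit.
func (b *Broker) Receipts() []Receipt { return b.receipts }

func main() {
	b := NewBroker()
	// Constructed scenario: one department's change-of-address service shared with another.
	id := b.Publish("change-of-address", "HRSD", true, func(req string) (string, error) {
		return "address updated for " + req, nil
	})
	_ = b.Grant("HRSD", id, "Veterans Affairs")
	fmt.Println(b.Invoke("Veterans Affairs", id, "client-00042"))
	fmt.Println(b.Invoke("Passport Office", id, "client-00042"))
	fmt.Println(b.Receipts())
}
```

Two checks carry the security of the design: `Grant` refuses anyone but the registered provider, so a requester cannot authorize itself, and `Invoke` consults the access-control table before touching the route, so an unknown or ungranted requester never reaches the provider.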

20
Existing Services on the Broker
[Diagram; labels recovered from the transcript:]
  • Service Broker core: Service Registry (UDDI),
    Access Control
  • Registered services: ePass CA, Common
    Registration Service, HRDC Registration, CRTC
    Registration, PMRA Registration, Out of Band PIN,
    RGBB Buy Button, Electronic Post Mark, Splash
    Page hosting, File Transfer
  • Future: Transformation Service, Workflow Service
  • Connectivity: HTTP adapters and MQ, across DMZ
    zones
21
Departmental Support
  • Uses the proven SC Client Implementation Team
    (CIT)
  • CIT is a multi-disciplinary group of people
    responsible for assisting SC client
    organizations, agencies and crown corporations
    with the implementation of SC GA (General
    Availability) products/services
  • Tested processes and standards
  • CIT Implementation Plan can be customized to
    include specific migration requirements
  • CIT Workbook deliverables matched to process and
    Implementation Plan
  • Specific CIT resources (PM and technical)
    assigned to work with departments through
    successful completion of implementation

22
Structure of the CIT Methodology
23
How the CIT Methodology is Used
[Diagram; labels recovered from the transcript:]
  • Phase 1: Client Engagement
  • Phase 2: Technical Qualification
  • Phase 3: Integration Endorsement
  • Phase 4: CIT Integration
  • Phase 5: Client Readiness Development
  • CIT Toolkits being used
  • Go Live
24
Common Services and Future Enhancements
  • Common Services
  • Secure Digital Forms Service (eForms)
  • Archiving (Document Storage)
  • Document Delivery (Web Box)
  • Web Hosting
  • SSL Service
  • Secure Messaging
  • Enhancements
  • AMS Authorization (PMI)
  • Non-Repudiation capability (optional)
  • Service Broker
  • Workflow
  • Message Transformation

Common Services will be invested in if
departmental demand warrants it!
25
Departments we're working with in 2004: Committed
departments (work in progress / letters of
agreement signed)
  • Statistics Canada: Census 2006 On-Line
  • Veterans Affairs: On-line benefits (pensions,
    allowances and health care)
  • CRTC: Filing of applications on-line
  • Health Canada: Pesticide Registration
  • Health Canada (Health Products and Food Branch):
    filing/approval of new therapeutic products and
    foods
  • HRSD: Employment Insurance Appli-Web, automated
    Old Age Security pensions and automated CPP
    pensions
  • Canada Revenue Agency: My Account
  • Immigration Refugee Board: Document exchange
    service (integrated case management)
  • Atlantic Canada Opportunities Agency (ACOA):
    claims on-line
  • Passport Office: On-line passport renewal
  • Public Service Commission: e-recruiting and
    e-staffing
  • Competition Tribunal: e-filing of applications
  • Téléfilm: grants and contributions
  • Public Safety and Emergency Preparedness: Secure
    Forums

26
Departments we're working with in 2004: Letters
of agreement pending
  • Agriculture Canada: Various farming financial
    support applications
  • Canadian Nuclear Safety Commission: Regulatory
    filing
  • Health Canada: Canada Health Infoway, Emergency
    Preparedness Centre, Drug Regulation
  • Environment Canada: air quality and pollutants
    information exchange
  • Canadian Nuclear Safety Commission: electronic
    regulatory filing
  • Citizenship and Immigration: global case
    management
  • Statistics Canada: Business surveys
  • PWGSC: Government of Canada Marketplace
  • DFAIT: e-CRM and Import/export control systems
  • Industry Canada: Strategis business intelligence
    products
  • Environment Canada: Regulatory filing
  • Department of Fisheries and Oceans: fishing
    licensing
  • Passport Office: data chip on passport
  • National Defence: on-line recruiting