connect • communicate • collaborate
CERT BEST PRACTICES – BULGARIAN CERT AS SERVICE-ORIENTED ORGANIZATION
Slavcho Manolov - BREN
GN3+ TERENA e-Infrastructure Summer workshop, Sofia, 16 - 20 June 2014
Service-oriented approach of CERTs
According to authoritative research, the frequency and complexity of cyber-attacks have increased significantly in recent years. Experts assert that we have entered the fifth generation of cyber-crime, characterized not only by the multi-level organization and specialization of criminals, but also by the application of automation. In this situation the international community has established a new policy and organization of security protection as a multi-level infrastructure that includes international collaboration. The Computer Emergency Response Teams (CERTs) are designed to play a major role in this infrastructure. Owing to the efforts of the international CERT community, primarily CERT/CC, FIRST and TF-CSIRT, and also of institutions such as NIST and ENISA, the diverse activities of a CERT have been thoroughly described, formalized and standardized. That is why we can treat a CERT as a manufacturing enterprise with a fully regulated production cycle consisting of flows of business processes. International best practice clearly shows that the most effective way to organize such a business is the transition to the so-called service-oriented organization.
Service Oriented Architecture (1)
Service Oriented Architecture (SOA) is probably the most important technology initiative facing business today. SOA is more than a new direction of technology development in the software industry: it represents a dramatic change in the relationship between business and IT. SOA helps business and IT to unify goals and bridge the gaps between their very separate worlds by establishing a common language and creating a more flexible infrastructure to support change. A service is a complex and dynamic collaboration between provider and customer. Therefore, companies need to continually optimize the interactions of all the components that make up the service to ensure that changing business objectives are met, and they need to improve both the customer interaction and the relationship over time. SOA is an architecture for building business applications as a set of loosely coupled black-box components orchestrated to deliver a well-defined level of service by linking together business processes. In other words, SOA is an architectural style that enables the assembly of systems from distributed, federated resources.
Service Oriented Architecture (2)
The nature of electronic services
Electronic services incorporate procedures with varying degrees of automation. In general these are chains of procedures, implemented automatically, semi-automatically or manually, and provided by different suppliers. The modern infrastructure for complex electronic services entails:
• implementation of services as a value-added chain;
• centralized management of the service delivery process over its whole "life cycle";
• requesting and obtaining services through "one-stop shopping" (including territorially distributed ones).
This can be achieved by the so-called "orchestration of primary services".
Internal structure of the e-Service
[Figure: internal structure of the e-Service. Applications are composed of Services; Services exchange Messages, form a set of Contracts and are bound by and governed by Policies; Contracts describe the Message Exchange Pattern, enforce Operational Requirements and manage State; Messages contain data whose structure is defined by Schemas.]
The conceptual model of public services, created in the framework of European programme IDABC is shown in the figure below. It is flexible due to the fact that it allows different aggregate services to be created by combining basic public services from multiple providers.
[Figure: European Conceptual model of public services (IDABC).]
Bulgarian Law on e-Governance
The Law on e-Governance (in force as of 13 June 2008, promulgated in State Gazette No 46 of 12 June 2007) regulates three main groups of relations, namely:
• the ways of providing services to citizens electronically;
• the relationships related to the internal exchange of information and documents, the simultaneous movement of paper and electronic documents, and the assignment, creation, storing and archiving of electronic documents;
• the relations associated with the automated exchange of electronic documents between administrative authorities.
As an addition to the law, six regulations adopted by the Council of Ministers detail its application.
The scope of the Law on e-Governance
[Figure: scope of the Law. Between a state authority and citizens and businesses: provision of electronic services. Within a state authority: activities related to working with e-documents. Between state authorities: electronic document exchange.]
Exceptions:
1. The Law does not apply to electronic documents containing classified information.
2. The Law does not rescind regulations for paper documents where a particular format or work order is prescribed.
Key features of the Law (1)
The e-Governance Law and its ordinances define a new type of architecture for the organization of administrative activities. These regulations contain a set of instructions concerning the conduct of the administrations' interface in their relations with citizens and businesses. For the most part, these instructions concern the provision of administrative services electronically. Unification is the most important element in the transition to the new type of administrative organization, namely “service-oriented activity”. In this regard:
a) all requests (external or internal) are treated alike with respect to the start of administrative processes (in their quality of “initiating documents”);
b) all orders (external or internal) to the administration are treated alike with respect to the launch of its processes (in their quality of “initiating documents”);
c) any process started by an initiating document is presented as a sequence of stages of processing of the respective activity;
d) each stage is defined in a unified form.
Key features of the Law (2)
In this regard, the organizational and process-oriented aspects of the re-engineering of the administrative information system include:
– unification of the stages of services and procedures;
– unification of internal administrative processes;
– unification of the activities fulfilled by the administration;
– formation of the status of implementation of a service or procedure;
– provision of a uniform means for control of all activities in the administration;
– preparation of internal rules for the conduct of administrative activities.
Bulgarian CERT as service-oriented organization
According to the Law on e-Governance, the Bulgarian national CERT (whose affiliate is the Academic CERT) develops its activities as a so-called “Service-oriented Organization”. This includes two essential elements:
a) realization of the activities of the CERT as electronic services in the sense of the Ordinance on electronic services and the Ordinance on general requirements for interoperability and information security. This means that the concrete services will be entered in the Register of electronic services, maintained by the State Administration, and that the data elements composing each service must be entered in the Register of information objects. The structures of both registers are shown below;
b) all business processes in the organization are related to the flow of electronic documents and are managed by an Administrative Information System (AIS) according to the Ordinance on the internal circulation of electronic documents and documents in hard-copy form in the administrations. The essence of this system is described further below.
The Register of information objects
[Figure: structure of the Register of information objects. Technological sub-systems: Information Objects Creation and Processing; User Interface and Access Management. Sub-registers: Sub-Register of the Terms; Sub-Register of the Elements “Nomenclature”; Sub-Register of the Elements “Value”; Sub-Register of the Data Segments; Sub-Register of the Electronic Documents.]
In the Interoperability context, “the Electronic Document” can be defined as “a logically complete, self-described information structure, which can be visualized and at the same time automatically processed by information systems without human intervention. The e-Document contains tools for undoubted authentication and protection against illegal access”.
The Register of electronic services
[Figure: structure of the Register of electronic services. Technological sub-systems: e-Services Creation and Processing; User Interface and Access Management. Sub-registers: Primary (atomic) services; Composite services, held as BPEL descriptions and XML descriptions.]
In the Interoperability context, “the primary (atomic) e-Service” can be defined as “an autonomous, complete and realizable functionality with a well-defined I/O interface (i.e. e-Documents registered in the i-Objects Register)”.
[Figure: UEEED, BG-Data models, Repository.]
The infrastructure for e-Services consists of:
• unified definitions of e-services;
• a unified environment for the exchange of electronic documents (UEEED);
• centralized resources providing services for the identification of persons and companies, and other services with specialized purposes;
• decentralized resources at the competent authorities allowing them to provide the services within their competence.
Electronic services delivered by Bulgarian CERT
Following the above-mentioned regulations, the Bulgarian CERT has developed electronic services for the majority of its main activities. These include:
1. Electronic service “Obtaining of incident report from constituency”;
2. Electronic service “Requests for receipt of warnings about vulnerabilities in the specified range of applications”;
3. Electronic service “Entry and update of the Installation Database of constituency”;
4. Electronic service “Reporting incident to the Commission for Regulation of Telecommunications according to the Directive 2009/140/EC”.
The main features of the service-oriented organization
1. Analysis and modeling of business processes
2. Optimization of information resources
3. Automated Process Management and Users Notification Service
4. Automated data transfer with other business systems
5. Centralized maintenance of the records of services
6. Real time management of service requests
Restructuring operations in the service-oriented organization
A. Functional-oriented organizational events
- adoption of a service-oriented strategy;
- definition and parameterization of services as a set of elementary services (value-added chain), and assessment of the possibility of automating these chains;
- adoption of a development plan for the business processes and service-oriented projects;
- adoption of an organizational structure consistent with the internal interactions in complex services and their centralized management.
B. Technological-oriented organizational events
According to leading analyst companies, the transition to a "service-oriented corporate intelligence" is necessarily linked to the centralized management of the information resources of the organization (regardless of the physical decentralization of resources) and to closer integration between the IT infrastructure and the organizational structure.
The National Administrative Data Model
[Figure: the National Administrative Data Model. Legislation; Register of the Registers; Register of the Information Objects; Register of the Electronic Services; Register of the Certified Systems; Register of the Unified Definitions of the Services; National Nomenclature of Documents; National Nomenclature of Records.]
Inter-system exchange through UEEDE
Bearing in mind that the constituency of CERT-Bulgaria consists mainly of administrative bodies and academic institutions, the exchange must be realized through the so-called Unified Environment for e-Documents Exchange (UEEDE), maintained by the Ministry of Transport, Information Technology and Communications. UEEDE is a secure managed environment for the exchange, between registered parties, of electronic documents registered in the Register of information objects. The document exchange is protected by encryption and decryption with asymmetric public-key cryptography, using digital certificates of the UEEDE server and the UEEDE clients. These transport certificates will be issued by the internal public key infrastructure for all administrations, maintained by the same Ministry. The transfer protocol is based on the German standard “OSCI Transport”, for now recognized informally as a pan-European one.
Exchange of documents through UEEDE
[Figure: in Administration “A”, AIS Service procedure “A” hands Document “A” to UEEDE Client “A”, which sends it as OSCI Message “A” to the UEEDE Server; the server forwards it as OSCI Message “B” to UEEDE Client “B” in Administration “B”, where AIS Service procedure “B” receives Document “A”. OSCI Receipt “B” and OSCI Receipt “A” acknowledge delivery back along the same path.]
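The exchange in the figure, as an added example that is not part of the deck and not UEEDE's own software: a Go sketch (standard library only) in which client "A" seals a document for client "B" with a one-time AES-GCM key wrapped under B's RSA public key and signs the whole envelope, the UEEDE server verifies the signature and returns its receipt without being able to read the content, and B verifies, decrypts and returns its own receipt. The RSA key pairs stand in for the transport certificates and the envelope layout for the OSCI Transport message format, both of which the deck only names; the party names and the document text are constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one UEEDE participant (client A, the server, client B). Its RSA key pair stands in
// for the transport certificate the deck mentions; constructed example, not the real UEEDE PKI.
type Party struct {
	Name string
	Key  *rsa.PrivateKey
}

// Envelope is a simplified OSCI-style message: the document is encrypted for the receiving
// client only and the whole envelope is signed by the sender, so the relaying server can check
// origin and integrity without being able to read the content.
type Envelope struct {
	Sender     string
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the receiver
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over the document, sender name as associated data
	Signature  []byte // RSA-PSS by the sender over digest()
}

func NewParty(name string) *Party {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // no usable entropy source: the example cannot continue
	}
	return &Party{Name: name, Key: key}
}

// digest covers every field a receiver relies on, so the signature protects the wrapped key
// and the nonce as well as the ciphertext.
func (e *Envelope) digest() []byte {
	h := sha256.New()
	for _, p := range [][]byte{[]byte(e.Sender), e.WrappedKey, e.Nonce, e.Ciphertext} {
		h.Write(p)
	}
	return h.Sum(nil)
}

func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so this cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts doc for the receiver's public key and signs the envelope as sender.
func Seal(sender *Party, receiver *rsa.PublicKey, doc []byte) (*Envelope, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)   // crypto/rand.Read does not return an error on supported platforms
	rand.Read(nonce) // fresh nonce per message; the key itself is single-use anyway
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, key, nil)
	if err != nil {
		return nil, err
	}
	e := &Envelope{Sender: sender.Name, WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: aead(key).Seal(nil, nonce, doc, []byte(sender.Name))}
	e.Signature, err = rsa.SignPSS(rand.Reader, sender.Key, crypto.SHA256, e.digest(), nil)
	return e, err
}

// Receive is the check every hop performs first: reject the envelope unless it carries a valid
// signature from the claimed sender. On success the hop returns its receipt, its own signature
// over the envelope digest (OSCI Receipt A from the server, OSCI Receipt B from client B).
func Receive(hop *Party, senderPub *rsa.PublicKey, e *Envelope) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, e.digest(), e.Signature, nil); err != nil {
		return nil, fmt.Errorf("%s: envelope from %q rejected: %w", hop.Name, e.Sender, err)
	}
	return rsa.SignPSS(rand.Reader, hop.Key, crypto.SHA256, e.digest(), nil)
}

// VerifyReceipt lets the sender confirm that a hop acknowledged exactly the envelope it sent.
func VerifyReceipt(issuerPub *rsa.PublicKey, e *Envelope, receipt []byte) error {
	return rsa.VerifyPSS(issuerPub, crypto.SHA256, e.digest(), receipt, nil)
}

// Open is the receiving client's extra step: unwrap the content key and decrypt. The server
// never calls it, so it relays the document without reading it.
func Open(receiver *Party, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, receiver.Key, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aead(key).Open(nil, e.Nonce, e.Ciphertext, []byte(e.Sender))
}

func main() {
	a, srv, b := NewParty("Client A"), NewParty("UEEDE Server"), NewParty("Client B")
	env, _ := Seal(a, &b.Key.PublicKey, []byte("<incidentReport>constructed sample</incidentReport>"))
	rcptA, errSrv := Receive(srv, &a.Key.PublicKey, env) // server checks, relays, acknowledges
	rcptB, _ := Receive(b, &a.Key.PublicKey, env)
	doc, errB := Open(b, env)
	fmt.Println(errSrv == nil, VerifyReceipt(&srv.Key.PublicKey, env, rcptA) == nil,
		errB == nil, VerifyReceipt(&b.Key.PublicKey, env, rcptB) == nil, string(doc))
}
```

The server's check is deliberately placed before anything else: an envelope that fails signature verification is dropped, so a tampered or spoofed message never produces a receipt, and the receipt the sender gets back is bound to the exact bytes it sent.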
Execution of complex e-Service
[Figure: the Complex Services Agent receives CES_REQ and performs Request Decomposition into PES_REQi, PES_REQj and PES_REQk, which are sent through UEEDE to Administration i, Administration j and Administration k; their answers PES_RSPi, PES_RSPj and PES_RSPk come back through UEEDE and Answer Composition produces CES_RSP.]
Request Decomposition
[Figure: CES_REQ enters the XLT-Interpreter, which applies the transformations XLT_REQi, XLT_REQj and XLT_REQk from XLT_Library to produce the primary requests PES_REQi, PES_REQj and PES_REQk.]
Answer Composition
[Figure: the primary answers PES_RESi, PES_RESj and PES_RESk enter the XLT-Interpreter, which applies the transformations XLT_RESi, XLT_RESj and XLT_RESk from XLT_Library to compose CES_RES.]
Management of the execution of complex e-Service
[Figure: CES_REQ and CES_RSP pass between UEEDE and a BPeL Interpreter, which executes the BPeL Workflow of the service (BPeL Composition / Decomposition) taken from BPeL_Library.]
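How an agent can carry out the decomposition and composition sketched in the last four figures, as an added example (Go; not code from the deck or from any Bulgarian e-government system): a translation table standing in for the XLT library maps one composite service onto primary services of administrations i, j and k, the agent builds one PES_REQ per administration from the CES_REQ, dispatches them, and composes the PES_RSPs into the CES_RSP. The composite service, its administrations, field names and handler rules are constructed for illustration, and the BPEL workflow is replaced by a fixed fan-out with in-process handlers so the example runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// Request stands for a CES_REQ or PES_REQ and Response for a PES_RSP or CES_RSP. Flat field
// maps suffice to show the agent's logic; the deck's XML, XLT and BPEL artefacts are not on the page.
type (
	Request  map[string]string
	Response map[string]string
)

// PrimaryService is a primary (atomic) e-service of one competent administration: the request
// fields it needs and a handler. The handlers below stand in for calls made over UEEDE.
type PrimaryService struct {
	Admin  string
	Fields []string
	Handle func(Request) (Response, error)
}

// Translation is the agent's XLT-library entry for one composite service: the primary services
// it is assembled from. Constructed for this example.
type Translation struct {
	Name    string
	Primary []PrimaryService
}

// Decompose builds one PES_REQ per administration, copying only the fields that administration
// is entitled to receive and failing before any dispatch if a required field is absent.
func Decompose(tr Translation, ces Request) (map[string]Request, error) {
	parts := make(map[string]Request, len(tr.Primary))
	for _, ps := range tr.Primary {
		pes := Request{}
		for _, f := range ps.Fields {
			v, ok := ces[f]
			if !ok {
				return nil, fmt.Errorf("%s: CES_REQ lacks required field %q", ps.Admin, f)
			}
			pes[f] = v
		}
		parts[ps.Admin] = pes
	}
	return parts, nil
}

// Execute dispatches the primary requests and composes the answers into one CES_RSP. Response
// fields are namespaced by administration so providers cannot overwrite each other, and a
// failure at any provider yields an error naming it rather than a silently partial answer.
func Execute(tr Translation, ces Request) (Response, error) {
	parts, err := Decompose(tr, ces)
	if err != nil {
		return nil, err
	}
	composed, failed := Response{}, []string{}
	for _, ps := range tr.Primary {
		rsp, err := ps.Handle(parts[ps.Admin])
		if err != nil {
			failed = append(failed, ps.Admin+": "+err.Error())
			continue // keep going so the caller learns about every failing provider
		}
		for k, v := range rsp {
			composed[ps.Admin+"."+k] = v
		}
	}
	if len(failed) > 0 {
		return nil, fmt.Errorf("%s: CES_RSP not composed: %s", tr.Name, strings.Join(failed, "; "))
	}
	return composed, nil
}

// IncidentReportService is a constructed composite service loosely modelled on the deck's
// "Reporting incident" e-service; the administrations, fields and rules are invented.
var IncidentReportService = Translation{
	Name: "incident report (constructed)",
	Primary: []PrimaryService{
		{Admin: "Administration i", Fields: []string{"reporter_id"},
			Handle: func(r Request) (Response, error) {
				if !strings.HasPrefix(r["reporter_id"], "bren-") {
					return nil, fmt.Errorf("reporter %q not in constituency", r["reporter_id"])
				}
				return Response{"identity": "verified"}, nil
			}},
		{Admin: "Administration j", Fields: []string{"incident_type", "affected_service"},
			Handle: func(r Request) (Response, error) {
				return Response{"case": "J-" + r["incident_type"], "scope": r["affected_service"]}, nil
			}},
		{Admin: "Administration k", Fields: []string{"affected_service"},
			Handle: func(r Request) (Response, error) {
				if r["affected_service"] == "unknown" {
					return nil, fmt.Errorf("service not in nomenclature")
				}
				return Response{"notified": "yes"}, nil
			}},
	},
}

func main() {
	req := Request{"reporter_id": "bren-001", "incident_type": "phishing", "affected_service": "webmail"}
	fmt.Println(Execute(IncidentReportService, req))
	req["affected_service"] = "unknown"
	fmt.Println(Execute(IncidentReportService, req))
}
```

Two properties matter for a CERT acting as the agent: each administration sees only the fields of the composite request that its own primary service declares (data minimization falls out of the translation table), and the composite answer is either complete or an error that names every failing provider, so a requester is never handed a partial CES_RSP that looks whole.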
The Reference Model of AIS
The core position of AIS
[Figure: the AIS at the centre of the administration. Input channels: Web (Integrated Web-application, with Validation), UEEDE (Module for integration with the CC, the UEEDE communication client), e-Mail (Module for e-Mail exchange) and manual input of scanned paper documents (Module for exchange manually, with Validation). The AIS is connected to the administration's other systems Sys 1, Sys 2, Sys 3 … Sys n.]
Technological process of AIS re-engineering (1)
The technological process of the re-engineering of the Administrative Information System (AIS) consists of the following sequence of actions:
- analysis of the type and quantity of the indispensable Document Registers;
- registration of these registers in the Register of registers and data;
- adjustment of the AIS for processing with these registers;
- establishment and maintenance in the AIS of Classification Schemes for the following types of information objects: users; documents; tasks; personal data; nomenclatures;
- establishment of a Departmental nomenclature of types of documents for the concrete administration, and adjustment of the AIS for processing with this nomenclature;
Technological process of AIS re-engineering (2)
- establishment of a Departmental nomenclature of stages of services and procedures for the concrete administration, and adjustment of the AIS for processing with this nomenclature;
- establishment of a Departmental nomenclature of services and procedures for the concrete administration, and adjustment of the AIS for processing with this nomenclature;
- establishment of a Departmental nomenclature of schemes for storage of documents for the concrete administration, and adjustment of the AIS for processing with this nomenclature;
- creation of interfaces between the AIS and the “external environment” by specialized applications integrated into the AIS, such as: a module for Web-application; a module for integration with the Communication Client of the Unified Environment for Exchange of Electronic Documents (UEEED); a module for e-Mail exchange; a module for reception of documents stored on magnetic or other external media.
Technological process of AIS re-engineering (3)
- interface modules for connection with other specific systems of this administration; the regulations of the e-Governance Law do not prescribe any special requirements for these connections. The administration can choose between direct communication (i.e. the component-call method) and message-based communication. The advantage of the second is that it decouples the components from one another;
- establishment of internal rules for working with the AIS, adapted to the specifics of the particular administration;
- creation of access profiles for the various groups of employees to the resources of the AIS. The profiles correspond to the duties of the employees as set out in their job descriptions.
[Figure: documents from the LNoD (Doc I … Doc IX), arriving via Web, UEEDE, manually or as scanned paper documents, are mapped to the services and procedures of the LNoSP (S/P1, S/P2, S/P3 … S/Pn), each defined as a sequence of stages (Ea, Eb, … Ez).]
The documents trigger the start of determinate procedures.
Web application for documents receipt
[Figure: the Integrated Web-application with File Entry and Applications for editing; documents received over the Web pass through Validation.]
Model of the status of procedure
[Figure: the status of a service or procedure started by a Document is kept as three lists, “Outstanding stages”, “Executed stages” and “Canceled stages” (Stage 1 … Stage n). Each stage is assigned to a Performer (Performer 1 … Performer n) working through an application (App “E1” … App “En”); the Correspondence and the resulting Service Status are derived from these lists.]
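A minimal implementation of this status model, added here as an example (Go; not the AIS and not code from the deck): a procedure started by an initiating document holds its stages, each with an assigned performer and application, derives the three lists and the service status from stage state, and refuses out-of-order execution, execution by a performer other than the assigned one, and any progress after cancellation, while logging every change as the uniform control record the Law calls for. The incident-handling stages, performer roles and application names are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// StageState mirrors the three lists of the status model: a stage is outstanding, executed
// or canceled. Constructed example; the real AIS data model is not on the page.
type StageState int

const (
	Outstanding StageState = iota
	Executed
	Canceled
)

// Stage is one step of a service or procedure, with the performer it is assigned to and the
// application ("App E1 .. En" in the figure) through which it is performed.
type Stage struct {
	Name      string
	Performer string
	App       string
	State     StageState
}

// Procedure is started by an initiating document and processed as a fixed sequence of stages.
// Log is the uniform control record of every state change.
type Procedure struct {
	Document string
	Stages   []Stage
	Log      []string
}

// NewIncidentProcedure builds a constructed four-stage incident-handling procedure.
func NewIncidentProcedure(document string) *Procedure {
	return &Procedure{Document: document, Stages: []Stage{
		{Name: "registration", Performer: "registrar", App: "App E1"},
		{Name: "triage", Performer: "duty officer", App: "App E2"},
		{Name: "response", Performer: "analyst", App: "App E3"},
		{Name: "closure", Performer: "team lead", App: "App E1"},
	}}
}

// ByState returns the "Outstanding", "Executed" and "Canceled" lists in stage order.
func (p *Procedure) ByState() (outstanding, executed, canceled []Stage) {
	for _, s := range p.Stages {
		switch s.State {
		case Outstanding:
			outstanding = append(outstanding, s)
		case Executed:
			executed = append(executed, s)
		case Canceled:
			canceled = append(canceled, s)
		}
	}
	return
}

// ServiceStatus is what the requester sees; it is derived only from the three lists.
func (p *Procedure) ServiceStatus() string {
	outstanding, executed, canceled := p.ByState()
	switch {
	case len(canceled) > 0:
		return "canceled"
	case len(outstanding) == 0:
		return "completed"
	case len(executed) == 0:
		return "received"
	default:
		return "in progress: " + outstanding[0].Name
	}
}

// Execute records the named stage as executed by performer. Stages run strictly in sequence,
// only by the performer assigned to them (the deck ties access profiles to job descriptions),
// and a canceled procedure cannot progress; each accepted execution is logged.
func (p *Procedure) Execute(name, performer string) error {
	for i := range p.Stages {
		s := &p.Stages[i]
		switch {
		case s.State == Executed:
			continue
		case s.State == Canceled:
			return errors.New("procedure is canceled")
		case s.Name != name:
			return fmt.Errorf("stage %q cannot run before %q", name, s.Name)
		case s.Performer != performer:
			return fmt.Errorf("stage %q is assigned to %s, not %s", name, s.Performer, performer)
		}
		s.State = Executed
		p.Log = append(p.Log, fmt.Sprintf("%s: %s executed by %s via %s", p.Document, name, performer, s.App))
		return nil
	}
	return errors.New("no outstanding stages")
}

// Cancel moves every outstanding stage to the canceled list and records the reason.
func (p *Procedure) Cancel(reason string) {
	for i := range p.Stages {
		if p.Stages[i].State == Outstanding {
			p.Stages[i].State = Canceled
		}
	}
	p.Log = append(p.Log, p.Document+": canceled, "+reason)
}

func main() {
	p := NewIncidentProcedure("Doc I (constructed incident report)")
	fmt.Println(p.ServiceStatus(), "|", p.Execute("triage", "duty officer"))
	fmt.Println(p.Execute("registration", "registrar"), "|", p.ServiceStatus())
	p.Cancel("duplicate of an open case")
	fmt.Println(p.ServiceStatus(), "|", p.Execute("triage", "duty officer"))
	for _, line := range p.Log {
		fmt.Println(line)
	}
}
```

Because the status is computed from the stage lists rather than stored separately, the two can never disagree, and because every accepted transition appends to the log, the log is the complete record of who did what through which application, which is the control the re-engineering steps above ask the AIS to provide.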
Perspective for automated data exchange
The realization of CERT activities as electronic services leads to the unification and formalization of business processes and of the data associated with them. This is a prerequisite for setting standards for the presentation of data. As a result, it will allow methods for the automated exchange of information to be introduced in the future, both between the CERT and its constituents and between the various CERTs involved in joint activities. This automated data exchange could be based on the new recommendation of the International Telecommunication Union (ITU), X.1500, named “the Cybersecurity Information Exchange Framework (CYBEX)”.
Thank you!
slav1943@gmail.com