8/2/2019 Belgium French Community (ETNIC)- SEcure eGovernment Services
ETNIC (Entreprise des Technologies Nouvelles de l'Information et de la
Communication), the Information Technology Agency of Belgium's French Community
(BFC), provides high quality solutions for the various public services of the BFC.
Founded in 2002, ETNIC employs 150 IT specialists, and is annually allocated a budget
of 24 million.
BFC provides services relating to education, culture, research and training, health
(exclusively preventative medicine), assistance to young people, infrastructures,
sports and international relations. In this case, BFC tasked ETNIC with improving its
school student registration infrastructure.
eGovernment Services for Education
Much like any modernized education system, BFC had already undertaken to computerize as many of its
processes as possible. To that end, each school developed its own IT systems featuring applications written
using a diverse range of technologies (from Delphi to Java to Microsoft .Net and so on), while the BFC itself had
created centralized applications written in COBOL for its mainframe, Web Services written in Java and IBM's
Enterprise Generation Language (EGL), links to Electronic Document Management (EDM) systems, and many
others. Because of the many disparate systems and actors, the registration process often devolved to sending
communications between stakeholders via paper documents and snail mail.
ETNIC knew that with so many diverse applications, a Service Oriented Architecture (SOA) approach would be the
best way to enable standards-based interoperability without requiring structural-level integration. ETNIC chose to
implement Layer 7's SecureSpan XML Gateway as the access point to the ServiceMix Enterprise Service Bus (ESB)
from the open source Apache community. Because both SecureSpan and ServiceMix support the industry standard
WS-* specifications, ETNIC could be assured of benefiting from all the advantages of SOA, including service reuse,
loose coupling and greater IT agility.
The architected solution called for ETNIC to expose Web services to requesters with the help of Layer 7's
SecureSpan Gateway. At runtime, SecureSpan processes incoming requests, applies an authentication and
authorization rule set defined in policy, queries databases to enrich the original request, and then invokes the
appropriate internal service via the ServiceMix ESB to construct a response formatted in accordance with the service
invoked.
Only one problem remained: establishing trust between the back-end and the myriad clients deployed on all the
different platforms hosted throughout the school district. In order to maximize interoperability with local IT
standards, ETNIC enabled the possibility of authenticating eGovernment service requesters using the Belgian
electronic identity card (eID).
Balancing Security and Efficiency
In this model, the identity of the client-side service requester relies on government-issued smart cards. But to
avoid the need for smart card access for each message exchange, ETNIC developed a client-side application called
WSGenCon (Web Services Generic Connector), which allows the initial authentication of the identity to be
performed via a WS-Trust Request Security Token call to the SecureSpan Gateway. Using SSL mutual
authentication, SecureSpan authenticates the requester's identity and creates a WS-SecureConversation session
with an associated shared secret key. The client-based WSGenCon relies on this session key for subsequent
exchanges, such as Web service invocation, without requiring further access to the requester's smart card. In order
to ensure a high security level, the key expires after a set amount of time, at which point WSGenCon negotiates a
new one. Using WS-Trust and WS-SecureConversation in this way allows schools to make multiple student
registrations without constantly re-entering their beID PIN code, thereby maximizing system efficiency and
administrator productivity.
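The session-key pattern described above, modeled as an added example (this is not ETNIC's WSGenCon code or Layer 7's implementation): one card-backed authentication yields a time-limited shared secret, later messages are authenticated under it, and the client renegotiates on expiry. The class names, the 300-second lifetime and the use of HMAC-SHA256 in place of the SOAP-level WS-SecureConversation signatures are assumptions.

```python
import hashlib
import hmac
import secrets

SESSION_LIFETIME = 300  # seconds; assumed value, the page gives no figure


class Gateway:
    """Stands in for the token issuer and the policy enforcement point."""

    def __init__(self, clock):
        self.clock = clock
        self.sessions = {}  # context id -> (shared secret, expiry time)

    def issue_token(self, card_authenticated):
        # Models the WS-Trust Request Security Token call made over mutually
        # authenticated SSL; card_authenticated stands in for that handshake.
        if not card_authenticated:
            raise PermissionError("client certificate authentication failed")
        ctx_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        expires = self.clock() + SESSION_LIFETIME
        self.sessions[ctx_id] = (secret, expires)
        return ctx_id, secret, expires

    def verify(self, ctx_id, body, tag):
        secret, expires = self.sessions.get(ctx_id, (None, 0))
        if secret is None or self.clock() >= expires:
            self.sessions.pop(ctx_id, None)  # expired contexts are discarded
            return False
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Connector:
    """Client side: touches the smart card only when no valid session exists."""

    def __init__(self, gateway, clock):
        self.gateway, self.clock = gateway, clock
        self.session = None
        self.card_uses = 0

    def send(self, body):
        if self.session is None or self.clock() >= self.session[2]:
            self.card_uses += 1  # the PIN prompt would happen here
            self.session = self.gateway.issue_token(card_authenticated=True)
        ctx_id, secret, _ = self.session
        tag = hmac.new(secret, body, hashlib.sha256).digest()
        return self.gateway.verify(ctx_id, body, tag)
```

The clock is injected so that expiry can be exercised without waiting; the gateway rejects a tag made with an expired key even if the client still holds it.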
Belgium French Community (ETNIC): Securing eGovernment Education Services
ETNIC by the Numbers
Encompasses 3,500 schools and 8,000 disparate clients
More than 1,000,000 student registrations
More than 300 registrations per second at peak
Copyright 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
Security under the Hood
With each school implementing and maintaining its own IT systems, some schools necessarily have more (or
fewer) IT resources, budget and skills than others. The client-side WSGenCon service, in conjunction with the Layer 7
Gateway, was key in ensuring that all schools, no matter their technical expertise, could take advantage of the new
student registration system, by hiding much of the complexity of the security standards involved in the process.
For simple business requests, WSGenCon adds any part of the WS-* stack stipulated in the security policy deployed on
the Layer 7 Gateway (such as WS-Addressing, WS-Security, WS-Trust and WS-SecureConversation). WSGenCon
also handles the entire protocol layer (HTTP, HTTPS, SOAP, etc.), as well as taking care of XML formatting. Each
school's local client application only needs to handle business concepts in its own format. The interaction between
WSGenCon and the Layer 7 Gateway encapsulates all the technical complexity, making the entire trust mechanism
completely transparent to the end-user, ensuring system usability and providing a simple way to secure
eGovernment service exchanges.
The Results
With ETNIC's solution in place, communications between entities in the school registration process no longer have
to resort to manual, paper-based exchange of data, dramatically reducing errors in data entry and increasing
system efficiency. Within a school system that has more than 3,500 schools and a million students, even minor
gains in efficiency have a significant impact on the productivity of all administrators.
Going forward, changes to security requirements can be made quickly and simply in a single, central place: the
Layer 7 policy document, removing the burden from each school's IT team, which traditionally would need to
update their client systems to conform to the new requirements, test the changes, and redeploy the new client.
According to Anne Noseda from ETNIC's support team, "Layer 7 allows us to define complex security policies in a
graphical user-friendly way." Her colleague Sébastien Bal agreed with her: "After a short period of adaptation, we
can now focus on security-related business logic requirements instead of their technical implementation. The
security policies are also easier to maintain."
Additionally, ETNIC now has a new addition to their library of freely available SOA artifacts that other projects can
leverage to reduce the cost and effort of their projects. For more information on WSGenCon (or any other ETNIC
project) visit the ETNIC website at http://www.etnic.be, or download source code directly at http://forge.etnic.be.