Elsevier

Computer Communications

Volume 26, Issue 16, 15 October 2003, Pages 1873-1883
Security requirements for e-government services: a methodological approach for developing a common PKI-based security policy

https://doi.org/10.1016/S0140-3664(03)00082-3

Abstract

The concept of one-stop on-line government is not science fiction any more. On the contrary, the high reliability and performance of communication links, combined with architectural models that facilitate transparent access to distributed computational and storage resources, propel the development of integrated e-government platforms that support increased citizen mobility. The price we have to pay is the complexity introduced in the design of the security mechanisms required for protecting several heterogeneous information systems—each one supporting some of the services offered through the e-government integrated environment—and ensuring user privacy.

This paper demonstrates that the security services offered by Public Key Infrastructure (PKI) can be employed for fulfilling most of the identified security requirements for an integrated e-government platform. The list of security requirements has been compiled by adopting an organisational framework that facilitates the classification of e-government services according to the security requirements they exhibit.

The proposed approach has been applied, as a case study, to the e-government system ‘Webocrat’, identifying its security requirements and then designing a PKI-based security architecture for fulfilling them.

Introduction

The advances in the Information and Communication Technologies (ICT) have raised new opportunities for the implementation of novel applications and the provision of high quality services over global networks. The aim is to utilise this ‘information society era’ for improving the quality of life for all citizens, disseminating knowledge, strengthening social cohesion, generating earnings and finally ensuring that organisations and public bodies remain competitive in the global electronic marketplace.

e-Government is the term reflecting the use of ICT in public administration in an attempt to ease access to governmental information and services for citizens, businesses, and government agencies. A further aim is to improve the quality of the services and to provide greater opportunities for participating in democratic institutions and processes.

Such a rapid technological evolution could not be problem free. Concerns are raised regarding the extent to which ‘information security’ and ‘user privacy’ can be ensured. However, ‘growth’ of computerised facilities cannot be considered ‘progress’ until we are sure that the drawbacks do not outweigh the benefits. Information System Security is, therefore, an essential management responsibility for e-government, whose target is to fulfil the fundamental security properties of availability, confidentiality, integrity, accountability and information assurance [9]. A high level of confidence and trust among all users (citizens, businesses and government) will be the foundation of a successful e-government initiative [3].

To select and implement the necessary security measures, one must identify and value the system assets and the associated threats and vulnerabilities, and assess the consequences of a potential security incident. Risk analysis (RA) methodologies help analysts perform these steps in a well-structured way and thus select the countermeasures that will ensure a security level commensurate with the level of risk. However, a precondition for performing an RA is to have precisely specified the boundaries—both in logical and physical terms—of the information system. This is clearly not a straightforward task for e-government systems, which can normally be seen as an amalgam of heterogeneous information systems facilitating the exchange of information between citizens, businesses and several governmental agencies.

Thus, a new framework is required for identifying and organising the security requirements that are common to all information systems used in the development of an integrated on-line e-government platform. Such a framework can facilitate the development of a unified e-government security policy. This is because, security-wise, each information system is no longer considered an isolated stand-alone system but a component of the e-government platform, protected through countermeasures and security services that are applicable to the entire platform.

This paper demonstrates the feasibility of such an approach by utilising the ‘Organisational Framework for the Security Requirements of e-government services’ (e-GOV-OFSR) [6] for identifying the (common) security requirements for an integrated on-line e-government service platform that supports distance learning, electronic voting, electronic collaboration of governmental departments and several web-based public services (Section 2, The e-government platform, and Section 3, Security issues). In addition, Section 4 provides evidence that by utilising the security services offered by a Public Key Infrastructure (PKI), most of the consolidated e-government security requirements can be fulfilled. Finally, Section 5 presents, as a case study, the identification and classification of security requirements for the e-government system ‘Webocrat’, together with the PKI-based security architecture that has been implemented for its protection.

Section snippets

The e-government platform

As suggested in Ref. [16], the architecture of an integrated on-line e-Government service platform is depicted in Fig. 1.

Users (who can be either citizens or employees of public authorities) can utilise the supported e-government services through a global entrance point: the governmental portal. The portal can be accessed through the local network, remotely through the Internet, or even through other types of wireless devices such as mobile phones.

Normally, the ‘e-government services’ are

Security issues

Although state-of-the-art technology eases the development of on-line ‘one-stop government’ platforms, it is, at the same time, a major contributor to some of the problems associated with the design and implementation of a secure environment [1], especially when combined with the continuously increasing citizen mobility. By allowing users to access services from virtually anywhere, the universe of ineligible people who may attempt to harm the system is dramatically expanded.

Moreover, existing

Services and functions

The user requirements, for several distinct application domains, that a PKI should fulfil have been widely recorded in the literature. However, most current attempts to specify the desirable set of PKI services have not been based on the user-security requirements [14]. In Refs. [10], [11] it has been reported that the ‘minimal set’ of user requirements includes authentication of users, integrity of messages, privacy and confidentiality of messages, non-repudiation of message origin and

A case-study: the e-government system Webocrat

The e-GOV-OFSR framework has been used for identifying and classifying the security requirements for the e-government system Webocrat, which is designed and implemented within the Webocracy Project. Capitalising on the results, the countermeasures (in terms of security services) that are necessary for ‘protecting’ the system were derived and they have been implemented through a PKI-based security architecture, called CSAP (Communication, Security, Authentication and Privacy). Currently, CSAP is

Conclusions

This paper has highlighted that the design and implementation of the security mechanisms for an integrated on-line e-government platform is not a straightforward task. Existing RA methodologies can only be applied to information systems with well-defined boundaries and are thus not appropriate for studying an e-government environment as a single entity. Instead, each information system must be studied independently, in accordance with the guidelines of the chosen RA methodology, identifying the

References (16)

  • D. Denning et al., Internet Besieged: Countering Cyberspace Scofflaws (1998)
  • F. Dridi, G. Pernul, T. Sabol, The Webocracy Project: Overview and Security Aspects, Proceedings of the First...
  • F. Dridi et al., Security for the electronic government, Proceedings of the European Conference on E-Government, Trinity College, Dublin, Ireland (2001)
  • I. Foster et al., Grid services for distributed system integration, IEEE Computer (2002)
  • I. Foster et al., The anatomy of the GRID: enabling scalable virtual organisations, International Journal of High Performance Computing Applications (2001)
  • S. Gritzalis et al., Proceedings of the International Conference on Parallel and Distributed Processing Techniques and Applications, Las Vegas (2002)
  • S. Gritzalis et al., Securing the electronic market: the KEYSTONE Public Key Infrastructure architecture, Computers and Security Journal (2000)
  • S. Ikonomopoulos et al., Functional requirements for a secure electronic voting system, Proceedings of the IFIP TC11 17th International Conference on Information Security, Egypt, Cairo (2002)
There are more references available in the full text version of this article.
