UN/CEFACT
e-Procurement
The Next Steps: Security and ebXML
Presented by
NexTenders (India) Pvt. Ltd.
4th October 2006, New Delhi, India
Confidential
This document is the property of NexTenders (India) Private Limited, who owns the copyright thereof. The information in this
document is given in confidence. This document (wholly or partly) may not be transmitted in any form (copied, reprinted,
reproduced), without the written consent of NexTenders. The contents of this document or any methods or techniques
available there from, may not be disclosed to any third party whatsoever without the written consent of NexTenders.
Maturity of usage of ETS
LvL 1: Electronic Notification of Tenders on the Internet (3%)
LvL 2: Posting of Tender Documents on the Internet (7%)
LvL 3: Electronic Bid Submission & ePayments (25%)
LvL 4: Online Tender Preparation & Bid Preparation (50%)
LvL 5: Online Evaluation of Bids, Award of Tenders & PO (70%)
LvL 6: Online Pre-tender & Post Award Negotiation Enabling (80%)
LvL 7: Online Contract Tracking & Fulfilment (100%+)
LvL 8: Enterprise-wide Integration of Procurement Process (100%++)
(Chart axes: Security LvL against Maturity LvL; the percentage after each level is the Security LvL plotted for it.)
In numbers:
1. Over 50% of India is using one form of e-tendering.
2. Version 1 of NexTenders was at Level 4. Version 2.1 was at LvL 5.
3. First LvL 6 (Version 2.3) implementation happening this month in 2 of India's top 10 PSUs.
4. Total amount of tenders processed by NexTenders (i.e. all LvL 4+ installations) has been in excess of 2.8 billion USD or 2.5 billion Euro (above Rs. 12,500 Cr.) from only 4 of 26 states.*
5. These figures are for the last 36 months alone, of which the last 12 months account for almost 60% of the load.
* Conversions done with approximate moving average figures for Dollar and Euro.
Implementation Experience (Government/ PSU – India)
Government of Assam
Departments such as Roads, NH Works, Building,
RIDF & ARIASP
Departments are handling schemes like PMGSY,
MPNA, State Plan, NABARD, CRF, NHAI, NLCPR,
World Bank & Asian Development Bank Funding
Management Challenges
• Solution to handle multiple
procedure/ policies.
• Catering to World Bank norms,
CVC Guidelines.
• Enhance user base/ access to
tenders
• Reduce the cycle time and cost
involved in the tendering process
• Seamless submission of bids
• Reduction in unfair practices
• User awareness
Approach
• Customization & Implementation of
Solution.
• Deployment of team for
administrative & support functions.
• User friendly application for faster
adaptation.
• Facilitation and consultancy in
adoption to electronic tendering.
• Impart training and administrative
support.
Benefits
• Enhanced transparency
• Processing of 103 tenders in a
period of 30 days by 8 resources.
• Better and more responsive
contractors
• Reduced tender cycle time (90
days to 30 days)
• Minimal human error and misuse
• Reduced contractor collusion
• Uninterrupted services.
• Reduction in unfair practices
• Procurement worth INR 3000+
crore processed
• Maturity LvL in a period of less
than a year
Implementation Experience (Government/ PSU – India)
Government of Chhattisgarh
Departments such as PWD, Water Resources, RRDA,
SIDC, Housing Board, Ispat Bhoomi Ltd, PR.
Departments are handling various schemes catering
to various policies.
Management Challenges
• Solution to handle multiple procedure/ policies.
• Low LvL of IT awareness
• Reduce the cycle time and cost involved in the tendering process
• Multiple department interface
• Reduction in unfair practices
Approach
• Customization of department specific Solution.
• Deployment of team for administrative & support functions.
• Extensive training for adaptation to eProcurement Solution.
• Awareness workshops and facilitations.
Benefits
• Processing of $ 500 million worth of procurement spread over 1500 tenders by a single department
• Access to new contractors
• Increased participation of contractors/ suppliers
• Reduced tender cycle time
• Cost competitiveness
• Transparency
Implementation Experience (Government/ PSU – India)
Municipal Corporation Delhi
Departments such as Education, Conservancy,
Sanitation, Engineering, Health and Horticulture
Common procedures but differential workflow
Management Challenges
• Install and implement an
Electronic Procurement System.
• Adherence to CVC Guidelines and
IT Act 2000.
• Reduce underhand practices and
introduce transparency
• Reduce the cycle time and cost
involved in the tendering process
• Introduce efficient procurement
to pay process
Approach
• Electronic tendering
• Payment gateways
• Digital signature
• Anti collusion security system
• Change Management
• Implementation and integration of the IT network
• System administration of the Electronic Procurement System
• Integration with Public key infrastructure (PKI) and Payment Gateway.
• Provision of digital certificates for the users and vendors.
• Impart training to corporation staff and vendors (300 users, 5000 contractors)
• Availability of a Service Help Desk.
• User Awareness
Benefits
• Processing of over 8000 Tenders in a span of 12 months
• Greater transparency
• Overall cost saving
• Access to new contractors
• Reduced tender cycle time (90 days to 30 days)
• Reduced human error and misuse
• Reduced contractor collusion
• Reduction in unfair practices
• Capacity enhancement
• Presently – Over 1600 Tenders Live
Implementation Experience (Government/ PSU – India)
National Thermal Power Corporation
One of the "nine jewels" (Navratna) of the Government of India,
catering to the power sector and a profit-making central PSU.
High standard of work. Over 29 Plants and Other
Offices spread across India
Management Challenges
• Solution to handle multiple location and user defined procedure.
• Providing one stop solution for multiple interface.
• Reduction in cycle time involved and setting up a benchmark
• Efficient and secured handling of procurement process
• Adherence to CVC Guidelines and other relevant norms.
• IT Culture in the organization
Approach
• Process analysis and implementation of solution.
• Demo portal for training and hands-on session.
• Consulting and process reengineering to adopt best practices.
• Pilot events for user adoption and analysis of gaps
• Remote administration and on-line support on need basis.
• Formulation of On-line Procurement Policy Document for the organization.
• Consulting in gap analysis and process re-engineering.
Benefits
• Reduction in process time.
• Formulation of electronic
procurement policy.
• Enhanced transparency
• 1 stop solution for
procurement
• Reduction in errors and
misuse
• Reduced contractor collusion
• Reduction in unfair practices
• Roll out plan initiated for
complete coverage.
• Analysis Mechanism and
Spend Analysis
Interesting Observations:
At LvL 5 the average cost saving achieved by the tendering authority was estimated (by the authorities themselves) as "above 20%".
A 20% saving implies a 25% larger development/expenditure surplus for these organisations (the same budget now buys 1/0.8 = 1.25 times as much).
It has been estimated that the present LvL 4+ setups directly affect the lives of over 100 million people.
These observations led to a change in overall Government policy: a circular has been issued by which all Govt tenders above a value of .... must necessarily be tendered ONLY via e-tendering.
India E-Procurement top 10 – Facing the music of enlarged needs for new features
"E-Procurement is working fine - I want all my employees to take part in it and have access to it"
"We have an internal workflow and we now want the system to support that – each one's responsibility should be noted"
"I want JIT inventory – give me the facility to issue direct PO from existing Rate Contracts"
"We need to share our tender forms with other organisations and they need to float a similar tender – why can't I simply email them the template"
"Don't expect me to buy keys for all my employees - use our existing infrastructure and give me a solution – but don't dare compromise on security"
"Non-repudiation my foot – that guy simply said he was not aware that the translation is wrong – the translator is not responsible in your system"
"We need to have the tender automatically approved with the budgets in our accounts system realtime"
"Integrate to my ERP – we have SAP – it should be a simple thing"
"I don't care for standards – my vendors don't need to fill these fields – take them off"
"Whatever you do – don't ask me to buy out Dell!!!!"
Translation...
Need to integrate and interchange data (including masters) with 3P software easily
Need to export data in an easy, portable fashion
Need to use standards which allow flexibility to extend the scope
Need to make it platform independent
Need to have end-user programmability
Need to build dynamically allocatable power structures (for escalation), power charts (for budget sanctions) and organograms
Need to conform to International Standards
The Solution was actually a no-brainer
USE XML FROM START TO END
and only keep indexing and authentication information in the database
It implies using XML
for UI
for data storage
for data comparison
for input / output
for messaging
for conformance to standards (UN/CEFACT & ebXML standards) for input and output
Eureka! We have a solution
But what about security??
Need for XML Security
Securing the connection vs. securing the content
1. Transport security (HTTPS) protects only a direct connection between client and server, so multiple intermediaries require multiple HTTPS connections piped together
• Content is in clear at every connecting node, which opens potential security holes there, and every hop needs its own server certificate, which creates a public key certificate management nightmare
2. Connection security cannot provide granular content security
• Scenarios such as multi-level approval require different parts of one document to be signed or encrypted by different parties
– Connection-based security is insufficient for this: it says nothing about who approved what
– Each approval signature must remain verifiable by the parties that handle the document later
– Unnecessarily encrypting all content also introduces more processing overhead
Overall View
Case Study (parties: Field Agent, Manager, Payment Center, Factory)
1. Field Agent: sign and send an order. The order contains an encrypted account number.
2. Manager: verify the order signature; attach an approval signature.
3. Payment Center: verify the approval signature; decrypt the account number; attach a payment status signature; remove the account number.
4. Factory: verify the payment status signature; verify the agent address; send the product.
XML Security Means
1. Availability
2. Integrity
3. Confidentiality
4. Authentication
5. Accountability
1. Availability
• Availability assures that the information and essential
services will be available for the authorised users at the
required moment, including the efforts required to regain
lost information.
2. Integrity
• Integrity guarantees the correctness and completeness of the information. Cryptography (hashes, message authentication codes and digital signatures) is the means to assure it. Checksums and plain hashes both detect changes to the original information, but only accidental ones: a checksum is tuned to catch transmission errors, and a plain hash, although collision resistant, can simply be recomputed by whoever altered the data. Detecting malicious changes needs a value the attacker cannot recompute, i.e. a keyed hash (MAC) or a digital signature over the hash.
• As such, we consider the integrity issue as a requirement to be addressed by sXML.
3. Confidentiality
• Confidentiality protects sensitive information against examination by unauthorised individuals, entities or processes. Cryptography provides the means to support confidentiality by applying symmetric or asymmetric encryption mechanisms, in practice a symmetric cipher for the data itself and asymmetric encryption to transport its key.
4. Authentication
• Authentication assures that the identity of the source is indeed what it is claimed to be, and can apply to persons, processes, systems or information. Cryptography, and more specifically asymmetric (public key) cryptography, provides the means: a signature created with a private key authenticates its holder. When that private key is held by a single party, the signature additionally gives non-repudiation, since the signer cannot later deny having signed. Authentication and non-repudiation are distinct properties: a shared-key MAC authenticates, but cannot give non-repudiation, because either holder of the key could have produced it.
5. Accountability
• Accountability records the responsibility of the individuals
belonging to the organisation for which a policy
regarding information security has been established.
This aspect thus relates to organisations and
responsibilities.
Solutions Overview
1. XML Encryption
2. XML Digital Signature
3. Includes XML Canonicalization
4. XML Key Management Specification (XKMS)
5. Security Assertion Markup Language (SAML), eXtensible Access Control Markup Language (XACML)
6. WS-Security
XML Encryption
• Proper encryption is crucial for XML data security, particularly for sensitive data that's passed across unprotected networks such as the Internet. Enter XML Encryption.
• It's easy to think of encryption as a "blanket" operation: data is encrypted on one end, then decrypted on the other. But more information is required to perform this operation successfully. In an XML instance, there are four basic types of information:
Encryption Description
1. Encrypted content, which contains the actual encrypted data or a reference to the location of this data. There is virtually unlimited flexibility in both the types of data that can be included and methods for logical data collection for encryption.
2. Unencrypted content, which contains other information that is pertinent to the context of the interaction but isn't encrypted for some reason, perhaps due to performance concerns or because it wasn't deemed private or sensitive enough to warrant encryption.
3. Key information, which contains information or pointers to information about the keys that perform the encryption, and, therefore, the keys that perform the decryption. The key information can be maintained elsewhere and replaced by a URL in the XML instance.
4. Recipient information, which contains information about one or more intended recipients of the encrypted data. This information is optional, thus allowing situations where the applicable recipient information is known or provided out of band, such as with business partners that have a preexisting contractual relationship.
Encrypting XML data follows the usual hybrid (key transport) pattern of public key cryptography. First, the data is encrypted with a randomly created secret key using a symmetric cipher. Then the secret key is encrypted using the intended recipient's public key. The two are packaged together (in XML Encryption, as an EncryptedData element whose key information carries an EncryptedKey) so that only the intended recipient can retrieve the key and decrypt the data. Decryption involves applying the private key to recover the secret key, then decrypting the data with the secret key.
There are a number of options for the cipher used on the XML portions, as well as multiple ways of embedding these encryption elements within an XML instance.
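The hybrid scheme just described, as an added Go example (standard library only; not code from NexTenders nor from the XML Encryption specification): a random AES-256-GCM content key encrypts the account number from the case study, RSA-OAEP wraps that key for the payment centre, and the buyer name is left as unencrypted context. Party names, keys, the sample account number and the element layout (loosely modelled on EncryptedData/EncryptedKey) are this example's assumptions; a real implementation would emit the specification's namespaced elements and algorithm identifiers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// EncryptedData: the encrypted content, the key information (content key
// wrapped for one recipient) and the recipient name; layout is an assumption.
type EncryptedData struct {
	XMLName     xml.Name `xml:"EncryptedData"`
	Recipient   string   `xml:"KeyInfo>EncryptedKey>KeyInfo>KeyName"`
	WrappedKey  string   `xml:"KeyInfo>EncryptedKey>CipherData>CipherValue"`
	CipherValue string   `xml:"CipherData>CipherValue"`
}

// Order: the buyer stays in clear (unencrypted context); only the account is encrypted.
type Order struct {
	XMLName xml.Name       `xml:"order"`
	Buyer   string         `xml:"buyer"`
	Account *EncryptedData `xml:"EncryptedData"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptForRecipient: random content key, encrypt the data with it
// (AES-256-GCM), then wrap that key with the recipient's RSA-OAEP public key.
func encryptForRecipient(recipient string, pub *rsa.PublicKey, plaintext []byte) (*EncryptedData, error) {
	buf := make([]byte, 32+12) // AES-256 content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	contentKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	// Recipient name is authenticated data: re-addressing the element breaks the tag.
	ciphertext := gcm.Seal(nonce, nonce, plaintext, []byte(recipient))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedData{
		Recipient:   recipient,
		WrappedKey:  base64.StdEncoding.EncodeToString(wrapped),
		CipherValue: base64.StdEncoding.EncodeToString(ciphertext),
	}, nil
}

// decrypt: unwrap the content key with our private key, then open the data.
func decrypt(recipient string, priv *rsa.PrivateKey, ed *EncryptedData) ([]byte, error) {
	if ed.Recipient != recipient {
		return nil, fmt.Errorf("EncryptedKey is addressed to %q, not %q", ed.Recipient, recipient)
	}
	wrapped, err1 := base64.StdEncoding.DecodeString(ed.WrappedKey)
	ciphertext, err2 := base64.StdEncoding.DecodeString(ed.CipherValue)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("malformed base64 in EncryptedData")
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, fmt.Errorf("cipher text too short")
	}
	plaintext, err := gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], []byte(recipient))
	if err != nil {
		return nil, fmt.Errorf("content decryption failed: %w", err)
	}
	return plaintext, nil
}

func main() {
	payments, _ := rsa.GenerateKey(rand.Reader, 2048)                  // payment centre (assumed key pair)
	account := []byte(`<AccountNumber>1234-5678-9012</AccountNumber>`) // constructed sample
	enc, _ := encryptForRecipient("payment-centre", &payments.PublicKey, account)
	wire, _ := xml.MarshalIndent(Order{Buyer: "Field Agent 17", Account: enc}, "", "  ")
	fmt.Println(string(wire)) // buyer readable, account number is not
	got, err := decrypt("payment-centre", payments, enc)
	fmt.Printf("%s %v\n", got, err)
}
```

Decrypting with another party's private key fails at the key-unwrap step, and an element re-addressed to a different recipient fails the GCM tag check because the recipient name is authenticated data; both are the checks a payment centre should run before trusting the account number.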
XML Signature
• A digest of the data, protected by a key the verifier can check
• Creating a digital signature (roughly):
• Canonicalize and digest the data
• Sign the digest with the signer's private key (RSA or DSA). XML Signature also allows an HMAC over the digest with a shared key, but that is a message authentication code, not a signature in the non-repudiation sense
• The result is the signature value, carried alongside the digest
XML Signature Verification
• Verifying a digital signature (roughly):
• Canonicalize and digest the data
• Check that the digest matches the digest value that was signed
• Check the signature value over that digest with the signer's known public key (or recompute the HMAC with the shared key)
• A good signature verifies that the data is the same as was signed
• With public-key cryptography, the signature also gives non-repudiation, because only the holder of the private key could have produced it; a shared-key HMAC does not, because the verifier could have produced it too
XML Canonicalization
• For signature, the data is digested
• Digest algorithms work with octet streams
• Equivalent XML may have different octet stream representations:
<element att="val"/>
<element att = 'val' />
• Canonicalization (C14N) prescribes the one serialization, so both forms digest to the same value
• There are serious issues with namespaces and other inherited values (xml:base, xml:lang etc.)
• Values inherited from ancestors must be included in the canonical form, or the signature can no longer be verified once the signed fragment is moved into another context
• The same applies to encrypting only parts of XML documents
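Signature creation, verification and canonicalization from the three slides above, together with the agent-then-manager approval step of the case study, as one added Go example (standard library only; not code from NexTenders nor from an XML-DSig library). `normalize` re-serialises the XML through encoding/xml so that the two equivalent forms shown above digest to the same value; it is a stand-in for W3C C14N, not an implementation of it (attribute order, namespace declarations and inherited xml:base/xml:lang are not handled). Signing the digest directly with RSA-PSS also simplifies XML-DSig, which signs a canonicalised SignedInfo element carrying the digest. Keys, party names and the sample order are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// normalize re-serialises XML through encoding/xml so that equivalent inputs
// (quote style, whitespace around '=' and before '/>') yield identical octets.
// It is a stand-in for W3C C14N, not an implementation of it (assumption).
func normalize(doc []byte) ([]byte, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	var out bytes.Buffer
	enc := xml.NewEncoder(&out)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			err = enc.Flush()
			return out.Bytes(), err
		}
		if err != nil {
			return nil, err
		}
		if err := enc.EncodeToken(xml.CopyToken(tok)); err != nil {
			return nil, err
		}
	}
}

// Signature: digest of the canonical data (XML-DSig DigestValue) plus the public-key signature over it (SignatureValue).
type Signature struct {
	Digest []byte
	Value  []byte
}

// digestOf hashes the normalized document followed by the values of any
// earlier signatures the new signature must cover (the approval case).
func digestOf(doc []byte, covers ...*Signature) ([]byte, error) {
	canon, err := normalize(doc)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(canon)
	for _, s := range covers {
		h.Write(s.Value)
	}
	return h.Sum(nil), nil
}

// sign: digest the data, then sign the digest with the private key (RSA-PSS).
func sign(priv *rsa.PrivateKey, doc []byte, covers ...*Signature) (*Signature, error) {
	digest, err := digestOf(doc, covers...)
	if err != nil {
		return nil, err
	}
	value, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest, nil)
	if err != nil {
		return nil, err
	}
	return &Signature{Digest: digest, Value: value}, nil
}

// verify: re-digest the data we hold and compare (reference validation), then
// check the signature over it with the public key (signature validation).
func verify(pub *rsa.PublicKey, doc []byte, s *Signature, covers ...*Signature) error {
	digest, err := digestOf(doc, covers...)
	if err != nil {
		return err
	}
	if !bytes.Equal(digest, s.Digest) {
		return errors.New("reference validation failed: data differs from what was signed")
	}
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest, s.Value, nil); err != nil {
		return fmt.Errorf("signature validation failed: %w", err)
	}
	return nil
}

func main() {
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)   // field agent (assumed key pair)
	manager, _ := rsa.GenerateKey(rand.Reader, 2048) // factory manager (assumed key pair)
	// Constructed sample order, and the same order with the slide's quoting and whitespace differences.
	order := []byte(`<order id="42"><item qty="3">valve</item></order>`)
	orderAlt := []byte(`<order id = '42' ><item qty = "3" >valve</item></order>`)
	agentSig, _ := sign(agent, order)
	fmt.Println("equivalent serialisation:", verify(&agent.PublicKey, orderAlt, agentSig))
	// The manager's approval covers the agent's signature, so it cannot be re-attached to another order.
	approval, _ := sign(manager, order, agentSig)
	fmt.Println("approval, manager's key:", verify(&manager.PublicKey, order, approval, agentSig))
}
```

`verify` reports success as a nil error. Because the approval covers the agent's signature value, checking it without that value, or with the agent's public key, fails; that is what lets a later party (the payment centre) establish who approved exactly what, and it is the non-repudiation a shared-key HMAC could not give.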
XML Key Management, XACML, SAML
• XKMS – XML Key Management Specification
• Distributing and registering public keys
• Minimizing complexity of using XML Signature
• XACML – eXtensible Access Control Markup Language
• Authorization policies
• SAML – Security Assertion Markup Language
• Authentication, transfer of authentication and authorization decisions
Web Application based on XML Document Security
(Architecture diagram. Components: a Browser [Web 2.0 client using Ajax] with its own Key Store, exchanging HTML/JavaScript/XML with the Web Server over HTTP Get and HTTP Put; the Web Server runs a Presentation Processor and a Security Processor (PAM & REM), each backed by its own Key Store.)
Conclusion
• XML is poised to redefine the way we use the Internet by providing real-time, interactive capabilities for sharing data among entities, so start planning now.
• Encryption and signature standards for XML documents will permit the maximum use of XML capabilities in conducting business transactions over the Internet.
• These standards will strengthen the security mechanisms surrounding XML processes while harnessing XML's power.
Thank You
If you have questions, please
feel free to contact
[email protected]
This document is a confidential document of NexTenders (India) Pvt. Ltd. No part of this publication
may be reproduced, stored in a retrieval system or transmitted in any form or by any means, whether
electronic, mechanical, photocopying, recording or otherwise, without the written permission of
NexTenders.