ARM 7: Securing e-Government of Thailand in Action

Securing E- Gov of Thailand in action

Kitisak Jirawannakool E-Government Agency (Public Organization)

[email protected]

1

About EGA❖ First established in 1997 as Government Information

Technology Services (GITS) ❖ ~ 200 staffs ❖ Services

❖ Government Information Network (GIN) ❖ Government Cloud Services (G-Cloud) ❖ MailgoThai service ❖ Government Computer Emergency and Readiness Team

(G-CERT) ❖ More details : http://www.ega.or.th

2

Smart Thailand 2014-2015

3

Smart Network

Smart Cloud

Cyber Security TH e-GIF ICT

Academy

GIN  

G-Cloud -  G-SaaS -  Mobile Application 

-  e-CMS2.0 -  Saraban as   a Service - มาตรฐาน สารบรรณ 

Smart Citizen Info. -  Gov. API -  Smart Box  Gov. Access Channel - e-Portal -  Gov.App.Center -  data.go.th 

Government Secure Monitoring 

ICT Training -  e-GCEO -  e-GEP - Technical   Training 

Data Center Consolidation

(77 Provinces )

e-Service for e-Gov : •  MOI •  MOE •  MOPH •  MOAG

4

E-Government services

5

24x7 Helpdesk and Contact CenterEGA Contact Center

Other Government’s servicesServices

Cloud Provider

Cloud Provider

Cloud Provider

Inter Cloud SaaS PaaS IaaS

Government AgencyGINGovernment Agency

Government Computer Emergency and Readiness

Team (G-CERT)

Risk Assessment

Incident Monitoring

Information Analysis

Response Team

Awareness Raising

Government Information Network (GIN)❖ Government Information Network

6

Gov. Orgs 

User� Network�

NSW

GFMIS

0GSMS

CABNET

ทะเบียนราษฎร 

Common0Service�

Gov. Orgs 

GIN 

User� Network�

Standard  - GDX Security  - Encryption  - CA 

NSW

GFMIS

GSMS

CABNET

ทะเบียนราษฎร 

Common0Service�

Before! A<er!

GIN❖ More than 2,000 links (subscribers) ❖ For government only ❖ Intranet for all government organizations ❖ Added-on services

❖ Intranet system ❖ GIN Conferences ❖ Other services integration

❖ DNSSEC implementation ❖ IPV6 implementation

7

Government Cloud Service (G-Cloud)

8

Ministry A Ministry B Ministry C

Government Cloud Service (G-Cloud)❖ Focus on IaaS (initial phrase) ❖ 214 Systems are running on G-Cloud ❖ Serve Government, Collaborate with Partners, and Work with Communities ❖ Next move for G-Cloud

❖ Back office system - “e-Saraban” (PaaS/SaaS) ❖ Government Application Center (SaaS)

9

G-Cloud

10

Security on G-Cloud❖ Firewall (Hi-speed firewall/Application firewall) ❖ SSL-VPN for Cloud Management ❖ Two factors Authentication ❖ Vulnerability Assessment and Penetration Testing ❖ ISO/IEC 27001:2005 implementation ❖ Security monitoring ❖ Security training courses for customers

11

G-CERT’s Roadmap

12

Education (Training and Awareness Raising)

Policy and Standard

Start in 2014 Start in 2015 Start in 2016

Media Relations (PR and Contents producer)

G-CERT

G-CERT ’s constituencies❖ EGA Internal ❖ EGA ’s customers

❖ G-Cloud ❖ GIN ❖ other services

❖ Critical Infrastructures ❖ Other Government

13

Services❖ Incident Response

❖ Government Security Monitoring

❖ IT Security Awareness Raising ❖ Quarterly Training ❖ Anual Conference ❖ Incident Drill

❖ Risk and Vulnerability Assessment ❖ IT Security Consultants

14

Our Concept❖ Public - help the government ❖ Private - by working with vendors ❖ Partnership - collaborate with other IT communities

15

Other IT security related activities❖ Cloud Security Alliance Thailand Chapter - CSA ❖ Open Web Application Security Project Thailand Chapter - OWASP

16

Cloud Security Activities in Thailand❖ Cloud Security Alliance (CSA) Thailand Chapter

❖ Cloud Security Audit for providers ❖ Cloud Security Experts building (Certified of Cloud Security Knowledge - CCSK)

❖ ASEAN CSA and OWASP Summit ❖ Many areas (Security, Providers, Education, Governance, Audit, Licensing, crisis and etc)

❖ Cloud R&D ❖ Cloud Control Matrix (for security auditing) ❖ Cloud Security Guideline for operators ❖ Cloud Interoperation (Integrating Cloud Infrastructure) ❖ Securing Cloud infrastructure and Application

17

EGA Cloud Control Self Assessment

18

ASEAN CSA Summit 2013 & 2014

19

OWASP Thailand’s working concepts❖ PPP - Public, Private, and Partnership ❖ Public

❖ Contribute how to secure web app for Government organizations

❖ Private ❖ Collaborate with SIPA and SW Park ❖ Guide the software houses to do secure coding

❖ Partnership ❖ Working with other IT and Security communities in Thailand

20

OWASP Thailand Chapter❖ Arrange monthly meetings ❖ Prepare many courses for web app security

❖ Web Application Security ❖ Web application testing ❖ Secure coding

❖ Translate some documents into Thai ❖ OWASP Top 10 2013

❖ Organize annual event : 2014 OWASP ASIA TOUR

21

Conclusion❖ Even we contribute a lot of security, however it ‘s still not enough ❖ Lacking of experts is one of the biggest problems ❖ Collaboration is the key factor ❖ Looking for new collaborations

22

Source : http://www.openpages.com/blog/index.php/2010-grc-wish-list-collaborate

Contact me

23

Contact me

[email protected] http://www.ega.or.th