UNCLASSIFIED

Supply Chain and Encryption
POSITION PAPER November 2018

Draft Position Paper

For more information on this position paper, email [email protected]


Mar 16, 2020



This paper provides key factors on the approach for implementing supply chain visibility and encryption, to provide a level of confidence in the integrity and confidentiality of data, which flows through a supply chain between the client and the ATO.

Introduction

1. A robust encryption and supply chain solution will provide a level of confidence in the integrity of data, which flows through a supply chain between the client and the ATO. This means confidence for users, service providers and for the ATO. There is a mutual need to ensure that the overall integrity of the ecosystem is upheld.

Key considerations

2. Information transmitted to the ATO must be submitted via an authorised party regardless of the number of DSPs or the roles they play in the supply chain.

3. Encryption is a key component of hardening the security of the ecosystem, and needs to allow:

• Confidentiality between the parties
• Non-repudiation
• Integrity (via digital signatures)

4. As business models and the broader ecosystem evolve, encryption standards must provide the flexibility to support these changes.

5. The position of the focus group should support both:

• End-to-end encryption (payload-level encryption) – data is encrypted by the sending party and can travel through multiple third parties before reaching the final receiving party. The message can only be decrypted once it reaches the final receiving party.
• Party-to-party encryption – data is encrypted by the sending party and can travel through multiple third parties before reaching the final receiving party. Each party in the supply chain can decrypt and re-encrypt the message before sending it on.

6. DSPs with ‘party-to-party encryption’, where data is decrypted at each hop, should be required to implement a greater level of controls and auditing to maintain a level of confidence in the supply chain.

What we heard

Supply Chain

7. There was agreement that we collectively need to tighten security across the supply chain, and that breaches anywhere in the supply chain impact confidence and perception right through the chain.

8. Supply chain visibility may present some challenges dependent on the transport mechanism used (eg annotating data transferred through FTP).


Encryption

9. While encryption in transit presents a number of challenges (including ensuring non-repudiation and increased risk of data leakage), full end to end encryption and encryption in transit are not mutually exclusive and should co-exist to support the diversity of supply chains.

10. The payload-level encryption needs to be agnostic of the message and standalone in its own right.

11. There was agreement that it is fundamental that the solution supports signing, encryption and compression. One standard needs to handle all three of those components.

12. There was a strong preference to be able to use Government credentials to support business-to-business interactions.

Alternatives explored

Encryption

13. AS4 was raised as an alternative for payload-level encryption. It was agreed that this approach would not allow for the payload to be agnostic of the message.

14. S/MIME was considered as the payload encryption standard – however the focus group had a preference for the Cryptographic Message Syntax (CMS) encryption standard instead.

Conclusion

15. Technology exists to support immediate implementation of:

• Encryption in transit,
• Encryption at rest.

16. However, new technology solutions are required to support:

• Payload encryption,
• Supply Chain Visibility.

Timelines for design and implementation of these new technology solutions have not been developed at this stage.

Encryption

There was agreement for encryption standards:

17. Encryption of data in transit

• Mandatory for all transmissions over public or shared network infrastructure to use ASD Approved Cryptographic Algorithms and Protocols.
• In the majority of cases this will be TLS v1.2.

18. Encryption of data at rest

• DSPs to use either full-disk, container, application or database-level encryption techniques, using ASD Approved Cryptographic Algorithms and Protocols.


19. Payload-level encryption

• Encryption should be considered in conjunction with non-repudiation and integrity between the parties (via digital signatures).
• The encryption mechanism should be payload and messaging agnostic.
• Cryptographic Message Syntax (CMS) will form the basis of the solutions with a local customisation profile as required.

20. The proposed timeframe for DSPs to implement encryption of data in transit and at rest is 01 February 2018.

Refer to pp. 242-247 of the Australian Government Information Security Manual for the ASD Approved Cryptographic Algorithm standards.

Supply chain visibility

21. Agreement on a design principle of annotating the identity and functional role to the message for every DSP that reads or modifies sensitive data – where the payload is not encrypted end-to-end (ie payload-level encryption).

22. The functional roles within a supply chain were defined as:

• Data Collection – Party responsible for the acquisition of data through user interface interaction or APIs.
• Data Validation – Party responsible for the verification of data types, structures, formats and/or data values.
• Data Integrator – Party responsible for combining data from multiple sources for use.
• Data Analysis & Extraction – Party responsible for performing analysis on data to extract a data sub-set or additional derived/calculated data.
• Data Transformation – Party responsible for changing the syntactic representation of data.
• Data Provider – Party responsible for the payload (which may be encrypted).
• Data Transmitter – Party responsible for the message with the payload (eg ebMS3/AS4 transmission).

23. Supply chain visibility will be part of a broader suite of controls, which includes audit logging, encryption, monitoring and certification of providers.
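As an added illustration (not part of the ATO paper or any ATO specification), the annotation principle in paragraphs 21 and 22 can be sketched as a chain of per-DSP records that the receiving party checks for role coverage and undeclared payload changes. The record layout, the read/modify field, the SHA-256 digest and the DSP names are assumptions, and the annotations are not signed in this sketch.

```python
import hashlib
from dataclasses import dataclass

# Functional roles defined in paragraph 22 of the paper.
ROLES = {"Data Collection", "Data Validation", "Data Integrator",
         "Data Analysis & Extraction", "Data Transformation",
         "Data Provider", "Data Transmitter"}
# Appendix 3: these two roles are essential in every supply chain.
ESSENTIAL = {"Data Collection", "Data Transmitter"}

@dataclass(frozen=True)
class Annotation:          # hypothetical record layout, not an ATO format
    dsp_id: str            # constructed DSP identifier
    role: str              # one of ROLES
    action: str            # "read" or "modify" (assumed field)
    digest: str            # SHA-256 of the payload as it left this DSP

def annotate(chain, dsp_id, role, action, payload):
    """Return a new chain with this DSP's annotation appended."""
    digest = hashlib.sha256(payload).hexdigest()
    return chain + [Annotation(dsp_id, role, action, digest)]

def validate(chain, received):
    """Return findings for the receiver; an empty list means consistent."""
    findings = [f"unknown role: {a.role}" for a in chain if a.role not in ROLES]
    present = {a.role for a in chain}
    findings += [f"missing essential role: {r}" for r in sorted(ESSENTIAL - present)]
    for prev, cur in zip(chain, chain[1:]):
        # A digest change is only acceptable at a hop that declares "modify".
        if cur.digest != prev.digest and cur.action != "modify":
            findings.append(f"{cur.dsp_id} changed payload but declared {cur.action}")
    if chain and hashlib.sha256(received).hexdigest() != chain[-1].digest:
        findings.append("payload changed after last annotated hop")
    return findings

def demo():
    """Constructed four-hop chain: collect, validate, transform, transmit."""
    raw = b'{"amount": "100"}'
    xml = b"<amount>100</amount>"
    chain = annotate([], "dsp-a", "Data Collection", "modify", raw)
    chain = annotate(chain, "dsp-b", "Data Validation", "read", raw)
    chain = annotate(chain, "dsp-c", "Data Transformation", "modify", xml)
    chain = annotate(chain, "dsp-d", "Data Transmitter", "read", xml)
    return chain, xml

if __name__ == "__main__":
    chain, payload = demo()
    print(validate(chain, payload))                 # consistent chain
    print(validate(chain[:-1], payload + b" "))     # dropped hop, altered payload
```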


APPENDIX 1 – CERTIFICATION SCOPE


The outcomes from the focus group will contribute to the controls required for desktop and cloud services.


APPENDIX 2 – ENCRYPTION REQUIREMENTS


FEATURE 1 – CHANNEL

GBB2 it solves a security problem for government and creates an opportunity for business. A wholesale offering must cater for both B2B and B2G channels with one solution.

FEATURE 2 – STANDARD

With a consistent approach to encryption regardless of message transport and data format, a wholesale offering provides a standard that remains build agnostic.

FEATURE 3 – CURRENT

Up to date with the latest ASD approved cryptographic algorithms. A solution will ensure currency by supporting the latest evaluated protocols and algorithms.

FEATURE 4 – SCALABLE

The creation of a public key exchange controlled by government that offers revocation and an OCSP will solve the key distribution problem for industry.

Encryption is a key component of hardening the security of the operational framework ecosystem and includes:

• Confidentiality between parties
• Non-repudiation
• Integrity (digital signatures)


APPENDIX 3 – FUNCTIONAL ROLES IN A SUPPLY CHAIN


A supply chain may comprise a variety of functional roles; however, the Data Collection and Data Transmitter roles are essential in every supply chain. It is important to note that the roles may not always be in the order listed.


APPENDIX 4 – FUNCTIONAL ROLES EXAMPLES
