arm 7: securing e-government of thailand in action
Securing E-Gov of Thailand in action
Kitisak Jirawannakool, E-Government Agency (Public Organization)
About EGA
❖ First established in 1997 as Government Information Technology Services (GITS)
❖ ~ 200 staff
❖ Services
  ❖ Government Information Network (GIN)
  ❖ Government Cloud Services (G-Cloud)
  ❖ MailgoThai service
  ❖ Government Computer Emergency and Readiness Team (G-CERT)
❖ More details: http://www.ega.or.th
Smart Thailand 2014-2015
[Diagram: Smart Thailand 2014-2015 components]
Diagram labels: Smart Network; Smart Cloud; Cyber Security; TH e-GIF; ICT Academy
GIN
G-Cloud: G-SaaS, Mobile Application, e-CMS2.0, Saraban as a Service, Saraban standard
Smart Citizen Info.: Gov. API, Smart Box
Gov. Access Channel: e-Portal, Gov.App.Center, data.go.th
Government Secure Monitoring
ICT Training: e-GCEO, e-GEP, Technical Training
Data Center Consolidation
(77 Provinces)
e-Service for e-Gov: MOI, MOE, MOPH, MOAG
E-Government services
[Diagram: E-Government services]
❖ 24x7 Helpdesk and Contact Center (EGA Contact Center)
❖ Other Government’s services
❖ Cloud Providers, Inter Cloud: SaaS, PaaS, IaaS
❖ Government Agency - GIN - Government Agency
❖ Government Computer Emergency and Readiness Team (G-CERT): Risk Assessment, Incident Monitoring, Information Analysis, Response Team, Awareness Raising
Government Information Network (GIN)
❖ Government Information Network
[Diagram: government networks before and after GIN]
Before: Gov. Orgs; User Network; NSW, GFMIS, GSMS, CABNET, Civil Registration; Common Service
After: Gov. Orgs; GIN; User Network; Standard - GDX; Security - Encryption - CA; NSW, GFMIS, GSMS, CABNET, Civil Registration; Common Service
GIN
❖ More than 2,000 links (subscribers)
❖ For government only
❖ Intranet for all government organizations
❖ Add-on services
  ❖ Intranet system
  ❖ GIN Conferences
  ❖ Other services integration
❖ DNSSEC implementation
❖ IPv6 implementation
Government Cloud Service (G-Cloud)
❖ Focus on IaaS (initial phase)
❖ 214 systems are running on G-Cloud
❖ Serve Government, Collaborate with Partners, and Work with Communities
❖ Next move for G-Cloud
  ❖ Back office system - “e-Saraban” (PaaS/SaaS)
  ❖ Government Application Center (SaaS)
Security on G-Cloud
❖ Firewall (high-speed firewall / application firewall)
❖ SSL-VPN for Cloud Management
❖ Two-factor authentication
❖ Vulnerability Assessment and Penetration Testing
❖ ISO/IEC 27001:2005 implementation
❖ Security monitoring
❖ Security training courses for customers
G-CERT’s Roadmap
[Diagram: G-CERT roadmap, with phases marked "Start in 2014", "Start in 2015" and "Start in 2016"; labels: Education (Training and Awareness Raising), Policy and Standard, Media Relations (PR and Contents producer)]
G-CERT’s constituencies
❖ EGA Internal
❖ EGA’s customers
  ❖ G-Cloud
  ❖ GIN
  ❖ other services
❖ Critical Infrastructures
❖ Other Government
Services
❖ Incident Response
❖ Government Security Monitoring
❖ IT Security Awareness Raising
  ❖ Quarterly Training
  ❖ Annual Conference
  ❖ Incident Drill
❖ Risk and Vulnerability Assessment
❖ IT Security Consultants
Our Concept
❖ Public - help the government
❖ Private - by working with vendors
❖ Partnership - collaborate with other IT communities
Other IT security related activities
❖ Cloud Security Alliance Thailand Chapter - CSA
❖ Open Web Application Security Project Thailand Chapter - OWASP
Cloud Security Activities in Thailand
❖ Cloud Security Alliance (CSA) Thailand Chapter
  ❖ Cloud Security Audit for providers
  ❖ Cloud Security Experts building (Certificate of Cloud Security Knowledge - CCSK)
❖ ASEAN CSA and OWASP Summit
  ❖ Many areas (Security, Providers, Education, Governance, Audit, Licensing, crisis, etc.)
❖ Cloud R&D
  ❖ Cloud Controls Matrix (for security auditing)
  ❖ Cloud Security Guideline for operators
  ❖ Cloud Interoperation (Integrating Cloud Infrastructure)
  ❖ Securing Cloud infrastructure and Application
OWASP Thailand’s working concepts
❖ PPP - Public, Private, and Partnership
❖ Public
  ❖ Contribute guidance on how to secure web apps for Government organizations
❖ Private
  ❖ Collaborate with SIPA and SW Park
  ❖ Guide the software houses to do secure coding
❖ Partnership
  ❖ Working with other IT and Security communities in Thailand
OWASP Thailand Chapter
❖ Arrange monthly meetings
❖ Prepare many courses for web app security
  ❖ Web Application Security
  ❖ Web application testing
  ❖ Secure coding
❖ Translate some documents into Thai
  ❖ OWASP Top 10 2013
❖ Organize annual event: 2014 OWASP ASIA TOUR
Conclusion
❖ Even though we contribute a lot to security, it is still not enough
❖ Lack of experts is one of the biggest problems
❖ Collaboration is the key factor
❖ Looking for new collaborations
Source : http://www.openpages.com/blog/index.php/2010-grc-wish-list-collaborate