Good afternoon, dear reader!
For some time I have been closely following the updates and news of the Digital Economy program. From the point of view of someone who works inside the EGAIS system, this is, of course, a process that will take decades: from the point of view of development, of testing, of trial operation and of further roll-out, with the inevitable and painful fixing of all sorts of bugs afterwards. Nevertheless, it is a necessary, important and urgent matter. The main customer and driver of all this fun is, of course, the state. As it is, in fact, everywhere in the world.
All processes have long since moved into digital form or are on their way there. That is still wonderful. However, there is another side to the medal. I am a person who works with digital signatures constantly. I may be a supporter of yesterday's, but "old-fashioned", tried-and-tested methods of protecting electronic signatures with tokens. But digitalization shows us that everything has long been in the "clouds", and the qualified electronic signature (CEP) must be there too, and very quickly.
I tried to figure out, so far only at the level of the legislative and technical base, where that was possible, how things stand with cloud EDS in our country and in Europe. In fact, more than one scientific dissertation has already been published on this topic, so I urge the experts in this field to join in developing it.
Why is a cloud CEP attractive? There are, in fact, real advantages, and they are substantial: it is fast and convenient. That sounds like an advertising slogan, I agree, but these are the objective characteristics of a cloud EDS.
Speed means the ability to sign documents without being tied to tokens or smart cards. It does not oblige us to use only a desktop computer: a fully cross-platform story for any OS and browser. This is especially important for fans of Apple products, for whom supporting an ES on macOS involves certain difficulties. Access from anywhere in the world, freedom to choose a CA (not even necessarily a Russian one). Unlike a hardware CEP, cloud technologies let you avoid difficulties with software and hardware compatibility. So yes, it is convenient, and yes, it is fast.
And how can one not be seduced by such beauty? The devil is in the details. Let's talk about security.
Cloud CEP in Russia
Cloud security, and especially the security of an EDS in the cloud, is one of the main headaches of security people. What exactly don't I like, the reader will ask me; after all, everyone has been using cloud services for a long time, and with SMS confirmation it is even safer to make a bank transfer.
In fact, it is again back to the details. Cloud EDS is a future that is hard to argue with. But not now. For that, there must be regulatory changes that will protect the owner of a cloud EDS.
What do we have today? There are a number of documents defining the concept of an electronic signature and of electronic document management (EDM), as well as laws on data protection and data circulation. It is also necessary to take into account the Civil Code of the Russian Federation (GK RF), which regulates the use of electronic signatures in documents.
Federal Law No. 63-FZ "On Electronic Signature" dated April 6, 2011. The basic framework law describing the general meaning of using an electronic signature in transactions of various kinds and in the provision of services.
Federal Law No. 149- "On Information, Information Technologies and Protection of Information" dated July 27, 2006. This document specifies the concept of an electronic document and everything related to it.
There are additional laws involved in regulating EDM:
Federal Law 402- "On Accounting" dated December 6, 2011. This legislative act systematizes the requirements for accounting and for accounting documents in electronic form.
The Arbitration Procedure Code of the Russian Federation, which allows documents signed with an ES to be admitted as evidence in court, can also be taken into account.
And it was here that it occurred to me to dig deeper into the security question, because the standards for cryptographic protection tools are provided by the FSB, which also issues certificates of conformity. From February 18 the new GOSTs were introduced. Thus, keys stored in the cloud are not directly covered by FSTEC certificates. Protecting the keys themselves and secure login to the "cloud" are the cornerstones that we have not yet settled. Next, I will consider an example of regulation in the European Union, which vividly demonstrates a more mature security system.
European experience in using cloud electronic signatures
Let's start with the main thing: cloud technologies, not only ES, have a clear standard. The foundation is the Cloud Standards Coordination (CSC) of the European Telecommunications Standards Institute (ETSI). However, there are still differences in data protection standards between states.
The basis for comprehensive data protection is ISO 27001:2013 certification of information security management systems, which is mandatory for providers (the corresponding Russian GOST R ISO/IEC 27001-2006 is based on the 2006 version of this standard).
ISO 27017 provides additional security controls for the cloud that are absent from ISO 27002. The full official name of this standard is "Code of practice for information security controls based on ISO/IEC 27002 for cloud services".
In the summer of 2014, ISO published ISO 27018:2015 on the protection of personal data in the cloud, and at the end of 2015, ISO 27017:2015 on information security controls for cloud solutions.
In the fall of 2014, the new Regulation of the European Parliament No. 910/2014, known as eIDAS, entered into force. The new rules allow users to store and use the CEP key on the server of an accredited trust service provider, the so-called TSP (Trust Service Provider).
In October 2013, the European Committee for Standardization (CEN) adopted the technical specification CEN/TS 419241 "Security Requirements for Trustworthy Systems Supporting Server Signing", dedicated to regulating cloud EDS. The document describes several levels of security compliance. For example, compliance with "level 2", intended for producing a qualified electronic signature, requires support for strong user authentication. Under the requirements of this level, the user is authenticated directly on the signature server, in contrast to "level 1", where the user is authenticated in an application that then addresses the signature server on its own behalf. Also, in accordance with this specification, the user's signature keys for producing a qualified ES must be stored in the memory of a specialized secure device (a hardware security module, HSM).
User authentication in a cloud service must be at least two-factor. As a rule, the most accessible and easy-to-use option is to confirm login with a code received in an SMS message; this is how, for example, most personal online banking systems of Russian banks are implemented. In addition to the usual cryptographic tokens, a smartphone application and one-time password generators (OTP tokens) can also serve as means of authentication.
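To make the difference between the two CEN/TS 419241 levels concrete, here is an added example (not code from the original article or from any real TSP) of a signing server that keeps the user's key inside a modelled HSM and, in the level 2 variant, checks an RFC 6238 one-time password itself before signing; the seeds, keys and the HMAC stand-in for the real signing operation are constructed assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo material (assumption, not real secrets): a per-user TOTP seed
# shared with the user's OTP app or token, and a per-user signing key that is
# modelled as living inside the HSM and never leaving the server.
OTP_SEEDS = {"alice": b"constructed-otp-seed-alice"}
HSM_KEYS = {"alice": b"constructed-signing-key-alice"}


def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code the user's OTP generator shows at time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hsm_sign(key: bytes, document: bytes) -> bytes:
    """Stand-in for the HSM signing operation (assumption: HMAC-SHA256 instead of a GOST signature)."""
    return hmac.new(key, document, hashlib.sha256).digest()


def sign_level2(user: str, document: bytes, otp: str, now: int) -> Optional[bytes]:
    """Level 2 style: the signing server verifies the user's OTP itself before
    touching the key; one 30-second step of clock drift either way is tolerated."""
    seed, key = OTP_SEEDS.get(user), HSM_KEYS.get(user)
    if seed is None or key is None:
        return None
    if not any(hmac.compare_digest(totp(seed, now + d), otp) for d in (-30, 0, 30)):
        return None  # second factor failed: the key is never used
    return hsm_sign(key, document)


def sign_level1(user: str, document: bytes, app_says_authenticated: bool) -> Optional[bytes]:
    """Level 1 style: the application authenticates the user on its own and the
    server only sees the application's assertion, so a compromised or buggy
    application can obtain signatures without any second factor reaching the server."""
    key = HSM_KEYS.get(user)
    if key is None or not app_says_authenticated:
        return None
    return hsm_sign(key, document)
```

The level 1 server has no way to tell a genuine login from a false `app_says_authenticated=True`, which is exactly why the higher level moves the second factor onto the signing server itself.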
For the time being I can sum up an interim result: cloud CEPs are still taking shape in our country, and it is too early to move away from hardware. In principle, this is a natural process, which in Europe (oh, great!) also lasted about 13-14 years while precise standards were developed.
Until we develop good GOSTs that regulate our cloud services, it is too early to talk about a total rejection of hardware solutions. Rather, they will now, on the contrary, begin to move in the direction of "hybrids", that is, to work with cloud signatures as well. Some examples that comply with the European standards for working with the cloud have already been implemented. But more about that in the next article.