Secure Method of Information Exchange: Overview of Hub Concept & Prototype

This document presents an overview of the Hub Concept & Prototype for Secure Method of Information Exchange (SMIE) developed in April 2013 by New Zealand and the USA. It discusses drivers, ePhyto transmission options, Direct NPPO to NPPO ePhyto exchange, Hub/Cloud communication, security mechanisms, transaction types, examples of transactions, and next steps. The focus is on providing an effective, efficient, and secure method for information exchange between participating NPPOs. The content highlights the differences between Direct NPPO to NPPO communication and Cloud/Hub communication, emphasizing simplicity, cost-effectiveness, security, and flexibility.

• Secure Method
• Information Exchange
• Hub Concept
• Prototype
• NPPOs

naev_6 Follow

Uploaded on Sep 18, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. Overview of the Hub Concept & Prototype for Secure Method of Information Exchange (SMIE) April 2013 Prepared by NZ & USA www.mpi.govt.nz 1

2. Contents: Drivers ePhyto transmission options 1. Direct NPPO to NPPO ePhyto exchange (Many to many via Bi-lateral agreement) 2. Overview of Cloud/Hub Communication (one to Many) Key difference between Direct NPPO to NPPO versus Cloud/Hub What s in the Hub/Cloud Concept Hub Prototype: Portal access System to System and Portal Access Hub Prototype: Security Mechanisms Hub Prototype: Transaction Types Prototype: Examples of Transactions (Information Flows) Next Steps 2

3. Drivers Provide an effective , efficient & secure method for information exchange between participating NPPOs by eliminating the need for other countries to access exporting countries systems directly. E.g. Exporting NPPO push the export certificate information to the hub, importing NPPO pulls it from the hub. Reduce the complexity and cost of having multiple Many to Many interfaces for information exchanges with trading partners. E.g. One standardised, secure interface to the hub for all electronic information exchange activities between participating NPPOs. Ability to provide Portal solution to enable countries to receive Ephyto certificate information. 3

4. Direct NPPO to NPPO ePhyto exchange (Many to Many via Bi-Lateral Agreement) US - PCIT Kenya New Zealand Korea Netherlands Canada 4

5. Overview of Cloud/Hub Communication (One to Many) US - PCIT Kenya New Zealand Korea Netherlands Canada 5

6. Differences between Direct NPPO to NPPO versus Cloud/Hub communications Direct NPPO to NPPO communication : multiple interfaces resulting in complexity and increased cost to manage & maintain challenges firewall security relies on pull technology Cloud/Hub communication : Reduced complexity and rigidity Simpler setup and ongoing maintenance for participating countries = lower cost. Improved visibility of certificate exchanges. Able to separate the message carrier (envelope) from the actual certificate information payload making it more flexible and modular not hard coded together. Use of internet standard SSL certificates = lower cost for participating countries. 6

7. Whats in the basic Prototype of the Hub concept? Utilises modern Cloud technology. A secure folder for each countries certificate information. Consideration for a linked folder for attachments (i.e. Re-export phytosanitary certificate message situations). Portal Access enabling countries without software to software capability to receive an electronic XML phytosanitary certificate message Secure information exchange mechanisms using the security SSL certificate (X.509 certificate) 7

8. Hub Prototype: Portal access Provides basic functionality for member countries that don t have the software functionality or enough trade volume to justify building a software to software solution. Allows exporting NPPO to push certificate messages to the Hub prototype rather than having to host them on their own websites. Importing NPPOs operating through the Portal benefit by not having to go to several different websites to look up certificate messages. Allows Portal participating member country NPPOs to do basic lookups and potentially could provide some standardised reporting capabilities for example, allow exporting NPPO to see when an importing NPPO last retrieved its certificates. Can be used to provide status information and notifications of any upgrades/changes. 8

9. Hub Prototype: Software-to-Software and Portal Access Software to Software Certificate Information Exchange. Country B Software to Software Country G Hub Portal Country D User Access Portal Potential for User Access Portal providing receiving access to countries who cannot access Software to Software. 9

10. Hub Prototype: Security Mechanism Envelope to deliver certificate information: Involves a message carrier or envelope similar to the traditional postage envelope identifies; - the sender, - the receiver, and - where the envelope actually originated from. Separates the delivery (transport) carrier/envelope message from the actual content (certificate information payload) of the message taking care & enhancing the security element. Message Carrier/Envelope Contains: Protocol-type Receiver ID Sender ID Transaction ID Security SSL Certificate (X.509 certificate) Encryption Mechanism 10

11. Hub Prototype: Security Mechanism Certificate information inside the Envelope : Contains the specific certificate information being exchanged Accommodates exchanges of; - normal/standard phytosanitary certificate information, and - Re-export phytosanitary certificate information ( includes ability to attach the original certificate). Message Contains: Message Header - System level information includes security credentials, transaction context, & session identifiers. Message Body Actual encrypted XML message contents (as per ePhyto XML data map) using SSL certificate. Attachments Original certificate in Re- Export certificate situations. 11

12. Hub Prototype: Transaction Types Operational Transactions Description Submit Submit an approved certificate data set to the hub. Revoke Revoke an existing certificate data set. Replace Replace an existing certificate data set with an updated one. Retrieve Retrieve a list of certificate data sets based on: country status date range Commodity Reject Importing country rejects a certificate set it receives via the hub. Polling Query Polls to check if there are any new certificate data sets for a specific country. 12

13. Prototype Transaction: Submit certificate information Export NPPO ePhyto system & Hub activity: Export Country Import Country Hub Steps: 1. Export NPPO ePhyto system contacts the Hub. 2. Hub authenticates and authorises the export country, validates Certificate XML Schema. 3. Export NPPO ePhyto system pushes/sends approved certificate information to Hub 4. Hub puts certificate information into importing NPPO s secure storage folder (and in re-export certification situations, strips off the original certificate attachment and puts this into the import NPPO s attachment container). 5. Hub sends confirmation and hub transaction ID to Export NPPO ePhyto system 13

14. Prototype Transaction: Revoke certificate information Export NPPO ePhyto system & Hub activity: Export Country Import Country Hub Revoke Update with Transaction ID. Steps: 1. Export NPPO ePhyto system contacts the Hub 2. Hub authenticates and authorises the export country. 3. Validates Certificate XML information to ephyto XML data map 4. Updates event in transaction database with the revoked status. 5. Hub sends confirmation of status update to Export NPPO ePhyto system. 14

15. Prototype Transaction: Replacement certificate information Export NPPO ePhyto system & Hub activity: Export Country Import Country Hub Replacement certificate data set with Transaction ID of original. Steps: 1. Export NPPO ePhyto system contacts the Hub 2. Hub authenticates and authorises the export country. 3. Hub validates certificate XML inforamation to ePhyto XMl data map. 4. Hub creates a new transaction database entry 5. Hub looks up original certificate data set and flag as replaced and link to new transaction. 6. Hub puts certificate information and any original certificate attachments (Re-export situations) into the country container. 7. Hub sends confirmation and new transaction ID to Export NPPO ePhyto system. 15

16. Prototype Transaction:Polling Query Import NPPO ePhyto system & Hub activity: Export Country Import Country Hub Request for list of certificates for a exporting country based on certificate status, commodity type and date/time range. Steps: 1. Import NPPO ePhyto system contacts the Hub. 2. Hub authenticates and authorises the import country. 3. Hub looks up events for that country based on date range, certificate status and/or commodity type. 4. Hub returns relevant entries (i.e. list of certificates and transaction IDs falling within the query parameters. 16

17. Prototype Transaction: Retrieve certificate information Import NPPO ePhyto system & Hub activity: Import Country Hub Request certificate data set (and Re-export original attachments if required) based the hub transaction ID or certificate ID. Steps: 1. Import NPPO ePhyto system contacts & Polls the Hub for certificate information. 2. Hub authenticates and authorises the import country. 3. Hub looks up hub transaction ID and/or certificate data set ID in the hub database and find any Re-export original certificate attachments associated with the certificate if requested. 4. Hub sends requested certificate information to importing country ePhyto system (including any attachments). 17

18. Prototype transaction: Reject certificate information Import NPPO ePhyto system & Hub activity: Export Country Import Country Hub Request certificate (and attachments if required) based the hub transaction ID or certificate ID. Steps: 1. 2. 3. Import NPPO ePhyto system contacts the Hub. Hub authenticates and authorises the import country. Hub looks up the hub transaction ID and/or certificate ID in the hub database (and find any Re-export certificate information & attachment of the original certificate) Hub sends requested certificate information (and attachment in a Re-export certification situation) to the Import NPPO ePhyto system. Steps: 1. Import NPPO ePhyto system contacts the Hub which in turn authenticates and authorises the import country. 2. Hub looks up the hub transaction ID and/or certificate ID in hub database and flags certificate information as rejected and put reason into database. 3. Hub sends official interception reject/notification to exporting country. 4. Reject certificate and provide reason why rejected. Hub acknowledges rejection to Import NPPO ePhyto system. 18

19. Next Steps! Agree on the basics associated with the Cloud/Hub Concept Set up and complete feasibility study: (e.g. Use of a cloud based platform to provide cost effective, scalable and secure IT hardware/software. Use of commercial SSL certificates to make it easier, more secure and less costly to join. Use of a systems integrator/support organisation to provide service & support for the global hub. Initial business rules regards data retention, archive requirements, audit / activity reporting, service levels for hub) Set up a proof of concept: Support pilot testing between small group of countries Share experiences obtained to inform feasibility study 19

20. Questions Peter Johnston peter.johnston@mpi.govt.nz Lukasz Zawilski lukasz.zawilski@mpi.govt.nz 20