Cloud electronic signature in Russia and the world

Good afternoon, dear reader!
For some time now I have been closely following the updates and news of the Digital Economy program. From the point of view of someone working inside the EGAIS system, this is, of course, a process that will take decades: from the point of view of development, of testing, of rollbacks and further implementation, followed by the inevitable and painful fixing of all kinds of bugs. Nevertheless, the matter is necessary, important and overdue. The main customer and driver of all this fun is, of course, the state. As everywhere else in the world, in fact.
All processes have long since moved into digital form or are on their way there. That is still wonderful. However, medals for distinction also have reverse sides. I am a person who works with a digital signature constantly. I am a supporter of methods that may be "yesterday's", but are "old-fashioned", reliable and proven: protecting the electronic signature key with tokens. But digitalization shows us that everything has long been in the "clouds", and the qualified electronic signature (CEP) must go there too, and very quickly.
I tried to find out, so far only at the level of the legislative and technical base, where that was possible, how things stand with cloud ES in our country and in Europe. In fact, more than one dissertation has already been written on this topic, so I invite the professionals in this area to join in developing it.
Why is a cloud CEP attractive? There really are positives, and enough of them. It is fast and convenient. That sounds like an advertising slogan, you will agree, but these are the objective characteristics of a cloud-based EDS.
The speed lies in the ability to sign documents without being tied to tokens or smart cards. It does not oblige us to use only a desktop: a fully cross-platform story for any OS and browser. This is especially true for fans of Apple products, who face certain difficulties with ES support on macOS. Access from anywhere in the world, freedom to choose a CA (not even necessarily a Russian one). Unlike hardware CEP, the cloud avoids software and hardware compatibility problems. Which is, yes, convenient and, yes, fast.
How can one not be tempted by such beauty? The devil is in the details. Let's talk about security.
"Cloud" CEP in Russia
The security of cloud solutions, and of the digital signature in particular, is one of the main pains of security people. What exactly don't I like, the reader will ask me, since everyone has been using cloud services for a long time, and making a bank transfer with an SMS code is even more reliable.
Again, back to the details. Cloud EDS is the future, which is hard to argue with. But not now. For that, there must be regulatory and legal changes that protect the owner of a cloud EDS.
What do we have today? There are a number of documents that define the concept of ES and electronic document management (EDF), as well as laws on information protection and data circulation. In particular, the Civil Code of the Russian Federation, which regulates the use of ES in documents, must be taken into account.
Federal Law No. 63-FZ "On Electronic Signature" dated 6 April 2011. The main framework law, describing the general meaning of the use of electronic signatures in transactions of various kinds and in the provision of services.
Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection" dated 27 July 2006. This document specifies the concept of an electronic document and all related segments.
There are additional legislative acts involved in the regulation of EDF.
Federal Law No. 402-FZ "On Accounting" dated 6 December 2011. This act systematizes the requirements for accounting and accounting documents in electronic form.
The Arbitration Procedure Code of the Russian Federation can also be taken into account, since it allows documents signed with an ES as evidence in court.
And here it occurred to me to dig deeper into the security issue, because our standards for cryptographic protection tools are set by the FSB, which also issues certificates of conformity. Since February 18, new GOSTs have been introduced. Thus, keys stored in the cloud are not directly protected by FSTEC certificates. The protection of the keys themselves and secure entry into the "cloud" are the cornerstones we have not yet settled. Next, I will consider the example of regulation in the European Union, which clearly demonstrates a more advanced security system.
European experience in the use of cloud ES
Let's start with the main thing: cloud technologies, not only ES, have a clear standard. The basis is the work of the Cloud Standards Coordination (CSC) group of the European Telecommunications Standards Institute (ETSI). However, data protection standards still differ from country to country.
The basis for comprehensive data protection is mandatory certification of providers under ISO 27001:2013 for information security management systems (the corresponding Russian GOST R ISO/IEC 27001-2006 is based on the 2006 version of this standard).
ISO 27017 provides additional security controls for the cloud that are not in ISO 27002. The full official title of this standard is "Code of practice for information security controls based on ISO/IEC 27002 for cloud services".
In the summer of 2014, ISO published ISO 27018:2015 on the protection of personal data in the cloud, and at the end of 2015, ISO 27017:2015 on information security controls for cloud solutions.
In the autumn of 2014, the new European Parliament Regulation No. 910/2014, known as eIDAS, came into force. The new rules allow users to store and use the CEP key on the server of an accredited trust service provider, the so-called TSP (Trust Service Provider).
In October 2013 the European Committee for Standardization (CEN) adopted the technical specification CEN/TS 419241 "Security Requirements for Trustworthy Systems Supporting Server Signing", dedicated to the regulation of cloud EDS. The document describes several levels of security compliance. For example, compliance with "level 2", required for the creation of a qualified electronic signature, means supporting strong options for user authentication. According to the requirements of this level, user authentication takes place directly on the signing server, in contrast, for example, to the authentication permitted for "level 1", which takes place in an application that accesses the signing server on its own behalf. Also, in accordance with this specification, user signing keys for creating a qualified ES must be stored in the memory of a specialized secure device (a hardware security module, HSM).
User authentication in the cloud service must be at least two-factor. As a rule, the most accessible and easy-to-use option is confirming login with a code received in an SMS message; this is how most personal accounts of Russian banks' remote banking services (RBS) are implemented, for example. Besides the usual cryptographic tokens, a smartphone application or one-time password generators (OTP tokens) can also serve as a means of authentication.
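To make the "level 2" arrangement from the two paragraphs above concrete, here is an added example written for this article; it is not code from the CEN/TS 419241 specification or from any real provider, and the class and function names (ToyHSM, SigningServer, totp, demo) are assumptions. It models a signing server where the user authenticates with a password and an RFC 6238 one-time code directly to the server that holds the key, and where the key lives inside an HSM stand-in that exposes only a sign operation. HMAC-SHA256 is used as a placeholder for the HSM's actual asymmetric signature so that the example runs on Python's standard library alone; the SMS variant mentioned above is not modelled.

```python
"""Toy model of a CEN/TS 419241 "level 2" remote signing flow.

Example code for this article, not from the standard or any product; all
names are assumptions. Two properties from the text are modelled: the user
authenticates with two factors directly to the signing server, and the key
never leaves the HSM object. HMAC-SHA256 stands in for the HSM's real
asymmetric signature (e.g. GOST R 34.10 or ECDSA).
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

TOTP_STEP = 30  # seconds per one-time-code window (RFC 6238 default)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class ToyHSM:
    """Stand-in for a hardware security module: key material is generated
    inside and never returned; only sign()/verify() are exposed."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def generate_key(self, key_id: str) -> None:
        self._keys[key_id] = secrets.token_bytes(32)

    def sign(self, key_id: str, digest: bytes) -> bytes:
        # Placeholder for the real asymmetric signature operation.
        return hmac.new(self._keys[key_id], digest, hashlib.sha256).digest()

    def verify(self, key_id: str, digest: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(key_id, digest), signature)


class SigningServer:
    """Holds user credentials and asks the HSM to sign only after the user
    has authenticated to this server with both factors."""

    def __init__(self, hsm: ToyHSM) -> None:
        self.hsm = hsm
        self.users: Dict[str, dict] = {}

    def enrol(self, username: str, password: str, otp_seed: bytes) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        key_id = f"key-{username}"
        self.hsm.generate_key(key_id)  # the key is born inside the HSM
        self.users[username] = {"salt": salt, "pw_hash": pw_hash,
                                "otp_seed": otp_seed, "key_id": key_id}

    def _authenticate(self, username: str, password: str, otp: str, now: int) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
        pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
        # Accept the current window and one on either side for clock skew.
        otp_ok = any(hmac.compare_digest(totp(user["otp_seed"], now + d * TOTP_STEP), otp)
                     for d in (-1, 0, 1))
        return pw_ok and otp_ok  # both factors are always evaluated

    def sign(self, username: str, password: str, otp: str, document: bytes,
             now: Optional[int] = None) -> bytes:
        now = int(time.time()) if now is None else now
        if not self._authenticate(username, password, otp, now):
            raise PermissionError("two-factor authentication failed; signature refused")
        digest = hashlib.sha256(document).digest()
        return self.hsm.sign(self.users[username]["key_id"], digest)


def demo() -> dict:
    """Runs the flow on constructed sample data and reports the outcomes."""
    hsm = ToyHSM()
    server = SigningServer(hsm)
    seed = b"constructed-otp-seed-0001"          # constructed sample value
    password = "constructed-sample-passphrase"   # constructed sample value
    document = b"constructed sample contract text"
    now = 1_700_000_000                          # fixed clock for reproducibility
    server.enrol("alice", password, seed)

    valid_otp = totp(seed, now)
    wrong_otp = valid_otp[:-1] + str((int(valid_otp[-1]) + 1) % 10)
    signature = server.sign("alice", password, valid_otp, document, now)

    def refused(pw: str, otp: str) -> bool:
        try:
            server.sign("alice", pw, otp, document, now)
        except PermissionError:
            return True
        return False

    return {
        "valid": hsm.verify("key-alice", hashlib.sha256(document).digest(), signature),
        "wrong_otp_refused": refused(password, wrong_otp),
        "wrong_password_refused": refused("wrong", valid_otp),
        "key_exportable": hasattr(hsm, "export_key"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the outcomes of one valid signing request and of requests with a wrong one-time code or a wrong password. The structural point is that the application wanting a document signed never holds the user's credentials or the key: both factors are checked by the signing server itself, which is what separates "level 2" from the "level 1" arrangement in which an intermediary application authenticates the user and then calls the server on its own behalf.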
For now I can sum up an intermediate result: cloud CEP is still taking shape in our country, and it is too early to move away from hardware. In principle, this is a natural process, which even in Europe (oh, great!) took about 13-14 years until more or less precise standards were developed.
Until we develop good GOSTs regulating our cloud services, it is too early to talk about a complete rejection of hardware solutions. Rather, the opposite: they will now begin to move toward "hybrids", that is, working with cloud signatures as well. Some examples that meet European standards for working with the cloud have already been implemented. But more about that in a new article.

Source: habr.com