A Model for Optimising Security in Public Key Infrastructure Solutions for eGovernment: A case study of Kenya
Public Key Infrastructure (PKI) quality attributes such as security, availability, integrity and interoperability are latent in nature, meaning they cannot be measured or observed directly. This presents a problem for how they can be optimised since, as Drucker's maxim goes, if you can't measure it, you can't manage it. We are cognizant of the fact that in most governments, the planners, implementers and assessors of PKI rely on quality management systems such as ISO to qualitatively measure compliance with best practices through quarterly audits. Such strategies are paperwork intensive and aim to ensure process adherence, but they lack the capacity to quantitatively measure non-functional quality properties. eGovernments and their cyber security strategies face massive threats from a knowledge society that has easy access to hacking tools, and also from well-funded hacker groups, some sponsored by foreign governments. In this work, we derive a conceptual framework from existing frameworks and then model a quantitative decision support tool using path analysis techniques, specifically Partial Least Squares Structural Equation Modeling (PLS-SEM). The data used to initialise the model is real data collected from an ongoing PKI implementation. We opine that if key decisions are optimised during planning, implementation and auditing, then the security of a PKI solution will also be optimised. We also provide an eGovernment arrangement that relies on PKI security for identification, authentication and authorisation. It is worthwhile to note that although PKI is a universal concept, its design and implementation in different contexts means that each context offers emergent challenges that require unique security solutions.