A Model for Optimising Security in Public Key Infrastructure Solutions for eGovernment: A case study of Kenya

Year 2016, Volume: 5 Issue: 1, 8 - 20, 01.03.2016

Geoffrey Wekesa Chemwa

Abstract

Public Key Infrastructure PKI quality attributes like security, availability, integrity, interoperability etc. are latent in nature meaning they cannot be measured or observed directly. This presents a problem on how they can be optimized since as Drucker’s maxim goes, if you can’t measure it, you can’t manage it. We are cognizant of the fact that in most governments, the planners, implementers and assessors of PKI rely on quality management systems like ISO to qualitatively measure compliance to best practices through quarterly audits. Such strategies are paperwork intensive and try to ensure process adherence but lack the capacity to quantitatively measure non-functional quality properties. eGovernments and their cyber security strategies, face massive threats from a knowledge society that has easy access to hacking tools, and also well-funded hacker groups, some sponsored by foreign governments.In this work,we derive a conceptual framework from existing frameworks then model a quantitative decision support tool using path analysis techniques, specifically Partial Least Square Structural Equation Modeling.The data used to initialize the model is real data collected from an ongoing PKI implementation. We opine that if key decisions are optimized during planning, implementation and auditing, then the security of the a PKI solution will also be optimized. We also provide an eGovernment arrangement that relies on PKI security for identification, authentication and authorization. It is worthwhile to note that although PKI is a universal concept, its design and implementation in different contexts means that each context offers emergent challenges that require unique security solutions.

Keywords

Public Key Infrastructure, Digital Certificate, eGovernment, Cyber Security, Structural Equation Modelling

References

• [1] Ernst & Young. Identity and Access Management: Beyond Compliance. Technical report. Ernst & Young, http://www.ey.com/Publication/vwLUAssets/EY_- _Evolving_identity_and_access_management/$FILE/E Y-Evolving-identity-and-access-management.pdf, 2013.
• [2] R. Wagner, “Identity and Access Management: Key Initiative Overview.” Gartner Inc., 2010.
• [3] T. Smedinghoff, “Building an Online Identity Legal Framework: The Proposed National Strategy,” The Bureau of National Affairs, USA, Report 800-372- 1033, 2010.
• [4] ISC, “PKI Assessment Guidelines.” Information Security Committee, American Bar Association, 2003.
• [5] C. M. Ringle, S. Wende, and J.-M. Becker, “SmartPLS 3,” A Primer on Partial Least Squares Structural Equation Modeling (PLS-SEM), 2014. [Online]. Available: http://www.smartpls.com. [Accessed: 03- Jan-2015].
• [6] K. K.-K. Wong, “Partial Least Squares Structural Equation Modeling (PLS-SEM) Techniques Using SmartPLS,” Marketing Bulletin, vol. Technical Note, no. 1, 2013.
• [7] N. Merlo-Schett, M. Glinz, and A. Mukhija, “COCOMO,” presented at the Seminar on Software Cost Estimation, Zurich, Switzerland, 2002.
• [8] P. Johnson, R. Lagerstrom, M. Ekstedt, and M. Osterlind, IT Management with Enterprise Architecture. Stockholm, Sweden: Royal Institute of Technology, 2014.
• [9] G. Chemwa, “Electronic Identity and Access Management for E-Government: Optimising Public Key Infrastructure Initiatives Through Probabilistic Assessment of Quality Attributes,” in Proceedings of the 2014 JKUAT Scientific, Technological and Industrialisation Conference, Nairobi, Kenya, 2014, pp. 542–551.
• [10] R. Kazman, M. Barbacci, M. Klein, S. J. Carrière, and S. G. Woods, “Experience with Performing Architecture Tradeoff Analysis,” in Proceedings of the 21st International Conference on Software Engineering, New York, NY, USA, 1999, pp. 54–63.
• [11] V. Veerappa and E. Letier, “Understanding Clusters of Optimal Solutions in Multi-objective Decision Problems,” in Proceedings of the 2011 IEEE 19th International Requirements Engineering Conference, Washington, DC, USA, 2011, pp. 89–98.
• [12] A. Brady and T. Menzies, “Case-Based Reasoning vs Parametric Models for Software Quality Optimisation.” ACM, 2010.
• [13] E. Kurilovas and V. Dagiene, “Multiple Criteria Evaluation of Quality and Optimisation of e-Learning System Components,” Electron. J. E-Learn., vol. 8, no. 2, pp. 141–151, 2010.
• [14] M. Harman, U. Ph, and B. F. Jones, “Search-Based Software Engineering,” Inf. Softw. Technol., vol. 43, pp. 833–839, 2001.
• [15] S. Yoo, M. Harman, and S. Ur, “Highly Scalable Multi Objective Test Suite Minimisation Using Graphics Cards,” in Search Based Software Engineering, M. B. Cohen and M. Ó. Cinnéide, Eds. Springer Berlin Heidelberg, 2011, pp. 219–236.
• [16] T. Waema and E. Adera. Local Governance and ICT’s in Africa: Case Studies and Guidelines for Implementation and Evaluation. Pambazuka Press UK, 2011(Book).
• [17] A. Ntoko, “e-Business: A Technology Strategy for Developing Countries,” e-Business:A Technological Strategy for Developing Countries, 2010. [Online]. Available: http://www.itu.int/ITUD/cyb/publications/archive/wmrcjune00/ntoko.html. [Accessed: 17-Feb-2015].
• [18] Transparency International, “Corruption Perception Index 2014,” Transparency International, Berlin, Germany, Report, 2014.
• [19] J. Satyanarayana, E Government: The Science of the Possible. PHI Learning Pvt. Ltd., 2004.
• [20] A. Kalja, N. Reitsakas, and N. Saard, “eGovernment in Estonia: Best Practices,” Technol. Manag. Unifying Discip. Melting Boundaries, pp. 500–506, 2005.
• [21] Australian Government, “National e-Authentication Framework.” Australian Government Infromation Management Office, 2009.
• [22] GoK, “The Kenya National ICT Master Plan 2013/14 - 2017/18.” ICT Authority, 2014.
• [23] GoK, “Cybersecurity Strategy.” Ministry of Information and Communication, 2014.
• [24] R. K. Das, S. Patnaik, and A. K. Misro, “Adoption of Cloud Computing in e-Governance,” in Advanced Computing, N. Meghanathan, B. K. Kaushik, and D. Nagamalai, Eds. Springer Berlin Heidelberg, 2011, pp. 161–172.
• [25] Australian Government, “Gatekeeper PKI Framework Threat and Risk Assessment Template,” Australian Government Information Management Office, 2009.
• [26] D. Zubrow, “Software Quality Requirements and Evaluation, the ISO 25000 Series.” Software Engineering Institute, Carnegie Mellon, 2004.
• [27] Accenture, “Citizen Identity Authentication Programs: Challenges and Benefits.” 2008.
• [28] P. Johnson and M. Ekstedt, Enterprise Architecture Models and Analyses for Information Systems Decision Making. Stockholm: Studentlitteratur, 2007.
• [29] Cooper et al., “RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.” The Internet Society, 2008.
• [30] E. Wheeler, Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. Elsevier, 2011.
• [31] P. Buttles-Valdez, A. Svolou, and F. Valdez, “A Holistic Approach to Process Improvement Using the People CMM and the CMMI-DEV: Technology, Process, People & Culture, The Holistic Quadripartite,” presented at the Software Engineering Institute Tutorial, CarnegieMellon, 2005.
• [32] StatSoft, “Partial Least Squares (PLS),” Partial Least Square, 2000. [Online]. Available: http://www.uta.edu/faculty/sawasthi/Statistics/stpls.ht ml. [Accessed: 18-Feb-2015].
• [33] A. O. Skyles, “An Introduction to Regression Analysis.” The University of Chicago Law School, 1992.
• [34] J. Fox and H. S. Weisberg, An R Companion to Applied Regression, Second Edition edition. Thousand Oaks, Calif: SAGE Publications, Inc, 2010.
• [35] R. E. Schumacker and R. G. Lomax, A Beginner’s Guide to Structural Equation Modeling: Third Edition. Routledge, 2012.
• [36] University of North Carolina, “Variance and Design of Experiments,” Variance, 2007. [Online]. Available: http://www.unc.edu/courses/2007spring/psyc/530/001/ variance.html. [Accessed: 27-Feb-2015].
• [37] J. M. Carroll and P. A. Swatman, “Structured-case: a methodological framework for building theory in information systems research,” Eur. J. Inf. Syst., vol. 9, no. 4, pp. 235–242, Dec. 2000.
• [38] J. Hulland, “Use of partial least squares (PLS) in strategic management research: a review of four recent studies,” Strateg. Manag. J., vol. 20, no. 2, pp. 195– 204, Feb. 1999.
• [39] R. P. Bagozzi and Y. Yi, “On the evaluation of structural equation models,” J. Acad. Mark. Sci., vol. 16, no. 1, pp. 74–94, Mar. 1988.