PARIS, Aug. 16, 2004 — In February 2004, government officials and business leaders in Mauritius gathered to inaugurate their new electronic marketplace for international trade. Among the attendees was European Union Trade Commissioner Pascal Lamy, who commended the security measures built into the site as a model for governments within and outside of Europe. Lamy also invited the government of Mauritius to connect its new portal with the EU’s own e-marketplaces — promising an additional boost to the island nation’s trade and economic development.
Government-sponsored Internet marketplaces connecting manufacturers, distributors and retailers are nothing new. Their value lies in removing logistical barriers to trade by facilitating monetary transactions and helping trading companies clear customs, complete the proper documentation and fulfill regulatory requirements via the Internet. The sticking point for many governments, however, has been the high cost of ensuring absolute trust and data security. This cost has left such online services out of reach of most developing nations, and perpetuates the disparity among advanced and emerging economies.
Strong security for Internet transactions is one of the last technical hurdles to achieving true e-government, enabling the broadest range of online government services while streamlining bureaucracy and providing efficient alternatives to in-person contact between government agencies and their constituents. For Mauritius, a grant from the EU’s European Development Fund led to the island nation having one of the most secure e-marketplaces on the Internet.
Wisekey Offers Federated Identity Solutions on the Windows Server 2003 Platform
Behind Mauritius’ e-marketplace is Switzerland-based Wisekey, an independent software vendor (ISV) and Microsoft technology partner specializing in IT security. Wisekey develops applications for organizations that require a layer of security higher than is typically available in the market — in sectors such as government, finance and defense.
“Essentially, governments want to emulate the interactions that take place in the analogue world online,” says Carlos Moreira, CEO of Wisekey. “Before they create binding transactions among citizens, businesses and governments, they want to have the authentication infrastructure in the country and not somewhere else. You wouldn’t expect France to issue a passport for England, for example.”
Wisekey developed the Mauritian trading portal around a public key infrastructure (PKI) security framework, creating a safe online trading environment where companies in Mauritius can sell and procure products, and transact business electronically with customers around the world. With PKI technology, the authenticity of each party involved in an Internet transaction is verified before the exchange of encrypted data can continue. Certificate authorities — usually third-party companies — issue digital certificates of identity, which are attached to secure transmissions.
Wisekey technology enables organizations to host a PKI certificate authority within their own infrastructure, using a model of cross-certificates between organizations to establish absolute trust. This autonomy is essential for governments, which must house their own IT security infrastructure to maintain complete control over their national security.
Last month, building on momentum following the Mauritius project, Wisekey and Microsoft signed a contract with the government of Portugal to establish a similar identity framework. Three of Portugal’s ministries have independent authentication systems, with different passwords required for each. Microsoft is teaming up with Wisekey to implement the solution, initially to integrate Portugal’s disparate systems, and subsequently to incorporate PKI security.
Portugal’s new security platform will likely be among the most advanced in Europe, Moreira says, allowing the country to establish a common digital ID system, with the option of implementing a national ID card in the future.
Wisekey’s technology takes advantage of the certificate authority built into Windows Server 2003, which Microsoft originally designed to manage user licenses for the operating system. Wisekey’s security solution enables Windows Server 2003 to serve as a full PKI certificate authority at a fraction of the cost of a traditional certificate authority application.
“With this combination of Windows Server 2003 and federated identity technology from Wisekey, we can deliver, for less than $20,000, a full identity infrastructure which a year ago would have cost $1 million or more,” Moreira says. “So now that it is becoming affordable, developing countries as well as smaller organizations and companies can afford to move into Class 3 security, and this in turn will increase the transactional value of the Internet.”
Why Is Authentication So Important?
Digital signatures are essential to certain types of online interactions. Although many people use the Internet to interact with their bank or government agencies, they still have to provide original signatures, through the mail or in person, when renewing their driving license, for example. PKI’s certificate-based client authentication, strong encryption and secure electronic signatures eliminate the need for people to print out, sign and send in forms they download from government Web sites. PKI is a prerequisite to paperless interactions, because a trusted digital signature is the only way to be sure of the confidentiality and authenticity required for these automated processes.
For governments, PKI security enables organizations to achieve a greater level of online service and automation, even when a signature is needed. It also eliminates processing time, cross-checking and transaction errors, because information is captured through the PKI infrastructure and not re-entered by clerks in different divisions or agencies, on different systems.
“PKI is well established as a trusted security model, but broad adoption requires solutions that are designed to take advantage of it,” says Per Bendix Olsen, government partner manager for Microsoft Europe, Middle East and Africa. “Now governments are starting to see more real-world applications using PKI and the possibility of end-to-end case management over the Internet, which is essential if they want to harvest all the benefits of e-government.”
Digital identity technology is behind the growing support in Europe for national ID cards, which would allow governments to provide even more services to citizens more efficiently. These ID cards would require Class 3 security — absolute, two-way authentication — and therefore must employ PKI. Lower levels of IT security known as Class 1 and Class 2 security consist of simple data encryption or user authentication at the server gateway, and are appropriate for many types of online interactions. But only Class 3 security is acceptable for core governmental functions such as voting, immigration and taxes, for example.
“The question has never been whether PKI is the right technology, but whether it can be implemented in a user-friendly way, without investing of millions of dollars,” Moreira says. “Now the consensus in the security market is that nothing can replace PKI because more and more national legislation recognizes digital signatures as equivalent to written signatures.”
Moreira adds that even if governments turn to biometric technologies such as retinal scanning for identity verification, the system still must be based on the PKI model and infrastructure.
Integration Is the Path to Efficient E-Government
In Mauritius, the EU funding aimed to establish an integrated Internet portal for Mauritius to promote commerce, particularly with Europe. But the Mauritian government faced a common challenge: multiple government agencies involved in trade were operating their own Web sites and services on different IT platforms, and with different security practices. To create an integrated e-marketplace for trade, the Mauritian government needed to unify its security across these agencies.
Wisekey implemented a cross-government identity platform based on Windows Server 2003, creating a single framework for the government to interact with companies and citizens. In the context of the e-marketplace, this means that Mauritius can offer its products much more readily to European buyers, with completely secure online transactions. And the traders in Mauritius benefit from single sign-on and authentication for all of the processes involved in foreign trade — customs, trade documentation, payment, export regulations and so on.
“Organizations are starting to look to the Internet for highly strategic transactions, and now they can reach that level of transaction security with Windows 2003, a browser and Wisekey,” Moreira says. “So extremely secure applications like e-voting are possible with the right solution set and Windows infrastructure.”
Assembling a Full Set of Software Solutions for the Public Sector in EMEA
Standardized technology solutions are rarely suitable for public-sector organizations. Because they operate in different regions, face different priorities and serve constituents with vastly different circumstances, all governments face a unique set of challenges and operational requirements. So Microsoft maintains a continual dialogue with governments to understand their IT needs, and collaborates with industry partners to provide tailored software solutions, in any language, for virtually any scenario.
“Information security and the extension of workflow to include citizens and companies are key components of e-government,” Olsen says. “We look to partners such as Wisekey to ensure that solutions based on Microsoft technology are delivering value for the unique needs of the public sector.”
To showcase solutions for public sector organizations built on Microsoft platforms, Microsoft EMEA recently launched an Internet e-marketplace of its own, the Microsoft Public Sector Marketplace, displaying IT solutions for government from ISVs across the region. The marketplace is an ecosystem of technology providers — systems integrators, independent software vendors, and consulting and training firms — all oriented to the needs of governments and public agencies. Microsoft hosts the site at no charge to participants to make it easier for public organizations to locate vendors that can develop and deploy custom IT solutions in their local language and to meet their specific objectives.
According to Olsen, “By bringing together these solutions together in the context of one public sector resource, we not only support our partners with additional reach and exposure for their products, we give public organizations the tools to enhance and extend their IT infrastructure and build on their existing investment in Microsoft platforms and desktops.”