Trustworthy electronic signatures, secure e-Government and trust: the way forward for improving EU citizens’ trust in web services, outlined by EU Agency ENISA
January 2014 by Marc Jacob
The EU’s cyber security Agency, ENISA, is publishing a series of new studies about the current security practices of Trust Service Providers (TSPs) and recommendations for improving cross-border trustworthiness and interoperability for the new regulated TSPs and for e-Government services using them.
Secure governmental e-services are critical for society, e.g. in health, procurement and justice. Security is crucial for gaining EU citizens' trust in using these services. However, many security challenges must be overcome to ensure their successful deployment.
The TSP study underlines that:
A mutual assistance system between supervisory bodies in the Member States should be set up.
Client applications need to guarantee end-to-end encrypted communication with TSPs and e-Government services in order to safeguard EU citizens’ privacy.
The e-Government report uses several of the European Commission-funded Large Scale Pilots that integrate TSPs (epSOS for health, e-CODEX for justice and PEPPOL for procurement) as case studies. These cases are used to analyse current practices, identify gaps and show where improvements can be made. In this report, the Agency issues detailed technical security practice recommendations for TSPs and the e-Government services using them, covering time-stamping, e-delivery, long-term preservation and e-signature validation.
The more general TSP report from ENISA describes these services and the recommendations to improve their security in more detail.
Key recommendations identified to offer trustworthy e-Government services to EU citizens include:
Promote Trusted Marks assessed against eIDAS requirements that would be recognised across borders. Trust Services should be developed in a European scope, complying with both EU and local legislation. Specific Business Continuity Management standards should be adopted in the provision of trusted services (by TSPs) and required by e-Government customers.
Based on the criticality of the e-Government services, their providers should always assess three aspects:
the strength of the authentication mechanisms to be used, encouraging the use of e-Signatures;
the need for end-to-end encryption; and
the need for audit trails to keep electronic evidence.
The guidelines for Trust Service Providers give recommendations on the legal and regulatory framework for TSPs, risk assessment for TSPs and mitigation of security incidents. The main points highlighted by the reports include:
legal acts in the EU and at the national level
available standards applicable to trust services
processes for effective risk management at TSPs
handling of security incidents occurring at TSPs, such as impersonation, compromise of a Certificate Authority, organisational failures, etc.
The Executive Director of ENISA, Professor Udo Helmbrecht, stated: “It is vital for business and governments across Europe that citizens trust their online services and therefore implement the best technical e-signature solutions. These best practices need to be constantly reviewed through frequent risk analysis in order to keep up with the technical developments and overcome evolving cyber security challenges.”