Cloud electronic signature in Russia and the world
Good afternoon, dear reader!
For some time I have been actively following the updates and news of the Digital Economy program. From the point of view of the internal employee of the EGAIS system, of course, the process is for decades. And from the point of view of development, and from the point of view of testing, rollbacks and further implementation with subsequent inevitable and painful corrections of various bugs. Nevertheless, a necessary, important and matured business. The main customer and driver of all this fun, of course, is the state. Actually, as in the whole world.
All processes have long spilled over into digital or on the way to it. This is wonderful. Nevertheless, there are also the flip sides of medals for distinction. I am a person who works constantly with a digital signature. I’m a supporter of maybe “yesterday’s”, but “antiquated” reliable and win-win methods of protecting electronic signatures using tokens. But digitalization shows us that everything has long been in the "clouds" and CEP, too, is needed there and is needed very quickly.
I tried to figure it out, so far at the level of the legislative and technical base, where it was possible, what is the situation with cloudy EP in our country and in Europe. In fact, more than one scientific dissertation has come out on this subject. Therefore, they urge the pros in this issue to connect to the development of the topic.
Why is CEP in the cloud attractive? In fact, there are pluses. These pluses are enough. It is fast and convenient. It sounds like an advertising slogan, agree, however, these are objective characteristics of a cloud digital signature.
Speed lies in the ability to sign documents without being tied to tokens or smart cards. It does not oblige us to use only the desktop. One hundred percent cross-platform history for any OS and browser. Especially true for fans of Apple products, for which there are certain difficulties in supporting ES in the MAC system. Exit from anywhere in the world, the freedom to choose a CA (not even a Russian one). Unlike CEP hardware, cloud technology avoids the complexity of software and hardware compatibility. Which, yes, is convenient, and, yes, fast.
And how can one not be tempted by such beauty? The devil is in the details. Talk about security.
The security of cloud solutions, and especially EDS - is one of the main pains for security. What exactly do not I like, the reader will ask me, because everyone has been using cloud services for a long time, and with SMS, it is even more reliable to make a bank transfer.
In fact, again, back to the details. Cloud EDS is a future that is hard to argue with. But not now. To do this, regulatory changes must occur that will protect the owner of cloud digital signatures.
What do we have today? There are a number of documents defining the concept of electronic signature, electronic document management (EDI), as well as laws on the protection of information and data circulation. Including it is necessary to take into account the Civil Code (Civil Code of the Russian Federation), which governs the use of electronic signature in documents.
Federal Law No. 63-ФЗ On Electronic Signatures of 04/06/2011. The main and framework law describing the general meaning of using electronic signatures in transactions of various nature and the provision of services.
Federal Law No. 149-ФЗ On Information, Information Technologies and Information Protection of 07.27.2006. This document specifies the concept of an electronic document and all segments associated with it.
There are additional legislative acts that are involved in the regulation of EDI
Federal Law 402-FZ "On Accounting" dated 06.12.2011. The legislative act provides for the systematization of requirements for accounting and accounting documents in electronic form.
Including You can take into account the Arbitration Procedure Code of the Russian Federation, which allow documents signed by the EP as evidence in court.
And it was here that it occurred to me to dig deeper into the issue of security, because we have the standards for crypto protection provided by the FSB and the issuance of certificates of compliance. On February 18, new GOSTs were introduced. Thus, keys stored in the cloud are not directly protected by FSTEC certificates. Protecting the keys themselves and secure access to the "cloud" are the cornerstones that we have not yet decided on. Next, I will consider an example of regulation in the European Union, which will clearly demonstrate a more advanced security system.
Let's start with the main thing - cloud technologies, not only ESs have a clear standard. The basis of the Cloud Standard Coordination (CSC) of the European Telecommunications Standards Institute (ETSI). However, in different countries there are still differences in data protection standards.
The basis for comprehensive data protection is mandatory certification for providers according to ISO 27001: 2013 for information security management systems (the corresponding Russian GOST R ISO / IEC 27001-2006 is based on the version of this standard from 2006).
ISO 27017 provides additional security features for the cloud that are not found in ISO 27002. The full official name for this standard is “Code of practice for information security controls based on” based on ISO / IEC 27002 for cloud services. ISO / IEC 27002 for cloud services ").
In the summer of 2014, ISO published the ISO 27018: 2015 standard on the protection of personal data in the cloud, and at the end of 2015, ISO 27017: 2015 on information security controls for cloud solutions.
In the fall of 2014, a new Decree of the European Parliament No. 910/2014, called eIDAS, entered into force. The new rules allow users to store and use the CEP key on the server of an accredited provider of trusted services, the so-called TSP (Trust Service Provider).
The European Committee for Standardization (CEN) in October 2013 adopted the technical specification CEN / TS 419241 "Security Requirements for Trustworthy Systems Supporting Server Signing", dedicated to the regulation of cloud EDS. The document describes several levels of security compliance. For example, to comply with the “level 2” presented for the formation of a qualified electronic signature, is to support strong options for user authentication. According to the requirements of this level, user authentication occurs directly on the signature server, in contrast, for example, from the authentication acceptable for “level 1” in the application, which accesses the signature server on its own behalf. Also in accordance with this specification,
User authentication in the cloud service must be at least two-factor. As a rule, the most accessible and easy to use option is confirmation of entry through the code received in the SMS message. So, for example, most of the personal accounts of the RB of Russian banks have been implemented. In addition to the usual cryptographic tokens, an application on a smartphone and one-time password generators (OTP tokens) can also be used as an authentication tool.
I can summarize an intermediate result so far, regarding the fact that cloud CECs are still being formed and it is too early to leave iron. In principle, this is a natural process, which even in Europe (oh, great!) Lasted about 13-14 years, until more or less precise standards were developed.
Until we develop good GOSTs that govern our cloud services, it is too early to talk about a complete rejection of hardware solutions. Rather, they now, on the contrary, will begin to move towards "hybrids", that is, work with cloud signatures as well. Some examples that meet European standards for working with Cloud have already been implemented. But more about that in the new material.
For some time I have been actively following the updates and news of the Digital Economy program. From the point of view of the internal employee of the EGAIS system, of course, the process is for decades. And from the point of view of development, and from the point of view of testing, rollbacks and further implementation with subsequent inevitable and painful corrections of various bugs. Nevertheless, a necessary, important and matured business. The main customer and driver of all this fun, of course, is the state. Actually, as in the whole world.
All processes have long spilled over into digital or on the way to it. This is wonderful. Nevertheless, there are also the flip sides of medals for distinction. I am a person who works constantly with a digital signature. I’m a supporter of maybe “yesterday’s”, but “antiquated” reliable and win-win methods of protecting electronic signatures using tokens. But digitalization shows us that everything has long been in the "clouds" and CEP, too, is needed there and is needed very quickly.
I tried to figure it out, so far at the level of the legislative and technical base, where it was possible, what is the situation with cloudy EP in our country and in Europe. In fact, more than one scientific dissertation has come out on this subject. Therefore, they urge the pros in this issue to connect to the development of the topic.
Why is CEP in the cloud attractive? In fact, there are pluses. These pluses are enough. It is fast and convenient. It sounds like an advertising slogan, agree, however, these are objective characteristics of a cloud digital signature.
Speed lies in the ability to sign documents without being tied to tokens or smart cards. It does not oblige us to use only the desktop. One hundred percent cross-platform history for any OS and browser. Especially true for fans of Apple products, for which there are certain difficulties in supporting ES in the MAC system. Exit from anywhere in the world, the freedom to choose a CA (not even a Russian one). Unlike CEP hardware, cloud technology avoids the complexity of software and hardware compatibility. Which, yes, is convenient, and, yes, fast.
And how can one not be tempted by such beauty? The devil is in the details. Talk about security.
Cloudy CEP in Russia
The security of cloud solutions, and especially EDS - is one of the main pains for security. What exactly do not I like, the reader will ask me, because everyone has been using cloud services for a long time, and with SMS, it is even more reliable to make a bank transfer.
In fact, again, back to the details. Cloud EDS is a future that is hard to argue with. But not now. To do this, regulatory changes must occur that will protect the owner of cloud digital signatures.
What do we have today? There are a number of documents defining the concept of electronic signature, electronic document management (EDI), as well as laws on the protection of information and data circulation. Including it is necessary to take into account the Civil Code (Civil Code of the Russian Federation), which governs the use of electronic signature in documents.
Federal Law No. 63-ФЗ On Electronic Signatures of 04/06/2011. The main and framework law describing the general meaning of using electronic signatures in transactions of various nature and the provision of services.
Federal Law No. 149-ФЗ On Information, Information Technologies and Information Protection of 07.27.2006. This document specifies the concept of an electronic document and all segments associated with it.
There are additional legislative acts that are involved in the regulation of EDI
Federal Law 402-FZ "On Accounting" dated 06.12.2011. The legislative act provides for the systematization of requirements for accounting and accounting documents in electronic form.
Including You can take into account the Arbitration Procedure Code of the Russian Federation, which allow documents signed by the EP as evidence in court.
And it was here that it occurred to me to dig deeper into the issue of security, because we have the standards for crypto protection provided by the FSB and the issuance of certificates of compliance. On February 18, new GOSTs were introduced. Thus, keys stored in the cloud are not directly protected by FSTEC certificates. Protecting the keys themselves and secure access to the "cloud" are the cornerstones that we have not yet decided on. Next, I will consider an example of regulation in the European Union, which will clearly demonstrate a more advanced security system.
European experience using cloud-based ES
Let's start with the main thing - cloud technologies, not only ESs have a clear standard. The basis of the Cloud Standard Coordination (CSC) of the European Telecommunications Standards Institute (ETSI). However, in different countries there are still differences in data protection standards.
The basis for comprehensive data protection is mandatory certification for providers according to ISO 27001: 2013 for information security management systems (the corresponding Russian GOST R ISO / IEC 27001-2006 is based on the version of this standard from 2006).
ISO 27017 provides additional security features for the cloud that are not found in ISO 27002. The full official name for this standard is “Code of practice for information security controls based on” based on ISO / IEC 27002 for cloud services. ISO / IEC 27002 for cloud services ").
In the summer of 2014, ISO published the ISO 27018: 2015 standard on the protection of personal data in the cloud, and at the end of 2015, ISO 27017: 2015 on information security controls for cloud solutions.
In the fall of 2014, a new Decree of the European Parliament No. 910/2014, called eIDAS, entered into force. The new rules allow users to store and use the CEP key on the server of an accredited provider of trusted services, the so-called TSP (Trust Service Provider).
The European Committee for Standardization (CEN) in October 2013 adopted the technical specification CEN / TS 419241 "Security Requirements for Trustworthy Systems Supporting Server Signing", dedicated to the regulation of cloud EDS. The document describes several levels of security compliance. For example, to comply with the “level 2” presented for the formation of a qualified electronic signature, is to support strong options for user authentication. According to the requirements of this level, user authentication occurs directly on the signature server, in contrast, for example, from the authentication acceptable for “level 1” in the application, which accesses the signature server on its own behalf. Also in accordance with this specification,
User authentication in the cloud service must be at least two-factor. As a rule, the most accessible and easy to use option is confirmation of entry through the code received in the SMS message. So, for example, most of the personal accounts of the RB of Russian banks have been implemented. In addition to the usual cryptographic tokens, an application on a smartphone and one-time password generators (OTP tokens) can also be used as an authentication tool.
I can summarize an intermediate result so far, regarding the fact that cloud CECs are still being formed and it is too early to leave iron. In principle, this is a natural process, which even in Europe (oh, great!) Lasted about 13-14 years, until more or less precise standards were developed.
Until we develop good GOSTs that govern our cloud services, it is too early to talk about a complete rejection of hardware solutions. Rather, they now, on the contrary, will begin to move towards "hybrids", that is, work with cloud signatures as well. Some examples that meet European standards for working with Cloud have already been implemented. But more about that in the new material.