
 

UN/CEFACT

e-Procurement

The Next Steps: Security and ebXML

Presented by NexTenders (India) Pvt. Ltd.

Confidential

This document is the property of NexTenders (India) Private Limited, who owns the copyright thereof. The information in this document is given in confidence. This document (wholly or partly) may not be transmitted in any form (copied, reprinted, reproduced), without the written consent of NexTenders. The contents of this document or any methods or techniques available there from, may not be disclosed to any third party whatsoever without the written consent of NexTenders.

4th October 2006, New Delhi, India


LvL 1: Electronic Notification of Tenders on the Internet (3%)

LvL 2: Posting of Tender Documents on the Internet (7%)

LvL 3: Electronic Bid Submission & ePayments (25%)

LvL 4: Online Tender Preparation & Bid Preparation (50%)

LvL 5: Online Evaluation of Bids, Award of Tenders & PO (70%)

LvL 6: Online Pre-tender & Post Award Negotiation Enabling (80%)

LvL 7: Online Contract Tracking & Fulfilment (100%+)

LvL 8: Enterprise-wide Integration of Procurement Process (100%++)

[Figure: "Maturity of usage of ETS", plotting Maturity LvL against Security LvL for the levels above; the per-level values are not recoverable from the transcript]

In numbers:

1. Over 50% of India is using one form of e-tendering

2. Version 1 of NexTenders was at Level 4. Version 2.1 was at lvl 5

3. First lvl 6 (Version 2.3) implementation happening this month in 2 of India’s top 10 PSUs

4. Total amount of tenders processed by NexTenders (i.e. all lvl 4+ installations) has been in excess of 2.8 Billion USD or 2.5 Billion Euro (above Rs. 12,500 Cr.) from only 4 of 26 states (* conversions done with approximate moving average figures for Dollar and Euro)

5. These figures are for the last 36 months alone, of which the last 12 months account for almost 60% of the load.

Implementation Experience (Government/PSU – India): Government of Assam

Departments such as Roads, NH Works, Building, RIDF & ARIASP. Departments are handling schemes like PMGSY, MPNA, State Plan, NABARD, CRF, NHAI, NLCPR, World Bank & Asian Development Bank funding.

Challenges

• Solution to handle multiple procedures/policies.
• Catering to World Bank norms, CVC Guidelines.
• Enhance user base/access to tenders
• Reduce the cycle time and cost involved in the tendering process
• Seamless submission of bids
• Reduction in unfair practices
• User awareness

Benefits

• Enhanced transparency
• Processing of 103 tenders in a period of 30 days by 8 resources.
• Better and more responsive contractors
• Reduced tender cycle time (90 days to 30 days)
• Minimal human error and misuse
• Reduced contractor collusion
• Reduction in unfair practices
• Maturity LvL reached in a period of less than a year

Approach/Management

• Customization & implementation of solution.
• Deployment of team for administrative & support functions.
• User friendly application for faster adaptation.
• Facilitation and consultancy in adoption of electronic tendering.
• Impart training and administrative support.
• Uninterrupted services.
• Procurement worth INR 3000+ crore processed

Implementation Experience (Government/PSU – India): Government of Chhattisgarh

Departments such as PWD, Water Resources, RRDA, SIDC, Housing Board, Ispat Bhoomi Ltd, PR. Departments are handling various schemes catering to various policies.

Challenges

• Solution to handle multiple procedures/policies.
• Multiple department interface
• Low LvL of IT awareness
• Reduce the cycle time and cost involved in the tendering process
• Increased participation of contractors/suppliers
• Reduction in unfair practices

Benefits

• Processing of $500 million worth of procurement spread over 1500 tenders by a single department
• Access to new contractors
• Reduced tender cycle time
• Cost competitiveness
• Enhanced participation of contractors/suppliers
• Transparency

Approach/Management

• Customization of department specific solution.
• Deployment of team for administrative & support functions.
• Extensive training for adaptation to the eProcurement solution.
• Awareness workshops and facilitations.

Implementation Experience (Government/PSU – India): Municipal Corporation Delhi

Departments such as Education, Conservancy, Sanitation, Engineering, Health and Horticulture. Common procedures but differential workflow.

Challenges

• Install and implement an Electronic Procurement System.
• Adherence to CVC Guidelines and IT Act 2000.
• Reduce underhand practices and introduce transparency
• Reduce the cycle time and cost involved in the tendering process
• Introduce an efficient procurement-to-pay process
• User awareness

Benefits

• Processing of over 8000 tenders in a span of 12 months
• Greater transparency
• Overall cost saving
• Access to new contractors
• Reduced tender cycle time (90 days to 30 days)
• Reduced human error and misuse
• Reduced contractor collusion
• Reduction in unfair practices
• Capacity enhancement
• Presently over 1600 tenders live

Approach/Management

• Electronic tendering
• Payment gateways
• Digital signature
• Anti-collusion security system
• Change management
• Implementation and integration of the IT network
• System administration of the Electronic Procurement System
• Integration with Public Key Infrastructure (PKI) and Payment Gateway.
• Provision of digital certificates for the users and vendors.
• Impart training to corporation staff and vendors (300 users, 5000 contractors)
• Availability of a Service Help Desk.

Implementation Experience (Government/PSU – India): National Thermal Power Corporation

One of the “nine jewels” of the Government of India, catering to the power sector and a profit making CPU. High standard of work. Over 29 plants and other offices spread across India.

Challenges

• Solution to handle multiple locations and user defined procedures.
• Providing a one stop solution for multiple interfaces.
• Consulting and process re-engineering to adopt best practices.
• Reduction in the cycle time involved and setting up a benchmark
• Efficient and secured handling of the procurement process
• Adherence to CVC Guidelines and other relevant norms.
• IT culture in the organization

Benefits

• Reduction in process time.
• Formulation of electronic procurement policy.
• Enhanced transparency
• 1 stop solution for procurement
• Reduction in errors and misuse
• Reduced contractor collusion
• Reduction in unfair practices
• Roll out plan initiated for complete coverage.
• Analysis mechanism and spend analysis

Approach/Management

• Process analysis and implementation of solution.
• Demo portal for training and hands-on sessions.
• Pilot events for user adoption and analysis of gaps
• Remote administration and on-line support on a need basis.
• Formulation of an On-line Procurement Policy Document for the organization.
• Consulting in gap analysis and process re-engineering.

Interesting Observations:

At lvl 5 the average cost saving by the tendering authority was estimated (by the authorities themselves) as “above 20%”

20% savings imply 25% more development/expenditure surplus for these organisations

It has been estimated that the present lvl 4+ setups are directly affecting the lives of over 100 million people

These observations led to a change in overall Government policy: a circular has been issued by which all Government tenders above a value of .... must necessarily be tendered ONLY via e-tendering

India E-Procurement top 10 – Facing the music of enlarged needs for new features

“E-Procurement is working fine - I want all my employees to take part in it and have access to it”

“We have an internal workflow and we now want the system to support that – each one’s responsibility should be noted”

“I want JIT inventory – give me the facility to issue direct PO from existing Rate Contracts”

“We need to share our tender forms with other organisations and they need to float a similar tender – why can't I simply email them the template”

“Don't expect me to buy keys for all my employees - use our existing infrastructure and give me a solution – but don't dare compromise on security”

“Non-repudiation my foot – that guy simply said he was not aware that the translation is wrong – the translator is not responsible in your system”

“We need to have the tender automatically approved with the budgets in our accounts system realtime”

“Integrate to my ERP – we have SAP – it should be a simple thing”

“I don't care for standards – my vendors don't need to fill these fields – take them off”

“Whatever you do – don't ask me to buy out Dell!!!!”

Translation...

Need to integrate and interchange data (including masters) with third-party software easily

Need to export data in an easy, portable fashion

Need to use standards which allow the flexibility to extend the scope

Need to make it platform independent

Need to have end user programmability

Need to build dynamically allocatable power structures (for escalation), power charts (for budget sanctions) and organigrams

Need to conform to International Standards

The solution was actually a no-brainer:

USE XML FROM START TO END

and only keep indexing and authentication information in the database

It implies using XML

for UI

for data storage

for data comparison

for input / output

for messaging

for conformance to standards (UN/CEFACT & ebXML standards) for input and output

Eureka! We have a solution

But what about security??

Need for XML Security

Securing Connection vs. Securing Content

1. A direct connection between client and server must be established, which means multiple intermediaries require multiple HTTPS connections piped together

• This opens potential security holes at the connecting nodes, and also creates a public key certificate management nightmare

2. Cannot provide granular content security

• Scenarios such as multi-level approval require parts of the information to be secured separately:

– Connection-based security is insufficient

– The authenticity of approval signatures must be verifiable

– Unnecessarily encrypting all content also introduces more processing overhead

Overall View: Case Study

1. Field Agent: signs and sends an order. The order contains an encrypted account number.

2. Manager: verifies the order signature; attaches an approval signature.

3. Payment Center: verifies the approval signature; decrypts the account number; attaches a payment status signature; removes the account number.

4. Factory: verifies the payment status signature; verifies the agent address; sends the product.


XML Security Means

1. Availability

2. Integrity

3. Confidentiality

4. Authentication

5. Accountability

1. Availability

• Availability assures that the information and essential services will be available to the authorised users at the required moment, including the efforts required to regain lost information.

2. Integrity

• Integrity guarantees the correctness and completeness of the information. Cryptography (such as hashes or checksum mechanisms) is a perfect means to assure information integrity. Both are used to detect changes to the original information; however, hashes are more focused on malicious changes whilst checksums are applied to detect accidental changes.

• As such, we consider the integrity issue as a requirement to be addressed by sXML.

3. Confidentiality

• Confidentiality protects sensitive information against examination by unauthorised individuals, entities or processes. Clearly, cryptography provides excellent means to support confidentiality by applying symmetric or asymmetric encryption mechanisms.

4. Authentication

• Authentication assures that the identity of the source is indeed what it is claimed to be, and can be applicable to persons, processes, systems or information. Cryptography, and more specifically the use of asymmetric encryption, provides means to assure authentication, also known as non-repudiation.

5. Accountability

• Accountability records the responsibility of the individuals belonging to the organisation for which a policy regarding information security has been established. This aspect thus relates to organisations and responsibilities.


Solutions Overview

1. XML Encryption

2. XML Digital Signature

3. Includes XML Canonicalization

4. XML Key Management System

5. Security Assertion, Access Control Markup

6. WS-Security

XML Encryption

• Proper encryption is crucial for XML data security, particularly for sensitive data that is passed across unprotected networks such as the Internet. Enter XML Encryption.

• It is easy to think of encryption as a "blanket" operation: data is encrypted on one end, then decrypted on the other. But more information is required to perform this operation successfully. In an XML instance, there are four basic types of information:

Encryption Description

1. Encrypted content, which contains the actual encrypted data or a reference to the location of this data. There is virtually unlimited flexibility in both the types of data that can be included and the methods for logically collecting data for encryption.

2. Unencrypted content, which contains other information that is pertinent to the context of the interaction but is not encrypted for some reason, perhaps due to performance concerns or because it was not deemed private or sensitive enough to warrant encryption.

3. Key information, which contains information or pointers to information about the keys that perform the encryption and, therefore, the keys that perform the decryption. The key information can be maintained elsewhere and replaced by a URL in the XML instance.

4. Recipient information, which contains information about one or more intended recipients of the encrypted data. This information is optional, thus allowing situations where the applicable recipient information is known or provided out of band, such as with business partners that have a preexisting contractual relationship.

Encrypting XML data follows the traditional encryption steps of public key cryptography. First, the data is encrypted, typically using a randomly created secret key. Then the secret key is encrypted using the intended recipient's public key. This information is packaged to ensure that only the intended recipient can retrieve the key and decrypt the data. Decryption involves applying the private key to decrypt the secret key, then decrypting the data with the secret key. There are a number of options being evaluated for encrypting XML portions, as well as multiple ways of embedding these encryption elements within an XML instance.

XML Signature

• Digest of data, protected with encryption

• Creating a digital signature (roughly):

– Digest the data

– Encrypt the digest (with private or shared key)

– The encrypted result is the signature

XML Signature Verification

• Verifying a digital signature (roughly):

– Digest the data

– Decrypt the signature (with the known public key of the signer, or with the shared key)

– The digest must match the decrypted signature

• The signature verifies that the data is the same as was signed

• With public-key cryptography, the signature also gives non-repudiation

XML Canonicalization

• For signature, data is digested

• Digest algorithms work with octet streams

• Equivalent XML may have different octet stream representations:

<element att="val"/>

<element att = 'val' />

• Canonicalization (C14N) prescribes the one serialization

• Serious issues with namespaces and other inherited values (xml:base, xml:lang etc.)

– Must be inherited to be verified by signature

• The same applies to encrypting only parts of XML documents
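As an added example (not code from the original presentation) that ties the signature recipe and the canonicalization point together: the two serializations of the slide digest to different values as raw octets but to the same value after C14N, so a signature computed over one verifies the other while any change to the content is rejected. It uses the shared-key variant of the recipe (HMAC-SHA256) and Python's built-in C14N writer; the key and the inputs are constructed for the demo.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample input: the slide's two serializations, which are the
# same XML infoset but not the same octet stream.
VARIANT_A = '<element att="val"/>'
VARIANT_B = "<element att = 'val' />"
# Constructed demo secret; a deployment would provision this out of band.
SHARED_KEY = b"demo-shared-key"


def raw_digest(xml_text: str) -> str:
    """Digest the octets exactly as received: equivalent XML does NOT match."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """Digest the canonical (C14N) serialization instead, so every equivalent
    serialization yields one octet stream and therefore one digest."""
    canonical = ET.canonicalize(xml_text).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def sign(xml_text: str, key: bytes) -> str:
    """Shared-key signature following the slide's recipe: digest the data,
    then protect the digest with the key (HMAC-SHA256); that is the signature."""
    return hmac.new(key, canonical_digest(xml_text).encode(), hashlib.sha256).hexdigest()


def verify(xml_text: str, signature: str, key: bytes) -> bool:
    """Verifier side: recompute the protected digest over the canonical form
    and compare it with the received signature in constant time."""
    return hmac.compare_digest(sign(xml_text, key), signature)


if __name__ == "__main__":
    print("raw digests differ:         ", raw_digest(VARIANT_A) != raw_digest(VARIANT_B))
    print("canonical digests match:    ", canonical_digest(VARIANT_A) == canonical_digest(VARIANT_B))
    sig = sign(VARIANT_A, SHARED_KEY)
    print("signature over A verifies B:", verify(VARIANT_B, sig, SHARED_KEY))
    print("tampered content rejected:  ", not verify('<element att="va1"/>', sig, SHARED_KEY))
```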

XML Key Management, XACML, SAML

• XKMS – XML Key Management Specification

– Distributing and registering public keys

– Minimizing the complexity of using XML Signature

• XACML – eXtensible Access Control Markup Language

– Authorization policies

• SAML – Security Assertion Markup Language

– Authentication, transfer of authentication and authorization decisions

Web Application based on XML Document Security

[Figure: architecture diagram. A Browser (Web 2.0 client using Ajax) talks to the Web Server via HTTP Get, receiving HTML/JavaScript/XML, and via HTTP Put. The Web Server hosts a Presentation Processor and a Security Processor (PAM & REM), with Key Stores behind them.]

Conclusion

• XML is poised to redefine the way we use the Internet by providing real-time, interactive capabilities for sharing data among entities, so start planning now.

• Encryption and signature standards for XML documents will permit the maximum use of XML capabilities in conducting business transactions over the Internet.

• These standards will strengthen the security mechanisms surrounding XML processes while harnessing XML's power.


Thank You. If you have questions, please feel free to contact [email protected]