Improving trust in web services

The EU’s cyber security Agency, ENISA, is publishing a series of new studies about the current security practices of Trust Service Providers (TSPs) and recommendations for improving cross-border trustworthiness and interoperability for the new regulated TSPs and for e-Government services using them.

Secure governmental e-services are critical for society, e.g. health, procurement, justice. Security is crucial for gaining the trust of the EU citizens on using these services. However, there are many security challenges to overcome in order to ensure their successful deployment.

The TSP study underlines that:

• A mutual assistance system between supervisory bodies in the Member States should be set up.
• Client applications need to guarantee end-to-end encrypted communication with TSPs and e-Government services in order to safeguard EU citizens’ privacy.

The e-Government document uses a few of the European Commission-funded Large Scale Pilots that integrate TSP (epSOS for health, e-CODEX for justice and PEPPOL for procurement) as case studies. These cases are used to analyse current practices and identify gaps and where improvements can be made.

In this report, the Agency issues detailed technical security practices recommendations for TSP and e-Government Services using them, including time-stamping, e-delivery, long time preservation and e-signature validation.

Key recommendations identified to offer trustworthy e-Government services to EU citizens include:

• Promote Trusted Marks assessed against eIDAS requirements that would be recognised across borders.
• Trust Services should be developed in a European scope, complying with both EU and local legislation.
• Specific Business Continuity Management standards should be adopted in the provision of trusted services (by TSPs) and required by e-Government customers./li>
• Based on the criticality of the e-government services, they should always assess three aspects:
  • the strength of the authentication mechanisms to be used, encouraging the use of e-Signature.
  • the need for end-to-end encryption and
  • the need for audit trails to keep electronic evidence.

The guidelines for Trust Service Providers give recommendations in the areas of legal and regulatory framework of TSPs, risk assessment for TSPs and mitigation of security incidents. The main points highlighted by the reports include:

• legal acts in the EU and at the national level
• available standards applicable to trust services
• processes for effective risk management at TSPs
• handling of security incidents occurring at TSPs, such as impersonation, compromise of Certificate Authority, organisational failures, etc.

The Executive Director of ENISA, Professor Udo Helmbrecht, stated: “It is vital for business and governments across Europe that citizens trust their online services and therefore implement the best technical e-signature solutions. These best practices need to be constantly reviewed through frequent risk analysis in order to keep up with the technical developments and overcome evolving cyber security challenges.”

The full reports are available here.