An authentication and auditing architecture for enhancing security on egovernment services

摘要

eGovernment deploys governmental information and services for citizens and general society. As the Internet is being used as underlying platform for information exchange, these services are exposed to data tampering and unauthorised access as main threats against citizen privacy. These issues have been usually tackled by applying controls at application level, making authentication stronger and protecting credentials in transit using digital certificates. However, these efforts to enhance security on governmental web sites have been only focused on what malicious users can do from the outside, and not in what insiders can do to alter data straight on the databases. In fact, the lack of security controls at back-end level hinders every effort to find evidence and investigate events related to credential misuse and data tampering. Moreover, even though attackers can be found and prosecuted, there is no evidence and audit trails on the databases to link illegal activities with identities. In this article, a Salting-Based Authentication Module and a Database Intrusion Detection Module are proposed as enhancements to eGovernment security to provide better authentication and auditing controls.