Maintenance of security solutions from an infrastructure perspective. Ole Hanseth, Department of Informatics, University of Oslo, Norway
Infrastructure: Roads, railways, water, ... Applications, infrastructure. Information infrastructure: applications as infrastructure
Example and best practice: the Internet
eprescription [Diagram: eprescription information flows. Systems shown: MyPrescriptions; EPJ systems; eprescriptions Exchange; pharmacy system; NAV (refunds and control); FEST (Gvt Medicine Agency); Application (Gvt Medicine Agency). Messages shown: information on medicines in use; eprescriptions information; prescription information; prescription recall; hand-over message; deleted prescription; reply from Medicine Agency; consent information; reference number; request for expedition; request for assessment by Gvt Medicine Agency; prescription and expedition information; notification of hand-over; application to Medicine Agency; reply on application; GP information; refund request; reply on refund request.]
ecustoms: Harmonizing, streamlining customs declarations in EU. Aim: single window. Increased trade/globalization. New risks: mad cow, terror, counterfeit, ... Containers, big hubs. New customs control procedures
Figure 4. Organization of e-customs projects at EU, national, and trader level. [Diagram columns: EU domain (strategy/programme, projects); Danish domain (projects/subprojects); Arla domain (projects). Items shown: Multi Annual Strategic Plan; e-Customs Project; Customs 2002, Customs 2007, Customs 2013; NCTS, AEO, EORI, ECS, ICS; adaption projects.]
Figure 3. UN/CEFACT International Trade and Business Processes Group (TBG) and key relationships between these working groups. Redrawn from Dill (2007). [Diagram labels: TBG1 Supply Chain; TBG2 Digital Paper; TBG3 Transport; TBG4 WCO DM; TBG5 Finance; TBG8 Insurance; TBG13 Environment; TBG15 Trade Facilitation; TBG18 Agriculture; TBG19 egov; TGB15 International Trade Single Window; TBG14 International Supply Chain Model & TBG2 UNeDocs Data Model; TBG17 UN/CEFACT Core Component Library; United Trade Data Elements Directory (UNTED).]
Figure 5. Information flows in an export process. System abbreviations: ECS: Export Control System; EORI: European Operators Registration and identification system; ASS: Agriculture Subvention System; EMCS: European Movement Control System; CRMS: Customs Risk Management Systems
Figure 6. Development of the European e-customs information infrastructure 2000-2010
Cases. Health care: EPR, RIS/PACS, EDI networks, telemedicine, HISP. Industry: SAP implementation, corporate standards/infrastructures, supply chain (oil). Mobile Internet: CPA, billing systems. Internet: strategy, standardization, Nordunet. Digital music ++. egovernment: ecustoms
Summary Care Record Systems
Scotland: 3 MGBP (4M Euros, 4 M USD)
Denmark: Official, top down: 10 M Euros, faded out after about 4 years, officially canceled after 8. Unofficial, bottom up: great success
Norway (eprescription): 500 MNOK, currently pilot in one GP office
UK: Started 2004, early adoption 2007, further deployment is frozen. Spent 240 MGBP
Defining Information Infrastructure
Information Infrastructure: Open; Evolving; Heterogeneous; Installed base; Cultivating living organism
Information System: Closed; Life cycle; Homogeneous (??); Designed from scratch; Design of dead material
Development of II: Standardization. Internet: bottom up, evolutionary development. OSI/telecom: top down, specification driven, big bang. Design dilemmas: the take-off problem; the lock-in problem
Security solutions: Also infrastructure. Open: solution, users, developers. Evolution (gateways). Heterogeneity. Example: eprescription
Maintenance of PKI. Hospitals: PKI 2014. Alternative solution: enterprise certificates. Price: the hospitals: ? The others: 20 MNOK (= the total solution in Scotland)
Many actors, more politics. Security = politics. Is only the best good enough? Unholy alliances: fundamentalist technologists ++. Security is a critical resource. Control of security = control of infrastructure (analogy: end-to-end). Has been used to stop projects. Nasjonalt Helsenett. Helsedirektoratet
Conclusion: Successful security solutions must be established in the same way as other successful infrastructures: bottom up, evolution, simple solutions, handling openness. Not as a closed system! They must handle the interplay between technology, organization, and politics
The EDI Paradigm
Information flow: GP offices; Hospitals; NAV; Pharmacies; Labs
ICT architecture: Hospital systems; NAV systems; Pharmacy systems; Lab systems
Project organization: Vendors of hospital syst.; NAV's dev. org.; Vendor of the Pharmacies system; Vendors of Lab systems
An alternative [Diagram labels: GP office; GP's computer; GP's EPR system; client module; communication system/network; server module; lab system; lab/hospital. Rows: ICT architecture; project organization (GP, lab/hospital).]
Differences
EDI Paradigm: Complex technical solution; Very complex project organization; Top down; Escalating complexity (destabilizing); Stabilizing (freezing) user practices; Failure
ASPO architecture: Simple technical solution; Very simple project organization; Bottom up, evolutionary; Stable complexity; Destabilizing user practices (stimulating organizational innovation); Success
Top down: All stakeholders involved. Each has separate requirements. The more stakeholders involved, the more new requirements will be generated. Each change: all stakeholders have their requirements... Aims at stability, generates destabilizing processes