Digital Administration – the process-driven future
Mastering the challenges of the Digital Administration 2020 in a secure and easy way.
25.08.2016
Security is innovative! Since the founding of our company in 1999, security and confidentiality in electronic communication have been key to our work, taking both national and international legislation into consideration.
About us
Consistent dialogue with customers and associates has made us what we are today. Legal compliance and legal security take centre stage in the development of our solutions. In addition, innovation, interoperability and protection of investment are the driving forces behind our work. The innovation and motivation of our 120 employees form both the basis and the drive for our success, which reaches beyond Germany's borders. We highly value close proximity to our customers and partners. Together we discuss further developments of our products based on new technologies and customer demands. In this way we provide for a secure future and sustainable investment.
Facts & Figures
Governikus GmbH & Co. KG at a glance
Location: Governikus GmbH & Co. KG, Am Fallturm 9, 28359 Bremen
Foundation: July 1999 (as bremen online services GmbH & Co. KG)
Unlimited Partner: Governikus Bremen GmbH (100.0 % owned by the Free Hanseatic City of Bremen)
Limited Partners:
• Free Hanseatic City of Bremen: 55.1 %
• Telekom Deutschland GmbH: 15.0 %
• Die Sparkasse Bremen: 15.0 %
• BREKOM GmbH (EWE Gruppe): 14.9 %
General Manager: Dr. Stephan Klein
Head of Supervisory Board: Dr. Martin Hagen
Work Force: roughly 120 employees
Digital Administration
Change by digitalisation
The implementation of activities within the scope of the Digital Agenda, such as the E-Government Act, the National E-Government Strategy and in the future also the eIDAS Regulation of the European Commission, presents a challenge to the public sector. Our solutions provide important components for the implementation of a process-driven future.
General conditions
Digital administration – general conditions for our solutions
• Scope of activities: Digital Agenda, National E-Government Strategy
• Legal framework: E-Government Acts (Federal Government, Federal States), E-Justice Act, eIDAS Regulation
Process-driven future
Outline of the process-driven future
As the leading provider of IT solutions for secure communication with and among authorities in administration and the judiciary, we are your central point of contact for the digitalisation of your administrative processes.
Required implementation of federal and state E-Government Act
Implementation requirements of the E-Justice Act
eIDAS Regulation
Consistent and mandatory regulations for secure business processes and traceability of electronic transactions. The eIDAS Regulation of the European Commission is effective in EU and EFTA countries.
Electronic Identification (eID): means of electronic identification (in Germany: the national identity card)
Trust Services:
• Electronic signatures
• Electronic time stamps
• Electronic registered mail / delivery services
• Electronic seals
• Electronic preservation services
• Website authentication
Implementation requirements of the eIDAS Regulation
Timeline eIDAS Regulation
• 17.09.2014: eIDAS Regulation becomes effective
eID:
• 29.09.2015: Optional recognition of notified eIDs and authentication services
• 18.09.2018: Mandatory recognition of notified eIDs and authentication services
Trust services:
• 01.07.2016: Recognition of notified trust service providers and trust services according to eIDAS
Governikus Solutions Suite
Governikus Portfolio – powerful, performant & reliable
Governikus is the solution to central problems related to electronic communication: security of transmitted data, integrity and authenticity as well as long-term storage. The Governikus Portfolio is modular in design and easy to administrate.
Governikus Solutions Suite
Overview: Governikus Product Portfolio, Modular Components Build, how our partners integrate the Governikus Portfolio
With five main topics (eID, long term storage, signature and verification, secure data transmission, encryption and decryption), our solutions are divided into three suites, Identity, Communication and Data, which have been developed within the context of national and international laws and regulations:
• Secure Identity Suite
• Secure Communication Suite
• Secure Data Suite
Governikus Product Portfolio
Security for the entire life cycle of electronic data and documents. Our server and client applications can be easily integrated with existing IT environments. Some components are included in the application of the IT Planning Council.
• Secure Identity Suite: authentication
• Secure Communication Suite: data transport
• Secure Data Suite: probative value
Governikus Components
Modular Components Build: security for the entire life cycle of electronic data and documents. Our server and client applications can be easily integrated with existing IT environments.
Suites: Secure Identity, Secure Communication, Secure Data
User interfaces: Authentication Clients (AutentApp, AusweisApp2), Communicator Justice Edition, Add-In, LZA Frontend
Server components: Communication Framework, Signer Framework, Authentication Services, OSCI Server, ArchiSig Module, Directory Services, Krypto Server, Verification Server, Communication Gateway, Multi Channel Processor, Archive Gateway
Some of these components form the application "Governikus" of the IT Planning Council.
Partner references – Software AG
Integration of the GMM or the GCG
Partner references – Bechtle
Partner references – T-Systems
Partner references – Atos
Partner references – PDV
Governikus Autent at a glance
Challenges: protection, legal security and federation of electronic identities
The security of electronic identities is gaining increasing importance. The course of digitalisation is unimaginable without them.
• Simplification in accordance with the E-Government Act > electronic identity card / residence permit
• Interoperability > national and international eID > SAFE
• Substitute for the written form
• Federation
• Integration with existing IT environments > application process > inquiry proceedings > web portal login
• Open industry standards > SAML > WS-Trust
Several acts and regulations deal with electronic identities in Germany and Europe:
• Act on Identity Cards and Electronic Identification
• Act on Fight against Money Laundering
• Act to Promote Electronic Government (EGovG)
• Act on Administrative Proceedings
• …
• Act to Promote Electronic Justice (E-Justice-G)
• eIDAS Regulation
Flexible yet secure handling of identities
Governikus Autent offers all functionalities necessary for modern identity management.
• Flexible handling of different means of identification (electronic identity card, electronic residence permit, certificates, user name / password)
• Secure access to web portals
Benefit: legal certainty, interoperability, profitability, demand-driven development
Autent Server and Autent ID Connect
• eIDAS ready
• Management of Card Verifiable Certificates (CVC)
• Procured identities via IdP Proxy / support of Active Directory
• Autent ID Connect > process cards > multiple services with one Card Verifiable Certificate (CVC)
• Easy to extend > business delegates > customised authentication processes
• Accounting / monitoring
• Federated scenarios > SAFE > service accounts
• Extensive user administration
• Multi-client capability
• High availability (including HSM)
Server architecture for identity management (EVA)
Input / Output:
• Functional requirement: ID transmissions
• Component: ID interfaces
• Implementation: WS (Security Token Service), WS (TR-3130), SAML, ID Connect
Processing:
• Functional requirement: identity assessment
• Component: core module
• Implementation: Autent Server with validators; locally: username / password, certificates, electronic ID cards; procured: IdP-Proxy
Persistence:
• Functional requirement: identity database
• Component: database
• Implementation: support for various database systems
Explanations
• Logs, e.g.: browser log for transport, encryption log, signing log, substitute for the written form
• General workflow of authentication, configuration
• Special workflow of authentication, call of a specific authentication
• Administration of specialist user data, e.g. related to service accounts
Scenario: interoperable service accounts
Use case beA (Germany, federal state level):
• Bar Council with bar council software; lawyer; customised search; find-a-lawyer; SAFE-Connector
• Lawyer's computer: browser, client, beA application
• Autent Server (conforming to SAFE) with a trust relationship to the SAFE justice intermediary
• beA system; EGVP client justice; legal system
A few references …
Autent Server: Elster (service of the Inland Revenue Office), ITDZ, IT.N (IdP-Proxy), RZ Ravensberg-Lippe, United Internet, Cosmos Direkt, Techniker Krankenkasse
eID Service: Bundesagentur für Arbeit, Citeq, AKDB, …
Totalling 105 Card Verifiable Certificates (CVC)
The federal eID client: AusweisApp2
Features: user-friendly, lean, secure and certified, cross-platform development
Usability: academic support, extensive usability tests, acceptance, range of functionality, low-barrier accessibility
Available here: www.ausweisapp.bund.de
Supported platforms: Windows 7, 8 and 10; Mac OS X 10.9 and above
AusweisApp2 goes mobile
Current design study and proof of concept for Android without an additional card reader. The NFC interface of the following devices works with AusweisApp2:
• Samsung Galaxy S5
• Sony Xperia Z1, Z2, Z3, Z4, Z5
• HTC One M8 and M9
• LG G3 and G4
• Samsung Galaxy Active Tablet
• Sony Xperia Z3 and Z4 Tablet
• Vodafone Smart 4G (formerly known as: Yulong Coolpad 8860U)
Note: All iOS devices still require a Bluetooth card reader.
Main topics for further development in 2016
• AusweisApp2 for mobile devices (Android, iOS)
• Smartphone acting as card reader
• SDK
Sign up for the field test: [email protected] (please indicate your operating system)
The additionally required card reader is often perceived as an impediment to using the online identification function. It is therefore planned to use NFC-capable mobile devices as card readers.
A software development kit is planned for the integration of AusweisApp2 with mobile applications.
Governikus Service Components (SC) at a glance – outlook 2016/2017
Central security infrastructure for secure electronic communication
• Governikus Service Components is the server-based infrastructure for OSCI communication.
• It is the main component of the application "Governikus" of the IT Planning Council.
• Outline agreements make Governikus available to the Federal Government and 15 states and their municipalities.
• Consistent and demand-driven development in close contact with our customers.
Server components (Secure Identity, Secure Communication, Secure Data): Signer Framework, Authentication Services, ArchiSig Module, Directory Services, Krypto Server, Verification Server, OSCI Server, Communication Gateway (application of the IT Planning Council)
Features
• Powerful, high-performance, reliable, multi-client capable
• eIDAS ready
• Simultaneous operation of OSCI 1.2 and OSCI 2 scenarios
• Krypto Module and ArchiSig according to TR-ESOR
• Strong end-to-end encryption
• Integrated eID services
• Signature and validation
• XTA Server
• Time stamp request and validation
• Process cards, logging, acknowledgement, monitoring
• Modular and SOA-oriented
• Evaluated according to Common Criteria
• About 500 million OSCI messages are sent each year
Administration (DVDV):
• Registration (registration offices, communication of registration data between registration and revenue offices, German statutory pension insurance scheme, licence fee collection, churches, etc.)
• Civil status registration
• Foreigner administration
• Transmission of data to the Federal Printing Office
• Trade registration
Legal relations (SAFE):
• Communication within and with the justice system
Other OSCI scenarios:
• German Emissions Trading Authority
• VEMAGS (online approval procedure for large-scale and heavy-goods transports)
• German Patent and Trade Mark Office
• DEMIS (reporting system for infection protection)
• Cancer registries, mammography screening
• Künstlersozialkasse
• Federal Aviation Office
• …
Main topics for further development in 2016/2017 in coordination with the Governikus steering committee
eIDAS regulation: From release 3.20.0.0 onwards (30.06.2016), components to validate signatures in line with the eIDAS regulation will be available. 2016/2017: gradual implementation of the required standardisation.
Governikus SC 4.0: The major release 4.0 features a newly designed administrator interface and will be available as of the end of 2016 / beginning of 2017. Further development of Autent components for use with service accounts.
Miscellaneous topics: Transmission of Big Data communication structures (GCG for XTA implementations). Standardised access to XÖV. Conformity with the requirements of electronic legal relations.
Product architecture (as of July 2016)
Backend / application:
• Business process application, connected via the Document Interface (DI) (JMS, SOAP/HTTP, RMI)
• OSCI 2 Backend: OSCI2 Library, OSCI Backend Enabler
• To be implemented by the service provider: 1. adaptor for the business process application, 2. authentication: business delegate
Governikus Core System:
• OSCI inbox, OSCI 2 message box, OSCI2 inbox (SOAP / HTTP)
• OSCI Manager
• LTAS pre-processor
• Autent Server (e.g. with AutentApp / AusweisApp2)
• ArchiSig Module (e.g. with LZA)
• NetSigner (NetSigner Client, e.g. Signer)
• Crypto Server eIDAS with eCard/DSS interface
• Certificate Validation Server (eIDAS) with eCard/DSS interface (validate only)
• OCSP/CRL Relay
Client applications: OSCI2 Starterkit, OSCI2 Enabler, OSCI2 Client Enabler
External services: external directory services, external time stamp service, time server (NTP), trust center / certificate authority
Governikus MultiMessenger (GMM) at a glance
Challenges: constantly changing electronic channels of communication
Customers and users communicate via e-mail, EGVP, browser, De-Mail, E-Post, …
The organisation / administration operates a virtual inbox that collects, checks and forwards messages to processing (business process application, e-mail).
Intelligent electronic post office
GMM is a comprehensive and legally secure solution for electronic communication with authorities and business organisations.
• Main solution for multi-channel communication
• Standardised handling of encrypted and non-encrypted communication
• Opt-in e-mail
• Profitability
• Usability / acceptance
• Legal certainty
• Future-oriented
• Demand-driven development
Benefit
Governikus MultiMessenger is the central, organised and homogeneous communication platform
Governikus MultiMessenger is a central communication platform based on Microsoft technologies such as .NET and MS SQL Server. GMM accepts all messages, organises them and forwards them to a system defined by the recipient.
Features (extract)
• Multi-channel communication including virus protection
• Opt-in e-mail / provisioning via SPML
• Management of certificates
• Post office log
• Dashboard
• Multi-client capability
• Receipts
• S4 interface (TR-ESOR interface for long term storage)
• Standardised interfaces / XTA web service
• SOA
Product architecture
Inbound channels: e-mail (e-mail infrastructure), EGVP, browser, De-Mail, E-Post
Application server with: OCSP/CRL certificate verification, antivirus system, MS-SQL database, SPML (provisioning), e-mail connector
Connected systems: eAkte system, long term storage
Integration: scalable IT infrastructure
• Network load balancer
• Single MultiMessenger application servers
• Administration repository server
• MS-SQL cluster consisting of single SQL server nodes
Central connection of antivirus systems:
• Option A: NLB in front of one antivirus system
• Option B: NLB in front of several AV instances
Technology
• Micro services architecture
• MultiMessenger core workflow management
• Part of the application of the IT Planning Council
• Governikus verification components
• Open standards and interfaces: SOA, SOAP, SPML
• Dashboard, post office log, management of certificates
Scenarios
eAkte (electronic file): GMM combines all functionalities required to transmit the entire electronic communication into the eAkte systems while at the same time enabling long term storage.
Service accounts / web portals / gateways: With its functionalities for inboxes and opt-in for receiving formal documents, GMM is suited to act as a building block for service accounts, web portals and gateways.
Asylum and refugee procedure: In the context of asylum procedures the administration communicates with numerous partners and associates. In order to maintain a high level of confidentiality, those partners and associates can use the Governikus Communicator, while the administration can conveniently use the GMM.
A few references …
Rhineland-Palatinate (LDI), Hamburg (Government Gateway), Hannover IT, Free Hanseatic City of Bremen, Mecklenburg-Western Pomerania, Saarland, justice system in Thuringia
Governikus Communicator at a glance
Secure electronic communication
Electronic communication has become part of everyday life. It is quick, it is easy. But is it also secure?
Confidentiality, legal certainty, integrity and authenticity
Client application for sending and receiving OSCI messages
Benefit
• Authenticity, integrity, confidentiality
• Compliance with the written form and evidence in case of deadlines
• Strong end-to-end encryption using the OSCI transport protocol
• Handling of electronic signatures and time stamps
• OSCI receipts (process cards)
Features
• Client application for sending and receiving OSCI messages
• Registration server, SAFE, DVDV, authenticated addresses
• Open, change, close and delete a P.O. box
• Messages with single or multiple signatures
• Generation of inspection sheets
• Connection to Governikus
• Connection to business process applications
• Certificate creation and verification
• Generic application for various OSCI scenarios
Product architecture
Client: Governikus Communicator with local database
Server: OSCI Manager, Directory Service (registration server, SAFE, DVDV, authenticated addresses), Verification Server, download server, database
Backend: Trustcenter, OCSP/CRL Relay
Technical interfaces:
• OSCI Manager: OSCI / HTTP
• Directory service: HTTPS / HTTP
• Download server: HTTP
• Verification Server to Trustcenter via OCSP/CRL Relay
Various application scenarios …
DVDV: OSCI transport for XÖV-specific content data (e.g. XMeld, XPersonenstand, XAusländer, Gewerbeanzeigenverordnung, …) connected to DVDV.
Justiz Edition: The alternative to the EGVP Classic Client for citizens is a registered third-party product in the EGVP network.
SKA: The project Governikus SKA provides the Governikus Communicator free of charge to all authorities involved with refugees in Germany in order to manage the various kinds of communication surrounding the asylum procedure.
Governikus Add-In for MS Office at a glance
Easy integration of OSCI with the Microsoft Office environment
The Governikus Add-In for Microsoft Office allows for the integration of OSCI P.O. boxes with the familiar Microsoft environment: a single program to generate, send, receive and manage both e-mails and OSCI messages.
Benefit
• No additional client application required
• Functions can be selected directly from the context menu
• Easy to use within the familiar Microsoft environment
• OSCI messages can be forwarded as ordinary e-mails
• Approved as an EGVP third-party product
Features (excerpt)
• Messages are received centrally in a separate OSCI P.O. box in MS Outlook
• Connection to existing directory services
• Alternative P.O. box folder to allow cover in case of absence
• Forwarding of OSCI messages by e-mail
• User-friendly handling in Microsoft style
• Clear presentation of message components
• Generation of log files and inspection sheets
Product architecture
Server side: OSCI Manager / Verification Server, registration server, download server, configuration server (XML), Trustcenter; communication partners (authority / court / …)
Interfaces: OSCI / HTTP, HTTPS / HTTP, HTTPS, HTTP
System integration: Word, Excel, PowerPoint and Windows Explorer connect to the OSCI Manager and the directory service; a personal OSCI P.O. box sits alongside the e-mail accounts (IMAP / POP3 / SMTP)
Governikus LZA at a glance
Electronic documents and data: challenges and solutions
Challenges:
• Retention periods – acts, regulations
• Validity in court
• Protection of integrity
• Protection of authenticity
• Short innovation cycles in IT
• Algorithms get weaker
• Readability of old documents and data media
• Trafficability performance
Solutions:
• Renewal signature / re-computing of hash values
• Self-sufficient data objects (XAIP)
• Simple migration / independence from data media
• Integration with existing IT environments: eAkte, business process applications, DMS/ECM, De-Mail, storage
• Technical standards: TR-ESOR, TR-RESISCAN, European signature formats (eIDAS)
Scope of activities
• Government programme: Digital Administration 2020 (eAkte)
• Legal requirements: EGovG, eIDAS-VO; AO, BDSG, BetrVG, BGB, HBG, GDPdU, SigG, SigV, ZPO, federal and state archives acts …
• Technical guidelines: TR-ESOR, TR-RESISCAN, DIN, OAIS
• Guidelines, recommendations: guideline on electronic communication and long term storage of electronic data (BVA), recommendation for the protection of ecclesiastical data …
State of the art: excerpt from the E-Government Act (EGovG)
Section 6 Electronic record-keeping: The federal authorities should keep their records in electronic form. The first sentence shall not apply to authorities for whom keeping electronic records is not economical in the long term. Where records are kept in electronic form, appropriate technical and organizational measures are to be undertaken in accordance with the state of the art to ensure that the principles of orderly record-keeping are observed.
State of the art
Reference architecture TR-ESOR
Product architecture
Advantages
• Adherence to all compliance requirements
• Highest validity in court and international recognition
• Evidence independent of format and solution
• User-friendly automatic signature handling
• Easy implementation based on SOA
• Connection to all leading ECM/DMS and storage systems
• High degree of investment protection due to open standards
• Cloud-capable due to secure data encryption
• Hardware independence
• …
Features (excerpt)
• Format converter
• Modular build in accordance with TR-ESOR
• Certificate management
• Search and display service: flexible search for meta data and full-text indexing
• Easy, flexible, independent storage connection (SDK)
• Connection to cloud storages (NetApp / EMC)
• Import Agent
• Open interfaces
• Multi-client capability
• Handling of eIDAS signatures
Scenario eAkte
Phase 1 Processing: records (filing plan, file, process, document) with meta data and data objects
Phase 2 Long term storage: standardised, self-sufficient package according to TR-ESOR (container + meta data, i.e. meta data + content + probative data)
Phase 3 Selection: archive; export option as a standardised, self-sufficient package (file with meta data + content + probative data)
Integration
• Communication (e-mail, De-Mail, OSCI, etc.)
• Scanner
• Business software (ERP, CRM, etc.)
• Databases
Storage: DMS, ECM, databases, cloud, storage, SAN, etc.
Technology
Architecture: based on WS technologies, scalable, modular build
System requirements: Java, JBoss EAP; Oracle, MS SQL, MySQL; Windows Server; Linux: SLES, RH, Ubuntu LTS
A few references …
BImA, State archive Brandenburg, IKS Saarbrücken, Seestadt Bremerhaven, Immobilien Bremen, Dataport, justice system in Baden-Württemberg, Kanton St. Gallen, Dreamrobot, LH Dresden, Bavarian State Tax Office, health insurance for civil servants at German Federal Railways, University hospital Saarland, University hospital Tübingen, Securepoint, UMA, …
Governikus Signer at a glance
Legally binding and confidential – across all borders
Governikus Signer complies with all legal requirements and supports different signature formats based on international standards. It conforms to national legislation and allows for the verification of European signatures in accordance with the eIDAS Regulation of the European Commission. Governikus Signer has been approved for handling classified information.
• Recommended for use with classified information
• Authenticity and integrity
• Verification of eIDAS and De-Mail signatures
• Confidentiality
One application – several editions
Basic Edition:
• Generate signatures at all signature levels with all common single, batch and mass signature cards, the national identity card and software certificates
Professional Edition:
• Signature verification of national and international signatures (eIDAS)
• Encryption and decryption (certificate-based and via password)
• View and export certificates
• Start follow-up processes (e.g. e-mail forwarding)
Integrated Edition:
• Integration with business process applications
Web Edition:
• Integration with web-based applications and online forms
Part of the application of the IT Planning Council
Architecture
• Workstation: Governikus Signer with card reader and (batch) signature card, connected to the business process application
• Governikus Verification Server*: connection to the Trustcenter (optional: online verification)
• Governikus time stamp service: connection to accredited time stamp services (optional: generation of time stamps)
• Server or additional workstation: Governikus NetSigner with card reader and multi-signature card, connected to the business process application (optional: multisign operation without local card reader)
• Integrated Signer: integration via web services
* Governikus' own server or a verification server provided by Governikus KG
Electronic legal relations
Communication applications in the EGVP network (EGVP system):
• EGVP Classic: client application for the justice system
• EGVP Enterprise: server-based solution for the justice system
• beA: client application of BRAK (German Federal Bar)
• beN / beBPo
• Governikus MultiMessenger: server-based solution for multichannel communication
• Governikus Communicator Justiz Edition: client application
• Governikus Add-In for Microsoft Office: integrated solution
• Other third-party products
Electronic legal relations
Technical components for electronic legal relations: EGVP (OSCI) infrastructure
Sending a message from a business process application via EGVP Enterprise:
1. Open P.O. box (SAFE domain IT.NRW); the message is transferred via WSDL
2. Search addressee (virtual attribute service, SAFE domain XY)
3. Encrypt message
4. Send in encrypted form via the intermediary (TASL)
Participating clients: EGVP Classic, Governikus Communicator JE, EGVP Enterprise
Thank you for your attention!
Mastering the challenges of the Digital Administration 2020 in a secure and easy way.
Bremen, 25.08.2016