Digital Administration – the process-driven future

Author: Cameron Porter
Digital Administration – the process-driven future. Mastering the challenges of the Digital Administration 2020 in a secure and easy way.

25.08.2016

Security is innovative! Since the founding of our company in 1999, security and confidentiality in electronic communication have been key to our work, with due regard to both national and international legislation.

About us

Consistent dialogue with customers and associates has made us what we are today. Legal compliance and legal certainty take centre stage in the development of our solutions. Beyond that, innovation, interoperability and investment protection are the driving forces behind our work. The innovation and motivation of our 120 employees form both the basis of and the drive behind our success, which reaches beyond Germany's borders. We highly value close proximity to our customers and partners; together we discuss further developments of our products based on new technologies and customer demands. In this way we provide for a secure future and a sustainable investment.

Facts & Figures

Governikus GmbH & Co. KG at a glance

Location: Governikus GmbH & Co. KG, Am Fallturm 9, 28359 Bremen
Foundation: July 1999 (as bremen online services GmbH & Co. KG)
Unlimited partner: Governikus Bremen GmbH (100.0 % owned by the Free Hanseatic City of Bremen)
Limited partners: Free Hanseatic City of Bremen 55.1 %; Telekom Deutschland GmbH 15.0 %; Die Sparkasse Bremen 15.0 %; BREKOM GmbH (EWE Gruppe) 14.9 %
General manager: Dr. Stephan Klein
Head of supervisory board: Dr. Martin Hagen
Work force: roughly 120 employees

Digital Administration

Change by digitalisation The implementation of activities within the scope of the Digital Agenda, such as the E-Government Act, the National E-Government Strategy and in the future also the eIDAS Regulation by the European Commission, presents a challenge to the public sector. Our solutions provide important components for the implementation of a process-driven future.

• General conditions for our solutions
• Process-driven future
• E-Government Acts
• E-Justice Act
• eIDAS Regulation

General conditions

Digital administration – general conditions for our solutions

Scope of activities: Digital Agenda; National E-Government Strategy

Legal framework: E-Government Acts (Federal Government and Federal States); E-Justice Act; eIDAS Regulation

Process-driven future

Outline of the process-driven future As the leading provider of IT solutions for secure communication with and among authorities in administration and judiciary we are your central point of contact concerning the digitalisation of your administrative processes.

Required implementation of federal and state E-Government Act

Implementation requirements of the E-Justice Act

eIDAS Regulation

Consistent and mandatory rules for secure business processes and for the traceability of electronic transactions: the EU eIDAS Regulation, effective in the EU and EFTA countries, covers electronic identification and trust services.

Electronic identification (eID): means of electronic identification (in Germany: the national identity card)

Trust Services

Electronic signatures Electronic time stamps Electronic registered mail / delivery services Electronic seals Electronic preservation services Website authentication

Implementation requirements of the eIDAS Regulation

Timeline of the eIDAS Regulation (2014 to 2019)

17.09.2014: eIDAS Regulation enters into force
29.09.2015: Optional recognition of notified eIDs and authentication services (eID)
01.07.2016: Recognition of notified trust service providers and trust services according to eIDAS (trust services)
18.09.2018: Mandatory recognition of notified eIDs and authentication services (eID)

Governikus Solutions Suite

Governikus Portfolio – powerful, performant & reliable. Governikus addresses the central problems of electronic communication: security of transmitted data, integrity and authenticity, and long-term storage. The Governikus Portfolio is modular in design and easy to administer.

• Governikus Solutions Suite
• Governikus Product Portfolio
• Modular Components Build
• How our partners integrate the Governikus Portfolio

Governikus Solutions Suite

Our solutions cover five main topics and are divided into three suites, Identity, Communication and Data, developed within the context of national and international laws and regulations:

• Secure Identity Suite: eID
• Secure Communication Suite: secure data transmission; encryption and decryption
• Secure Data Suite: signature and verification; long-term storage

Governikus Product Portfolio

Security for the entire life cycle of electronic data and documents. Our server and client applications can be easily integrated with existing IT environments. Some components are included in the application "Governikus" of the IT Planning Council.

• Secure Identity Suite: authentication
• Secure Communication Suite: data transport
• Secure Data Suite: probative value

Governikus Components

Modular Components Build: security for the entire life cycle of electronic data and documents. Our server and client applications can be easily integrated with existing IT environments. The components span Secure Identity, Secure Communication and Secure Data.

User interfaces: AutentApp and AusweisApp2 (authentication clients); Communicator Justice Edition; Add-In; LZA Frontend

Server components (application of the IT Planning Council): Signer Framework, Authentication Services, OSCI Server, ArchiSig Module, Directory Services, Krypto Server, Verification Server

Further frameworks and gateways: Communication Framework, Communication Gateway, Multi Channel Processor, Archive Gateway

Partner references: Software AG (integration of the GMM or the GCG), Bechtle, T-Systems, Atos, PDV

Governikus Autent at a glance: Challenges, Acts, Benefit, Product architecture, Scenarios, References, Features

Challenges: Protection, legal security and federation of electronic identities The security of electronic identities is gaining increasing importance. The course of digitalisation is unimaginable without them.

Simplification in accordance with E-Government Act > Electronic identity card / residence permit

Interoperability > National and international eID > SAFE

Substitute for the written form

Federation

Integration Existing IT environments > Application process > Inquiry proceedings > Web portal login

Open industry standards > SAML > WS-Trust

Several acts and regulations deal with electronic identities (Germany and Europe):

• Act on Identity Cards and Electronic Identification
• Act on the Fight against Money Laundering
• Act to Promote Electronic Government (EGovG)
• Act on Administrative Proceedings
• Act to Promote Electronic Justice (E-Justice-G)
• eIDAS Regulation

Flexible yet secure handling of identities Governikus Autent offers all functionalities necessary for modern identity management.

• Flexible handling of different means of identification (electronic identity card, electronic residence permit, certificates, user name / password)
• Secure access to web portals

Benefit

 Legal certainty  Interoperability  Profitability

 Demand-driven development

Features

• Autent Server and Autent ID Connect are eIDAS ready
• Management of Card Verifiable Certificates (CVC)
• External identities via IdP proxy / Active Directory support
• Autent ID Connect: process cards; multiple services with one Card Verifiable Certificate (CVC)
• Easy to extend: business delegates; customised authentication processes
• Accounting / monitoring
• Federated scenarios: SAFE; service accounts
• Extensive user administration
• Multi-tenancy (multi-client capability)
• High availability (including HSM)

Server architecture for identity management (EVA: input, processing, output)

Functional requirement, component and implementation per layer:

• Input / output: ID transmissions; ID interfaces: WS (Security Token Service), WS (TR-03130), SAML; implemented by the Autent Server
• Processing: identity assessment; core module with validators, local (username / password, certificates, electronic ID cards) and external (IdP proxy); ID Connect
• Persistence: identity database; support for various database systems

Explanations

• Logs, e.g. browser log for transport, encryption log, signing log, substitute for the written form
• General workflow of authentication, configuration
• Special workflow of authentication, call of a specific authentication method
• Administration of specialist user data, e.g. related to service accounts

Scenario: interoperable service accounts (Germany, federal state)

Use case beA (lawyer, bar council, justice):

• Lawyer's computer: browser, client, SAFE-Connector
• Bar council software: customised search, find-a-lawyer
• Autent Server (conforming to SAFE), trusted by the SAFE justice intermediary
• beA application / beA system
• EGVP client justice / legal system

A few references

Autent Server: Elster (service of the Inland Revenue Office); ITDZ; IT.N (IdP proxy); RZ Ravensberg-Lippe; United Internet; Cosmos Direkt; Techniker Krankenkasse

eID Service: Bundesagentur für Arbeit; Citeq; AKDB; …

Totalling 105 Card Verifiable Certificates (CVC)

The federal eID client: AusweisApp2

Features: user-friendly; lean; secure and certified; cross-platform development

Usability: academic support; extensive usability tests; acceptance; range of functionality; low-barrier accessibility

Available here: www.ausweisapp.bund.de (Windows 7, 8 and 10; Mac OS X 10.9 and above)

AusweisApp2 goes mobile: current design study and proof of concept for Android without an additional card reader. The NFC interface of the following devices works with AusweisApp2:

• Samsung Galaxy S5
• Sony Xperia Z1, Z2, Z3, Z4, Z5
• HTC One M8 and M9
• LG G3 and G4
• Samsung Galaxy Active Tablet
• Sony Xperia Z3 and Z4 Tablet
• Vodafone Smart 4G (formerly known as Yulong Coolpad 8860U)

Note: All iOS devices still require a Bluetooth card reader.

Main topics for further development in 2016: AusweisApp2 for mobile devices

• Smartphone acting as card reader: the additionally required card reader is often perceived as an impediment to using the online identification function. It is therefore planned to use NFC-capable mobile devices as card readers.
• SDK (Android, iOS): a software development kit is planned for the integration of AusweisApp2 with mobile applications.

Sign up for the field test: [email protected] (please indicate your operating system)

Governikus SC (Governikus Service Components) at a glance: Benefit, Product architecture, Components, Features, Outlook 2016/2017

Central security infrastructure for secure electronic communication

• Governikus Service Components is the server-based infrastructure for OSCI communication.
• It is the main component of the application "Governikus" of the IT Planning Council.
• Outline agreements make Governikus available to the Federal Government and 15 states and their municipalities.
• Consistent and demand-driven development in close contact with our customers.

Server components (Secure Identity, Secure Communication, Secure Data; application of the IT Planning Council): Signer Framework, Authentication Services, ArchiSig Module, Directory Services, Krypto Server, Verification Server, OSCI Server, Communication Gateway

Powerful, high-performance, reliable, multi-tenant (multi-client capable), eIDAS ready; simultaneous operation of OSCI 1.2 and OSCI 2 scenarios

Krypto Module and ArchiSig according to TR-ESOR; strong end-to-end encryption

Integrated eID services; signature and validation

XTA Server

Time stamp request and validation

Process cards, logging, acknowledgement, monitoring

Modular and SOA-oriented

Evaluated according to Common Criteria

About 500 million OSCI messages are sent each year

Administration (DVDV)

• Registration (registration offices, communication of registration data between registration and revenue offices, German statutory pension insurance scheme, licence fee collection, churches, etc.)
• Civil status registration
• Foreigner administration
• Transmission of data to the Federal Printing Office (Bundesdruckerei)
• Trade registration

Legal relations (SAFE)

• Communication within and with the justice system

Other OSCI scenarios

• German Emissions Trading Authority
• VEMAGS (online approval procedure for large-scale and heavy transports)
• German Patent and Trade Mark Office
• DEMIS (reporting system for infection control)
• Cancer registries, mammography screening
• Künstlersozialkasse (artists' social insurance fund)
• Federal Aviation Office
• …



Main topics for further development in 2016/2017, in coordination with the Governikus steering committee

eIDAS regulation
• From release 3.20.0.0 onwards (30.06.2016), components to validate signatures in line with the eIDAS regulation will be available.
• 2016/2017: gradual implementation of the required standardisation.

Governikus SC 4.0
• The major release 4.0 features a newly designed administrator interface and will be available as of the end of 2016 / beginning of 2017.
• Further development of Autent components for use with service accounts.

Miscellaneous topics
• Transmission of big data communication structures (GCG for XTA implementations)
• Standardised access to XÖV
• Conformity with the requirements of electronic legal relations

Product architecture (as of July 2016)

Backend / application: Document Interface (DI) (JMS, SOAP/HTTP, RMI); adaptor for the business process application and authentication business delegate, both to be implemented by the service provider

Client applications: OSCI2 Starterkit, OSCI2 Enabler, OSCI2 Client Enabler; e.g. AutentApp / AusweisApp2; NetSigner Client, e.g. Signer; e.g. LZA

Governikus Core System: OSCI inbox and OSCI 2 message box (OSCI2 inbox, SOAP / HTTP); OSCI 2 backend (OSCI2 Library, OSCI Backend Enabler); OSCI Manager; LTAS pre-processor; Autent Server; ArchiSig Module; NetSigner; Crypto Server eIDAS; OCSP/CRL Relay; Certificate Validation Server (eIDAS); eCard/DSS interface (validate only)

External services: external directory services; external time stamp service; time server (NTP); trustcenter / certificate authority

Governikus MultiMessenger (GMM) at a glance: Challenges, Benefit, Product architecture, Scenarios, Technology, Screenshots, References, Features

Challenges: constantly changing electronic channels of communication

Customers and users send via e-mail, EGVP, browser, De-Mail, E-Post and other channels. The organisation's administration collects the messages in a virtual inbox, checks them and forwards them to processing (business process application, e-mail).

Intelligent electronic post office: GMM is a comprehensive and legally secure solution for electronic communication with authorities and business organisations.

• Main solution for multi-channel communication
• Standardised handling of encrypted and non-encrypted communication
• Opt-in e-mail
• Profitability
• Usability / acceptance
• Legal certainty
• Future-oriented
• Demand-driven development

Benefit

Governikus MultiMessenger is the central, organised and homogeneous communication platform. It is based on Microsoft technologies such as .NET and MS SQL Server. GMM accepts all messages, organises them and forwards them to a system defined by the recipient.

Features (extract)

• Multi-channel communication including virus protection
• Opt-in e-mail / provisioning via SPML
• Management of certificates
• Post office log
• Dashboard
• Multi-tenancy (multi-client capability)
• Receipts
• S4 interface (TR-ESOR interface for long-term storage)
• Standardised interfaces / XTA web service
• SOA

Product architecture

Channels (e-mail infrastructure, EGVP, browser, De-Mail, E-Post, e-mail connector) feed the GMM application server, which uses an MS SQL database, an antivirus system, OCSP/CRL certificate verification and SPML provisioning, and hands messages on to the eAkte system and to long-term storage.

Integration into a scalable IT infrastructure: a network load balancer in front of individual MultiMessenger application servers, an administration repository server, and an MS SQL cluster built from single SQL server nodes.

Central connection of antivirus systems: option A, one antivirus system behind the NLB; option B, several AV instances behind the NLB.

Technology

• Micro services architecture; MultiMessenger core workflow management
• Part of the application of the IT Planning Council; Governikus verification components
• Open standards and interfaces: SOA, SOAP, SPML
• Dashboard, post office log, management of certificates

Scenarios

eAkte (electronic file): GMM combines all functionalities required to transmit the entire electronic communication into the eAkte systems while at the same time enabling long-term storage.

Service accounts / web portals / gateways: with its functionalities for inboxes and opt-in for receiving formal documents, GMM is suited to act as a building block for service accounts, web portals and gateways.

Asylum and refugee procedure

In the context of asylum procedures the administration communicates with numerous partners and associates. In order to maintain a high level of confidentiality, those partners and associates can use the Governikus Communicator. The administration can conveniently use the GMM.

A few references: Rhineland-Palatinate (LDI); Hamburg (Government Gateway); Hannover IT; Free Hanseatic City of Bremen; Mecklenburg-Western Pomerania; Saarland; justice system in Thuringia

Governikus Communicator at a glance: Challenges, Benefit, Product architecture, Scenarios, Technology, Features

Secure electronic communication Electronic communication has become part of everyday life. It is quick, it is easy. But is it also secure?

Confidentiality

Legal certainty

Integrity and authenticity

Client application for sending and receiving OSCI messages: authenticity, integrity, confidentiality; compliance with the written form and evidence in case of deadlines

Benefit

• Strong end-to-end encryption using the OSCI transport protocol
• Handling of electronic signatures and time stamps
• OSCI receipts (process cards)

Features

• Client application for sending and receiving OSCI messages
• Registration server, SAFE, DVDV, authenticated addresses
• Open, change, close and delete a P.O. box
• Messages with single or multiple signatures
• Generation of inspection sheets
• Connection to Governikus; connection to business process applications
• Certificate creation and verification
• Generic application for various OSCI scenarios

Product architecture

The Governikus Communicator client (with its own database) talks to the server side: Directory Service, OSCI Manager and Verification Server (with database), a download server and the trustcenter. The directory service covers the registration server, SAFE, DVDV and authenticated addresses.

Technical interfaces

• Client to OSCI Manager: OSCI / HTTP
• Client to directory service: HTTPS / HTTP
• Client to download server: HTTP
• Server to backend: OSCI / HTTP (OSCI Manager), HTTPS / HTTP (directory service), HTTP (download server)
• Backend to trustcenter: OCSP/CRL relay

Various application scenarios

DVDV: OSCI transport for XÖV-specific content data (e.g. XMeld, XPersonenstand, XAusländer, Gewerbeanzeigenverordnung (trade notification ordinance), …) connected to DVDV.

Justiz Edition: the alternative to the EGVP Classic Client for citizens is a registered third-party product in the EGVP network.

SKA: the project Governikus SKA provides the Governikus Communicator free of charge to all authorities involved with refugees in Germany in order to manage the various kinds of communication surrounding the asylum procedure.

Governikus Add-In for MS Office at a glance: Benefit, Product architecture, System integration, Features

Easy integration of OSCI with the Microsoft Office environment: the Governikus Add-In for Microsoft Office integrates OSCI P.O. boxes with the familiar Microsoft environment.

• A single program to generate, send, receive and manage both e-mails and OSCI messages

Benefit

• No additional client application required
• Functions can be selected directly from the context menu
• Easy to use within the familiar Microsoft environment
• OSCI messages can be forwarded as ordinary e-mails
• Approved as an EGVP third-party product

Features (excerpt)

• Messages are received centrally in a separate OSCI P.O. box in MS Outlook
• Connection to existing directory services
• Alternative P.O. box folder to allow cover in case of absence
• Forwarding of OSCI messages by e-mail
• User-friendly handling in Microsoft style
• Clear presentation of message components
• Generation of log files and inspection sheets

Product architecture

Server side: OSCI Manager / Verification Server (OSCI / HTTP), registration server (HTTPS / HTTP), download server (HTTP) and configuration server (XML); communication partners (authority, court, …) are reached via OSCI / HTTP, the trustcenter via HTTPS.

System integration: Word, Excel, PowerPoint and Windows Explorer work with the personal OSCI P.O. box through the OSCI Manager and the directory service; e-mail accounts are attached via IMAP / POP3 / SMTP.

Governikus LZA at a glance: Challenges, Acts, Benefit, Product architecture, Scenarios, Technology, References, Features

Electronic documents and data

Challenges

• Retention periods (acts, regulations)
• Validity in court
• Protection of integrity
• Protection of authenticity
• Short innovation cycles in IT
• Algorithms get weaker
• Readability of old documents and data media
• Transferability (Verkehrsfähigkeit)
• Performance

Solutions

• Renewal signature / re-computing of hash values
• Self-sufficient data objects (XAIP)
• Simple migration / independence from data media
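The renewal named under Solutions (re-computing hash values when an algorithm weakens) is easiest to see in code. The Go program below is an example added for this page, not Governikus LZA code and not the TR-ESOR reference implementation: it builds a sorted-pair Merkle tree over archived objects in the style of RFC 4998 (the evidence record syntax TR-ESOR builds on), keeps each object's reduced hash tree as an archive time stamp, and renews the evidence with SHA-256 once SHA-1 is treated as weak. The time stamp itself is a stand-in (only the tree root is kept; a real system holds a qualified time stamp over that root), the object contents are constructed, and the chain encoding via fmt.Sprint is a placeholder for a proper ERS/XAIP encoding.

```go
package main

import (
	"bytes"
	"crypto"
	_ "crypto/sha1"
	_ "crypto/sha256"
	"fmt"
)

// ats is one archive time stamp of an evidence record (RFC 4998 style).
type ats struct {
	alg  crypto.Hash
	path [][]byte // reduced hash tree: siblings from the object's leaf up
	root []byte   // tree root; stand-in for a TSA time stamp over it
}

func digest(alg crypto.Hash, parts ...[]byte) []byte {
	h := alg.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// pair hashes two nodes in sorted order (as RFC 4998 does), so no side flags are needed.
func pair(alg crypto.Hash, a, b []byte) []byte {
	if bytes.Compare(a, b) > 0 {
		a, b = b, a
	}
	return digest(alg, a, b)
}

// tree returns every level of a Merkle tree over the leaves, leaves first.
func tree(alg crypto.Hash, leaves [][]byte) [][][]byte {
	levels := [][][]byte{leaves}
	for cur := leaves; len(cur) > 1; cur = levels[len(levels)-1] {
		var next [][]byte
		for i := 0; i < len(cur); i += 2 {
			if i+1 < len(cur) {
				next = append(next, pair(alg, cur[i], cur[i+1]))
			} else {
				next = append(next, cur[i]) // odd node is carried up unchanged
			}
		}
		levels = append(levels, next)
	}
	return levels
}

// reduce keeps only the siblings needed to recompute the root from leaf idx.
func reduce(levels [][][]byte, idx int) [][]byte {
	var p [][]byte
	for _, lv := range levels[:len(levels)-1] {
		if sib := idx ^ 1; sib < len(lv) {
			p = append(p, lv[sib])
		}
		idx /= 2
	}
	return p
}

func fold(alg crypto.Hash, leaf []byte, path [][]byte) []byte {
	for _, sib := range path {
		leaf = pair(alg, leaf, sib)
	}
	return leaf
}

// stamp adds one archive time stamp per object. The leaf is H(data || older
// chain), so a renewal with a stronger hash also covers the old evidence;
// fmt.Sprint of the chain is a deterministic stand-in for a real encoding.
func stamp(alg crypto.Hash, objs [][]byte, recs [][]ats) [][]ats {
	leaves := make([][]byte, len(objs))
	for i, o := range objs {
		leaves[i] = digest(alg, o, []byte(fmt.Sprint(recs[i])))
	}
	lv := tree(alg, leaves)
	for i := range recs {
		recs[i] = append(recs[i], ats{alg, reduce(lv, i), lv[len(lv)-1][0]})
	}
	return recs
}

// verify recomputes every root in the chain; the newest stamp must not be weak.
func verify(obj []byte, chain []ats, weak map[crypto.Hash]bool) bool {
	for i, a := range chain {
		leaf := digest(a.alg, obj, []byte(fmt.Sprint(chain[:i])))
		if !bytes.Equal(fold(a.alg, leaf, a.path), a.root) {
			return false
		}
	}
	return len(chain) > 0 && !weak[chain[len(chain)-1].alg]
}

func main() {
	docs := [][]byte{[]byte("Bescheid 2016-08-25"), []byte("Akte 4711"), []byte("Scan 0001.pdf")} // constructed
	old := stamp(crypto.SHA1, docs, make([][]ats, len(docs)))
	weak := map[crypto.Hash]bool{crypto.SHA1: true}
	fmt.Println(verify(docs[0], old[0], weak)) // false: SHA-1 evidence only
	fmt.Println(verify(docs[0], stamp(crypto.SHA256, docs, old)[0], weak)) // true after renewal
}
```

verify rejects a record whose newest archive time stamp still relies on a weak algorithm, so an archive must renew before the old algorithm is broken, not after. The renewal leaf hashes the object together with the older chain; that is what keeps the SHA-1 evidence meaningful once SHA-1 can no longer be trusted on its own, and it is also why the renewed record still fails if the object, or any older root in the chain, is modified.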

Integration with existing IT environments: eAkte; business process applications; DMS/ECM; De-Mail; storage

Technical standards: TR-ESOR; TR-RESISCAN; European signature formats (eIDAS)

Scope of activities Government programme Digital Administration 2020 (eAkte)

Legal requirements EGovG, eIDAS-VO

Technical guidelines TR-ESOR, TR-RESISCAN DIN, OAIS

AO, BDSG, BetrVG, BGB, HBG, GDPdU, SigG, SigV, ZPO, federal and state archives acts…

Guidelines, recommendations Guideline electronic communication and long term storage of electronic data (BVA) Recommendation for the protection of ecclesiastical data…

State of the art: excerpt from the E-Government Act (EGovG)

Section 6, Electronic record-keeping: The federal authorities should keep their records in electronic form. The first sentence shall not apply to authorities for whom keeping electronic records is not economical in the long term. Where records are kept in electronic form, appropriate technical and organisational measures are to be undertaken in accordance with the state of the art to ensure that the principles of orderly record-keeping are observed.

State of the art

Reference architecture TR-ESOR

Product architecture

Benefit

• Adherence to all compliance requirements
• Highest validity in court and international recognition
• Evidence independent of format and solution
• User-friendly automatic signature handling
• Easy implementation based on SOA
• Connection to all leading ECM/DMS and storage systems
• High degree of investment protection due to open standards
• Cloud-capable due to secure data encryption
• Hardware independence
• …

Features (excerpt)

• Modular build in accordance with TR-ESOR
• Format converter
• Certificate management
• Search and display service; flexible search for metadata and full-text indexing
• Easy, flexible, independent storage connection (SDK)
• Connection to cloud storage (NetApp / EMC)
• Import Agent
• Open interfaces
• Multi-tenancy (multi-client capability)
• Handling of eIDAS signatures

Scenario eAkte

Phase 1, processing: the file (ordered by filing plan) consists of processes, documents and metadata; each document is metadata plus data objects.

Phase 2, long-term storage: records are stored as a standardised, self-sufficient package (container plus metadata, i.e. metadata, content and probative data).

Phase 3, selection: transfer to the archive.

Integration: input from communication (e-mail, De-Mail, OSCI, etc.), scanners, business software (ERP, CRM, etc.) and databases; storage in DMS, ECM, databases, cloud, storage, SAN, etc.; export option as a TR-ESOR standardised, self-sufficient package (file with metadata, content and probative data).

Technology

Architecture: based on WS technologies; scalable; modular build

System requirements: Java; JBoss EAP; Oracle, MS SQL, MySQL; Windows Server; Linux (SLES, RH, Ubuntu LTS)

A few references: BImA; State archive Brandenburg; IKS Saarbrücken; Seestadt Bremerhaven; Immobilien Bremen; Dataport; justice system in Baden-Württemberg; Kanton St. Gallen; Dreamrobot; LH Dresden; Bavarian State Tax Office; health insurance for civil servants at German Federal Railways; University hospital Saarland; University hospital Tübingen; Securepoint UMA; …

Governikus Signer at a glance: Benefit, Product architecture, Features

Legally binding and confidential, across all borders: Governikus Signer complies with all legal requirements and supports different signature formats based on international standards. It conforms to national legislation and allows for the verification of European signatures in accordance with the eIDAS Regulation. Governikus Signer has been approved for handling classified information.

• Recommended for use with classified information
• Authenticity and integrity
• Verification of eIDAS and De-Mail signatures
• Confidentiality

One application, several editions

Basic Edition / Professional Edition:
• Generate signatures at all signature levels with all common single, batch and mass signature cards, the national identity card and software certificates
• Signature verification of national and international signatures (eIDAS)
• Encryption and decryption (certificate-based and via password)
• View and export certificates
• Start follow-up processes (e.g. e-mail forwarding)

Integrated Edition: integration with business process applications

Web Edition: integration with web-based applications and online forms

Part of the application of the IT Planning Council

Architecture

Workstation: Governikus Signer with card reader and (batch) signature card, connected to the business process application. Optional online verification via the Governikus Verification Server* (connection to the trustcenter). Optional generation of time stamps via the Governikus time stamp service (connection to accredited time stamp services).

Server or additional workstation: Governikus NetSigner with card reader and multi-signature card, serving the business process application; optional multisign operation (without local card reader); Integrated Signer, integration via web services.

* Own server or a verification server provided by Governikus KG

Electronic legal relations

Communication applications in the EGVP network

EGVP Classic Client application for the justice system

EGVP Enterprise Server-based solution for the justice system

beA Client application of BRAK (German Federal Bar)

beN / beBPo

EGVP system

Governikus MultiMessenger Server-based solution for multichannel communication

Governikus Communicator Justiz Edition Client application

Governikus Add-In for Microsoft Office Integrated solution

Other third-party products

Electronic legal relations

Technical components for electronic legal relations: EGVP (OSCI) infrastructure

The business process application hands the message to EGVP Enterprise via a WSDL-described web service interface, which then

1. opens the P.O. box,
2. searches the addressee (virtual attribute service across SAFE domains, e.g. SAFE domain IT.NRW and SAFE domain XY),
3. encrypts the message, and
4. sends it in encrypted form via the intermediary (TASL).
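Steps 1 to 4 above, as a runnable Go model added for this page (not Governikus, EGVP or OSCI code; OSCI is an XML/SOAP protocol with its own message and receipt formats, and only the roles are mirrored here): the addressee opens a P.O. box by depositing its public key with the intermediary, the sender looks that key up, encrypts the content to it and signs the envelope, and the intermediary verifies the sender, stores the envelope without being able to read it and returns a signed process card. The same flow also illustrates the Communicator's promise earlier on the page of end-to-end encryption, signatures and OSCI receipts. The party names "lawyer" and "court", the sample content and the process-card layout are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// envelope is what the intermediary handles: origin and integrity are checkable, the content is not.
type envelope struct {
	from, to       string
	wrappedKey     []byte // AES-256 key, RSA-OAEP encrypted to the addressee
	nonce, ct, sig []byte // AES-GCM nonce and ciphertext; sender RSA-PSS over hash()
}

// processCard is the intermediary's signed receipt (constructed layout): message hash plus time.
type processCard struct {
	msgHash []byte
	when    time.Time
	sig     []byte
}

func (e envelope) hash() []byte {
	h := sha256.Sum256(bytes.Join([][]byte{[]byte(e.from), []byte(e.to), e.wrappedKey, e.nonce, e.ct}, []byte{0}))
	return h[:]
}

func (c processCard) digest() []byte {
	h := sha256.Sum256(bytes.Join([][]byte{c.msgHash, []byte(c.when.UTC().Format(time.RFC3339Nano))}, []byte{0}))
	return h[:]
}

// seal (step 3): hybrid-encrypt content to the addressee's key found in step 2 and sign the
// envelope. The addressee name is bound as GCM AAD and OAEP label, so a re-addressed copy fails.
func seal(from string, fromKey *rsa.PrivateKey, to string, toPub *rsa.PublicKey, content []byte) (envelope, error) {
	buf := make([]byte, 44)
	rand.Read(buf)
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, toPub, key, []byte(to))
	if err != nil {
		return envelope{}, err
	}
	e := envelope{from: from, to: to, wrappedKey: wrapped, nonce: nonce}
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	e.ct = aead.Seal(nil, nonce, content, []byte(to))
	e.sig, err = rsa.SignPSS(rand.Reader, fromKey, crypto.SHA256, e.hash(), nil)
	return e, err
}

// deliver (step 4, intermediary side): accept only for an opened P.O. box (step 1) and a valid
// sender signature, then sign a process card attesting hash and time of receipt.
func deliver(boxes map[string]*rsa.PublicKey, imKey *rsa.PrivateKey, e envelope, senderPub *rsa.PublicKey) (processCard, error) {
	if _, ok := boxes[e.to]; !ok {
		return processCard{}, errors.New("no such P.O. box: " + e.to)
	}
	if rsa.VerifyPSS(senderPub, crypto.SHA256, e.hash(), e.sig, nil) != nil {
		return processCard{}, errors.New("sender signature invalid")
	}
	c := processCard{msgHash: e.hash(), when: time.Now()}
	sig, err := rsa.SignPSS(rand.Reader, imKey, crypto.SHA256, c.digest(), nil)
	c.sig = sig
	return c, err
}

// open is the addressee's side: unwrap the content key, then authenticated-decrypt.
func open(e envelope, toKey *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, toKey, e.wrappedKey, []byte(e.to))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, e.nonce, e.ct, []byte(e.to))
}

// exchange runs the flow between constructed parties "lawyer" and "court".
func exchange(content []byte) ([]byte, bool, error) {
	lawyer, _ := rsa.GenerateKey(rand.Reader, 2048)
	court, _ := rsa.GenerateKey(rand.Reader, 2048)
	imKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	boxes := map[string]*rsa.PublicKey{"court": &court.PublicKey}        // step 1
	e, err1 := seal("lawyer", lawyer, "court", boxes["court"], content) // steps 2-3
	card, err2 := deliver(boxes, imKey, e, &lawyer.PublicKey)           // step 4
	got, err3 := open(e, court)
	cardOK := rsa.VerifyPSS(&imKey.PublicKey, crypto.SHA256, card.digest(), card.sig, nil) == nil
	return got, cardOK, errors.Join(err1, err2, err3)
}

func main() {
	got, ok, err := exchange([]byte("Klageschrift (constructed sample content)"))
	fmt.Printf("court read %q, process card ok=%v, err=%v\n", got, ok, err)
}
```

Two properties matter for a practitioner: the intermediary holds only the wrapped key and ciphertext, so open fails with its key; and because the sender signs the whole envelope, the intermediary can refuse a tampered or re-addressed envelope before it ever issues a process card, which is what makes the card usable as evidence of what was delivered and when.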


Thank you for your attention! Mastering the challenges of the Digital Administration 2020 in a secure and easy way.

Bremen, 25.08.2016
