Controls for Digital Signature (e-Sign)
Cloud Network
&
eCommerce Application
Mufaddal Nullwala
SemV- MIM
15-I-131
2015-2018

General Management Controls within IT
Application controls are manual or automated control procedures that typically
operate at a detailed business process (cycle or transaction) level.

IT Process Controls

Signed Messages
Message
+
Signature
Hash
Decrypt
Signature
With Sender’s
Public Key
SIGN hash
With Sender’s
Private key
Message
+
signature
COMPARE
Calculated
Hash
Message
Sender Receiver
Hash
Sent thru’ Internet
if
OK
Signatures
verified
DIGITAL SIGNATURES

Information Technology (IT)
Act, 2000
• The Information Technology Act 2000 facilitates acceptance of electronic records and
Digital Signatures through a legal framework for establishing trust in e-Commerce
and e-Governance.
• Controller of Certifying Authorities (CCA) appointed under Section 17 of the IT Act,
2000 to promote the use of Digital Signatures for e-Governance & e-Commerce.
– Functions of CCA
 Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising
supervision over their activities.
 Controller of Certifying Authorities as the “Root” Authority certifies the technologies and
practices of all the Certifying Authorities licensed to issue Digital Signature Certificates
– Regulation of Certifying Authorities
 CCA promotes the growth of E-Commerce and E-Governance through the wide use of
Electronic (Digital) signatures

 There are seven licensed Certifying Authorities issuing Digital signature Certificates (DSC)
1. Sify
2. IDRBT
3. NIC
4. TCS ( Not now)
5. (n)Code Solutions
6. eMudhra
7. IAF
Assuranc
e Level
Assurance Applicability
Class 0 This certificate shall be issued only for
demonstration / test purposes
This is to be used only for demonstration
/ test purposes.
Class 1 This certificates shall be issued for both
business personnel & private individuals use.
This provides a basic level of assurance,
These are given on soft tokens.
Class 2 This certificates will confirm that the
information in the application. Address proof
and Identity Proof are required along with the
application form.
This level is relevant to environments
where risks and consequences of data
compromise are moderate. These are
issued on hardware tokens.
Class 3 As these are high assurance certificates,
primarily intended for ecommerce
applications, they shall be issued to
individuals only on their personal (physical)
appearance before the Certifying Authorities.
This level is relevant to environments
where threats to data are high or the
consequences of the failure of security
services are high. This may include very
high value transactions or high levels of
fraud risk.
Classes of Certificates

Digital Signature Enabled Applications
• Ministry of Corporate Affairs MCA21 for e-filing
• Income Tax e-filing
• Indian Railway Catering & Tourism Corporation (IRCTC)
• Director General of Foreign Trade (DGFT)
• Reserve Bank of India (SFMS & RTGS)
• Indian Farmers Fertiliser Cooperative Limited (IFFCO)
• Directorate General of Supplies & Disposals (DGS&D)
• Oil and Natural Gas Corporation (ONGC)
• Gas Authority of India Ltd (GAIL)

Enabling Digital Signatures on
Mobile phones
Hardware based
– Cryptographic SIM cards
Software based
– Through APPs incorporating cryptographic algorithms
Time Stamping Service
• The IT (CA) Regulations mandate provisioning of Time Stamping Services
by Certifying Authorities (CA) who issue Digital Signature Certificates(DSC)
under the Information Technology (IT) Act, 2000
• Digitally signed Time stamps are based on time derived from National time
source
• Time stamps can be verified to establish the time when a document or
transaction was created.

Time Stamping

Time Stamping Service - Benefits
• Accurate time in conformance with Government Guidelines
• Digitally signed time stamps – verifiable in future
• Assured Integrity
• Electronic Notary
• Fraud detection
• Time Stamped content is protected from public exposure
• The only legally acceptable time stamping service

Challenges in scaling up usage of
electronic Signatures
• Personal digital signature requires person’s identity verification and
issuance of USB dongle having private key, secured with a password/pin.
• Current scheme of physical verification, document based identity validation,
and issuance of physical dongles does not scale to a billion people.
• The major cost of the DSC is found to be the verification cost. Certifying
Authorities engage Registration Authorities to carry out the verification of
verification of credentials prior to issuance of certificate.
• Physical USB Dongle compliant to mandated standards also adds to the
cost.
• Relying on the DSC applicant's information already available on the public
database is an alternate to Manual verification. UIDAI provides one such
alternative.

eSign
• Aadhaar id is mandatory for availing eSign Service.
• The Unique Identification Authority of India (UIDAI) has been established
with the mandate of providing a Unique Identification Number (Aadhaar
Number) to all residents.
• During enrolment, the following data is collected:
– Demographic details such as the name of the resident, address, date of birth, and gender.
– Biometric details such as the fingerprints, iris scans, and photograph; and
– Optional fields for communication of such as the mobile number and email address.
• eSign facilitates electronically signing a document by an Aadhaar holder
using an Online Service.
• Electronic Signature is created using authentication of consumer through
Aadhaar eKyc service.
• eSign is an integrated service that facilitates issuing a Digital Signature
Certificate and performing Signing of requested data by authenticating
Aadhaar holder.

eSign - Benefits

Cloud security controls
• Cloud computing security or, more simply, cloud security refers to a
broad set of policies, technologies, and controls deployed to protect data,
applications, and the associated infrastructure of cloud computing. It is a
sub-domain of computer security, network security, and, more broadly,
information security.
• Cloud security architecture is effective only if the correct defensive
implementations are in place. An efficient cloud security architecture should
recognize the issues that will arise with security management.
• The security management addresses these issues with security controls.
These controls are put in place to safeguard any weaknesses in the system
and reduce the effect of an attack.

• While there are many types of controls behind a cloud security architecture,
they can usually be found in one of the following categories:
Deterrent controls :
These controls are intended to reduce attacks on a cloud system.
Much like a warning sign on a fence or a property, deterrent controls typically
reduce the threat level by informing potential attackers that there will be
adverse consequences for them if they proceed.
Preventive controls :
Preventive controls strengthen the system against incidents, generally
by reducing if not actually eliminating vulnerabilities. Strong authentication of
cloud users, for instance, makes it less likely that unauthorized users can
access cloud systems, and more likely that cloud users are positively identified.

Detective controls :
Detective controls are intended to detect and react appropriately to
any incidents that occur. In the event of an attack, a detective control will signal
the preventative or corrective controls to address the issue.[8] System and
network security monitoring, including intrusion detection and prevention
arrangements, are typically employed to detect attacks on cloud systems and
the supporting communications infrastructure.
Corrective controls :
Corrective controls reduce the consequences of an incident, normally
by limiting the damage. They come into effect during or after an incident.
Restoring system backups in order to rebuild a compromised system is an
example of a corrective control.

• Security Architecture
• Indentify and Access Management
• Data Protection
• Governance
• Risk Management
• Compliance
• Availability
7 Must-Have Security Controls
for Any Cloud Environment

Cloud Security Alliance (CSA)
• World’s leading organization dedicated to defining and raising
awareness of best practices to help ensure a secure cloud
computing environment.
• CSA’s comprehensive research program works in
collaboration with industry, higher education and
government on a global basis.
• CSA’s activities, knowledge and extensive network
benefit the entire community impacted by cloud.

eCommerce Application
e-commerce application consists of the act of rendering effective
commercial transaction, one that links two entities (customer and
supplier), using the Internet as a technological platform to establish the
information and communication channel between those two entities.
 Authentication - guarantee of the legal entity, singular or plural, with
whom we are working
 Integrity - guarantee that the contents of the communication between
both parts is not modified
 Confidentiality - guarantee that no one, non-authorized, either
intentionally or not, has access to the contents of the communication.

Application Controls
Application control is a security practice that blocks or
restricts unauthorized applications from executing in
ways that put data at risk. The control functions vary
based on the business purpose of the specific
application, but the main objective is to help ensure the
privacy and security of data used by and transmitted
between applications.
• Completeness checks – controls ensure records processing from initiation to
completion
• Validity checks – controls ensure only valid data is input or processed
• Identification – controls ensure unique, irrefutable identification of all users
• Authentication – controls provide an application system authentication
mechanism
• Authorization – controls ensure access to the application system by approved
business users only
• Input controls – controls ensure data integrity feeds into the application system
from upstream sources

Benefits of Application Controls
• Reliability
– Reduces likelihood of errors due to manual intervention
• Benchmarking
– Reliance on IT general controls can lead to concluding the application
controls are effective year to year without re-testing
• Time and cost savings
– Typically application controls take less time to test and only require
testing once as long as the IT general controls are effective

Types of Application Controls.
• Inherent controls are delivered with the application and do not need to
be added to it
• Configurable controls are automated controls to be defined at the time
of system/application configuration
• Security controls are generally user access, segregation of duties
controls, roles and process rules
• Reporting controls are those that rely on standard or ad-hoc reports
from the application
• Work flow controls are used to notify application users that a
transaction or process is awaiting their action

Application (Internal) Control Model
• It is commonly designated by internal control system the set of rules, policies
and procedures (control mechanisms), involved in the management of
business risk.
• A control mechanism helps an operational process to reach its aim without
being, necessarily, part of the process.
• Control can be an excellent tool
to achieve organization aims.
However, its implementation
should be supported by a
coherent and consistent
framework

• The single nature of electronic commercial transactions, transverse both to
the intra-organizational environment and the inter-organizational
environment, is responsible for the non-restriction of the internal control
system. Thus, it is applied not only to the intra-organizational control but
also to the inter-organizational control.
• The intra-organizational control, when dealt with separately in the traditional
commercial transactions, is extended in order to include the inter-
organizational controls, which were taken in consideration separately in the
traditionally transactions.

Should the organizations think of cleaving to electronic commerce
strategies, two main principles of internal control should be taken in consideration:
the type of controls in the e-commerce sphere of action and the availability of the
mentioned organizations on what regards having a specific framework which will
help them in the implementation of an adequate internal control system.
One of the primary aims of the implementation of risk based internal
control systems, dealing with the intra-organizational and inter-organizational
controls in a holistic fashion, is the global management of auditing risk, according
to three of its components:
• Inherent risk – the risk of an existing error, material or important when
combined with other errors; inherent risks exists, even though an auditing is
done, due to the business nature
• Control risk – the risk that there is a material risk, which is not prevented or
quickly detected by the internal control system, according to the organization’s
desire of risk and to the defined risk management criteria.
• Detection risk – the risk that the information systems auditor should use
inadequate test procedures and could, thus say that there are no existing
material errors,

The framework released by the COSO (Committee of Sponsoring
Organizations of the Treadway Commission) entitled “Enterprise Risk
Management Framework” establishes a sequence of events for the enterprise
risk management in control environment Consists:
1. Defining the organizations aims
2. Risk evaluation (identify it, measure it, prioritize it)
3. Risk Management (control it, avoid it, share it)
The COSO ERM framework divides the organizational aims into four categories:
1. Strategic aims, aligned with and supported by the entity’s mission
2. Operational aims, related to the effective and efficient usage of the entity’s
resources
3. Reporting aims, related to every organization’s needs of internally and
externally reporting their performance
4. Conformity aims, related to the conformity with laws and suitable regulations

The COSO ERM Framework defines the enterprise risk management as a
process, effected by an entity’s board of directors, management and other
personnel, and manage risks to be within its risk appetite,to provide reasonable
assurance regarding the achievement of entity objectives.
The eight sub-processes that constitute it are (COSO 2003):
1. Internal Environment – Management sets a philosophy regarding risk and
establishes a risk appetite.
2. Objective Setting – Objectives must exist before management can identify
events potentially affecting their achievement.
3. Event Identification – Potential events that might have an impact on the entity
must be identified.
4. Risk Assessment – Identified risks are analyzed in order to form a basis for
determining how they should be managed.
5. Risk Response – Management selects an approach or set of actions to align
assessed risks with the entity’s risk appetite,

6. Control Activities – Policies and procedures are established and executed to
help ensure that the risk responses management selected are effectively
carried out
7. Information and communication – Relevant information is identified,
captured and communicated in a form and timeframe that enable people to
carry out their responsibilities.
8. Monitoring – The entire enterprise risk management process must be
monitored, and modifications made as necessary.
REAL-TIME E-COMMERCE AUDITING
The electronic commercial transactions real-time auditing should be
backed up by a strong theoretical component, which will enable its
conceptualization from an epistemological point of view, making it thus easier
the design of an adequate organizational and technological architecture. As we
have previously mentioned this theoretic component is mainly based on the
fusion of intra-organizational controls and inter-organizational controls,
supported by a coherent and consistent framework, which will allow one to
manage the business risk in a holistic perspective.