A Proposed Strategy for Secure and Trusted Environment in eGovernment

Tri Kuntoro Priyambodo1, Yudi Prayudi2

1 Department of Computer Science and Electronics, Gadjah Mada University, Indonesia [email protected]
2 Department of Informatics, Universitas Islam Indonesia, Yogyakarta, Indonesia [email protected]

Abstract. The Internet, as the primary means of implementing eGovernment, is an insecure channel and can provide a loophole that allows various types of threat and vulnerability to emerge. This becomes an obstacle to efforts to increase community participation and reduces trust in the system. Therefore, a strategy that involves technological as well as conceptual aspects needs to be carried out to realize a secure and trusted environment in eGovernment. This paper gives an overview of a strategy that can be applied to achieve this goal through the integration of five components, namely: security and standard, security policy, trusted computing, defense-in-depth strategy and human factor.

1 Introduction

eGovernment is the implementation of public services based on the use of information and communication technologies. There are many definitions of eGovernment [1]; one of the shortest is that proposed by Heeks (2002) in [2]: "the use of information and communication technologies to improve the activities of public sector organizations". When eGovernment is implemented properly, it brings several benefits, as reported by Seifert & Bonham (2003) and Deloitte (2003) in [3], such as saving resources, increasing service levels, and reducing the amount of time, money and effort that businesses and citizens must spend to comply with rules and regulations.

However, there are also a number of obstacles and challenges in the implementation of eGovernment. According to [3], there are 9 factors which generally act as constraints and challenges, one of which is the problem of security and privacy. This is in line with the opinion of Stephen Smith and Rodger Jamieson in [2] that a key factor in eGovernment is the security system. This is a consequence of using the Internet as the main medium of eGovernment: the Internet itself is very susceptible to threats and vulnerabilities. The Internet is an insecure channel. Regarding this issue, [2] and [4] have specifically discussed a wide range of potential vulnerabilities that are often found in eGovernment implementations. [4] mention that most eGovernment implementations use web-based applications, and that 80% of web-based eGovernment applications were found to be vulnerable to web application attacks, especially Cross-site Scripting and SQL injection. In their research, [4] concluded that the industrialized countries were found to be more vulnerable than under-developed countries.

Furthermore, according to [5], in line with the change in society's perspective on the value of information assets, where information has become very valuable and should be protected, information is believed to be more valuable than the physical infrastructure. In the context of eGovernment, based on [5], without proper security the information systems owned by the government become susceptible, particularly to any assault against their information assets. Thus, the loss of or damage to valuable information can cause great harm. This is in line with a new trend in Internet architecture known as information centric networking (ICN), a networking paradigm that is content-focused rather than based on host-to-host communication. According to [5], the ICN architecture secures the content itself instead of securing the communication links. Although the future ICN concept would be more appropriate for securing information within the scope of eGovernment, the discussion in this paper uses the host-to-host security paradigm.

In addition to security issues, the other important thing to note in the implementation of eGovernment is building trust in the system, so as to enhance public participation in using all of the services provided by eGovernment, including the transaction of confidential data.
[6] argue that in a society, trust is a basic requirement of the technology adoption process. Users tend to avoid using a particular technology when they perceive a lack of concern for security, that is, when their demand for security in the technology is not met. Citizens' lack of participation in eGovernment systems stems from a lack of trust in those systems. Nevertheless, according to data from Security Document [7], eGovernment services will in future be used for healthcare claims, to vote or sign a digital transaction, and to pay taxes or services, where digital identity will become ever more significant; for that reason, trust in the eGovernment environment becomes a determinant of the success of the system. Also, [8] reveal that trust makes citizens comfortable when sharing personal information, making online government transactions, and acting on eGovernment advice. According to [9], trust does not come merely from a document containing claims of guarantee given by eGovernment service providers, but must also be proven and verified by a third party. In this regard, Ideler [10] mentioned that the main problem in increasing the participation of users of an information service is how to make the degree of trust reach an acceptable level. The existence of a number of threats and vulnerabilities in an eGovernment system will certainly lower society's degree of trust in that system. In principle, citizens expect high-quality eGovernment services and full access to information, with the most secure and trusted system that can be offered. Hence, a strategy to build an eGovernment environment which is secure and trusted is demanded, so that the function and goals of eGovernment can be achieved through maximum participation of citizens in all available eGovernment services.

Issues of a secure and trusted environment for eGovernment have not yet been reviewed by earlier researchers. Initial research focused more on the security issue. According to [8], most of the existing publications on trust in eGovernment focus on technical perspectives such as PKI. The author has previously done research on information security strategy for eGovernment based on mobile devices [12]. The result was an information security strategy that keeps a balance between security and convenience, namely: selection of data and services, appropriate policy, adoption of technology and the human education aspect. That review was limited to a number of security issues in mobile eGovernment. For this reason, to extend the previous study, a broader study is conducted on the issue of a secure and trusted environment in eGovernment. This paper further explores the issue of a secure and trusted environment in eGovernment and proposes a strategy to make it happen. This paper does not discuss the implementation of technology for a secure system, nor society's perspective on trust in eGovernment systems, but rather discusses the general strategy that could be applied to ease the realization of a secure and trusted environment to support the implementation of eGovernment.

2 Vulnerability on eGovernment System

According to [11], services provided by eGovernment to citizens, enterprises, public officers, government administration and agencies via the Internet and mobile connections are vulnerable to a variety of threats. Meanwhile, [12] argues that vulnerability refers to flaws or weaknesses in system security procedures, design, implementation, and internal controls that could be exploited by threat-sources. Once exploited, a vulnerability could result in a security breach, consequently causing harm to eGovernment information assets and services. In any system, including an eGovernment system, there are four main regions of threat: programs, peripherals, communications, and input and output. According to Ali (2007) in [15], many factors trigger the occurrence of vulnerability. Among those factors are Technical and Technology, Human, Social, Political factors of the Countries, Economic, and Networking. Technically, a general overview of the vulnerability of an eGovernment system is illustrated in Figure 1.

Figure 1. Illustration of Vulnerability on eGovernment. Source: [14]

Mazumdar (2008) in [5] mentions that the assets that must be protected to ensure secure eGovernment include client computers, the messages traveling on the communication channel, and the Web and eGovernment servers, including any hardware attached to the servers. The threats to a system can be divided into three types, namely: Client End Threats, Communication Channel Threats, and Server End Threats. To give a further idea of how threats and vulnerabilities arise in an eGovernment system, [15] discuss them using a number of threat models proposed previously by Nath, namely: Broadcasting/Wider-Dissemination Model, Critical Flow Model, Comparative Analysis Model, eAdvocacy/Lobbying and Pressure Group Model, and Interactive-Service Model.

3 Secure and Trusted Issue

Hadi [2] explained the importance of security in eGovernment. There are three aspects of data security: Confidentiality, Integrity and Availability. Confidentiality refers to the protection of information from unauthorized disclosure; Integrity refers to protecting information from unauthorized modification, and ensuring that information, such as a beneficiary list, can be relied upon and is accurate and complete; Availability refers to ensuring that the information is available when it is required. According to [4], eCommerce is one example of the application of a good security system. However, the Public Key Infrastructure (PKI) that is applied to eCommerce is not fully applicable within the scope of eGovernment without a thorough analysis of what the new trust model should be. The trust calculation for commerce is based on monetary issues, while government solutions involve important infrastructure, society, and privacy issues.

According to [16], a system is considered to be secure if it can anticipate four categories of computer threats, namely:

• Interception, the availability of information to external parties that do not have the authority to obtain it. External parties here can be a person, program or system.
• Interruption, the loss of connection to the main service system, caused either by a physical factor (e.g. breaks in a connection cable) or a non-physical factor (loss of connection to the main resource).
• Modification, referring to a modification to the system that is visible either directly or indirectly.
• Fabrication, the addition of objects by a party that is not authorized.

Meanwhile, according to [17], a system is categorized as trusted if it meets three criteria, namely:

• Protected capabilities, the presence of a set of commands having exclusive permission to access a specific location where sensitive data are stored or a location where a particular activity can be run.
• Integrity measurement, the existence of metrics of the platform characteristics that affect the integrity of the platform.
• Integrity reporting, which reports the specific storage location of integrity measurements and provides valid authentication of the stored values based on trusted platform identities.

Trust is part of humanity and social interaction. There are many principles and definitions of trust; [18] has made a list of definitions of trust from a number of sources. According to [8], trust is defined as an individual's belief or expectation that another party (eGovernment) will perform a particular action important to the trustor in the absence of the trustor's control over the trustee's performance. Furthermore, Santos [19] adds that trust can be improved through two aspects, namely:

• Enforcing the security properties required by the users, that is, providing protection for users' data as well as security of the computing platforms used.
• Giving users guarantees that the desired security properties are being enforced. Considering that users are not directly involved in the security control process and do not know how the computing platforms are used, they need to be given guarantees that the infrastructure being run is completely safe. In this case, the guarantees can be given through trusted computing hardware and a trusted certifier that is offline.

Trust in the government agency has a strong impact on the adoption of a technology. Colesca [18] reveals that a high level of trust in the government's ability, motivation and commitment to eGovernment programs, coupled with a high level of trust in the enabling technologies, leads to a synergy between the government and citizens. In addition, [20] mention that in an eGovernment system, trust means believing that an eGovernment website will act responsibly when a citizen visits or transacts with it. The existence of threats and vulnerabilities, especially malware, is a factor that can eliminate trust in the system.

4 A Proposed Strategy

To make information available to those who need it and who can be trusted with it, a robust defense requires a flexible strategy that allows adaptation to the changing environment, well-defined policies and procedures, the use of robust tools, and constant vigilance. Thus, it is helpful to begin a security improvement program by determining the current state of security at the site.

A number of researchers have proposed solutions to address the problem of security and trust in eGovernment. Among them, [21] give a strategy to strengthen security through security policy, security practices, security procedure and security technology. Another solution is offered by [8], in which trust in eGovernment is built by employing nine theoretical constructs that delineate the concept of citizens' trust in eGovernment. [18] has conducted research on identifying the relation between trust and eGovernment services, as well as the main factors affecting the attitude of trust in eGovernment. The research findings indicated that citizens' higher perception of technological and organizational trustworthiness, the quality and usefulness of eGovernment services, Internet experience and propensity to trust directly enhanced trust in eGovernment. Age and privacy concerns have a negative influence on trust. Another study of trust in eGovernment was done by [20], who examined the extent to which information quality, system quality and service quality contribute to building trust in eGovernment systems. Unfortunately, those studies did not address the issue of security and trust in one comprehensive solution. The studies also did not cover how to improve the strategy and realize a secure and trusted environment in eGovernment.
A strategy is important because it gives an idea of how a unified point of view and the components can be arranged, from the beginning or gradually, so that the requirements of a secure and trusted environment can be met. The strategy also provides an overview of the linkages between the components that affect the attainment of the expected goal. To realize a secure and trusted environment, several approaches from a variety of viewpoints need to be adopted. In previous research, [11] have discussed specifically the security aspect with a mobile apps-based solution. Building on the model proposed in that research, this study proposes the inclusion of five components as a strategy to realize a secure and trusted environment in eGovernment. The five components are security standard, security model and trust management, defense strategy, trusted computing and human factor. An explanation of the five components is given in the following description.

4.1 Security and Trust Standard

According to [22], ideally every institution has a policy as the guideline to communicate its goal, containing a set of basic principles that serve as a reference for the technical and operational levels. Policy provides an overview of the culture and values built into the institution. Although policy is solely a guideline, it must also be responsive to the development of more advanced technology as well as to feedback from day-to-day operational experience and practice. A standard is the highest level of policy; it shows the public transparently that all the processes carried out in an institution are in accordance with the provisions. This will certainly raise the level of trust in a system and its environment. In principle, there are two types of standards: certification standards and practice standards. ISO 27001 is known by the public as the Information Security Management Standard (ISMS), while ISO 27002 is described as the Code of Practice Standard [23]. The use of a standard will ensure security and trust in the digital forensics environment because it includes procedures, control and evaluation of each stage and of the parties involved in digital forensics activities. In addition to ISO-oriented standards, there are a number of standards that can be used as a reference, such as the evaluation list of Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP) from the Information Systems Audit and Control Association (ISACA). The security and trust standard that can be applied in eGovernment uses the approach of Information Security Governance, that is, governance of organizations/institutions that provides a guiding strategy, ensures that the goal of the company is attained, manages risk, uses the resources of the organization responsibly, and oversees the success or failure of security programs.

4.2 Security Policy, Model and Trust System

A secure environment is strongly influenced by the application of a security policy, a security model and a trust management system.

• Security Policy. According to Bishop (2004) in [23], a security policy is a statement that clearly specifies what should and what should not be in the field of security. At the lower level, a security policy contains a set of policies regarding authorization and secure states. In general, a security policy is a set of statements and requirements of system behavior that will ensure the realization of a secure system. Meanwhile, Clark and Wilson (1987) in [24] stated that in the coverage of law enforcement, a security policy must also include policies about the confidentiality of classified data. In this case, all classified data/information should be protected, and only users of a certain level have the right to access such data and information. In addition, there must be rules and obligations that bind users who use the classified data.
• Security Model is an abstraction that provides a conceptual language that will be used by the administrator to implement the security policy. The security model defines the hierarchy of access or modification rights that can be held by users from the institution.
• Trust Management System is a framework to determine whether the security policy, expressed through logic and abstraction and implemented through programming or system settings, has completely complied with the policy that should be followed. A trust management system is applied to a policy language and a compliance checker.
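The three elements of Section 4.2 can be tied together in a small sketch. The following is an added example, not code from the paper: the level names, the `POLICY` keys, the users, resources and grants are all constructed for illustration, and the checker audits configured system settings against the stated policy.

```python
from dataclasses import dataclass

# Security model (constructed): an ordered hierarchy of classification levels.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Security policy (constructed): statements of what must hold in a secure state.
POLICY = {
    "classified_from": "confidential",   # labels at or above this are classified
    "write_roles": {"records-officer"},  # roles allowed to modify classified data
}


@dataclass(frozen=True)
class Grant:
    """One access right as configured in the running system."""
    user: str
    resource: str
    right: str  # "read" or "write"


def check_compliance(policy, users, resources, grants):
    """Return (grant, reason) for every configured grant that breaks the policy."""
    classified = LEVELS[policy["classified_from"]]
    violations = []
    for g in grants:
        user, label = users.get(g.user), resources.get(g.resource)
        if user is None or label is None:
            violations.append((g, "unknown user or resource"))
        elif g.right not in ("read", "write"):
            violations.append((g, "right not defined by the model"))
        elif LEVELS[user["clearance"]] < LEVELS[label]:
            # Only users of a sufficient level may access classified data.
            violations.append((g, "clearance below resource label"))
        elif (g.right == "write" and LEVELS[label] >= classified
              and user["role"] not in policy["write_roles"]):
            violations.append((g, "role may not modify classified data"))
    return violations


# Constructed system settings for a small eGovernment deployment.
USERS = {
    "ayu": {"clearance": "secret", "role": "records-officer"},
    "budi": {"clearance": "internal", "role": "clerk"},
    "citra": {"clearance": "confidential", "role": "auditor"},
}
RESOURCES = {
    "service-catalogue": "public",
    "tax-returns": "confidential",
    "beneficiary-list": "confidential",
}
GRANTS = [
    Grant("ayu", "tax-returns", "write"),
    Grant("budi", "service-catalogue", "read"),
    Grant("budi", "tax-returns", "read"),
    Grant("citra", "beneficiary-list", "read"),
    Grant("citra", "beneficiary-list", "write"),
    Grant("dewi", "tax-returns", "read"),
]


def audit():
    """Run the compliance checker over the constructed settings."""
    return check_compliance(POLICY, USERS, RESOURCES, GRANTS)


if __name__ == "__main__":
    for grant, reason in audit():
        print(f"{grant.user} {grant.right} {grant.resource}: {reason}")
```

Run periodically against the live access-control list, a checker of this kind turns the written policy into something that can be verified rather than only asserted.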

4.3 Defense-In-Depth Strategy

Based on the idea of [5], a common security system is currently designed and developed based on the Defense-In-Depth (DID) model. The system refers to the unification of the management and technology used. This model differs from the layered defense that has only one layer of defense to cope with all threats. The DID model itself consists of prevention, detection and tolerance, where the threats continue to decrease in each phase. Furthermore, [5] argues that in implementation, this system is divided into three classifications. The first is prevention technologies, which protect the system from any intruder and threat at the level of the system or storage. Cryptographic engineering, one-time passwords, firewalls, and vulnerability assessment tools are forms of this prevention technology. The next is detection technology, which detects and tracks the condition of the information system when it is abnormal and other interruptions in the network or system. Anti-virus, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are among the detection technologies. The last is integrated technology, which integrates important functions for the information security of core assets, such as prediction, detection and tracking of interruptions. Enterprise Technology Management (ESM) and Enterprise Risk Management (ERM) are included in this type of technology.

4.4 Trusted Computing

Trusted Computing is a set of technical specifications and guidelines issued by TCPA that includes secure input and output, memory, sealed storage, and remote attestation. Trusted Computing is a technology built by the Trusted Computing Group. Through Trusted Computing, a computer system will always run consistently as expected and can carry out activities whose security is guaranteed through support from hardware and software. Currently, infrastructure security solutions use a software-based approach.
In fact, a software-based approach to handling security still leaves a number of gaps for certain parties [25]. One of the problems encountered is the inability of the software to take preventive action when the attacker performs an assault directly on the hardware. Such an attack will cause changes in the integrity of, or even modification of, the security application itself. If the endpoint/client is connected to an open system, such as the Internet, it is very difficult to determine the security level of the endpoint/client when relying only on a software-based security mechanism. One drawback of software is that an increase in security level decreases the comfort and ease of using the computer. The vendors of the software are aware of this. According to [26], to implement a trusted platform, TCG describes three main components, i.e. Trusted Platform Module (TPM), Core Root of Trust for Measurement (CRTM), and TCG Software Stack (TSS). The approach undertaken by the TCG begins with introducing the concept of a "chain of trust" for the system. In this concept, when the system starts booting, the uninterrupted chain of trust is activated and each module checks against a stable security reference. If no problem is found, the activities of the system continue to the next level, and so on. Thus, each data transaction and communication is trusted, reliable, secure and protected.

4.5 Human Factor

In any environment, there is a human between the internal and external system. Nikolakopoulos [16] calls this link the human factor. The human factor contributes to the emergence of vulnerabilities that cause a decline in the security of an environment. Human error, bad behavior in interacting with the system, and a low level of skill, knowledge and education open the possibility of human factor vulnerability. That is why Mitnick and Simon (2002) in [27] mention that "humans are the weakest connection in information security". Unfortunately, all attempts conducted by any institution to increase security are concentrated on the hardware and software rather than on peopleware. Therefore, there must be a mechanism in the institution that focuses on the handling of peopleware as an integral part of the attempts to increase the security and trust of the environment. In this case, [28] mention that efforts to improve security must be followed by increasing feedback from the human factor. The feedback is obtained through various methods, such as modeling to determine the characteristics of the human factor in a security system.
The five components are proposed as one unified strategy to realize a secure and trusted environment on eGovernment. The linkage between those five components is illustrated in Figure 2.

Figure 2. Secure and Trusted Environment for eGovernment

5 Discussion

One illustration of a security solution for eGovernment is the secure eGovernment architecture proposed by [29]. Another solution is given by [12] in the form of a framework for securing eGovernment services that integrates IT security services into eGovernment maturity models. The proposed framework addresses both the quantity of offered eGovernment services and the quality of security services by aligning strategic objectives between eGovernment services and security services. Both alternative solutions are more of a technological framework that becomes the basic architecture of the eGovernment system. However, Maria Wimmer and Bianca von Bredow in [2] reveal that the security aspects of eGovernment do not solely concern technical aspects; eGovernment must be established from a non-technical viewpoint as well. That is why this paper proposes a more comprehensive concept as a solution to provide security and trust through the incorporation of technical and non-technical aspects. Solutions and discussion regarding trust in eGovernment focus more on the user's perspective toward trust in the eGovernment system, as done by [2] and [8].

A security standard features a high-level concept. When security standards are followed and implemented, particularly ISO 27001:2013, there are 14 domain groups that will be the focus of security controls: Policy; Organization; Human Resource; Asset Management; Access Control; Cryptography; Physical Security; Operations; Communications; System Acquisition, Development and Maintenance; Supplier Relationships; Incident Management; Business Continuity; and Compliance. Statistics show that the number of institutions that have implemented the ISO security standard increases from year to year. The large number of institutions shows awareness that security is a corporate commitment that is no longer the responsibility of a specific unit only. The application of this standard will enhance the credibility of the institution as well as its confidence in dealing with external parties.

According to [30], for a simple environment, the use of several security models is adequate. Those security models are Discretionary Access Control (DAC), where the owner can control access but only to the original file, not to the copies; Mandatory Access Control (MAC), almost the same as Lattice-Based Access Control (LBAC), where access is based on security labels and the copy can be disseminated; and Role-Based Access Control (RBAC), where access is based on the role, which enables configuration according to DAC and MAC. However, when the system and user behaviors become more complex, these security models have a number of limitations. Thus, [30] proposes an upgrade of the security models, known as UCON (Usage Control Model) or also known as Attribute-Based Access Control (ABAC). For future development, [30] predicts that security models will be increasingly complex, and the approaches that can be taken as solutions are Application-Centric Access Control Models and Technology-Centric Access Control Models. In addition, according to [7], security and convenience will become more balanced, one way being the application of the concept of context-aware authentication.

Trusted computing is selected as the hardware component to support the strategy to build a secure and trusted environment. One of the modules of trusted computing is the trusted platform module (TPM), which is one of the keys to the application of trusted computing. In this case, [31] argue that implementing TPM could in fact be the solution to the problems of computer system security.
Mohaideen [31] also mentions that TPM guarantees 10 security solutions: Multi-factor authentication, Strong login authentication, Machine binding, Digital signatures, Password vaults, File and folder encryption, Strong client/server authentication, Trusted Network access control, Endpoint integrity, and Trusted client/server security. Although trusted computing has a number of benefits, it turns out that this solution is not fully implemented. Sprague (2010) in [32] mentions that up to the year 2011, more than 250 million TPM modules had been installed in various types of PC; according to [26], the figure even totals 600 million units. Unfortunately, among those TPM modules, only 1% can be activated and used. One of the barriers is the limited number of applications that support the implementation of trusted computing, including the lack of support from major operating systems like Windows and Linux for implementing the platform from TCG. However, given that the basic idea and concept of trusted computing is a hardware-based solution to increase computer security, the application of the trusted computing concept continues to serve as the primary solution. To anticipate problems encountered during the application of trusted computing, several alternative implementations are given, particularly through the use of a Virtual Machine Monitor (VMM), better known as the hypervisor.

In addition to technical problems, [31] also identify non-technical problems related to the application of trusted computing, such as dependence on the vendor. In this case, users are worried that tight protection of data and systems through trusted computing will allow a monopoly of products that will inhibit the continuity of product support. According to [31], users do not implement trusted computing because they fear bugs or corruption in trusted computing applications during operation, in which case handling and recovery are far more difficult. The non-technical problems are caused by users' lack of understanding of, and lack of familiarization with, the basic concept of trusted computing. Still according to [31], Germany's government is one that has a high commitment to implementing trusted computing in a variety of strategic infrastructures owned by the government.

Trusted computing can also provide solutions regarding authenticity and integrity through the ability to verify an infrastructure platform. For example, in a banking application, it must be ensured that all financial transactions are conducted only by clients legitimated by the system, and that the transactions are not performed by a malware application running on the client's computer. The same mechanism also applies to other critical infrastructures. Schellekens [26] mentions that there is a capability called remote attestation, which is the ability to detect the presence of tampering with the system; when tampering is detected, the system will automatically attempt to disconnect the network connection, stop the service or even force the client to stop running certain applications.
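The chain of trust of Section 4.4 and the remote attestation described above can be seen together in the following sketch. It is an added example, not code from the paper or from the TCG: the boot components, the key and all function names are constructed, and an HMAC with a shared key stands in for the signature a real TPM produces with its attestation key.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 platform configuration register


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Measure every boot stage in order, starting from an all-zero register."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


def first_untrusted(components, reference_digests):
    """Walk the chain of trust; return the index of the first stage whose
    measurement differs from the reference, or None if every stage matches."""
    for i, blob in enumerate(components):
        digest = hashlib.sha256(blob).hexdigest()
        if i >= len(reference_digests) or digest != reference_digests[i]:
            return i
    return None


def make_quote(key: bytes, nonce: bytes, pcr: bytes) -> bytes:
    """Client side: authenticate the PCR value together with the verifier's nonce.
    Assumption: HMAC replaces the TPM's asymmetric attestation signature."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()


def verify_quote(key, nonce, expected_pcr, reported_pcr, quote) -> str:
    """Verifier side: check authenticity and freshness, then platform state."""
    expected_mac = hmac.new(key, nonce + reported_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, quote):
        return "reject: quote not authentic or not fresh"
    if not hmac.compare_digest(reported_pcr, expected_pcr):
        return "reject: platform state differs from reference"
    return "accept"


# Constructed boot stages of a hypothetical eGovernment client.
GOOD_BOOT = [b"CRTM 1.0", b"bootloader 2.4", b"kernel 5.10", b"egov-client 1.3"]
TAMPERED_BOOT = [b"CRTM 1.0", b"bootloader 2.4 (modified)", b"kernel 5.10",
                 b"egov-client 1.3"]
REFERENCE_DIGESTS = [hashlib.sha256(c).hexdigest() for c in GOOD_BOOT]
REFERENCE_PCR = measure_chain(GOOD_BOOT)
ATTESTATION_KEY = b"constructed-demo-key"


def attest(components, nonce: bytes) -> str:
    """One attestation round: the client measures and quotes, the server verifies."""
    pcr = measure_chain(components)
    quote = make_quote(ATTESTATION_KEY, nonce, pcr)
    return verify_quote(ATTESTATION_KEY, nonce, REFERENCE_PCR, pcr, quote)


if __name__ == "__main__":
    print(attest(GOOD_BOOT, b"nonce-1"))
    print(attest(TAMPERED_BOOT, b"nonce-2"))
    print("first untrusted stage:", first_untrusted(TAMPERED_BOOT, REFERENCE_DIGESTS))
```

Because each extend hashes the previous register value, a change to any stage, or to the order of stages, changes the final value, and the nonce prevents an old quote from a healthy boot being replayed later.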
The defense-in-depth strategy includes three basic technologies to secure an eGovernment system, namely prevention technology, detection technology, and integrated technology, which become an important part of the technical aspects needed to satisfy the requirements of a secure and trusted environment. The Internet as a public channel is the most effective medium for reaching all walks of life. Therefore, technically, a system must have a good security standard so that threat and vulnerability issues in eGovernment can be prevented. Applying a defense-in-depth strategy becomes the standard technical solution in a secure and trusted environment.

According to [33], the human factor will form a group and eventually become the organization's culture. The human factor in security is therefore a complex and dynamic issue, because it can be related to various aspects of human behavior. However, all scholars agree that in any security system the human factor remains a crucial part. According to [28], in the field of security all technology-based solutions can be easily designed and implemented, but the same is not true of a solution to the human factor. Soltanmohammadi [27] explains that, broadly speaking, three components of the human factor draw the most attention, namely the organizational factor (including components of culture and policy), the motivational factor (including components of management support, reward/penalty and appraisal) and learning (including the components of individual learning and organizational learning).

Among the five components, two are technology-based, namely trusted computing and defense-in-depth strategy, while the other three are conceptually based, namely standard, security policy, and human factor. The five components of the strategy proposed in this paper are only a recommendation. Ideally, all of the strategy components are implemented to realize the concept of a secure and trusted environment in eGovernment. However, if not all of the components can be met, at least one of the technology-based components and one of the conceptually based components must be implemented. The defense-in-depth strategy and the human factor are recommended as the components that satisfy at least the minimum level of a secure and trusted environment for eGovernment.

6 Conclusion and Future Research

The Internet as the main medium for the implementation of eGovernment turns out to have a number of threats and vulnerabilities. This is becoming an obstacle for the implementation of eGovernment, especially in terms of public participation. One of the solutions is to set up a secure and trusted environment in the eGovernment system in order to increase the adoption of the technology toward synergy between the government and citizens through eGovernment services. The solution proposed in this paper develops the concept of secure eGovernment proposed earlier in [11], extending it with the issue of a trusted environment. The proposed strategy contains five components, namely: standard, security policy, trusted computing, defense-in-depth strategy, and human factor. The five components of the strategy proposed in this paper are a recommendation. In principle, all of the strategy components must be implemented to realize the concept of a secure and trusted environment in eGovernment. However, if not all of those components can be met, there has to be at least one of the hardware/software-based components and one of the conceptually based components that can be realized. The defense-in-depth strategy and the human factor are recommended as the components for achieving the minimum level of a secure and trusted environment for eGovernment. The description in this paper is still at a high conceptual level. To determine whether the proposed strategy meets the expectations for a secure and trusted environment for eGovernment, further research is needed up to the implementation level. Each strategy component proposed in this paper requires further study of the low-level aspects of implementation.

References

[1] United Nations, E-GOVERNMENT SURVEY 2014. New York, USA, 2014.
[2] F. Hadi and F. T. Bin Muhaya, “Essentials for the E-Government Security,” in International Conference on Information Society (i-Society), 2011, pp. 237–240.
[3] M. Alshehri and S. Drew, “E-Government Fundamentals,” in International Conference ICT, Society and Human Beings (IADIS), 2010, no. 2001, pp. 35–42.
[4] V. Moen, N. Klingsheim, K. Inge, F. Simonsen, and K. J. Hole, “Vulnerabilities in E-Government Web portals,” Int. J. Electron. Secur. Digit. Forensics, vol. 1, no. 1, pp. 89–100, 2007.
[5] A. B. Setiawan, “Implementasi Tata Kelola Keamanan Informasi Nasional Dalam Kerangka e-Government,” Jakarta, 2011.
[6] S. Hassan, Z. Aziz, and K. Nisar, “On the cache performance of the information centric network,” Proc. - 2013 Int. Conf. Comput. Electr. Electron. Eng. ’Research Makes a Differ. ICCEEE 2013, pp. 477–481, 2013.
[7] Security Document World, “The role of trusted digital identity in enabling the eGovernment 2020 vision,” 2014.
[8] H. Alsaghier and M. Ford, “Conceptualising Citizen’s Trust in e-Government: Application of Q Methodology,” Electron. J. e-Government, vol. 7, no. 4, pp. 295–310, 2009.
[9] N. Paladi, “Trusted Computing and Secure Virtualization in Cloud Computing,” Lulea University Of Technology, 2012.
[10] H. A. W. Ideler, “Cryptography as a service in a cloud computing environment,” Eindhoven University of Technology, 2012.
[11] T. K. Priyambodo and Y. Prayudi, “Information Security Strategy on Mobile Device Based eGovernment,” ARPN J. Eng. Appl. Sci., vol. 10, no. 2, pp. 652–660, 2015.
[12] G. R. Karokola, “A Framework for Securing e-Government Services The Case of Tanzania,” Stockholm University, 2012.
[13] G. R. Karokola, “A Framework for Securing e-Government Services The Case of Tanzania,” Stockholm University, Sweden, 2012.
[14] R. Alshboul, “Security and Vulnerability in the E-Government Society,” Contemp. Eng. Sci., vol. 5, no. 5, pp. 215–226, 2012.
[15] S. Saha, D. Bhattacharyya, T. Kim, and S. K. Bandyopadhyay, “Model Based Threat and Vulnerability Analysis of E-Governance Systems,” Int. J. u- e- Serv. Sci. Technol., vol. 3, no. 2, pp. 7–22, 2010.
[16] T. Nikolakopoulos, “Evaluating the Human Factor in Information Security,” University of Oslo, 2009.
[17] M. Burmester and J. Mulholland, “The Advent of Trusted Computing: Implications for Digital Forensics,” in SAC, 2006, pp. 23–27.
[18] S. E. Colesca, “Understanding Trust in e-Government,” Inz. Ekon. Econ., no. 3, pp. 7–15, 2009.
[19] N. M. C. Santos, “Improving Trust in Cloud, Enterprise, and Mobile Computing Platforms,” Universitat de Saarlandes, 2013.
[20] T. S. H. Teo, S. C. Srivastava, and L. Jiang, “Trust and Electronic Government Success: An Empirical Study,” J. Manag. Inf. Syst., vol. 25, no. 3, pp. 99–131, 2009.
[21] S. Singh and D. S. Karaulia, “E-Governance: Information Security Issues,” in International Conference on Computer Science and Information Technology (ICCSIT), 2011, pp. 120–124.
[22] K. Wada and P. King, “IT Policy: An Essential Element of IT Infrastructure,” Educause Review, no. June, pp. 14–15, Jul-2001.
[23] C. Gikas, “Information Systems Security: A General Comparison of FISMA, HIPAA, ISO 27000,” 2010.
[24] C. Taylor, B. Endicott-Popovsky, and D. A. Frincke, “Specifying digital forensics: A forensics policy approach,” Digit. Investig., vol. 4, pp. 101–104, Sep. 2007.
[25] M. Amin, S. Khan, T. Ali, and S. Gul, “Trends and Directions in Trusted Computing: Models, Architectures and Technologies,” in International Multiconference Of Engineers and Computer Scientist, 2008, vol. I, pp. 19–21.
[26] D. Schellekens, “Design and Analysis of Trusted Computing Platforms,” Katholieke Universiteit Leuven, 2012.
[27] S. Soltanmohammadi, S. Asadi, and N. Ithnin, “Main Human Factors Affecting Information System Security S,” Int. J. Contemp. Res. Bus., vol. 5, no. 7, pp. 329–354, 2013.
[28] J. J. Gonzalez and A. Sawicka, “A Framework for Human Factors in Information Security,” in WSEAS International Conference on Information Security, Hardware/Software Codesign, E-Commerce and Computer Networks, 2002, pp. 1871–1877.
[29] I. Z. Dlamini, S. J. Ngobeni, and M. B. Mutanga, “South African EGov: Secure E-Service,” in eChallenges e-2010 Conference, 2010.
[30] R. Sandhu, “Security Models: Past, Present and Future,” no. August. Institute for Cyber Security, UTSA USA, San Antonio, TX, USA, pp. 1–28, 2010.
[31] Z. Mohaideen, M. F. Mubarak, and Z. Ahmad, “Advisory Paper for Trusted Computing Technology,” 2013.
[32] D. A. Fisher, J. M. McCune, and A. D. Andrews, “Trust and Trusted Computing Platforms,” 2011.
[33] K. Parsons, A. McCormac, M. Butavicius, and L. Ferguson, “Human Factors and Information Security: Individual, Culture and Security Environment,” Edinburgh, 2010.