From Julius Njiraini
Computer security and Forensic consultants
0724293490

My proposal to ICT Policy discussion

*INTRODUCTION*

Information technology architects must build applications, systems, and networks that match ordinary users' expectations of trust in terms of identity, authentication, service level agreements, and privacy. These will help in addressing every layer of business, technology, people, and process. The trust model relies on complete requirements that include business, technical, legal, regulatory, and fiduciary requirements. It does this by offering secure services, implemented within a secure component and which can be used at each level of a Chain of Trust: from the boot mechanism, to the device operating system (OS) and up to the application layer. A device OS is typically the main OS of the device that runs applications and/or services. In the case of smartphones, it can be an OS such as Android. On other Internet-of-Things (IoT) devices, examples may include a Linux-based OS or a real-time operating system (RTOS).

*PROCESS.*

Step 1: Root of Trust services to the device boot mechanism, including device identification and attestation services - Since the boot is assisted by the Root of Trust from the secure component, the integrity of the device boot chain process is assured and protection offered against various attacks and infections from malware.

Step 2: Secure services to protect the device OS - A connection between the device OS and the secure component enables the device OS to access highly secure services within the secure component. These can be used to protect the assets of the OS, such as its certificates and update processes. Application assets, such as data and keys, and end-user authentication also need to be protected. Thanks to the secure component, they too can access the most advanced level of security services.
Step 3: Dedicated security services for device applications - To offer most value-added services (VAS), device applications require more advanced security services that are optimized (in terms of security, performance etc.) and tailored for that particular application (e.g. providing specific algorithms). Dedicated security services can be loaded as needed into a secure component and made accessible to the device applications which require them.

Digital service providers need to be confident that they can connect their business activities and back end systems with end-point devices which are trusted. This reassures them that they are interacting with, and serving, the right customers. While the trusted end-point is vital to their service delivery, so too is a secure communication channel between the service provider’s server and the end user device. A secure channel enables service providers to confidently use the secure services on the device, such as those which allow them to:

· Enable or update digital services
· Enroll end users / devices to the service provider platform;
· Authenticate end users
· Store private data
· Authenticate data generated by the device;
· Protect data generated by the device ahead of data transmission *exchange in the cloud.*

For Cloud Platform Providers

In today’s connected device ecosystem, the cloud platform provider has become firmly established as an actor which provides a platform that enables end-users and suppliers to interact and / or conduct transactions. There are different examples of this new ecosystem player: for example, app stores (e.g. the App Store, Play Store) for smartphone and tablet applications; online market places for consumers (e.g. Amazon, Alibaba); and IoT cloud platform providers (e.g. Azure, Google, Artik, etc.) for enterprise and M2M applications.
All cloud platform providers need to remotely and securely enroll and manage connected devices; this enables the cloud provider to offer new services and send regular updates. Secure end user and device authentication is also commonly required, to ensure that the provider is interacting with the intended devices and audience. The key requirements of cloud platform providers are:

· Enrollment - Complexities arise with device enrollment when the cloud platform provider needs to enroll a variety of devices from heterogeneous domains (e.g. healthcare, energy, home automation, etc.) and from different manufacturers. Reliable device enrollment is critical for IoT cloud platform providers across M2M and enterprise use cases. The Chain of Trust established by the GlobalPlatform Device Trust Architecture supports device identification and offers a solution for the secure storage of identity credentials allocated by cloud platform providers.

· Remote management - Cloud platform providers must always be able to remotely manage devices. To do this, the devices need to be trusted end-points and they need a secure channel which allows them to engage with the right devices and be sure that their update processes are not compromised.

· Authentication - End user and device authentication are required across both consumer and M2M use cases, to allow the correct access to platform services and to ensure non-repudiation. The cloud platform provider needs to use the secure services available on the device for this purpose.

WHY IS THE DEVICE TRUST ARCHITECTURE NEEDED?

The connected device landscape is expanding rapidly. New devices and device types are being connected to a range of different cloud platforms, new device operating systems are being created and digital services are being developed. Yet not all devices are secure enough to protect against threats and attacks.
Considering the sensitive nature of data being gathered and exchanged between many connected devices, the lack of standardized security poses a significant risk across the complete ecosystem. For digital services to be a success:

· Service providers need to trust that the devices which are responsible for gathering and sending back service-related data are fully protected and updatable against future attack threats.
· Device makers need to support a range of device OS, securely connect to multiple cloud platform providers and offer the right level of security services to service providers.
· Cloud platform providers need to securely enroll many device types, running a wide range of different secure services. End to end data integrity, from verifiable devices, is fundamental to their business model; big data is useless if you cannot trust the source of that data.

Collaboration between these key stakeholders on securing digital services must therefore be a priority or the IoT ecosystem will not realize its full potential and ‘big brand’ IoT data breaches could become the norm.

*SOLUTION*

*1. Digital Certificate*

A *Digital Certificate* is used to encrypt online data/information communications between an end user's browser and a website. After verifying that a company owns a website, a certificate authority will sign their certificate so it is trusted by internet browsers. Digital Certificates are a means by which consumers and businesses can utilise the security applications of *Public Key Infrastructure* (PKI). PKI comprises the technology that enables secure e-commerce and Internet-based communication by providing the following:

*Identification / Authentication:* The persons / entities with whom we are communicating are really who they say they are.

*Confidentiality:* The information within the message or transaction is kept confidential. It may only be read and understood by the intended sender and receiver.
*Integrity:* The information within the message or transaction is not tampered with, accidentally or deliberately, en route without all parties involved being aware of the tampering.

*Non-Repudiation:* The sender cannot deny sending the message or transaction, and the receiver cannot deny receiving it.

*Access Control:* Access to the protected information is only realized by the intended person or entity.

*2. Digital Signature*

Digital Signature is a process that guarantees that the contents of a message have not been altered in transit. You need a digital certificate to digitally sign a document. However, if you create and use a self-signed certificate the recipients of your documents will not be able to verify the authenticity of your digital signature. They will have to manually trust your self-signed certificate.

The policy should come with legislation for implementing Public Key Infrastructure in Kenya.

On Fri, Mar 15, 2019 at 8:15 AM Nanjira Sambuli via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Good day, Are we to assume that concerns raised here regarding today’s deadline for submitting comments have gone unheard?
Regards, Nanjira.
Sent on the move.
On 11 Mar 2019, at 19:18, info@elvisjonyo.co.ke wrote:
On 11 Mar 2019, at 07:29, Ali Hussein <ali@hussein.me.ke> wrote:

Gimode

Greetings. Seeing that you posted this email on Friday, 8th March, I'm curious to understand how the committee can expect to get substantive responses within a week on such a critical piece of document? I think it's time this country reviews what it means when the constitution talks about Public Participation. I know that there are members of the August House in this list. I challenge them to address this issue. I fear that government officials are taking us through a 'tick the box' exercise when it comes to public participation.

Ali Hussein
Principal
AHK & Associates
Tel: +254 713 601113
Twitter: @AliHKassim
Skype: abu-jomo
LinkedIn: http://ke.linkedin.com/in/alihkassim
13th Floor, Delta Towers, Oracle Wing, Chiromo Road, Westlands, Nairobi, Kenya.

Any information of a personal nature expressed in this email are
On Fri, Mar 8, 2019 at 9:04 PM Gimode, Chiimbiru via kictanet <kictanet@lists.kictanet.or.ke> wrote:

Dear Listers,

You will recall the Ministry of Information, Communications and Technology (MoICT) constituted an inter-agency Steering Committee to review Kenya’s first National Broadband Strategy (NBS) for the period 2013-2017. The Committee draws membership from the MoICT, Communications Authority of Kenya (CA), Vision 2030 Delivery Secretariat (VDS), National Communications Secretariat (NCS) and the ICT Authority (ICTA).

The team is at the tail-end of the review of the NBS and is seeking views from the members of the public to enrich the NBS for the period 2018 – 2023 in line with the Constitution of Kenya 2010. Attached is a public notice on the same. You can access the consultation paper on the Authority’s website on
The deadline for submission of comments is 15th March 2019.

Best Regards,
Chiimbiru Gimode, CMRP, MPRSK.
Communications Officer
Communications Authority of Kenya (CA)
Head Office: CA Centre, Waiyaki Way, Westlands, Nairobi | P.O Box 14448 Nairobi 00800.
Regional Offices: Mombasa | Nyeri | Kisumu | Eldoret
Office Line: 0703-042-524 | Website: www.ca.go.ke | Twitter: @CA_Kenya
Facebook: Communications Authority of Kenya | YouTube: CA Kenya | Instagram: CA Kenya
Flickr: https://www.flickr.com/photos/cck-kenya
Core Values: Integrity | Innovation | Excellence
On 2019-03-11 13:51, Nanjira Sambuli via kictanet wrote:

+1, Ali,

Additionally, are there reflections on the successes and shortcomings for the 2013-17 period? For instance the goal on broadband speeds for rural vs urban areas, a very lofty goal therein?

Regards, Nanjira.
Sent on the move.

purely mine and do not necessarily reflect the official positions of the organizations that I work with.

this link: https://ca.go.ke/consumers/public-consultations/open-consultations/
It is unreasonable and dishonorable to expect the public to peruse through a document and give comments in one week. You might as well promulgate it as is.
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/njiraini2001%40gmail.c...
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.