Security

Every release of the OpenCRVS application and infrastructure has been security penetration tested by an independent, CREST and CyberEssentials certified 3rd party to UK government standards.

Penetration tests of OpenCRVS have been performed by MDSec, The Guardian Project on behalf of UNICEF, and GoFore - NORAD's preferred security testing provider.

As an example, GoFore Plc conducts security assessments for public and private organisations in the form of white hat penetration testing (aka ethical hacking) to simulate an adversary attacking the system and identifying vulnerabilities that may be exploited to compromise data confidentiality, integrity and availability.

Gofore pentesters utilise proven pentesting methods of code review, automated enumeration scans via the public internet, fuzzing with diverse input, and manual tests. The security assessment was conducted in two rounds, first to identify and report vulnerabilities, and then reassessed to ensure reported vulnerabilities were resolved.

"Already from the results of the first assessment, it was evident that the OpenCRVS web application had a good security posture. The web application security fundamentals were sound."

GoFore Cyber Security Consultant

Key security points

Two factor authentication

Our server SSH access, mobile application and microservices are secure, protected by 2-Factor Authentication utilising OAuth JWT best practices. 2FA codes are sent to the user's mobile device in order log in either via SMS or Google Authenticator. These codes ensure that only users with access to authenticated hardware can access OpenCRVS.

Access controls and audit trail

User types and access controls are managed in order to segregate personally identifiable data to only to the users who need it. These user types can be set up in the Team GUI accessible by National and Local System Administrators. Every access to a specific declaration or registration is audited in order to track who viewed the data thus protecting citizen rights. All access to OpenCRVS servers and infrastructure health is logged and monitored in Kibana. SSH access to servers requires Google Authenticator 2FA.

Ansible provisioned firewall & SSH 2FA (VPN requirement)

OpenCRVS automatically provisions a secure firewall to OpenCRVS on each node. SSH users are configured to use Google Authenticator 2FA when connecting via a Terminal. Every SSH access prompts an automated alert to technical teams via Slack. Note: OpenCRVS should only be installed behind a separately configured and managed, government owned VPN.

TLS certificate

OpenCRVS data is encrypted in transit via an SSL certificate that can be automatically provisioned and rotated by Traefik signed by LetsEncrypt, depending on DNS and VPN configuration.

Database encryption

Encryption keys to the databases, API keys and sensitive environment secrets are never stored in .env files but instead are stored in RAM in inaccessible Docker Secrets and provided to deployment by inaccessible Github Secrets.

Rate limiting

OpenCRVS authentication and API gateway is rate limited to prevent abusive attacks such as "DoS Denial of service" and "Brute Force". Rate limiting is a technique used to control the number of requests a user or system can make to an API or service within a specified timeframe, preventing abuse and ensuring fair resource distribution.

Data security framework

OpenCRVS is software to digitally enable civil registration processes and as such is designed to digitally store and process personally identifiable information (PII) and also create copies of official documentation including unique identifiers for citizens. It is a technical solution that is regularly penetration tested to industry standards, and where technically possible, OpenCRVS provides solutions to mitigate against common threats.

However, OpenCRVS is used within the context of human day-to-day work and interaction with the outside world. This is a world where we should expect criminals to continually adapt and attempt to gain access to valuable citizen data. The constantly evolving cyber-security landscape includes social engineering methods, machine learning and artificial intelligence. Criminals may adopt these techniques to exploit staff who use OpenCRVS and attack the servers and networks on which it is installed.

Reacting to such threats often falls outside the scope of what a technical system is capable of independently defending against. Therefore data security policies and procedures must be developed and adhered to by implementing project teams and operational staff when setting up and using OpenCRVS.

We provide a "Data Security Framework" document explained further with a video in this section. The purpose of this document is to provide organisations with:

• An understanding of data security and privacy risks.

• An understanding of the technical steps taken in OpenCRVS to mitigate against these risks.

• A guidance framework for the development of context-specific data security policies and procedures that should be designed and introduced by a government that has chosen to install OpenCRVS and digitise their civil registration system.

• Security guidance for project managers and all staff involved on a temporary or continual basis in the following stages of an OpenCRVS project: a) design & implementation b) monitoring & maintenance and c) day-to-day usage of OpenCRVS.

Data security policies and procedures must be defined, implemented and updated by governments appropriate to their own contextual needs and should be informed by publicly available content specific to the subject of data security and not exclusively from this document. Some example reference links are provided in the appendix, which may prove useful for developing such policies.