
Page 1

Digital Service Provider Architecture Reference Group (DARG)

Presented by: Paul Dwyer, Director, Digital Wholesale Services, Australian Taxation Office

03 April 2019

Page 2

Welcome and introductions

Page 3

DARG change to traditional scheduling and timings

Presented by: Paul Dwyer, Director, Digital Wholesale Services, Australian Taxation Office

Page 4

E-Commerce Platform Roadmap

How to use this slide pack

UNCLASSIFIED – Digital Architecture Reference Group – 03 April 2019

Page 5

E-Commerce Platform | On-Going Tuning

Three key operational priorities were identified in preparation for Tax Time 2019:

1. Stuck batches
2. Unexpected component failures
3. Leverage Cloud Capabilities & Scale

Three strategic areas of focus:

1. Increasing Batch Record Size
2. Proactive Business Solutions to meet ATO's Future Growth
3. Reducing the imposition on adopting and conforming to the current Channel Ecosystem

Other items shown on the slide: Database Monitoring and Enhancements; Upgrading old infrastructure; Performance tuning (MAAS & MATS Focus); Stuck Batches; Message Tracker; Throttling Solution

[Chart: Transactions Volume Growth (M), 2018 Actuals v 2019 Forecast. Series: Inbound, Outbound, 2018 Actuals. X-axis: Jan to Dec; y-axis: 0 to 160 (millions).]

Page 6

E-Commerce Platform | Product Upgrades Future Design

Parameters of SBR2: The ATO has provided input and expectations directly to the product developers.

Updates to the product suite are coming. There are future enhancements we may wish to implement, but we will need to make decisions around the existing implementation. Changes to the implementation would be carried out in iterations so as to minimise the risk to production use.

Options (the slide also rates each option for Cost, Elastic and Complexity; those columns did not survive extraction):

• Leverage Cloud Native (PAAS) *: Shifting away from the current IAAS approach, using cloud native PAAS offerings where possible for the processing of messages.
• Leverage Cloud Native (Container) *: Shifting away from the current IAAS approach, using cloud native containerisation offerings where possible for the processing of messages.
• Add an additional gateway: Standing up an additional gateway for either specific DSPs or specific market segments.
• Horizontally scale: Adding more nodes to the current solution in order to handle

Page 8

ATO Digital Services Modernisation (ADSM): Request for information

Presented by: Paul Dwyer, Director, Digital Wholesale Services, Australian Taxation Office

Page 9

WHAT IS ATO DIGITAL SERVICES MODERNISATION (ADSM)?

ATO Digital Services Modernisation Program

The ATO is seeking a new innovative solution to deliver lightweight digital services. This solution will enable clients to interact with and consume quick, small and data driven services. This capability is referred to as the Digital Services Gateway (DSG).

In addition, the ATO is seeking to modernise an existing platform, which provides business event, bulk and batch style digital services and supports existing messaging capabilities. This capability is referred to as the Digital Reporting Channel (DRC).

The ATO requires a solution or solutions that will service both capabilities (DSG and DRC) and that can be deployed with minimal disruption to the consumers of the current services.

Digital Services Gateway
• Provide new light-touch and lightweight messaging standards
• Service real time, digital event single transactions

Digital Reporting Channel
• Continue to provide existing services
• Provide backwards compatibility
• Service bulk and single transactions

Diagram labels: Single entry point; Service Integration; Internal ATO processing systems. A solution that achieves high service availability targets, is secure and efficient.

Page 10

COMMUNICATION TO DATE

Date | Discussion | Forum / Channel

• 20 Mar 2018 | SBR Evolution and e-Invoicing: the Broader Context (SBR Evolution) | ABSIA Forum
• 31 May 2018 | SBR System Evolution presentation to Governance and Committees | ATO Executive & ABSIA Board meeting
• 27 Jun 2018 | Improving SBR2 Platform; Digital Services Gateway – Simplifying 'event based' interactions | Super Industry Engagement Forum
• 23 Aug 2018 | ATO Digital Services Modernisation: SBR2 Platform & Digital Services Gateway; Digital Services Gateway and future SBR | Combined Strategic Working Group and ABSIA Board meeting
• 24 Aug 2018 | Standard Business Reporting Resilience & Future | Tax Practitioner Stewardship Group
• 03 Sept 2018 | ADSM Overview discussion - SBR Evolution | Westpac and ATO Senior Executive Round Table
• 18 Sept 2018 | ATO's Digital Delivery: ATO Digital Services Modernisation; Digital Services Gateway and Future SBR | SuperStream Reference Group
• 10 Oct 2018 | DSP Operational Framework: ATO Digital Services Modernisation – 2020 Vision | Superannuation Fund administrators
• 03 Dec 2018 | ATO Technology: Enabling our digital business | Vendor Briefing (IT Journalist)
• 05 Dec 2018 | News item advising of RFI 2227 – ATO Digital Services Modernisation | DSPs Newsletter
• 13 Dec 2018 | ADSM – Industry Brief | ATO ADSM Industry Brief

Page 11

ADSM SO FAR

2018
• 5 December: Request for Information published on AusTender
• 12 December: Email to Industry Leaders
• 13 December: Industry Briefing held, 160 external attendees

2019
• 13 February: RFI closed. 260 entities registered for updates and downloaded the AusTender documentation. The ATO responded to 118 questions from industry and received 23 compliant responses.
• 14 February: RFI Evaluation Plan signed off
• 01 March: Evaluation of RFI responses commenced

Current update

The ATO is currently reviewing and evaluating the responses for RFI 2227. At this stage, the ATO is unable to provide a date for when the RFI outcome will be finalised. The ATO will provide another update as the evaluation process is finalised.

Page 12

Direction of Technology: Open discussion

Presented by: Paul Dwyer, Director, Digital Wholesale Services, Australian Taxation Office

Page 13

The drivers

• Are we on the right mission?

• How do we enable agility and the innovation that provides delightful user experience?

• What are the changes we can make to:

– Provide quality

– Contain costs

– Increase velocity

– Enable the exponential growth in demand

Putting a light on the hill

• Helps to determine the value of an idea.

How we’re moving forward

• Plans are only good if they can be executed

INTRODUCTION

Page 14

CONCEPTUAL | Digital Decoupling to support Bimodal

Features for software developers:
• Independence
• Tested and Operational
• Quality of service

Features for the ATO:
• Protection of core systems
• 'Space' to re-architect and revolutionise the monoliths
  − Real-time over batch
  − Fit-for-purpose

Diagram layers:
• "Software Developers": DHS, MYOB; ATO, ATO STAFF, GOV - DHS, MYOB, DSP
• PRODUCT LAYER: GST, SUPER, IT, STP/Pay, Report, +More
• INNER API LAYER: CLIENT ACCOUNT; INSIGHTS & INTELLIGENCE; CLIENT PROFILE; ENTERPRISE ADMIN; ADVICE AND SUPPORT; CASE & WORK MANAGEMENT; EVENT PROCESSING (each shown as an API / API SOLUTION). Inner APIs are platform based; priority is determined by operational needs.
• OUTER API LAYER: Reporting, Informational, Traditional. Outward API priority is determined by service demand from software developers.
• Digital Services Gateway; Digital Reporting Channel

Page 15

CONCEPTUAL | Managing new load and meeting service expectations

Providing innovative lightweight data driven digital services requires strengthening of the solutions that deliver them to meet growth and modern service expectations.

Diagram (two panels). Panel 1 labels: API; Core System Master; Cache; Informational Service; note: "Informational Service Cache for performance, availability and resilience". Panel 2 labels: Consumer; API; Core System Master; Informational Service; X (the core system marked as unavailable).
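The cache the slide places between the core system master and the informational service is, in practice, a read-through cache that keeps answering when the core is unavailable (the X in the second panel). The Go program below is an added illustration of that pattern, not ATO code; the fetcher, the TTL and the staleness bound are assumed values. It serves fresh entries without touching the core, refreshes on expiry, and on a core failure falls back to the stale entry only while it is younger than a maximum staleness, so an outage cannot keep an informational service answering with arbitrarily old data.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Fetcher models the call into the core system master. It returns an error when
// the core system is unavailable (the X in the slide's second panel).
type Fetcher func(key string) (string, error)

type entry struct {
	value   string
	fetched time.Time
}

// InfoCache is a read-through cache in front of the core system for an
// informational service. Assumed design (not the ATO's): entries are fresh for
// ttl, and a stale entry may still be served during a core outage, but only
// while it is younger than maxStale.
type InfoCache struct {
	mu       sync.Mutex
	entries  map[string]entry
	fetch    Fetcher
	ttl      time.Duration
	maxStale time.Duration
	Now      func() time.Time // injectable clock, so tests can move time forward
}

func NewInfoCache(f Fetcher, ttl, maxStale time.Duration) *InfoCache {
	return &InfoCache{entries: map[string]entry{}, fetch: f, ttl: ttl, maxStale: maxStale, Now: time.Now}
}

// Get returns the value for key and whether it came from the cache rather than
// the core system. The lock is held across the fetch for simplicity; a
// production cache would use per-key single-flight so one slow core call does
// not block unrelated keys.
func (c *InfoCache) Get(key string) (value string, fromCache bool, err error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	now := c.Now()
	e, ok := c.entries[key]
	if ok && now.Sub(e.fetched) < c.ttl {
		return e.value, true, nil // fresh: the core system is not touched
	}
	v, ferr := c.fetch(key)
	if ferr == nil {
		c.entries[key] = entry{value: v, fetched: now}
		return v, false, nil
	}
	// Core unavailable. Serve the stale copy only inside the staleness bound so
	// an extended outage cannot keep answering with arbitrarily old data.
	if ok && now.Sub(e.fetched) < c.maxStale {
		return e.value, true, nil
	}
	return "", false, fmt.Errorf("core system unavailable and no usable cached value for %q: %w", key, ferr)
}

func main() {
	down := false
	core := func(key string) (string, error) { // constructed stand-in for the core system master
		if down {
			return "", fmt.Errorf("core timeout")
		}
		return "record-for-" + key, nil
	}
	c := NewInfoCache(core, 10*time.Second, time.Minute)
	v, hit, _ := c.Get("client-42")
	fmt.Println(v, "fromCache:", hit) // record-for-client-42 fromCache: false
	v, hit, _ = c.Get("client-42")
	fmt.Println(v, "fromCache:", hit) // record-for-client-42 fromCache: true
	down = true
	c.Now = func() time.Time { return time.Now().Add(30 * time.Second) } // ttl passed, core down
	v, hit, err := c.Get("client-42")
	fmt.Println(v, "fromCache:", hit, "err:", err) // stale copy served, err nil
	c.Now = func() time.Time { return time.Now().Add(2 * time.Minute) } // beyond maxStale
	_, _, err = c.Get("client-42")
	fmt.Println("err:", err) // core system unavailable and no usable cached value ...
}
```

The staleness bound is the security-relevant knob: without it, a cache that "improves availability" silently turns a core outage into an indefinite supply of outdated client data to consumers.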

Page 16

DARG focus groups

Presented by: Paul Dwyer, Director, Digital Wholesale Services, Australian Taxation Office

Page 17

Improving the test environment

Focus group

Page 18

FOCUS GROUP | Improving the test environment

WHERE WE HAVE COME FROM

• EVTE is a stubbed environment that provides an efficient capability to test the transmission of messages to the ATO
• EVTE offers unlimited testing of messages without resetting data and will prove the successful transmission of a message to the ATO, including verification that:
  – the correct message format is being used
  – the certificate is correctly embedded in the message
  – error messages and exceptions generated by the ATO system are processed correctly by the calling system
• A comprehensive conformance suite is provided. This includes test cases, associated credentials and the request and response messages as templates.
• EVTE does not allow load or performance testing to be carried out in the environment
• The use of EVTE and the conformance suite is expected to be part of a greater test process by individual DSPs
• The number of conformance test cases has been kept to a minimum to reduce the impact on the range of DSPs

Page 19

FOCUS GROUP | Improving the test environment

WHERE WE ARE NOW

• Improving conformance test cases by setting
  – Realistic data
  – End to end scenarios with a single credential
• Updates to the Business Implementation Guide (BIG)
  – More detailed descriptions of the business use of the service to provide a greater context for the use of the service
  – Format changes to simplify the document
• Increasing automated testing in all environments

Page 20

FOCUS GROUP | Improving the test environment

THE FUTURE

• DevOps practices to improve delivery turnaround
  – Continuous build could mean smaller and faster deliveries to EVTE
• DSP gateway to improve the interaction between the ATO and DSPs
  – Access to information and feedback in order to reduce delivery and testing timelines
  – Larger repository of test cases to consume as optional tests to assist in verifying quality of delivery
• Improved tooling to assist:
  – Creation and aging of test data
  – Generating test cases to be consumed by specific DSPs

Page 21

BIG review

Focus group

Page 22

FOCUS GROUP | BIG review

Purpose

A focus group has been formed through the DARG to provide initial feedback on the current structure and content of Business Implementation Guides (BIGs), with the intent to improve future content and remove any redundant and/or duplicated information.

Items identified for review and proposed changes to the BIG:

• Update to the purpose statement
• Removal of some information. For example: removal of taxpayer declaration information, as it is already in the Taxpayer Declaration Guide
• Intent to move some content to a common BIG:
  o Audience
  o Document context
  o Channel availability for the interaction
  o Intermediary relationship
  o AUSkey and authentication information
  o TFN and ABN algorithm validation
  o Truncating amounts

More consultation will occur with industry
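The "TFN and ABN algorithm validation" that the common BIG will carry is the check-digit test a DSP runs on an identifier before it goes into a message. As an added illustration (not ATO or BIG code), the Go functions below implement the published ABR ABN check-digit rule and the nine-digit TFN rule. The ABN 51 824 753 556 in the demo is the ATO's own published ABN; the TFN 123 456 782 is a constructed test value that satisfies the rule, not a real number.

```go
package main

import (
	"fmt"
	"strings"
)

// digits accepts the space-separated form users type ("51 824 753 556") and
// returns nil if anything other than digits and spaces is present.
func digits(s string) []int {
	out := make([]int, 0, len(s))
	for _, r := range strings.ReplaceAll(s, " ", "") {
		if r < '0' || r > '9' {
			return nil
		}
		out = append(out, int(r-'0'))
	}
	return out
}

// ValidABN applies the ABR check-digit rule: subtract 1 from the first digit,
// weight the eleven digits by 10,1,3,5,7,9,11,13,15,17,19 and require the
// weighted sum to be divisible by 89. The subtract-1 step only makes sense for
// a first digit of 1 to 9, so a leading 0 is rejected outright.
func ValidABN(s string) bool {
	d := digits(s)
	if len(d) != 11 || d[0] == 0 {
		return false
	}
	weights := [11]int{10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19}
	sum := (d[0] - 1) * weights[0]
	for i := 1; i < 11; i++ {
		sum += d[i] * weights[i]
	}
	return sum%89 == 0
}

// ValidTFN applies the nine-digit TFN rule: weights 1,4,3,7,5,8,6,9,10 and a
// weighted sum divisible by 11.
func ValidTFN(s string) bool {
	d := digits(s)
	if len(d) != 9 {
		return false
	}
	weights := [9]int{1, 4, 3, 7, 5, 8, 6, 9, 10}
	sum := 0
	for i, w := range weights {
		sum += d[i] * w
	}
	return sum%11 == 0
}

func main() {
	for _, abn := range []string{"51 824 753 556", "51 824 753 557", "5182475355"} {
		fmt.Printf("ABN %q valid: %v\n", abn, ValidABN(abn)) // true, false, false
	}
	for _, tfn := range []string{"123 456 782", "123456789", "12345678x"} {
		fmt.Printf("TFN %q valid: %v\n", tfn, ValidTFN(tfn)) // true, false, false
	}
}
```

A check digit only catches transcription errors; it says nothing about whether the number belongs to the reporting party, which is exactly why the M2M design later in this pack makes SBR Core compare the credential's ABN against the reporting party ABN.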

Page 23

Machine to machine credentials

Presented by: Hoshedar Elavia and Claire Miller, Director, Digital Wholesale Services, Australian Taxation Office

Page 24

AUSkey replacement

What will replace AUSkey?

The ATO is building:

• myGovID: A way to prove who you are. You will be able to authenticate and access government online services using myGovID
• Relationship Authorisation Manager (RAM): Whole of government relationship and authorisation manager. RAM lets businesses and tax agents control who can act on their behalf across eligible government online services
• A new machine to machine (M2M) solution to support existing M2M arrangements, replacing device AUSkey
• Combined, these solutions will replace AUSkey
• The ATO is also building a SAML service (Business Authentication Manager) to enable agencies to on-board with minimal impact

Why are we replacing AUSkey?

AUSkey has not kept pace with changes in technology and doesn't meet the future needs of most businesses. AUSkey is:

• not supported on mobile devices
• not compatible with all internet browsers
• difficult to set up and maintain
• restricted to online services, and authorisations do not carry across channels (i.e. it cannot be used to contact the ATO by phone)
• unable to provide password reset functionality, forcing users to re-register when a password is forgotten
• difficult for users who want to view and manage multiple AUSkeys, with some businesses having up to 200 AUSkeys
• reaching end of life in March 2020

Page 25

New Machine to Machine solution (replacing device AUSkey)

The AUSkey replacement will include a new machine credential, which will be issued and managed via RAM.

• The new machine credential is backwards compatible with existing device AUSkeys, and DSPs will only need to download the new credential(s), then update the authentication endpoint in their software products
• During the transition period, existing device AUSkeys will work with the new ATO Secure Token Service (STS) endpoint
• The new machine credential is compatible with the existing Software Developer Kit
• A new Software Developer Kit will be issued later in the year with some new features; however, this is not required for transition prior to March 2020

Page 26

M2M Authentication │ DSP experience roadmap

Timeline (diagram; axis runs 2018 to 2020)

ATO DSP engagement (DIWG):
• Initial meeting: 16 Mar
• Workshops x2: 17 & 30 May
• 4th meet: 7 Jun
• 5th meet: 7 Aug
• 6th meet: 11 Dec

Planned releases:
• EVTE: 18 Apr 2019
• Public Beta (TBC): Sep 2019
• End to end encryption
• Full implementation of M2M solution, including supply chain visibility (2020)

Activities shown against the timeline, in order:
- Developer introduction to the Digital Identity program of work
- Introduction to WofG Digital Identity program components including Exchange ecosystem
- Provide Digital Identity Program of work update to DSPs including solution rebranding, B2B position and MFA position
- Establish Core Design Principles for M2M solution
- Present M2M design plan
- Gather DSP M2M use cases
- Development of component requirements
- Endorse and accept design principles
- Complete component requirement draft
- Validate use cases and component requirements
- Develop M2M high level architecture design including server & client side diagrams
- Update on open source options
- Confirm use of Trusted Platform Module (TPM) is not mandated by DTA
- Endorse and accept M2M high level architecture design including server & client side diagrams
- Confirm the client side SDK will be open source
- Present draft M2M detail design for discussion
- M2M EVTE Private BETA (Phase 0)
- SBR / DSPs can install and test new key in test environment
- M2M Production Public BETA (Phase 1)
- Machine credential – I can create a machine credential to secure M2M transactions

Page 27

MACHINE-TO-MACHINE AUTHENTICATION | Client Model

PREREQUISITES
• All users have myGovID
• All users are authorised for the business in RAM
• Must have SDK loaded
• Must have credential

Roles
• Business owner / Principal Authority: has the Machine Credential Administrator (MCA) role but will generally delegate this to another person. When creating a machine credential, they will be the custodian.
• Machine Credential Administrator (MCA): requests the machine credential and is the credential custodian.
• Server: machine credential created in MAS via RAM; credential downloaded (or installed), a different one for each DSP business; SDK installed.

Flow (diagram; swimlanes labelled PRINCIPAL, AUTHORISED and AFFILIATE; role flow and credential flow drawn separately):
1. The business owner grants the 'Machine Credential Admin' role to an authorised person via RAM; that person now has the 'Machine Credential Admin' role
2. The MCA requests a new credential via RAM
3. The machine credential is created in MAS via RAM
4. The credential is downloaded (or installed) on the server (different for each DSP business)

RAM – Relationship Authorisation Manager
MAS – Machine Authentication Service

Page 28

MACHINE-TO-MACHINE AUTHENTICATION | Data Flow

1. Business: initiates a transaction and signs the information using their machine credential stored
2. Software to MAS: the software sends a valid certificate to MAS
3. MAS: validates that the certificate is correct and provides a SAML token back to the software
4. Software to ATO: attaches the SAML token and related business information to the SBR payload and submits a single SBR payload to the ATO
5. ATO SBR Core: verifies that the machine credential ABN and the reporting party ABN match, then processes the request
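The data flow above, as an added worked example in Go (not ATO or SBR code, and not the real WS-Trust/SAML exchange): the machine credential is an X.509 certificate, MAS is modelled as a service that verifies the certificate chain against an assumed issuer and checks proof of possession before returning a signed assertion in place of the SAML token, and SBR Core accepts the payload only when the assertion's ABN equals the reporting party ABN. The issuer, the placement of the ABN in Subject.SerialNumber, the JSON assertion and the ABN values are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert mints an ECDSA P-256 certificate: parent == nil gives a self-signed root (the issuer
// MAS trusts), otherwise a leaf machine credential signed by parent.
// ASSUMPTION (not the ATO's layout): the business ABN is carried in Subject.SerialNumber.
func newCert(cn, abn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn, SerialNumber: abn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// sign and verify are ECDSA over SHA-256 of the message.
func sign(key *ecdsa.PrivateKey, msg []byte) []byte { h := sha256.Sum256(msg); s, _ := ecdsa.SignASN1(rand.Reader, key, h[:]); return s }
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool { h := sha256.Sum256(msg); return ecdsa.VerifyASN1(pub, h[:], sig) }

// TokenRequest is what the software sends MAS (slide step 2): the credential plus a signature over a
// nonce proving it holds the private key. A real service would issue the nonce itself and reject
// replays; here the client picks it, which is the minimum to stop a copied certificate obtaining a token.
type TokenRequest struct{ CertDER, Nonce, Sig []byte }

// Token stands in for the SAML token (slide step 3): a MAS-signed assertion naming the ABN.
type Token struct{ Body, Sig []byte }
type assertion struct {
	ABN string `json:"abn"`
	Exp int64  `json:"exp"`
}

func NewTokenRequest(cert *x509.Certificate, key *ecdsa.PrivateKey) TokenRequest {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	return TokenRequest{CertDER: cert.Raw, Nonce: nonce, Sig: sign(key, nonce)}
}

// MASIssue is the MAS side: chain check against the trusted issuer, proof of possession, short-lived token.
func MASIssue(masKey *ecdsa.PrivateKey, trust *x509.CertPool, req TokenRequest) (Token, error) {
	cert, err := x509.ParseCertificate(req.CertDER)
	if err != nil {
		return Token{}, err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return Token{}, fmt.Errorf("credential not trusted: %w", err)
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !verify(pub, req.Nonce, req.Sig) {
		return Token{}, errors.New("proof of possession failed")
	}
	body, _ := json.Marshal(assertion{ABN: cert.Subject.SerialNumber, Exp: time.Now().Add(5 * time.Minute).Unix()})
	return Token{Body: body, Sig: sign(masKey, body)}, nil
}

// SBRCoreVerify is the ATO side (slide step 5): trust only MAS's signature and the expiry, then refuse
// the payload unless the credential's ABN equals the reporting party ABN carried with the payload.
func SBRCoreVerify(masPub *ecdsa.PublicKey, t Token, reportingABN string) error {
	var a assertion
	if !verify(masPub, t.Body, t.Sig) {
		return errors.New("token signature invalid")
	}
	if err := json.Unmarshal(t.Body, &a); err != nil {
		return err
	}
	if time.Now().Unix() > a.Exp {
		return errors.New("token expired")
	}
	if a.ABN == "" || a.ABN != reportingABN {
		return fmt.Errorf("credential ABN %q does not match reporting party ABN %q", a.ABN, reportingABN)
	}
	return nil
}

func main() {
	issuer, issuerKey := newCert("assumed credential issuer", "", nil, nil)
	trust := x509.NewCertPool()
	trust.AddCert(issuer)
	masKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred, credKey := newCert("machine credential", "11122233344", issuer, issuerKey) // constructed ABN
	tok, err := MASIssue(masKey, trust, NewTokenRequest(cred, credKey))
	fmt.Println("issued:", err == nil, "same ABN:", SBRCoreVerify(&masKey.PublicKey, tok, "11122233344")) // true <nil>
	fmt.Println("other ABN:", SBRCoreVerify(&masKey.PublicKey, tok, "99988877766"))                       // mismatch error
}
```

Two checks that the slide leaves implicit carry the security of the flow: MAS must see proof of possession of the private key and not merely the certificate, otherwise a copied credential file is enough to obtain a token; and SBR Core must take the ABN from the MAS-signed assertion, never from the payload's own claim, or the ABN match protects nothing.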

Page 29

MACHINE-TO-MACHINE AUTHENTICATION | Impacts

We are designing the machine credential to be backward compatible to limit the impact for DSPs and their users.

DSPs that use CAA
• Will be required to generate and install the new machine credential as well as update their software to point to the new STS endpoint address.
• There will be no impact to users.

DSPs that do not use CAA
• DSPs will be required to update their software to point to the new STS endpoint address and deploy the updates to their users.
• Users will need to log into RAM to nominate a Machine Credential Administrator to generate a machine credential. Users will then need to install the machine credential into their software.

Users who have updated their software can continue to use their AUSkey until 2020.

Page 30

Wrap up