Documentation

NRDEX Security Principles

Security principles for NRDEX aligned to the control model used in X-Road-based exchange ecosystems.

Purpose

NRDEX is intended to support secure institutional data exchange across public agencies and authorized entities. Its security model should follow the core control pattern used in X-Road ecosystems: distributed data ownership, strong machine-to-machine trust, cryptographic protection of exchanges, and auditable operations.

This page summarizes the principles NRDEX should enforce at the exchange-layer level. It does not replace the official X-Road specifications or local agency security obligations.

For official source material, see:

Core security model

NRDEX should enforce the following baseline properties for every approved exchange:

  • confidentiality of data in transit
  • integrity of requests and responses
  • mutual authentication between participating security servers
  • non-repudiation for exchange events where policy requires evidentiary traceability
  • accountability through durable logs and operational monitoring

In an X-Road-style environment, trust is established through Public Key Infrastructure, approved certificates, and mutually authenticated encrypted channels between member security servers.

Purpose and core controls

Confidentiality and integrity

All service traffic should move through encrypted channels between trusted security servers. Message transport should protect both the confidentiality of exchanged data and the integrity of the request and response path.

Mutual authentication

Each participating security server should verify the identity of the other side before any exchange takes place. This is a machine-level trust control, not just an application login feature. Certificates should be issued by approved authorities and validated according to ecosystem policy.

Signed and traceable exchanges

Requests and responses should be digitally signed where required by the exchange profile and governance policy. Timestamping and signed logs should provide evidentiary value, support dispute resolution, and preserve traceability across organizational boundaries.

Logging and operational visibility

Although message logs are stored on distributed security servers, NRDEX should support centralized oversight through operational monitoring, metrics collection, and review workflows. The operator must be able to detect abuse, failures, unusual traffic patterns, and policy violations without taking ownership of the underlying business data.

Data protection principles

Data sovereignty

Data owners retain authority over the services they expose. NRDEX should not centralize source datasets merely to make exchange easier. In line with the X-Road model, the service provider remains the authority that decides who may consume a service and under what conditions.

Closed-by-default access

Access should be denied unless it has been explicitly granted. Service providers should authorize specific clients and business uses rather than relying on broad network trust or implicit institutional membership.

Data minimisation

Only the minimum data necessary for the approved purpose should be exchanged. Interface design, access approval, and operational review should all reinforce this principle.

Auditability

Exchange activity must be auditable after the fact. Logs should support technical investigation, regulatory review, and formal evidence where needed. Auditability is not optional metadata; it is part of the trust model.

Operational expectations

Certificate lifecycle management

Security certificates must be rotated on a controlled schedule and renewed before expiry. Where supported, automation such as ACME should be used to reduce operational risk and manual handling errors.

Access-rights governance

Access rights should be reviewed periodically and revoked when no longer justified. Approval records should map technical client permissions to a documented legal or operational purpose.

Incident escalation

Security events must be escalated through a defined incident response process. This includes certificate compromise, unauthorized access attempts, integrity failures, abnormal traffic, and security server health issues.

Onboarding and independent assessment

Before joining production, a member organization should complete identity verification, technical onboarding, and readiness checks defined by the governing authority. Major production changes should be subject to controlled review and, where necessary, independent assessment.

Local hardening and shared responsibility

NRDEX exchange-layer controls do not replace local security responsibilities.

Each participating organization remains responsible for:

  • hardening and patching its internal systems
  • securing the host environment of the security server
  • maintaining local firewalls and network segmentation
  • managing administrator access and credentials
  • authenticating and authorizing its own end users
  • protecting the business applications and databases behind exposed services

The security server should be treated as a strong boundary component and application-level firewall, but not as the only security control in the organization.

Implementation note

For NRDEX, the practical design implication is clear: the exchange layer can provide trusted transport, signed exchanges, controlled service exposure, and strong audit trails, but agencies still own the security of their internal applications, data, and operational environment.