Lowering costs through PCI-compliant SOA

The Quebec Finance Ministry acts as a central organization that offers advice to the government in the budgetary, fiscal, economic, financial and accounting fields. The Ministry engaged leading systems integrator CGI to convert its application-based payment gateway solution to increase flexibility, maximize security and lower total cost of ownership.
CGI’s Finance Ministry Solution
Lowering Costs with PCI-compliant SOA

CGI, a 30 year old Systems Integrator with over 27,000 employees and more than 100 offices worldwide, is used to repeat business. After all, with an 8.8 out of 10 satisfaction ranking in 2007 from CGI’s ISO 9001:2000-certified client management process, CGI has a history of helping clients achieve superior results.

In this case, a government finance ministry, which acts as a central organization that offers advice to the government in the budgetary, fiscal, economic, financial and accounting fields, wanted CGI to convert their original application-based payment gateway solution to a PCI-compliant, Web services-based one. There was just one problem – this would be the first SOA project undertaken by CGI’s Financial Services arm, and they were only being given 6 months to complete it.

CGI by the Numbers
Founded in 1976
Revenue run rate of CDN$3.8B
Backlog of CDN$12.03 billion
Approximately 27,000 employees
More than 100 offices serving clients in 16 countries
45 of 50 top banks in NA and EU
11 of 15 largest insurers globally
7 of 10 largest global Telco’s
100’s of government agencies

The Business Challenge

Many government ministries offer some kind of fee-based service to the public, and encourage online payment for these services via credit card. For example, the public can access government web sites to pay speeding tickets, purchase recreational fishing licenses, or book national park campgrounds online. In CGI’s original solution, inputting a credit card number invoked their payment gateway at the finance ministry, which then acted as the central clearing house. Fundamentally, the payment gateway was technologically sound, but adding new “merchants” incurred a large IT overhead. To control costs while expanding their portfolio of fee-based services, the government required a more flexible way to add new Ministries and/or new Ministry services on an ad hoc basis.
Additional criteria included support for encryption and digital signing that would be part of an overall push toward PCI compliance.

Introducing SOA – Layer 7 Proves Key

After consulting with their SOA Center of Excellence, CGI proposed migrating the existing application-based payment gateway to a Web services model with the goal of creating a more secure, standards-based, PCI compliant solution that would feature a lower total cost of ownership.

For the security layer, CGI compared a number of commercial off-the-shelf vendors (as well as building a solution themselves) and decided that the Layer 7 SecureSpan Gateway (Gateway) provided the most robust solution, offering not only centralized enforcement of security policies but also an XML VPN Client that could be easily installed at each ministry to automatically negotiate the security and credentialing handshake between the client application and the SSG, eliminating the need to recode, test and deploy each client application. Because the existing IT infrastructure varied widely from ministry to ministry, this functionality would greatly reduce the time to deploy the overall solution.

The Solution

The greatest effort centered around re-creating the old API-based transaction application as a set of Web services. By carving up the monolithic application into discrete pieces of functionality, CGI could institute a series of steps required to validate and process each transaction, as well as simplify the addition of new ministries as payees. For example, one Web service converts SOAP messages to an HTML-based format and submits them to the existing ASP-based Web interface, which in turn submits them to a handler behind several security zones.
The handler sends the response, including a transaction ID, which the client must send back to confirm the transaction, otherwise the transaction is rolled back.

The SecureSpan Gateway allows CGI to define and enforce security policies at run-time, as well as perform XML schema validation for threat protection. The Gateway’s native X.509 capabilities are used to provide an authentication/authorization framework in conjunction with the finance ministry’s existing LDAP service. The Gateway also provides message level cryptography, including signature validation and decryption of incoming content.

The Results

Today, over 20 Ministries are taking advantage of the new PCI-compliant credit card payment system, with more being added every month on an ad hoc basis.

Centralized enforcement of security policies gave CGI consistent security across all applications, thereby eliminating the time and effort associated with coding and maintaining security details in each back-end application.

The XML VPN Client allowed CGI to essentially “drop in” a software solution that would handle all encryption, digital signing and other credentialing independent of the client application while ensuring PCI compliance. This allowed CGI to avoid having to code (and subsequently test and deploy) security requirements in each of the Ministry’s client applications – a key capability in allowing CGI to meet project timelines.

“We made a good decision two years ago in choosing Layer 7’s SecureSpan Gateway, and we are very satisfied with the results!”
Marc Bourassa, Director, Consulting Services, Financial Services Sector, CGI Group, Inc.

Copyright © 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com). All other trademarks are the property of their respective owners. Layer 7 Internal Use Only