Case Study: Quebec Finance Ministry - CGI Solution by Layer7Tech


									  CGI’s Finance Ministry Solution
  Lowering Costs with PCI-compliant SOA

      CGI, a 30 year old Systems Integrator with over 27,000 employees and more than 100 offices worldwide, is
      used to repeat business. After all, with an 8.8 out of 10 satisfaction ranking in 2007 from CGI’s
      ISO 9001:2000-certified client management process, CGI has a history of helping clients achieve superior
      results.

      In this case, a government finance ministry, which acts as a central organization that offers advice to the
      government in the budgetary, fiscal, economic, financial and accounting fields, wanted CGI to convert their
      original application-based payment gateway solution to a PCI-compliant, Web services-based one. There was
      just one problem – this would be the first SOA project undertaken by CGI’s Financial Services arm, and they
      were only being given 6 months to complete it.

      CGI by the Numbers
      Founded in 1976
      Revenue run rate of CDN$3.8B
      Backlog of CDN$12.03 billion
      Approximately 27,000 employees
      More than 100 offices serving clients in 16 countries
      45 of 50 top banks in NA and EU
      11 of 15 largest insurers globally
      7 of 10 largest global Telco’s
      100’s of government agencies

      The Business Challenge
      Many government ministries offer some kind of fee-based service to the public, and encourage online payment
      for these services via credit card. For example, the public can access government web sites to pay speeding
      tickets, purchase recreational fishing licenses, or book national park campgrounds online. In CGI’s original
      solution, inputting a credit card number invoked their payment gateway at the finance ministry, which then
      acted as the central clearing house.

      Fundamentally, the payment gateway was technologically sound, but adding new “merchants” incurred a large IT
      overhead. To control costs while expanding their portfolio of fee-based services, the government required a more
      flexible way to add new Ministries and/or new Ministry services on an ad hoc basis. Additional criteria included
      support for encryption and digital signing that would be part of an overall push toward PCI compliance.

      Introducing SOA – Layer 7 Proves Key
      After consulting with their SOA Center of Excellence, CGI proposed migrating the existing application-based
      payment gateway to a Web services model with the goal of creating a more secure, standards-based, PCI
      compliant solution that would feature a lower total cost of ownership.

      For the security layer, CGI compared a number of commercial off-the-shelf vendors (as well as building a solution
      themselves) and decided that the Layer 7 SecureSpan Gateway (Gateway) provided the most robust solution,
      offering not only centralized enforcement of security policies but also an XML VPN Client that could be easily
      installed at each ministry to automatically negotiate the security and credentialing handshake between the client
      application and the SSG, eliminating the need to recode, test and deploy each client application. Because the
      existing IT infrastructure varied widely from ministry to ministry, this functionality would greatly reduce the
      time to deploy the overall

      The Solution
      The greatest effort centered around re-creating the old API-based transaction application as a set of Web
      services. By carving up the monolithic application into discrete pieces of functionality, CGI could institute a
      series of steps required to validate and process each transaction, as well as simplify the addition of new
      ministries as payees. For example, one Web service converts SOAP messages to an HTML format and submits it to
      the existing ASP-based Web interface, which in turn submits it to a handler behind several security zones. The
      handler sends the response, including a transaction ID, which the client must send back to confirm the
      transaction, otherwise the transaction is rolled back.

      The SecureSpan Gateway allows CGI to define and enforce security policies at run-time, as well as perform XML
      schema validation for threat protection. The Gateway’s native X.509 capabilities are used to provide an
      authentication/authorization framework in conjunction with the finance ministry’s existing LDAP service. The
      Gateway also provides message level cryptography including signature validation and decryption of incoming

      The Results
      Today, over 20 Ministries are taking advantage of the new PCI-compliant credit card payment system, with more
      being added every month on an ad hoc basis.

      Centralized enforcement of security policies gave CGI consistent security across all applications, thereby
      eliminating the time and effort associated with coding and maintaining security details in each back-end
      application.

      The XML VPN Client allowed CGI to essentially “drop in” a software solution that would handle all encryption,
      digital signing and other credentialing independent of the client application while ensuring PCI compliance.
      This allowed CGI to avoid having to code (and subsequently test and deploy) security requirements in each of
      the Ministry’s client applications – a key capability in allowing CGI to meet project

      “We made a good decision two years ago in choosing Layer 7’s SecureSpan Gateway, and we are very satisfied
      with the results!”
      Marc Bourassa, Director, Consulting Services, Financial Services Sector, CGI Group, Inc.

                                 © Copyright 201 by Layer 7 Technologies, Inc. (
                      All other trademarks are the property of their respective owners Layer 7 Internal Use Only
