Docstoc

Public-Key Infrastructures

Document Sample
Public-Key Infrastructures Powered By Docstoc
					Public-Key Infrastructures

       Mary Horrigan
                           a quick outline
      (a.k.a. Bank of Nova Scotia or BNS)
• Established in 1832 in Halifax, Nova Scotia now based in
  Toronto
• Profitable, with sound Balance Sheet
• Operations in over 50 countries
• Largest Bank in the Caribbean, extensive Latin America
  Network
• Large syndication lender in the US (top 10)
• Recently acquired National Trust and Mocatta Bullion
  (326 years old)
• Scoitabank is “Strength, Integrity, Service”
          Scotiabank in Asia
•   JAPAN 2 Branches   •   Indonesia
•   China              •   Malaysia
•   Hong Kong          •   The Philippines
•   Singapore          •   Republic of Korea
•   Bangladesh         •   Sri Lanka
•   India              •   Taiwan
                       •   Vietnam
      Service and Technology at
           SCOTIABANK
•   Alternate Delivery Channels
•   ABMs and Point-of-Sale
•   Wireless Devices
•   TeleScotia - Telephone Banking
•   Internet - ScotiaOnline
•   Customer Service/Call Centers
•   Smart Cards - VISA Cash and Mondex
• Scotiabank is “pioneering” the use of PKI’s/digital
  certificates/CA’s to secure Internet-based business
• This technology is viewed as essential for safe and
  efficient e-business/commerce
• Partnered with Entrust Tech,. HP, IBM, ICL ect.
• Implemented two PKI’s in 1997 + a test PKI
• Scotia Online Security, an idea to reality in 7 mths
• Customer acceptance exceeding our expectations
• Real-World experience of operations.
•   Management of Risk
•   Demonstration of Scotia OnLine
•   Requirements & Potential Threats
•   Scotiabank’s PKI’s
•   Scotiabank’s Decisions and Acquisition
•   Critical Success Factors
•   The “Trust Model”
•   Real World Operational Experience
 Electronic & Internet based Commerce
   Scotiabank’s Management of Risk
• What Scotiabank didn’t want to do:
  – Offer disparate, stand-alone on-line services
  – Offer dial-up services
  – Force customers into a Branch to enroll
  – Send/mail digital Certificates to customers
  – require our customers to decide the risk they
    wanted to take through the Browser the chose to use
  – validate passwords at the centralized
    servers/mainframes
  – rely on Certificates issued by a third party
   Electronic& Internet based Commerce
     Scotiabank’s Management of Risk

• What Scotiabank wanted to do:
  – Offer an internet-based service, with state-of-the-art
    security to open standards
  – Provide a “best-of-breed” information security solution
    that will be the platform for the future
  – Partner with a reputable leader who’s core competency
    is information security
  – Automatic enrollment and Certificate issuance
  – Have minimal intrusion on the customers PC
  – Have an exportable solution
      Electronic& Internet based Commerce
        Scotiabank’s Management of Risk

• What Scotiabank wanted to do:
  –   Offer services that “look and feel” alike
  –   Provide Single sign-on and ease of navigation
  –   Use customer controlled Passwords or pass-Phrases
  –   Issue Scotiabank Certificates, that can be trusted
  –   Use multiple and unique “anonymous” Certificates
  –   Reduce risks of :
       •   web-site spoofing
       •   identity theft
       •   session hijacking, and
       •   insider attacks
   Electronic& Internet based Commerce
     Scotiabank’s Management of Risk

• What Scotiabank wanted to do:
  - maintain our brand identity
  - build on our position of trust
  - differentiate ourselves in the market place

PUT AN ARMOURED CAR ON
THE INTERNET
    WHAT ARE THE BUSINESS
      REQUIREMENTS?
•   privacy/confidentiality
•   integrity
•   authentication
•   non-repudiation
•   access control
•   availability/continuity
   Existing Customer Initialization
• Contact the bank through 1-800-4-Scotia
• Authentication by customer service rep.
• Acquire a shared secret/temporary password
  from an IVR process
• Go online to the Internet
• Download and install Bank’s software
• Establish personal password/pass-phrase
  (certificates are created and exchanged
  automatically and transparently)
• Access the service
    POTENTIAL THREATS
Loss of confidentiality of information or
 privacy of customer information
Unauthorized changes, duplication or deletion
 of information/transactions
Malicious acts
Human error
Masquerading/spoofing
Denial of service
     POTENTIAL THREATS
  Which have changed since 1832?
• Loss of confidentiality of information or
  privacy of customer information
• unauthorized changes, duplication or
  deletions of information/transactions
• malicious acts
• human error
• masquerading/spoofing
• denial of service
        ……………………………disintermediation
So what to Scotiabank is a Public
      Key Infrastructure?
  Certification Authority…that provides:
 –   Certificate Repository/Directory
 –   Multiple Certificate types for different risks
 –   Certificate Revocation (Lists = CRLs)
 –   Automatic Key aging and update
 –   Key Back-up and Recovery
 –   Key Histories
 So what to Scotiabank is a...
  Public Key Infrastructure?
  Certification Authority….that supports:

– Automated enrollment

– “Cross-certification” with other trusted CA’s

– Non-Repudiation
         System that includes client side
  “software”…including the generation of “keys”
    Public Key Infrastructure (PKI)
•   Approval by Bank Executive in March 1997
•   Two “production” infrastructures
•   External - Customers
•   Internal - Employees & other FIs
•   Based on proven platform (hardware/software)
•   Implemented within three months!
    Public Key infrastructure (PKI)
•   Approval by Bank Executive in March 1997
•   Licenses for Entrust products
•   Scotiabank group worldwide
•   Initial Priorities
•   Internet Banking & Scotia Discount Brokerage
•   Employee External Access
     Public Key Infrastructure (PKI)
•   Approved by Bank Executive September 1998
•   Acquisition of all Entrust client-side software
•   Desktop, Express, Unity, ICE etc.
•   Acquisition of SET software and licenses
•   Web and VPN connectors
•   Open System that has adopted standard
•   Endorsed by the Federal Government
•   FIPS 140-1 certified
•   Product suite…with more to come
•   Being adopted by major IT companies
•   Growing base of Entrust compatible products
•   15 years experience within NORTEL
    – cryptography is a core competency
      Canadian Content….
              Difficulties?
• Adequate, knowledgeable resources
• Immature supporting technologies at the
  client e.g. operating systems, browsers, ISPs
• General acceptance that this is a business
  decision not a technology decision
• The rotating
       Critical Success Factors
• Executive commitment
  not viewed as an ROI issue…
  ..rather a strategic investment

  “The best way to predict the future…..
            …..is to create it!”
      Critical Success Factors
• Executive commitment
• Strong Champion
• Partnering
• Focus on business risk, policy matters…
  …not technical issues
• Use of technology
• Implemented within existing organization
             Segregation of Function

                                Information Security

 Platform        Entrust           Risk Evaluation     Security Quality Assurance    Info.Sec
Operations     Administration                                                       Governance
      Critical Success Factors
• Executive commitment
• Strong Champion
• Partnering
• Focus on business risk, policy matters…
  …not technical issues
• Use of technology
• Implemented within existing organization
    Strong highly motivated team
        We had some fun
       Commitment to……..
  Scotiabank’s Commitment to
Policy, Standards & Best Practices


 ……Information Security
 Governance
    Scotiabank’s Commitment to
  Policy, Standards & Best Practices
• Information Security Steering Committee

• Current Portfolio of Policy and Standards

• Certificate and Certification Practice Statement
      Information Security Policy
            - first principle
    “Enabling Technology
Secure information processing is an enabling technology
that enhances the development of new products and
services, and can support continuous improvements in the
delivery of quality service.
As such, Scotiabank promotes sound security practices in
conducting its business and in interacting with customers,
achieving a balance between customer service needs and
the interests of the bank and its shareholders”
                   So What is

     It encompasses:
•   Governance
•   Availability/Reliability
•   Accountability
•   Risk Management
•   User Registration/Authentication
•   Approached Entrust December 17, 1996
•   Submitted Business Case January 29, 1997
•   Executive Approval March 13, 1997
•   Commenced construction before April
•   First Server delivered April 12, 1997
•   “Entrust Direct” client delivered May 12, 1997
•   Commissioned two PKI’s May 31, 1997
•   Rebuild of client started June 17, 1997
•   First live Interent transactions July 25, 1997
        Where are we now?
• April 21, 1999 07:05hrs EST




   90,026
Only Authentic Certificates &
 Keys External infrastructure

                                                  29.50%
      38.80%




               0.90%
                                           16.00%
                    6.60%

Password reactivation discard      Unregistered discard
Negative Acknowledgement discard   Free Licence Pool
Active Users
        Only Authentic Certificates &
      Keys Monthly Service Availability
100

 98

 96

 94

 92
      Jan- Feb- Mar- Apr- May- Jun- Jul-98 Aug- Sep- Oct- Nov- Dec- Jan- Feb- Mar-
       98   98   98   98   98   98          98   98   98   98   98   99   99   99

      Customer Registration                       Customer Intialization

      Sign On Application                         Average Overall

      Average Overall Excluding Planned Outages
  Important to

• Overall annual availability =
 99.66%
Important to

• Certificates Revoked =
  over 19, 000
        Recent Accomplishments
• Conversion to Entrust Manager REL. 4
   – over 220,00 licenses
   – largest in the World
• Release of direct 3.0 and MAC clients
• Continued testing of Desk-top suite, Unity, ICE etc..
• Installation of UAT PKI (#5)
• Approval of SET pilot (#6)
• Finalizing plans for remote hot stand-by
• Testing of Direct 4.0 client
               Committed to:
• PKI as an enabling technology
• Being leaders in:
  –   PKI
  –   Governance
  –   Cross-certification
  –   e-commerce/e-business
• Canada and International operations
Working together in the “Real
World”…
...developing business solutions…
...and succeeding!
          What’s on our mind?
•   Cost of Registration
•   Reliance on Browsers
•   Thinner clients and “light certs”
•   People-limited understanding
•   Cross-certification
•   Directories
          What’s on Our Mind?
• Portability/Roaming
    – PDA’s
    – Smart Cards
•   Hardware
•   Hot standby - remote
•   Compromise Contingency Planning
•   Conversion
•   Security Quality Assurance
•   Trust Model
  What’s on our mind?
Cross Certification
Authentication and Registration
Partnering
Research
Attribute Certificates
Entrust
You have heard many messages...
• “Industrial Strength” enterprise-wide
  security based on a core competency
• Encryption
• Digital Signatures
• User Authentication
• “Real-World”
• Automated
You have heard many messages...
• “Industrial Strength” enterprise-wide
  security based on a core competency
• A platform for secure e-commerce/e-
  business
• Management of Risk
• Establishment of Trust
• Productivity/efficiency