(FIN202) Addressing Data Security Concerns in Financial Services: Fidelity Investment's Use of SSE-C...
Page 1: (FIN202) Addressing Data Security Concerns in Financial Services: Fidelity Investment's Use of SSE-C | AWS re:Invent 2014
November 14, 2014 | Las Vegas, NV
Travell Perkins, Fidelity
Pages 2-7: slide images only; no text was extracted.

Page 8:
• Virtual asset transfer (inheritance)
Pages 9-10: slide images only; no text was extracted.

Page 11: architecture diagram (labels extracted from the slide)
• Amazon ELB
• EC2 Auto Scaling Group containing the Application Servers
• DSM
• Cloudant
• CloudFiles
• Twilio Server
• S3
Page 12: slide image only; no text was extracted.

Page 13: component diagram (labels extracted from the slide)

Components:
• DSM (DynamicSecurityModule - PHP Service/FidelityVDC): generates encryption keys using the AES-256 cipher; the keys are used to encrypt/decrypt files.
• Core Service (Node.JS/AWS EC2): documents and data are encrypted for persistent storage and decrypted for the presentation layer; registers new users, handles password resets and user profile management; authenticates and authorizes.
• Customer-facing interface (Javascript, EC2): upload/download documents.
• Admin interface (Javascript, EC2): manage system users.
• Simple Email Service: sends emails for account signup, password resets, file sharing notices etc.
• Twilio: SMS/Voice for multi-factor authentication.
• S3: encrypted documents; stores encrypted documents and meta-data.
• CloudFiles: redundant document storage.
• Cloudant: document meta-data is stored; customer account info is also stored.

Actors: Customers, Admins.

Flows between components (edge labels): Get Encryption Key; Encrypt and Store Documents, Get Customer Documents; Upload/Download Documents; Notify users; Send Email to users; Register User, Authenticate users; Is the user a valid user?; Add a new user, manage users; Manage Users/Admins; Manage Admin Users.
Pages 14-28: slide images only; no text was extracted.

Page 29: threat model. The threat letters in this and the following tables follow STRIDE: S spoofing, T tampering, R repudiation, I information disclosure, D denial of service, E elevation of privilege.

| Component | Threat | Protocol | A.S. | Mitigation |
|---|---|---|---|---|
| All data flows | TID | HTTPS | Various | SSL/TLS everywhere |
Page 30:

| Component | Threat | Mitigation |
|---|---|---|
| EndUser | S | Form Authentication; Multi-factor Authentication |
| EndUser | RD | Not Applicable |
| Admin (Jump Box) | S | SSH UserName/Password; Multi-factor Authentication |
| Admin (Jump Box) | RD | Not Applicable |
| Twilio | S | Shared Access Key |
| Twilio | RD | No fallback SMS service. But Fidsafe Auth falls back to Security Questions. |
| SES (Email) | S | Shared Access Key |
| SES (Email) | RD | No fallback. Messages are sent async. |
Page 31:

| Component | Threat | Mitigation |
|---|---|---|
| DSM | S | HTTPS SSL Server Authentication |
| DSM | E | Low Privileged Account |
| DSM | TRID | All PHP files are read only (for non-root) and owned by root |
| Core Service | S | HTTPS SSL/TLS Server Authentication |
| Core Service | E | Low Privileged Account, Node (Non-root user) |
| Core Service | TRID | Permissions on Node.JS application files 644 |
| Web UI | S | Forms Authentication over HTTPS; SMS or Preference Based Security Question |
| Web UI | E | Running as logged-in user |
| Web UI | TRID | Default permissions (User has no permissions to Framework binaries) |
| Mobile App | S | Digital Signature provides authenticity and tamper detection |
| Mobile App | E | Default container defenses provide least privilege |
| Mobile App | TRID | Digital Signature provides authenticity and tamper detection |
Page 32:

| Component | Threat | Mitigation |
|---|---|---|
| Cloudant | TID | Database Permission (Read, Write, Delete) for CRUD operations. |
| CloudFiles | TID | Shared Access Key; All data bits are encrypted; Hashes stored separately in Cloudant |
| S3 | TID | Shared Access Key; All data bits are encrypted; Hashes stored separately in Cloudant |
Page 33: slide image only; no text was extracted.

Page 34: Request Processing Stack (top to bottom)
• HTTPS Transport
• IP Filtering
• HMAC SHA256 Signing
• JSON XSS Filtering
• Authentication
• Authorization
• Exception Handling
• Execution
Pages 35-41: slide images only; no text was extracted.