Public-Key Infrastructures

44
Public-Key Infrastructures Mary Horrigan

description

Public-Key Infrastructures. Mary Horrigan. a quick outline (a.k.a. Bank of Nova Scotia or BNS). Established in 1832 in Halifax, Nova Scotia now based in Toronto Profitable, with sound Balance Sheet Operations in over 50 countries - PowerPoint PPT Presentation

Transcript of Public-Key Infrastructures

Page 1: Public-Key Infrastructures

Public-Key Infrastructures

Mary Horrigan

Page 2: Public-Key Infrastructures

a quick outline(a.k.a. Bank of Nova Scotia or BNS)

• Established in 1832 in Halifax, Nova Scotia now based in Toronto

• Profitable, with sound Balance Sheet

• Operations in over 50 countries

• Largest Bank in the Caribbean, extensive Latin America Network

• Large syndication lender in the US (top 10)

• Recently acquired National Trust and Mocatta Bullion (326 years old)

• Scoitabank is “Strength, Integrity, Service”

Page 3: Public-Key Infrastructures

Scotiabank in Asia

• JAPAN 2 Branches

• China

• Hong Kong

• Singapore

• Bangladesh

• India

• Indonesia

• Malaysia

• The Philippines

• Republic of Korea

• Sri Lanka

• Taiwan

• Vietnam

Page 4: Public-Key Infrastructures

Service and Technology at SCOTIABANK

• Alternate Delivery Channels

• ABMs and Point-of-Sale

• Wireless Devices

• TeleScotia - Telephone Banking

• Internet - ScotiaOnline

• Customer Service/Call Centers

• Smart Cards - VISA Cash and Mondex

Scotia OnLine.lnk

Page 5: Public-Key Infrastructures

• Scotiabank is “pioneering” the use of PKI’s/digital certificates/CA’s to secure Internet-based business

• This technology is viewed as essential for safe and efficient e-business/commerce

• Partnered with Entrust Tech,. HP, IBM, ICL ect.

• Implemented two PKI’s in 1997 + a test PKI

• Scotia Online Security, an idea to reality in 7 mths

• Customer acceptance exceeding our expectations

• Real-World experience of operations.

Page 6: Public-Key Infrastructures

• Management of Risk

• Demonstration of Scotia OnLine

• Requirements & Potential Threats

• Scotiabank’s PKI’s

• Scotiabank’s Decisions and Acquisition

• Critical Success Factors

• The “Trust Model”

• Real World Operational Experience

Page 7: Public-Key Infrastructures

Electronic & Internet based Commerce Scotiabank’s Management of Risk

• What Scotiabank didn’t want to do: – Offer disparate, stand-alone on-line services– Offer dial-up services– Force customers into a Branch to enroll– Send/mail digital Certificates to customers– require our customers to decide the risk they wanted

to take through the Browser the chose to use– validate passwords at the centralized

servers/mainframes– rely on Certificates issued by a third party

Page 8: Public-Key Infrastructures

Electronic& Internet based Commerce Scotiabank’s Management of Risk

• What Scotiabank wanted to do:– Offer an internet-based service, with state-of-the-art security

to open standards

– Provide a “best-of-breed” information security solution that will be the platform for the future

– Partner with a reputable leader who’s core competency is information security

– Automatic enrollment and Certificate issuance– Have minimal intrusion on the customers PC– Have an exportable solution

Page 9: Public-Key Infrastructures

Electronic& Internet based Commerce Scotiabank’s Management of Risk

• What Scotiabank wanted to do:– Offer services that “look and feel” alike– Provide Single sign-on and ease of navigation– Use customer controlled Passwords or pass-Phrases– Issue Scotiabank Certificates, that can be trusted– Use multiple and unique “anonymous” Certificates– Reduce risks of :

• web-site spoofing• identity theft• session hijacking, and• insider attacks

Page 10: Public-Key Infrastructures

Electronic& Internet based Commerce Scotiabank’s Management of Risk

• What Scotiabank wanted to do:

PUT AN ARMOURED CAR ON THE INTERNET

- maintain our brand identity- build on our position of trust- differentiate ourselves in the market place

Page 11: Public-Key Infrastructures

WHAT ARE THE BUSINESS REQUIREMENTS?

• privacy/confidentiality

• integrity

• authentication

• non-repudiation

• access control

• availability/continuity

Page 12: Public-Key Infrastructures

Existing Customer Initialization• Contact the bank through 1-800-4-Scotia• Authentication by customer service rep.• Acquire a shared secret/temporary password

from an IVR process• Go online to the Internet• Download and install Bank’s software• Establish personal password/pass-phrase

(certificates are created and exchanged automatically and transparently)

• Access the service

Page 13: Public-Key Infrastructures

POTENTIAL THREATS

Loss of confidentiality of information or privacy of customer information

Unauthorized changes, duplication or deletion of information/transactions

Malicious acts

Human errorMasquerading/spoofing

Denial of service

Page 14: Public-Key Infrastructures

POTENTIAL THREATSWhich have changed since 1832?

• Loss of confidentiality of information or privacy of customer information

• unauthorized changes, duplication or deletions of information/transactions

• malicious acts

• human error

• masquerading/spoofing

• denial of service

……………………………disintermediation

Page 15: Public-Key Infrastructures

So what to Scotiabank is a Public Key Infrastructure?

– Certificate Repository/Directory– Multiple Certificate types for different risks– Certificate Revocation (Lists = CRLs)– Automatic Key aging and update– Key Back-up and Recovery– Key Histories

Certification Authority…that provides:

Page 16: Public-Key Infrastructures

So what to Scotiabank is a... Public Key Infrastructure?

– Automated enrollment

– “Cross-certification” with other trusted CA’s

– Non-Repudiation

Certification Authority….that supports:

System that includes client side

“software”…including the generation of “keys”

Page 17: Public-Key Infrastructures

Public Key Infrastructure (PKI)

• Approval by Bank Executive in March 1997

• Two “production” infrastructures

• External - Customers

• Internal - Employees & other FIs

• Based on proven platform (hardware/software)

• Implemented within three months!

Page 18: Public-Key Infrastructures

Public Key infrastructure (PKI)

• Approval by Bank Executive in March 1997

• Licenses for Entrust products

• Scotiabank group worldwide

• Initial Priorities

• Internet Banking & Scotia Discount Brokerage

• Employee External Access

Page 19: Public-Key Infrastructures

Public Key Infrastructure (PKI)

• Approved by Bank Executive September 1998

• Acquisition of all Entrust client-side software

• Desktop, Express, Unity, ICE etc.

• Acquisition of SET software and licenses

• Web and VPN connectors

Page 20: Public-Key Infrastructures

• Open System that has adopted standard

• Endorsed by the Federal Government

• FIPS 140-1 certified

• Product suite…with more to come

• Being adopted by major IT companies

• Growing base of Entrust compatible products

• 15 years experience within NORTEL– cryptography is a core competency

Canadian Content….

Page 21: Public-Key Infrastructures

Difficulties?

• Adequate, knowledgeable resources

• Immature supporting technologies at the client e.g. operating systems, browsers, ISPs

• General acceptance that this is a business decision not a technology decision

• The rotating

Page 22: Public-Key Infrastructures

Critical Success Factors

• Executive commitment not viewed as an ROI issue… ..rather a strategic investment

“The best way to predict the future…..…..is to create it!”

Page 23: Public-Key Infrastructures

Critical Success Factors

• Executive commitment

• Strong Champion

• Partnering

• Focus on business risk, policy matters… …not technical issues

• Use of technology

• Implemented within existing organization

Page 24: Public-Key Infrastructures

Segregation of Function

P la tfo rmO p era tion s

E n tru s tA d m in is tra t ion

R isk E va lu a tion S ec u rity Q u a lity A ss u ran c e In fo .S ecG overn an c e

Inform ation Security

Page 25: Public-Key Infrastructures

Critical Success Factors• Executive commitment

• Strong Champion

• Partnering

• Focus on business risk, policy matters… …not technical issues

• Use of technology

• Implemented within existing organization

Strong highly motivated team

We had some funCommitment to……..

Page 26: Public-Key Infrastructures

Scotiabank’s Commitment toPolicy, Standards & Best Practices

……Information Security Governance

Page 27: Public-Key Infrastructures

Scotiabank’s Commitment toPolicy, Standards & Best Practices

• Information Security Steering Committee

• Current Portfolio of Policy and Standards

• Certificate and Certification Practice Statement

Page 28: Public-Key Infrastructures

Information Security Policy- first principle

“Enabling TechnologySecure information processing is an enabling technologythat enhances the development of new products and services, and can support continuous improvements in the delivery of quality service.

As such, Scotiabank promotes sound security practices inconducting its business and in interacting with customers, achieving a balance between customer service needs and the interests of the bank and its shareholders”

Page 29: Public-Key Infrastructures

So What is

• Governance

• Availability/Reliability

• Accountability

• Risk Management

• User Registration/Authentication

It encompasses:

Page 30: Public-Key Infrastructures

• Approached Entrust December 17, 1996

• Submitted Business Case January 29, 1997

• Executive Approval March 13, 1997

• Commenced construction before April

• First Server delivered April 12, 1997

• “Entrust Direct” client delivered May 12, 1997

• Commissioned two PKI’s May 31, 1997

• Rebuild of client started June 17, 1997

• First live Interent transactions July 25, 1997

Page 31: Public-Key Infrastructures

Where are we now?

• April 21, 1999 07:05hrs EST

90,026

Page 32: Public-Key Infrastructures

Only Authentic Certificates & Keys External infrastructure

29.50%

16.00%6.60%

0.90%

38.80%

Password reactivation discard Unregistered discardNegative Acknowledgement discard Free Licence PoolActive Users

Page 33: Public-Key Infrastructures

Only Authentic Certificates & Keys Monthly Service Availability

92

94

96

98

100

Jan-98

Feb-98

Mar-98

Apr-98

May-98

Jun-98

Jul-98 Aug-98

Sep-98

Oct-98

Nov-98

Dec-98

Jan-99

Feb-99

Mar-99

Customer Registration Customer Intialization

Sign On Application Average Overall

Average Overall Excluding Planned Outages

Page 34: Public-Key Infrastructures

Important to

• Overall annual availability = 99.66%

Page 35: Public-Key Infrastructures

Important to

• Certificates Revoked = over 19, 000

Page 36: Public-Key Infrastructures

Recennt Accomplishments• Conversion to Entrust Manager REL. 4

– over 220,00 licenses

– largest in the World

• Release of direct 3.0 and MAC clients

• Continued testing of Desk-top suite, Unity, ICE etc..

• Installation of UAT PKI (#5)

• Approval of SET pilot (#6)

• Finalizing plans for remote hot stand-by

• Testing of Direct 4.0 client

Page 37: Public-Key Infrastructures

Committed to:

• PKI as an enabling technology

• Being leaders in:– PKI– Governance– Cross-certification– e-commerce/e-business

• Canada and International operationsCanada and International operations

Page 38: Public-Key Infrastructures

Working together in the “Real World”…...developing business solutions…...and succeeding!

Page 39: Public-Key Infrastructures

What’s on our mind?

• Cost of Registration

• Reliance on Browsers

• Thinner clients and “light certs”

• People-limited understanding

• Cross-certification

• Directories

Page 40: Public-Key Infrastructures

What’s on Our Mind?• Portability/Roaming

– PDA’s– Smart Cards

• Hardware• Hot standby - remote• Compromise Contingency Planning• Conversion• Security Quality Assurance• Trust Model

Page 41: Public-Key Infrastructures

What’s on our mind?

Cross CertificationAuthentication and RegistrationPartneringResearchAttribute CertificatesEntrust

Page 42: Public-Key Infrastructures

You have heard many messages...

• “Industrial Strength” enterprise-wide security based on a core competency

• Encryption

• Digital Signatures

• User Authentication

• “Real-World”

• Automated

Page 43: Public-Key Infrastructures

You have heard many messages...

• “Industrial Strength” enterprise-wide security based on a core competency

• A platform for secure e-commerce/e-business

• Management of Risk

• Establishment of Trust

• Productivity/efficiency

Page 44: Public-Key Infrastructures