Public-Key Infrastructures
44
Public-Key Infrastructures Mary Horrigan
description
Public-Key Infrastructures. Mary Horrigan. a quick outline (a.k.a. Bank of Nova Scotia or BNS). Established in 1832 in Halifax, Nova Scotia now based in Toronto Profitable, with sound Balance Sheet Operations in over 50 countries - PowerPoint PPT Presentation
Transcript of Public-Key Infrastructures
Public-Key Infrastructures
Mary Horrigan
a quick outline(a.k.a. Bank of Nova Scotia or BNS)
• Established in 1832 in Halifax, Nova Scotia now based in Toronto
• Profitable, with sound Balance Sheet
• Operations in over 50 countries
• Largest Bank in the Caribbean, extensive Latin America Network
• Large syndication lender in the US (top 10)
• Recently acquired National Trust and Mocatta Bullion (326 years old)
• Scoitabank is “Strength, Integrity, Service”
Scotiabank in Asia
• JAPAN 2 Branches
• China
• Hong Kong
• Singapore
• Bangladesh
• India
• Indonesia
• Malaysia
• The Philippines
• Republic of Korea
• Sri Lanka
• Taiwan
• Vietnam
Service and Technology at SCOTIABANK
• Alternate Delivery Channels
• ABMs and Point-of-Sale
• Wireless Devices
• TeleScotia - Telephone Banking
• Internet - ScotiaOnline
• Customer Service/Call Centers
• Smart Cards - VISA Cash and Mondex
Scotia OnLine.lnk
• Scotiabank is “pioneering” the use of PKI’s/digital certificates/CA’s to secure Internet-based business
• This technology is viewed as essential for safe and efficient e-business/commerce
• Partnered with Entrust Tech,. HP, IBM, ICL ect.
• Implemented two PKI’s in 1997 + a test PKI
• Scotia Online Security, an idea to reality in 7 mths
• Customer acceptance exceeding our expectations
• Real-World experience of operations.
• Management of Risk
• Demonstration of Scotia OnLine
• Requirements & Potential Threats
• Scotiabank’s PKI’s
• Scotiabank’s Decisions and Acquisition
• Critical Success Factors
• The “Trust Model”
• Real World Operational Experience
Electronic & Internet based Commerce Scotiabank’s Management of Risk
• What Scotiabank didn’t want to do: – Offer disparate, stand-alone on-line services– Offer dial-up services– Force customers into a Branch to enroll– Send/mail digital Certificates to customers– require our customers to decide the risk they wanted
to take through the Browser the chose to use– validate passwords at the centralized
servers/mainframes– rely on Certificates issued by a third party
Electronic& Internet based Commerce Scotiabank’s Management of Risk
• What Scotiabank wanted to do:– Offer an internet-based service, with state-of-the-art security
to open standards
– Provide a “best-of-breed” information security solution that will be the platform for the future
– Partner with a reputable leader who’s core competency is information security
– Automatic enrollment and Certificate issuance– Have minimal intrusion on the customers PC– Have an exportable solution
Electronic& Internet based Commerce Scotiabank’s Management of Risk
• What Scotiabank wanted to do:– Offer services that “look and feel” alike– Provide Single sign-on and ease of navigation– Use customer controlled Passwords or pass-Phrases– Issue Scotiabank Certificates, that can be trusted– Use multiple and unique “anonymous” Certificates– Reduce risks of :
• web-site spoofing• identity theft• session hijacking, and• insider attacks
Electronic& Internet based Commerce Scotiabank’s Management of Risk
• What Scotiabank wanted to do:
PUT AN ARMOURED CAR ON THE INTERNET
- maintain our brand identity- build on our position of trust- differentiate ourselves in the market place
WHAT ARE THE BUSINESS REQUIREMENTS?
• privacy/confidentiality
• integrity
• authentication
• non-repudiation
• access control
• availability/continuity
Existing Customer Initialization• Contact the bank through 1-800-4-Scotia• Authentication by customer service rep.• Acquire a shared secret/temporary password
from an IVR process• Go online to the Internet• Download and install Bank’s software• Establish personal password/pass-phrase
(certificates are created and exchanged automatically and transparently)
• Access the service
POTENTIAL THREATS
Loss of confidentiality of information or privacy of customer information
Unauthorized changes, duplication or deletion of information/transactions
Malicious acts
Human errorMasquerading/spoofing
Denial of service
POTENTIAL THREATSWhich have changed since 1832?
• Loss of confidentiality of information or privacy of customer information
• unauthorized changes, duplication or deletions of information/transactions
• malicious acts
• human error
• masquerading/spoofing
• denial of service
……………………………disintermediation
So what to Scotiabank is a Public Key Infrastructure?
– Certificate Repository/Directory– Multiple Certificate types for different risks– Certificate Revocation (Lists = CRLs)– Automatic Key aging and update– Key Back-up and Recovery– Key Histories
Certification Authority…that provides:
So what to Scotiabank is a... Public Key Infrastructure?
– Automated enrollment
– “Cross-certification” with other trusted CA’s
– Non-Repudiation
Certification Authority….that supports:
System that includes client side
“software”…including the generation of “keys”
Public Key Infrastructure (PKI)
• Approval by Bank Executive in March 1997
• Two “production” infrastructures
• External - Customers
• Internal - Employees & other FIs
• Based on proven platform (hardware/software)
• Implemented within three months!
Public Key infrastructure (PKI)
• Approval by Bank Executive in March 1997
• Licenses for Entrust products
• Scotiabank group worldwide
• Initial Priorities
• Internet Banking & Scotia Discount Brokerage
• Employee External Access
Public Key Infrastructure (PKI)
• Approved by Bank Executive September 1998
• Acquisition of all Entrust client-side software
• Desktop, Express, Unity, ICE etc.
• Acquisition of SET software and licenses
• Web and VPN connectors
• Open System that has adopted standard
• Endorsed by the Federal Government
• FIPS 140-1 certified
• Product suite…with more to come
• Being adopted by major IT companies
• Growing base of Entrust compatible products
• 15 years experience within NORTEL– cryptography is a core competency
Canadian Content….
Difficulties?
• Adequate, knowledgeable resources
• Immature supporting technologies at the client e.g. operating systems, browsers, ISPs
• General acceptance that this is a business decision not a technology decision
• The rotating
Critical Success Factors
• Executive commitment not viewed as an ROI issue… ..rather a strategic investment
“The best way to predict the future…..…..is to create it!”
Critical Success Factors
• Executive commitment
• Strong Champion
• Partnering
• Focus on business risk, policy matters… …not technical issues
• Use of technology
• Implemented within existing organization
Segregation of Function
P la tfo rmO p era tion s
E n tru s tA d m in is tra t ion
R isk E va lu a tion S ec u rity Q u a lity A ss u ran c e In fo .S ecG overn an c e
Inform ation Security
Critical Success Factors• Executive commitment
• Strong Champion
• Partnering
• Focus on business risk, policy matters… …not technical issues
• Use of technology
• Implemented within existing organization
Strong highly motivated team
We had some funCommitment to……..
Scotiabank’s Commitment toPolicy, Standards & Best Practices
……Information Security Governance
Scotiabank’s Commitment toPolicy, Standards & Best Practices
• Information Security Steering Committee
• Current Portfolio of Policy and Standards
• Certificate and Certification Practice Statement
Information Security Policy- first principle
“Enabling TechnologySecure information processing is an enabling technologythat enhances the development of new products and services, and can support continuous improvements in the delivery of quality service.
As such, Scotiabank promotes sound security practices inconducting its business and in interacting with customers, achieving a balance between customer service needs and the interests of the bank and its shareholders”
So What is
• Governance
• Availability/Reliability
• Accountability
• Risk Management
• User Registration/Authentication
It encompasses:
• Approached Entrust December 17, 1996
• Submitted Business Case January 29, 1997
• Executive Approval March 13, 1997
• Commenced construction before April
• First Server delivered April 12, 1997
• “Entrust Direct” client delivered May 12, 1997
• Commissioned two PKI’s May 31, 1997
• Rebuild of client started June 17, 1997
• First live Interent transactions July 25, 1997
Where are we now?
• April 21, 1999 07:05hrs EST
90,026
Only Authentic Certificates & Keys External infrastructure
29.50%
16.00%6.60%
0.90%
38.80%
Password reactivation discard Unregistered discardNegative Acknowledgement discard Free Licence PoolActive Users
Only Authentic Certificates & Keys Monthly Service Availability
92
94
96
98
100
Jan-98
Feb-98
Mar-98
Apr-98
May-98
Jun-98
Jul-98 Aug-98
Sep-98
Oct-98
Nov-98
Dec-98
Jan-99
Feb-99
Mar-99
Customer Registration Customer Intialization
Sign On Application Average Overall
Average Overall Excluding Planned Outages
Important to
• Overall annual availability = 99.66%
Important to
• Certificates Revoked = over 19, 000
Recennt Accomplishments• Conversion to Entrust Manager REL. 4
– over 220,00 licenses
– largest in the World
• Release of direct 3.0 and MAC clients
• Continued testing of Desk-top suite, Unity, ICE etc..
• Installation of UAT PKI (#5)
• Approval of SET pilot (#6)
• Finalizing plans for remote hot stand-by
• Testing of Direct 4.0 client
Committed to:
• PKI as an enabling technology
• Being leaders in:– PKI– Governance– Cross-certification– e-commerce/e-business
• Canada and International operationsCanada and International operations
Working together in the “Real World”…...developing business solutions…...and succeeding!
What’s on our mind?
• Cost of Registration
• Reliance on Browsers
• Thinner clients and “light certs”
• People-limited understanding
• Cross-certification
• Directories
What’s on Our Mind?• Portability/Roaming
– PDA’s– Smart Cards
• Hardware• Hot standby - remote• Compromise Contingency Planning• Conversion• Security Quality Assurance• Trust Model
What’s on our mind?
Cross CertificationAuthentication and RegistrationPartneringResearchAttribute CertificatesEntrust
You have heard many messages...
• “Industrial Strength” enterprise-wide security based on a core competency
• Encryption
• Digital Signatures
• User Authentication
• “Real-World”
• Automated
You have heard many messages...
• “Industrial Strength” enterprise-wide security based on a core competency
• A platform for secure e-commerce/e-business
• Management of Risk
• Establishment of Trust
• Productivity/efficiency
