440 likes | 574 Views
Public-Key Infrastructures. Mary Horrigan. a quick outline (a.k.a. Bank of Nova Scotia or BNS). Established in 1832 in Halifax, Nova Scotia now based in Toronto Profitable, with sound Balance Sheet Operations in over 50 countries
E N D
Public-Key Infrastructures Mary Horrigan
a quick outline(a.k.a. Bank of Nova Scotia or BNS) • Established in 1832 in Halifax, Nova Scotia now based in Toronto • Profitable, with sound Balance Sheet • Operations in over 50 countries • Largest Bank in the Caribbean, extensive Latin America Network • Large syndication lender in the US (top 10) • Recently acquired National Trust and Mocatta Bullion (326 years old) • Scoitabank is “Strength, Integrity, Service”
JAPAN 2 Branches China Hong Kong Singapore Bangladesh India Indonesia Malaysia The Philippines Republic of Korea Sri Lanka Taiwan Vietnam Scotiabank in Asia
Service and Technology at SCOTIABANK • Alternate Delivery Channels • ABMs and Point-of-Sale • Wireless Devices • TeleScotia - Telephone Banking • Internet - ScotiaOnline • Customer Service/Call Centers • Smart Cards - VISA Cash and Mondex
The Highlights • Scotiabank is “pioneering” the use of PKI’s/digital certificates/CA’s to secure Internet-based business • This technology is viewed as essential for safe and efficient e-business/commerce • Partnered with Entrust Tech,. HP, IBM, ICL ect. • Implemented two PKI’s in 1997 + a test PKI • Scotia Online Security, an idea to reality in 7 mths • Customer acceptance exceeding our expectations • Real-World experience of operations.
Topics • Management of Risk • Demonstration of Scotia OnLine • Requirements & Potential Threats • Scotiabank’s PKI’s • Scotiabank’s Decisions and Acquisition • Critical Success Factors • The “Trust Model” • Real World Operational Experience
Electronic & Internet based Commerce Scotiabank’s Management of Risk • What Scotiabank didn’t want to do: • Offer disparate, stand-alone on-line services • Offer dial-up services • Force customers into a Branch to enroll • Send/mail digital Certificates to customers • require our customers to decide the risk they wanted to take through the Browser the chose to use • validate passwords at the centralized servers/mainframes • rely on Certificates issued by a third party
Electronic& Internet based Commerce Scotiabank’s Management of Risk • What Scotiabank wanted to do: • Offer an internet-based service, with state-of-the-art security to open standards • Provide a “best-of-breed” information security solution that will be the platform for the future • Partner with a reputable leader who’s core competency is information security • Automatic enrollment and Certificate issuance • Have minimal intrusion on the customers PC • Have an exportable solution
Electronic& Internet based Commerce Scotiabank’s Management of Risk • What Scotiabank wanted to do: • Offer services that “look and feel” alike • Provide Single sign-on and ease of navigation • Use customer controlled Passwords or pass-Phrases • Issue Scotiabank Certificates, that can be trusted • Use multiple and unique “anonymous” Certificates • Reduce risks of : • web-site spoofing • identity theft • session hijacking, and • insider attacks
Electronic& Internet based Commerce Scotiabank’s Management of Risk • What Scotiabank wanted to do: - maintain our brand identity - build on our position of trust - differentiate ourselves in the market place PUT AN ARMOURED CAR ON THE INTERNET
WHAT ARE THE BUSINESS REQUIREMENTS? • privacy/confidentiality • integrity • authentication • non-repudiation • access control • availability/continuity
Existing Customer Initialization • Contact the bank through 1-800-4-Scotia • Authentication by customer service rep. • Acquire a shared secret/temporary password from an IVR process • Go online to the Internet • Download and install Bank’s software • Establish personal password/pass-phrase (certificates are created and exchanged automatically and transparently) • Access the service
POTENTIAL THREATS Loss of confidentiality of information or privacy of customer information Unauthorized changes, duplication or deletion of information/transactions Malicious acts Human error Masquerading/spoofing Denial of service
POTENTIAL THREATSWhich have changed since 1832? • Loss of confidentiality of information or privacy of customer information • unauthorized changes, duplication or deletions of information/transactions • malicious acts • human error • masquerading/spoofing • denial of service ……………………………disintermediation
So what to Scotiabank is a Public Key Infrastructure? • Certificate Repository/Directory • Multiple Certificate types for different risks • Certificate Revocation (Lists = CRLs) • Automatic Key aging and update • Key Back-up and Recovery • Key Histories Certification Authority…that provides:
So what to Scotiabank is a... Public Key Infrastructure? Certification Authority….that supports: • Automated enrollment • “Cross-certification” with other trusted CA’s • Non-Repudiation System that includes client side “software”…including the generation of “keys”
Public Key Infrastructure (PKI) • Approval by Bank Executive in March 1997 • Two “production” infrastructures • External - Customers • Internal - Employees & other FIs • Based on proven platform (hardware/software) • Implemented within three months!
Public Key infrastructure (PKI) • Approval by Bank Executive in March 1997 • Licenses for Entrust products • Scotiabank group worldwide • Initial Priorities • Internet Banking & Scotia Discount Brokerage • Employee External Access
Public Key Infrastructure (PKI) • Approved by Bank Executive September 1998 • Acquisition of all Entrust client-side software • Desktop, Express, Unity, ICE etc. • Acquisition of SET software and licenses • Web and VPN connectors
? Why • Open System that has adopted standard • Endorsed by the Federal Government • FIPS 140-1 certified • Product suite…with more to come • Being adopted by major IT companies • Growing base of Entrust compatible products • 15 years experience within NORTEL • cryptography is a core competency Canadian Content….
Difficulties? • Adequate, knowledgeable resources • Immature supporting technologies at the client e.g. operating systems, browsers, ISPs • General acceptance that this is a business decision not a technology decision • The rotating
Critical Success Factors • Executive commitment not viewed as an ROI issue… ..rather a strategic investment “The best way to predict the future….. …..is to create it!”
Critical Success Factors • Executive commitment • Strong Champion • Partnering • Focus on business risk, policy matters… …not technical issues • Use of technology • Implemented within existing organization
Critical Success Factors • Executive commitment • Strong Champion • Partnering • Focus on business risk, policy matters… …not technical issues • Use of technology • Implemented within existing organization Strong highly motivated team We had some fun Commitment to……..
Scotiabank’s Commitment toPolicy, Standards & Best Practices ……Information Security Governance
Scotiabank’s Commitment toPolicy, Standards & Best Practices • Information Security Steering Committee • Current Portfolio of Policy and Standards • Certificate and Certification Practice Statement
Information Security Policy- first principle “Enabling Technology Secure information processing is an enabling technology that enhances the development of new products and services, and can support continuous improvements in the delivery of quality service. As such, Scotiabank promotes sound security practices in conducting its business and in interacting with customers, achieving a balance between customer service needs and the interests of the bank and its shareholders”
So What is "The Trust Model"? • Governance • Availability/Reliability • Accountability • Risk Management • User Registration/Authentication It encompasses:
Milestones • Approached Entrust December 17, 1996 • Submitted Business Case January 29, 1997 • Executive Approval March 13, 1997 • Commenced construction before April • First Server delivered April 12, 1997 • “Entrust Direct” client delivered May 12, 1997 • Commissioned two PKI’s May 31, 1997 • Rebuild of client started June 17, 1997 • First live Interent transactions July 25, 1997
Where are we now? • April 21, 1999 07:05hrs EST 90,026
Only Authentic Certificates & Keys Monthly Service Availability
Important to • Overall annual availability= 99.66%
Important to • Certificates Revoked = over 19, 000
Recent Accomplishments • Conversion to Entrust Manager REL. 4 • over 220,00 licenses • largest in the World • Release of direct 3.0 and MAC clients • Continued testing of Desk-top suite, Unity, ICE etc.. • Installation of UAT PKI (#5) • Approval of SET pilot (#6) • Finalizing plans for remote hot stand-by • Testing of Direct 4.0 client
Committed to: • PKI as an enabling technology • Being leaders in: • PKI • Governance • Cross-certification • e-commerce/e-business • Canada and International operations
Working together in the “Real World”… ...developing business solutions… ...and succeeding!
What’s on our mind? • Cost of Registration • Reliance on Browsers • Thinner clients and “light certs” • People-limited understanding • Cross-certification • Directories
What’s on Our Mind? • Portability/Roaming • PDA’s • Smart Cards • Hardware • Hot standby - remote • Compromise Contingency Planning • Conversion • Security Quality Assurance • Trust Model
What’s on our mind? Cross Certification Authentication and Registration Partnering Research Attribute Certificates Entrust
You have heard many messages... • “Industrial Strength” enterprise-wide security based on a core competency • Encryption • Digital Signatures • User Authentication • “Real-World” • Automated
You have heard many messages... • “Industrial Strength” enterprise-wide security based on a core competency • A platform for secure e-commerce/e-business • Management of Risk • Establishment of Trust • Productivity/efficiency