1 / 44

Public-Key Infrastructures

Public-Key Infrastructures. Mary Horrigan. a quick outline (a.k.a. Bank of Nova Scotia or BNS). Established in 1832 in Halifax, Nova Scotia now based in Toronto Profitable, with sound Balance Sheet Operations in over 50 countries

edward
Download Presentation

Public-Key Infrastructures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Public-Key Infrastructures Mary Horrigan

  2. a quick outline(a.k.a. Bank of Nova Scotia or BNS) • Established in 1832 in Halifax, Nova Scotia now based in Toronto • Profitable, with sound Balance Sheet • Operations in over 50 countries • Largest Bank in the Caribbean, extensive Latin America Network • Large syndication lender in the US (top 10) • Recently acquired National Trust and Mocatta Bullion (326 years old) • Scoitabank is “Strength, Integrity, Service”

  3. JAPAN 2 Branches China Hong Kong Singapore Bangladesh India Indonesia Malaysia The Philippines Republic of Korea Sri Lanka Taiwan Vietnam Scotiabank in Asia

  4. Service and Technology at SCOTIABANK • Alternate Delivery Channels • ABMs and Point-of-Sale • Wireless Devices • TeleScotia - Telephone Banking • Internet - ScotiaOnline • Customer Service/Call Centers • Smart Cards - VISA Cash and Mondex

  5. The Highlights • Scotiabank is “pioneering” the use of PKI’s/digital certificates/CA’s to secure Internet-based business • This technology is viewed as essential for safe and efficient e-business/commerce • Partnered with Entrust Tech,. HP, IBM, ICL ect. • Implemented two PKI’s in 1997 + a test PKI • Scotia Online Security, an idea to reality in 7 mths • Customer acceptance exceeding our expectations • Real-World experience of operations.

  6. Topics • Management of Risk • Demonstration of Scotia OnLine • Requirements & Potential Threats • Scotiabank’s PKI’s • Scotiabank’s Decisions and Acquisition • Critical Success Factors • The “Trust Model” • Real World Operational Experience

  7. Electronic & Internet based Commerce Scotiabank’s Management of Risk • What Scotiabank didn’t want to do: • Offer disparate, stand-alone on-line services • Offer dial-up services • Force customers into a Branch to enroll • Send/mail digital Certificates to customers • require our customers to decide the risk they wanted to take through the Browser the chose to use • validate passwords at the centralized servers/mainframes • rely on Certificates issued by a third party

  8. Electronic& Internet based Commerce Scotiabank’s Management of Risk • What Scotiabank wanted to do: • Offer an internet-based service, with state-of-the-art security to open standards • Provide a “best-of-breed” information security solution that will be the platform for the future • Partner with a reputable leader who’s core competency is information security • Automatic enrollment and Certificate issuance • Have minimal intrusion on the customers PC • Have an exportable solution

  9. Electronic& Internet based Commerce Scotiabank’s Management of Risk • What Scotiabank wanted to do: • Offer services that “look and feel” alike • Provide Single sign-on and ease of navigation • Use customer controlled Passwords or pass-Phrases • Issue Scotiabank Certificates, that can be trusted • Use multiple and unique “anonymous” Certificates • Reduce risks of : • web-site spoofing • identity theft • session hijacking, and • insider attacks

  10. Electronic& Internet based Commerce Scotiabank’s Management of Risk • What Scotiabank wanted to do: - maintain our brand identity - build on our position of trust - differentiate ourselves in the market place PUT AN ARMOURED CAR ON THE INTERNET

  11. WHAT ARE THE BUSINESS REQUIREMENTS? • privacy/confidentiality • integrity • authentication • non-repudiation • access control • availability/continuity

  12. Existing Customer Initialization • Contact the bank through 1-800-4-Scotia • Authentication by customer service rep. • Acquire a shared secret/temporary password from an IVR process • Go online to the Internet • Download and install Bank’s software • Establish personal password/pass-phrase (certificates are created and exchanged automatically and transparently) • Access the service

  13. POTENTIAL THREATS Loss of confidentiality of information or privacy of customer information Unauthorized changes, duplication or deletion of information/transactions Malicious acts Human error Masquerading/spoofing Denial of service

  14. POTENTIAL THREATSWhich have changed since 1832? • Loss of confidentiality of information or privacy of customer information • unauthorized changes, duplication or deletions of information/transactions • malicious acts • human error • masquerading/spoofing • denial of service ……………………………disintermediation

  15. So what to Scotiabank is a Public Key Infrastructure? • Certificate Repository/Directory • Multiple Certificate types for different risks • Certificate Revocation (Lists = CRLs) • Automatic Key aging and update • Key Back-up and Recovery • Key Histories Certification Authority…that provides:

  16. So what to Scotiabank is a... Public Key Infrastructure? Certification Authority….that supports: • Automated enrollment • “Cross-certification” with other trusted CA’s • Non-Repudiation System that includes client side “software”…including the generation of “keys”

  17. Public Key Infrastructure (PKI) • Approval by Bank Executive in March 1997 • Two “production” infrastructures • External - Customers • Internal - Employees & other FIs • Based on proven platform (hardware/software) • Implemented within three months!

  18. Public Key infrastructure (PKI) • Approval by Bank Executive in March 1997 • Licenses for Entrust products • Scotiabank group worldwide • Initial Priorities • Internet Banking & Scotia Discount Brokerage • Employee External Access

  19. Public Key Infrastructure (PKI) • Approved by Bank Executive September 1998 • Acquisition of all Entrust client-side software • Desktop, Express, Unity, ICE etc. • Acquisition of SET software and licenses • Web and VPN connectors

  20. ? Why • Open System that has adopted standard • Endorsed by the Federal Government • FIPS 140-1 certified • Product suite…with more to come • Being adopted by major IT companies • Growing base of Entrust compatible products • 15 years experience within NORTEL • cryptography is a core competency Canadian Content….

  21. Difficulties? • Adequate, knowledgeable resources • Immature supporting technologies at the client e.g. operating systems, browsers, ISPs • General acceptance that this is a business decision not a technology decision • The rotating

  22. Critical Success Factors • Executive commitment not viewed as an ROI issue… ..rather a strategic investment “The best way to predict the future….. …..is to create it!”

  23. Critical Success Factors • Executive commitment • Strong Champion • Partnering • Focus on business risk, policy matters… …not technical issues • Use of technology • Implemented within existing organization

  24. Segregation of Function

  25. Critical Success Factors • Executive commitment • Strong Champion • Partnering • Focus on business risk, policy matters… …not technical issues • Use of technology • Implemented within existing organization Strong highly motivated team We had some fun Commitment to……..

  26. Scotiabank’s Commitment toPolicy, Standards & Best Practices ……Information Security Governance

  27. Scotiabank’s Commitment toPolicy, Standards & Best Practices • Information Security Steering Committee • Current Portfolio of Policy and Standards • Certificate and Certification Practice Statement

  28. Information Security Policy- first principle “Enabling Technology Secure information processing is an enabling technology that enhances the development of new products and services, and can support continuous improvements in the delivery of quality service. As such, Scotiabank promotes sound security practices in conducting its business and in interacting with customers, achieving a balance between customer service needs and the interests of the bank and its shareholders”

  29. So What is "The Trust Model"? • Governance • Availability/Reliability • Accountability • Risk Management • User Registration/Authentication It encompasses:

  30. Milestones • Approached Entrust December 17, 1996 • Submitted Business Case January 29, 1997 • Executive Approval March 13, 1997 • Commenced construction before April • First Server delivered April 12, 1997 • “Entrust Direct” client delivered May 12, 1997 • Commissioned two PKI’s May 31, 1997 • Rebuild of client started June 17, 1997 • First live Interent transactions July 25, 1997

  31. Where are we now? • April 21, 1999 07:05hrs EST 90,026

  32. Only Authentic Certificates & Keys External infrastructure

  33. Only Authentic Certificates & Keys Monthly Service Availability

  34. Important to • Overall annual availability= 99.66%

  35. Important to • Certificates Revoked = over 19, 000

  36. Recent Accomplishments • Conversion to Entrust Manager REL. 4 • over 220,00 licenses • largest in the World • Release of direct 3.0 and MAC clients • Continued testing of Desk-top suite, Unity, ICE etc.. • Installation of UAT PKI (#5) • Approval of SET pilot (#6) • Finalizing plans for remote hot stand-by • Testing of Direct 4.0 client

  37. Committed to: • PKI as an enabling technology • Being leaders in: • PKI • Governance • Cross-certification • e-commerce/e-business • Canada and International operations

  38. Working together in the “Real World”… ...developing business solutions… ...and succeeding!

  39. What’s on our mind? • Cost of Registration • Reliance on Browsers • Thinner clients and “light certs” • People-limited understanding • Cross-certification • Directories

  40. What’s on Our Mind? • Portability/Roaming • PDA’s • Smart Cards • Hardware • Hot standby - remote • Compromise Contingency Planning • Conversion • Security Quality Assurance • Trust Model

  41. What’s on our mind? Cross Certification Authentication and Registration Partnering Research Attribute Certificates Entrust

  42. You have heard many messages... • “Industrial Strength” enterprise-wide security based on a core competency • Encryption • Digital Signatures • User Authentication • “Real-World” • Automated

  43. You have heard many messages... • “Industrial Strength” enterprise-wide security based on a core competency • A platform for secure e-commerce/e-business • Management of Risk • Establishment of Trust • Productivity/efficiency

More Related