dmitriy yanin kashif haider nnaemeka akabogu shen-jung pai robert wambura

• Dmitriy Yanin• Kashif Haider• Nnaemeka Akabogu• Shen-Jung Pai• Robert Wambura

IntroductionSecure Portal for Multinational Banking

Problem Definition, Virtual OrganizationOrganization Structure, Business Requirements,

Marketing and Customer SupportIntegrationSecurityMiddlewareInfrastructureConclusionQ & A

Problem Definition

Why VO?Easy way to organize and communicateCost efficient

Teleconferencing, Voice Chat over travellingSaves Time Virtual CapabilityEasy to Switch geographically

Organizational Structure

Business RequirementsTransactional Functions

Transfer (private, individual)Payment (credit card, mobile companies, or

public utility companies)Non- Transactional Functions

View statementChange their information (usernames,

passwords, pin numbers, and email addresses)Other services (ordering card reader, USB

finger print device, and cheque book)

Transaction Procedures

Yes

No

No

Yes

Transfer the Funds

Stop

Ask User to take amount from other account

Enough Funds Available

Login Correct Login Yes

No

•NatWest - customer number, pin, and Password•Lloyds TSB – Online ID, password, memorable data•e-banking portal – user name, password, and Biometrics

Marketing & Customer SupportGoal: all or majority of the national banks

are willing to corporate– the success depends on the number of cooperated banks and users

Main targets: BanksSub-targets: individual customers (achieve

customer satisfaction)Premium services: online assistant and 24-

hour telephone banking service

Integration

Data IntegrationInformation Integration

Increase Organization EfficiencyInformation Integrity maintenance across

multiple SystemsEase of Development and Scalability IssuesElimination of Inefficiencies

Security

Towards Client Side

Towards Bank Databases

Towards own Database

One of the main concerns of our virtual organization is to provide a robust security solution with limited vulnerabilities. To achieve this, the possible areas of attack were categorized in three perimeters:

• Perimeter 1 Protecting the customer and the web servers.• Perimeter 2 Preventing unauthorized access to the storage servers on local VO network.• Perimeter 3 Securing the data exchange between the VO’s DBMS and DBMS of the participating banks.

Securing The Web Portal

• A double factor authentication mechanism incorporating biometrics (fingerprint) and password encryption will be used for user authentication.

• Regular updates related to trend of attacks, their features and how to avoid them will be published on the portal.

• A security system cluster will be installed at the gateway . This cluster will incorporate an intrusion detection system based on artificial immunity and a web application firewall to provide robust security across the OSI layers.

The cluster framework will also provide constant backup/availability of the security system in event of failure of any of the servers.

Securing Perimeter 1

• Security here will be managed by the Extract Transform Load (ETL) tools which oversee the exchange of information between the data warehouse, knowledge base and the network administrators.

• Information exchange will be in an encrypted format and classified information and access control levels will be stored in separate tables in the data warehouse.

Securing Perimeter 2

• The security of the packet exchange between the portal and the bank will be provided by layer 2 tunneling protocol (L2TP) – a Virtual private network option. This will ensure improved confidentiality, integrity, encryption and authentication of data transferred.

Securing Perimeter 3

Middleware Characteristics Existing IT systems at the participating banks should

undergo as little modification as possible. So, the introduced middleware will need to link and work on top of a set of heterogeneous databases across networks.

The participating banks would have:Their own strategies and security policies for handling

customer dataDifferent database management system (DBMS)Different operating systems (OS)

Replacing the above – not possible or requires very high investments and may negate the financial benefits brought by the united e-banking portal.

Middleware Characteristics cont….

Bank

Data

Middleware

Bank

Data

Re

qu

es

ts &

d

ata

Da

ta

Da

ta

Re

qu

es

ts &

d

ata

Bank

Data

Re

qu

es

ts &

d

ata

Da

ta

E-Commerce Software

Da

ta

Re

qu

es

ts

Da

ta

Re

qu

es

ts

Heterogeneous data sources

Net-working

SecurityTransla-tion of

Requests

Customer Support Software

Decision-Support Software

Da

ta

Re

qu

es

ts

Data Integrity

Therefore, there is a need for a set of software tools (middleware) that would:•Access the dispersed data•Access the data across WAN•Be non-intrusive, i.e. not access the data directly but via the local DBMSs, honouring the local security policies •Ensure data integrity•Provide secure transmission of data between the banks and the portal•Work with different (heterogeneous) DBMSs and OS’s

Data Integration ApproachWe decide to use Federated approach to data integration.

Data from dispersed sources is kept at those sources, and not duplicated anywhere else

Middleware virtualises the view of the data and acts as a façade to the dispersed data sources

Applications that need access to the data utilize facilities provided by the middleware

Middleware translates requests from these applications, passes them to the data sources, retrieves the returned data, translates and formats it, and passes it back to the applications

Middleware also handles security and networkingApplications using the middleware see it as a local

database management system

Data Integration Approach cont…..The major advantages of the Federated approach:Access to the remote databases is transparent to users:

Location TransparencyInvocation TransparencyPhysical data independence and fragmentation Replication TransparencyNetwork Transparency

No need for data synchronisationTime-to-market advantage for newly-developed

applications Improved governanceReduced development and maintenance costsReusability

Concepts

Data-federating middleware utilizes five concepts:

WrapperServerCatalogueNicknameUser Mapping

Wrappers Software modules within the federated system

Are used to communicate with remote data sources

Contain characteristics about their corresponding data sources, such as their relational models

Are designed to support query processing by sending sub-queries to the data sources.

Servers and CataloguesServer: the representation of a

collection of data on the remote data source

must be registered on the system

contains appropriate information about it needs to be stored

includes the name of the database, its type and version

All this information is stored in Catalogues

Nickname Is used to access data Is a representation of

a data set, such as a table or a view

When a nickname is registered on the federated system, the name of the corresponding remote table, the names of its columns, their data types, indexes are stored in the catalogues.

User Mapping Controls access to remote data sources

Provides security:Each remote

database has at least one user account with sufficient privileges to access all the data necessary

These user IDs and passwords are stored on the federation system and used for DB transactions

Data IntegrityCases when data integrity is under threat:

Data sources going downData feeds interrupted because of hardware or network

problemsRemote data sources get manipulated or restructured

Identifying potential problems and taking corrective actions early.

Solutions:

Autonomic features - capability to dynamically adapt to changes in structures.

Two-phase SQL commit - all SQL statements in a transaction spread across more than one remote database are either committed or rolled back as an atomic unit.

CommunicationUse connectors:

software agents installed on top of each remote data source and acting as interfaces

Each connector speaks natively to its corresponding database and passes data to and from it.

CommunicationConnectors used to work on proprietary protocols; however,

there has been a shift towards Web Services.

The Web Services:

Application components that communicate using open protocols

Self-contained and self-describing and can be used by other applications.

Simple, interoperable, messaging frameworkUse XML as data exchange format

The main advantages of using the Web Services:

Reduced cost of development and maintenance because of consolidation and standardization of system interfaces

Faster time to market because of the re-usable interface elements

Custom-Built Vs ExistingAgainst a custom-built solution:

No real advantage over existing offers

Very lengthy development time

Likely lack of expertise of developers if the system is to be developed in-house

High probability of lengthy debugging due to the software complexity

Existing solutions are provided by companies with years of experience of developing the heterogeneous distributed database solutions

Major Market Players

Choice: IBM Information Integrator

Advantages over Sybase offer:

Proper metadata management

Data quality functions

Data profiling/analysis

Advantages over Oracle offer:

Company size and worldwide presence

Experience in collaborative software (important for organisations)

Market strategy to promote and support software from other vendors that works with IBM products instead of insisting on using their own software

InfrastructureNetworking Based

Towards Client SideTowards Bank SideTowards own Database of System

Web Portal HostingSingle Sign InApache as a Web Server

Cluster Management

Why Apache?Apache contains Load BalancerAvoidance of Single Point of FailureLoad Balancer vs Round Robin DNS

Load Balancer takes care of Load on server nodes

Session Management in Load BalancerFailure Transparency is practically

implementable in Load Balancer over Round Robin DNS

Cluster ManagementCondor as a Solution

Supports most of platforms like UNIX, Windows, and MAC etc

Best choice for High throughput Computing Supports MPI and PVM“DAGman” which supports the functionality to

highlight job dependencies

ConclusionPurpose of this online e-Banking is to make

transactions Smoother and FasterSecureCommercial Software

References TekPlus Ltd., 2001: The Emergence of Virtual Organisations. A White Paper.

http://www.tekplus.com/TP0033R02V01.pdf: accessed on 23/10/08 McClure, Steve, 2003: Oracle's Solution for Heterogeneous Data Integration.

http://www.oracle.com/technology/products/dataint/pdf/idc_integration_wp.pdf: accessed on 24/10/08

Wikipedia, 2004: Enterprise application integration. http://en.wikipedia.org/wiki/Enterprise_application_integration: accessed on 25/10/08

H. P. Luhn. "A Business Intelligence System." 1958. IBM Journal. 05 Nov. 2008 <www.research.ibm.com/journal/rd/024/ibmrd0204H.pdf>.

Wüeest, C. (2005). Threats to online banking. In: Symantec security response. Curpertino: Symantec.

Stuttard, D. and Pinto, M. (2008). The web application hacker’s handbook. Discovering and exploiting security flaws. 1st edition. Indianapolis: Wiley publishing Inc.

Greensmith, J., Aickelin, U. and Cayzer, S. (2008). Detecting danger: The dendritic cell algorithm. In: Robust intelligent systems. (A. Schuster ed.) New York: Springer.

Rietta, F. S. (2006). Application layer intrusion detection for SQL injection. In: Association for computer machinery. (1st ed). New York: ACM Press.