Dec. 5th, 2000
PKI & Symmetric Key Encryption System
PKI Forum
Agenda
E-Sign legislation effective Oct. 1, 2000
Implications of the legislation and what the organization (Wells Fargo) needs to protect (and how) in order to mitigate risks and liabilities
System we have implemented (since 1997) to mitigate risks, and its deployment status
System we are undertaking today to further reduce risks, and its deployment status
Future plans
Q & A
Wells Processing Environment and What Do We Need to Protect
End-user / Middleware / Back-end processing
TCP/IP traffic's vulnerabilities - next slide
TCP/IP vulnerabilities
Lack of authentication
Lack of confidentiality
Lack of integrity check
Subject to replay attack
Lack of non-repudiation
How does Wells Fargo mitigate risks

Risk             | MsgSecure                               | PKI
Authentication   | Yes - Kerberos principal, efficient     | Yes - certificate, less efficient / stronger authentication
Confidentiality  | Yes - DES/3DES, efficient               | Yes - utility certificate, less efficient
Integrity        | Yes - MD5, efficient                    | Yes - MD5, efficient
Replay attack    | Yes - sequence number, time stamp       | Yes - time stamp
Non-repudiation  | No                                      | Yes - digitally signed document, not efficient but the strongest proof of intent
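The integrity and replay rows of the table above describe a receiver-side check, so here is one written out as an added example; it is not code from the presentation or from the MsgSecure product. The slide says only "MD5" for integrity; because a bare hash can be recomputed by anyone who edits the message, this example keys it (HMAC-MD5, the way Kerberos uses keyed checksums), and that choice, the field layout, the 5-minute freshness window, the principal names and the sample messages are all assumptions constructed for illustration.

```python
import hmac
import hashlib
import time

# Constructed for this example: a shared session key of the kind a Kerberos
# exchange delivers to client and server.  Not taken from the slides.
SESSION_KEY = b"\x13" * 16
FRESHNESS_WINDOW = 300  # seconds; assumed, matches Kerberos' usual 5-minute skew


def message_tag(key, principal, seq, ts, body):
    """Keyed integrity tag over every field the receiver relies on.

    The slide says only 'MD5'.  A bare hash detects accidental damage but an
    attacker who edits the body can simply recompute it, so this example keys it
    (HMAC-MD5) so that body, sequence number and timestamp are all bound to the
    key.  The keyed construction and field layout are this example's assumption.
    """
    data = b"|".join([principal.encode(), str(seq).encode(), str(ts).encode(), body])
    return hmac.new(key, data, hashlib.md5).hexdigest()


class ReplayGuard:
    """Receiver state: highest sequence number accepted from each principal."""

    def __init__(self, key, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.last_seq = {}  # principal -> highest accepted sequence number

    def check(self, msg, now=None):
        """Return (accepted, reason) for a dict with principal, seq, ts, body, tag."""
        now = time.time() if now is None else now
        p = msg["principal"]
        expected = message_tag(self.key, p, msg["seq"], msg["ts"], msg["body"])
        # 1. Integrity first: never base a replay decision on fields an attacker
        #    could have edited.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "integrity check failed"
        # 2. Freshness: a stale (or far-future) timestamp is rejected outright,
        #    which bounds how long a captured message stays useful.
        if abs(now - msg["ts"]) > self.window:
            return False, "timestamp outside freshness window"
        # 3. Sequence: a replay reuses a number at or below the highest one already
        #    accepted from this principal, even if it is still inside the window.
        if msg["seq"] <= self.last_seq.get(p, 0):
            return False, "sequence number not increasing (replay)"
        self.last_seq[p] = msg["seq"]
        return True, "ok"


def make_message(key, principal, seq, ts, body):
    """Sender side: attach the tag (demo helper)."""
    return {"principal": principal, "seq": seq, "ts": ts, "body": body,
            "tag": message_tag(key, principal, seq, ts, body)}


def demo(now=1_000_000.0):
    """Run a constructed scenario; return the list of (accepted, reason) results."""
    guard = ReplayGuard(SESSION_KEY)
    m1 = make_message(SESSION_KEY, "teller01@WF", 1, now - 2, b"POST 100.00 acct 42")
    m2 = make_message(SESSION_KEY, "teller01@WF", 2, now - 1, b"POST 250.00 acct 42")
    tampered = dict(m2, body=b"POST 999.00 acct 42")  # body edited, tag unchanged
    stale = make_message(SESSION_KEY, "teller01@WF", 3, now - 3600, b"POST 1.00 acct 42")
    return [
        guard.check(m1, now),        # accepted
        guard.check(m2, now),        # accepted
        guard.check(m1, now),        # replay of m1: seq 1 <= 2, rejected
        guard.check(tampered, now),  # integrity failure
        guard.check(stale, now),     # outside the window although seq 3 is new
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

Two points the table glosses over. A single monotonic counter per principal rejects legitimately reordered messages, so a production receiver keeps a sliding window of recently accepted numbers (as IPsec does) rather than one integer. And the PKI column relies on a timestamp alone: without a per-principal counter the receiver must cache every accepted message for the length of the freshness window, which is why the window has to stay short.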
MsgSecure - In production since 1997
Vendor software (based on MIT Kerberos V5)
Custom designed software to enhance the capability (key distribution)
Add-on performance accelerator (hardware encryption engine on HDS and IBM systems)
Support infrastructure (H/A, 24/7, etc.)
Bundle the services as if you are a security vendor
Gain support from the organization (policy)
Deployment status: 11.5 million transactions/day, 3000 servers, 200 human principals, cross-platform sign-on for UNIX/NT/MVS in pilot
System we are undertaking today - Public Key Infrastructure (PKI)
Organizational commitment
Define trust model
Project organization and responsibilities
Physical environment
Certificate Practice Statement / Policies
Root key creation
Deployment strategy & status
Future opportunities within Wells Fargo
Organizational Commitment
A project truly requires the support of all levels within the organization
Business need vs. technology: industry analysis shows 20% of the effort relies on technology and 80% on buy-in and support from others
Requires active participation from Legal, Enterprise Architecture, HR, Audit, Network Engineering, Business Proponent, Security Administration, Security Consulting, Physical Security, Corporate Property and other support organizations.
Trust Model
Wells Fargo Root
  Wells Fargo Business CA
  Enterprise CA
  Other Purpose CA
Identrus Root
  Wells Fargo Identrus CA
Project Organization
CISO
  Project Manager
    Project Coordinator
    Technical Manager
    QA Process Manager
    Business Application Liaison
    Identrus Liaison
    CPS/CP/Procedures
    Audit, Legal
    Security Consulting
PKI Review Board
Roles and Responsibilities
CISO: project proponent; funding source
Project Manager: project budget and resources; deliverables, timeline and quality; communications and future growth
PKI Review Board: see next slide
Project Coordinator: project documentation; meeting coordination; meeting minutes; reporting
Technical Manager: facility build; hardware components; software components; vendor selection; testing & training
QA Process Manager: build QA environment; QA testing; implementation of CPS, CP, etc.; administration & help services; training
Business Application Liaison: application development; RA functions; application-related procedures; application help services
Identrus Liaison: Identrus integration; Identrus CPS and CPs; Identrus procedures; Identrus support
Legal, Audit: validate requirements
CPS/CP/Procedures: WF CPS and CP development; WF Root operational procedures
Security Consulting: project participant; functional expertise; CPS, CP reviews; security plan
PKI Review Board
Objective: a 9-member board to provide oversight of Wells Fargo PKI practice.
Responsibilities:
  Review and approve the Certificate Practice Statement and Policies
  Review and approve on-going changes to the CPS and CPs
  Review and approve Registration Authority and level of authentication
Board members: CISO; PKI Manager; Network Engineering; 2 Business Unit Representatives; Corporate Legal; Corporate HR; Internal Audit; CTO - Application Development
Physical Environment
Site selection
Environment for housing the Root key and Master CA/RA
Level of security requirements, including the utilization of tokens and multiple biometric devices
Dual access control
Camera, alarm, automated logging devices
Certificate Practice Statement (CPS) and Certificate Policies (CP)
A set of agreed-upon rules to guide the usage of digital certificates
The CPS covers the life-cycle of the certificates and the associated processes/procedures
A CP addresses the applicability, usability and the community boundary specific to that certificate
A truly cooperative development process involves all stakeholders at an early stage
An item that could impact the production schedule
Root Key Generation
Multi-day effort
Plan a step-by-step script
Internal, external and specialized personnel
Conduct multiple dry runs
Expert staff on-site
Record and log all tasks and deviations
Secure storage of key parts and all records
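The "key parts" in the ceremony checklist above are the one algorithmic piece of the procedure, so here is an added example of how a root key is split so that a quorum of custodians can rebuild it while fewer cannot: Shamir's polynomial scheme over a prime field. This is not the presentation's code, and the slides do not say which scheme Wells Fargo or its HSM vendor used; the scheme, the 3-of-5 parameters, the field prime and the sample key are this example's assumptions.

```python
import secrets

# Prime field large enough to hold a 256-bit key as a single element.
# 2**521 - 1 is the Mersenne prime M521.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Evaluate a polynomial (constant term first) at x, modulo p, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, n, k, p=PRIME):
    """Split secret into n shares with threshold k: any k shares reconstruct it.

    Each share is (x, f(x)) for a random polynomial f of degree k-1 with f(0) = secret.
    """
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element")
    if not 1 < k <= n < p:
        raise ValueError("need 1 < k <= n")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=PRIME):
    """Lagrange interpolation at x = 0 over the given shares.

    With fewer than k shares the result is a uniformly random field element, not an
    approximation of the key; that property is what a key ceremony relies on.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def ceremony_demo(key_bytes=None):
    """Split a root key 3-of-5, rebuild it from a quorum, show a sub-quorum fails.

    Returns (quorum_matches, subquorum_matches).
    """
    # Constructed for the example: a 256-bit root key.  In a real ceremony the key
    # never leaves the HSM boundary in the clear; only the wrapped parts are stored.
    if key_bytes is None:
        key_bytes = secrets.token_bytes(32)
    secret = int.from_bytes(key_bytes, "big")
    shares = split_secret(secret, n=5, k=3)

    # Any three custodians' parts rebuild the key exactly ...
    from_quorum = recover_secret([shares[0], shares[2], shares[4]])
    # ... two parts do not: the interpolated value is a random field element.
    from_two = recover_secret([shares[1], shares[3]])
    return from_quorum == secret, from_two == secret


if __name__ == "__main__":
    print(ceremony_demo())  # (True, False)
```

The reason to prefer a threshold split over a plain XOR split of the key into n pieces is operational: an XOR split needs every custodian present, so a lost or unavailable part loses the root key, whereas a k-of-n split tolerates n-k missing custodians and still requires collusion of k to reconstruct.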
Deployment Strategy
Pilot with a low-volume, low-risk application
Choose a simple RA method
Gain quick successes and users' confidence
Support infrastructure needs to be in place to handle the growth
Back-up facility and fail-over fully functional
Market the product - capabilities and benefits
Educate the users at large
Deployment Status
Secured physical environment completed in Oct. 2000
Performed Root key generation in Oct. 2000
Performed Business Sub-Master generation Nov. 2000
Enabling first B-to-B application Dec. 2000
Perform Identrus Sub-Master generation Feb. 2001
Enabling first Identrus application Feb. 2001
Perform Enterprise Sub-Master generation Mar. 2001
Enabling enterprise application Mar. 2001
Future Opportunities
Enterprise CA supporting end-user authentication and secured email
Integrate to support MsgSecure
Other e-business related initiatives
Support wireless and appliance related applications
Public use of digital certificates
Others
Questions??
Thanks for your time