Jaana Porra, M.Sc., MBA, Ph.D.
280G MH, 713 743 45 83
Electronic Commerce in Practice
-- Bank of America
Lecture 13
Case 1
Segev, Porra, Roldan, 1998
Bank of America: Replacing the Corporate Network with the Internet for Critical Business Transactions -- What Happens to Security?
Bank of America (BofA)
• at the time the second largest banking company (assets more than $227 billion)
• in the United States and 36 other countries
• supported all major electronic payment options
– FedWire
– ACH (capable of FEDI)
– SWIFT (capable of FEDI)
– CHIPS
Financial Transactions and FEDI
[Figure 2. Financial transactions and FEDI. Diagram labels: Customer, BofA, Bank X, Customer; ACH, SWIFT, CHIPS, FedWire; FEDI.]
FEDI transactions over the Internet
The Pilot Project
• The purpose of the Pilot project was to test the security, reliability and speed of exchanging FEDI transactions over the Internet under actual circumstances and with real transactions
• In 1994, BofA teamed up with the Lawrence Livermore National Laboratories to start the twelve-month-long Pilot
• At BofA, the project organization included experts from the Global Payment Services, Interactive Banking unit, project management unit, telecommunications, information systems services unit, security and marketing
• On the LLNL side, the corresponding areas were represented in the Pilot
• Additionally, SW/HW vendors and outside consultants were employed
The Technical System
Designing and implementing the technical system consisted of:
• reviewing the available SW and HW options for the Internet security system
• integrating the chosen Privacy Enhanced Mail (PEM), Multi Purpose Internet Mail (MIME) and Sun workstation-based solution with the existing BofA FEDI system (ECS) for encryption/decryption of the FEDI messages exchanged with LLNL over the Internet
• LLNL already had a PEM/MIME server. On their side, the project was part of improving the accounts payable system
Automated Data Flow with EDI
[Figure 1. Automated Interorganizational Data Flow with EDI. Diagram labels: Organization 1 (Business Application, EDI Translator), Transport Mechanism, Organization 2 (EDI Translator, Business Application).]
BofA Interim FEDI System
[Figure 3. BofA Interim FEDI System (Based on Attachment G of the LLNL white paper: FEDI Pilot Project, 5/1/96). Diagram labels: Lawrence Livermore National Labs, Mail Hub, PEM/MIME, Internet, T1 Routers, Gatekeeper, BofA Firewall, Bank of America, PEM/MIME, PEM/MIME Backup, Dedicated Line, BofA Intranet, ECS Host. Locations: Concord, California; San Francisco, California.]
Proposed Full-Scale Production System for BofA FEDI Services
[Figure 4. Proposed Full-Scale Production System for BofA FEDI Services (Based on the LLNL white paper: FEDI Pilot Project, 5/1/96). Diagram labels: Lawrence Livermore National Labs, Mail Hub, Internet, T1 Routers, Gatekeeper, BofA Firewall, Bank of America, Certificate Server, Security Server, Tandem System, Tandem System (Backup), ECS Host, Ethernet, BofA Intranet. Locations: Concord, California; San Francisco, California.]
Diagram of the FEDI transaction exchange process
[Figure 5. Diagram of the Pilot Process (Based on Attachment G of the LLNL white paper: FEDI Pilot Project, 5/1/96).
Participants shown: Oracle A/P System, LLNL Secure PEM/EDI Server, Internet, BofA Secure PEM Server, ECS Host, Automated Clearinghouse, Vendor's Bank.
EDI documents shown: 820 Payment; 824 Application Advice; 827 Financial Return Notice; 997 Functional Acknowledgement; 820 (CTX).
Processing labels shown: Tabulate, Translate, Encrypt, Sign and Mail 820; Authenticate, Decrypt, Translate, and Tabulate 997; Authenticate, Decrypt, Translate, and Tabulate 824; Translate, Encrypt, Sign and Mail 997; Authenticate, Decrypt, Transfer 820; Authenticate, Decrypt, Transfer 997; Encrypt, Sign, Mail 997; Encrypt, Sign, Mail 824; Encrypt, Sign, Mail 827; Translate 820; Generate and Transfer 997; Generate and Transfer 824; Transfer 827.
Encrypted & Signed EDI Documents Transmitted Over the Internet.]
The FEDI Management System
• In addition to the technical security system, transactions were carefully monitored by the key participants in both organizations using
– automatically generated email messages
– telephones
– faxes
– beepers
– paper reports
– weekly meetings for solving recurring problems
• Throughout the project the security of the network was additionally monitored using standard security procedures of both organizations.
• The groups managing the firewalls of each organization conducted their own independent tests
Results of the first phase
• During the seven months of the Pilot project all payments were received by the vendor banks within two days of the generation of the payment instructions
• No messages were lost
• No evidence of tampering with the transactions was discovered
Problem Summary
Table C. Problem Summary BofA/LLNL FEDI Pilot (Based on BofA’s daily tracking log)

Type of Error | Monthly counts (non-empty cells in column order, Aug. 1995 to Mar. 1996) | % of total problems
Applications, Operating System incompatibilities | 2, 1, 4 | 17%
Systems going down or off-line | 7, 6, 1, 2, 1, 2, 1 | 49%
Document delivery problems (duplicate, delayed, or lost documents) | 1, 3, 3, 2, 1 | 24%
Message problems (truncation) | 2 | 5%
Decryption problems | 1, 1 | 5%

Month | Aug. 1995 | Sept. 1995 | Oct. 1995 | Nov. 1995 | Dec. 1995 | Jan. 1996 | Feb. 1996 | Mar. 1996
A. Total # of Problems for the month | 9 | 2 | 11 | 4 | 8 | 2 | 4 | 1
B. Total # of EDI transmissions for the month | 19 | 21 | 22 | 22 | 21 | 23 | 21 | 21
Error Rate for the month = A/B | 47% | 10% | 50% | 18% | 38% | 9% | 19% | 5%
Second Phase of the Pilot
• After seven months, the maximum dollar amount for a single payment was increased from $10.000 to $100.000/vendor/day
• LLNL expanded the use of the system to provide travel and entertainment reimbursements to its employees
• Volume testing with files consisting of up to 1,000 transactions was conducted
• The speed and reliability of the system remained high
• Delays were mostly caused by the FEDI systems, not by the network
Volume Testing Results
Table E. Results of Volume Testing – Average Total Processing Time (transmission, decryption/encryption, translation, acknowledgment) for increasing numbers of embedded 820 payment instructions.

Number of 820 payment instructions in the e-mail message | Average Total Processing Time (from the time LLNL sends 820 to the time LLNL sends the final 997) | Notes
null to 5 | 11 minutes | N=129 (Average over 7 months of the pilot – includes only problem-free transmissions.)
100 | 12 minutes | N=8
300 | 19 minutes | N=6
500 | 43 minutes | N=7
1000 | 58 minutes | N=4
Volume Testing
[Figure 6. Volume Testing -- Summary of Results, Bank of America/LLNL FEDI Pilot. Chart of processing time from Step A to Step F; x-axis: Number of 820s embedded in e-mail message (100, 300, 500, 1,000).]
Note: White areas show time required by BofA servers to process EDI documents (Steps B and D). Gray areas show time spent transmitting messages over the Internet (Steps A, C, E and F).
Volume Testing
• Step A: message containing 820s transmitted from LLNL to BofA over the Internet
• Step B: decryption and format checking of 820, generation and encryption of 997
• Step C: 997 transmitted from BofA to LLNL over the Internet
• Step D: BofA's ECS processes payment instructions, generation and encryption of the 824
• Step E: 824 transmitted from BofA to LLNL over the Internet
• Step F: LLNL system matches information on 820, 997 and 824 and sends a 997 acknowledgement back to BofA over the Internet

# of 820 (payment instructions) in the mail message | Step A | Step B | Step C | Step D | Step E | Step F
100 | 0:00 | 0:07 | 0:03 | 0:05 | 0:03 | 0:00
300 | 0:01 | 0:14 | 0:01 | 0:12 | 0:01 | 0:00
500 | 0:04 | 0:24 | 0:09 | 0:18 | 0:09 | 0:00
1,000 | 0:09 | 0:39 | 0:01 | 0:31 | 0:01 | 0:00
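The matching of 820, 997 and 824 described above, combined with the duplicate, delayed and lost document categories of the problem summary, can be expressed as a small reconciliation check. This is an added example, not part of the original slides or of the BofA/LLNL systems; the log layout, the `ref` identifier and the 60-minute deadline are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of documents logged at the sending side (not pilot data).
# Fields: time, EDI transaction set, direction, ref. `ref` is an assumed
# identifier that ties each 997/824 to the 820 payment file it answers.
LOG = [
    ("1996-01-10 09:00", "820", "out", "PAY-001"),
    ("1996-01-10 09:07", "997", "in",  "PAY-001"),
    ("1996-01-10 09:15", "824", "in",  "PAY-001"),
    ("1996-01-10 10:00", "820", "out", "PAY-002"),
    ("1996-01-10 10:05", "997", "in",  "PAY-002"),
    ("1996-01-10 10:06", "997", "in",  "PAY-002"),   # same document twice
    ("1996-01-10 11:40", "824", "in",  "PAY-002"),   # arrives late
    ("1996-01-10 12:00", "820", "out", "PAY-003"),   # never answered
    ("1996-01-10 12:30", "824", "in",  "PAY-999"),   # no matching 820
]

def reconcile(log, deadline=timedelta(minutes=60)):
    """Return {ref: [findings]} for every payment file that is not clean.

    The 60-minute default deadline is an assumed threshold for this example.
    """
    sent, replies = {}, defaultdict(list)
    for stamp, doc, direction, ref in log:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if doc == "820" and direction == "out":
            sent.setdefault(ref, when)          # first send time per payment file
        elif direction == "in":
            replies[ref].append((doc, when))
    findings = defaultdict(list)
    for ref, sent_at in sent.items():
        for expected in ("997", "824"):         # acknowledgement, then advice
            times = sorted(w for d, w in replies[ref] if d == expected)
            if not times:
                findings[ref].append(f"lost {expected}")
                continue
            if len(times) > 1:
                findings[ref].append(f"duplicate {expected}")
            if times[0] - sent_at > deadline:
                findings[ref].append(f"delayed {expected}")
    for ref in replies:                         # replies nobody asked for
        if ref not in sent:
            findings[ref].append("reply without matching 820")
    return dict(findings)

if __name__ == "__main__":
    for ref, problems in reconcile(LOG).items():
        print(ref, problems)
```

A payment file with both replies on time does not appear in the result; anything that does appear is a candidate for the manual follow-up channels the slides list.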
Summary of Problems
• 49% of the problems encountered during the project stemmed from the systems being down or off-line
• Other problems included
– transaction delivery problems (duplicate, delayed or lost transactions) (24%)
– application, operating system incompatibilities (17%)
– message delivery problems (5%)
– decryption problems (5%)
• Error rate per month varied from 5% to 50%
The Future
• The Pilot project served as a proof of concept
• The production system is being designed based on the Pilot with heightened security, reliability and speed sensitivity
• The project prompted a reevaluation of network security processes at BofA
• Organizational changes have taken place and are planned for
• Open issues include Internet-based information systems security management, one central area of which is encryption key management
Have a Great Summer!
© 2000 Jaana Porra University of Houston