security requirements for financial web services xml web services one conference

Prepared by Niteo Partners: An NEC Company

Security Requirements for Financial Web Services

XML Web Services One Conference

Forum on Security Standards

August 26, 2002

Proprietary to Niteo Partners 28/26/02

Topics for Discussion

FS Industry Drivers

An Example: Corporate Cash Management

Issues & Challenges

Q & A


FS Industry Drivers

Increasing Use of Outsourced Functions Corporations looking to eliminate unnecessary costs and look to ASP model in greater

numbers General trend toward using XML over public networks rather than private networks

Service & Component Architectures becoming more widespread Business Service Architectures offer stronger ROI through reduction of duplicated functions CIOs looking to leverage existing significant IT investments not create new ones Looking to serve millions of customers through multiple channels with common services

Straight-Through-Processing is becoming the mantra Securities industry has targets for implementation Banking moving toward STP even though key processes are held up by paper check

system

Corporations becoming more aware of service continuity and related risks 9/11 raised awareness of business continuity at the board level Distributed functions generate different risk profiles for the corporations



FS Industry Drivers

An Example: Corporate Cash Management What is Corporate Cash Management? Cash Management Use Case

Issues & Challenges

Q & A


What is Corporate Cash Management?

Corporate Cash Management is an important function of the corporate treasury office. Cash Management is:

The gathering of cash related information from the company’s banks and internal ERP systems.

The planning of investment or borrowing strategies to manage the firm’s liquidity. The execution of those plans with the firm’s banks.

Cash Management happens on a daily, weekly, and monthly basis.

Treasury management is typically supported by file transfers of data, Internet views of single bank data, or proprietary hub/spoke architectures.


Corporate Cash Management via Web Services

Description: Create and execute a cash management strategy through a lead bank by dynamically aggregating and analyzing account positions in multiple institutions, corporate cash receivables history (DSO) and disbursement plans, and working capital requirements.

Functional Area: Treasury Management

Actors: Corporate Treasury, Banks, Private UDDI Repository

Pre-Conditions: Account positions in multiple institutions accessible via web services; receivable and payable schedules accessible via web services.

Scenario: 1. Treasury Workstation discovers service points.

2. Treasury Workstation composes cash positions held in multiple banks.

3. ERP systems report receivables aging history, DSO, and daily disbursement plans across multiple business units/operating companies

4. Target working capital positions are determined. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed

5. Treasurer executes a set of funds transfer and investment transaction through a lead bank .

Benefit of Scenario:

Improved use of available cash balances and return on available funds

Less costly than manual process. Creation of new Inter-bank network.


Corporate Cash Management Actors

Lead Cash MgmtBank

West Bank Group

Internet

Banks- Web Service Enabled

TreasuryWork-station

ERPPlatform

Mutual BancShares

Private UDDIRepository

$$

Treasurer

Legend

WebService

Active

Inactive

• The Treasury Workstation and ERP Platform are packaged software systems used by the corporation. • ERP, and Treasury workstation are within the main corporate firewall.

• Each of the bank’s systems is behind it’s own firewall.

• All transactions are over the public Internet except the ERP/Treasury Workstation Interaction.

• There are existing contractual relationships between all the parties exchanging data.

• The UDDI repository run by a major bank or third party as part of this inter-bank network.


Corporate Cash Management Step 1: Discover service points

Lead Cash MgmtBank

West Bank Group


Mutual BancShares

ERPPlatform

UDDIRepository

$$

Treasurer

Treasury Workstation begins cash management process by discovering or verifying signatures of relevant partner web services.

•A Private Bank Network will use a private UDDI repository. Private in the sense it’s membership-based of some form not a VPN.

•Publishing repository entries and process must be secure and auditable. Version control and time stamping of registry must be verifiable.

•The Repository entries must be authentic. Identity and integrity of entries must be verifiable in some standard way.

•The Registry must be secure from performance based attacks (DoS).

• Access of signature files must be auditable by the publisher. Operations of repository must be operated in a highly secure way.

• Every Treasury Workstation in the network must be authenticated and authorized.

• Retrieval of WSDL file must be secure.

Requirements & Issues


Corporate Cash Management Step 2: Compose Cash Positions from Multiple Banks

Lead Cash MgmtBank

West Bank Group


Mutual BancShares

UDDIRepository

ERPPlatform

$$

Treasurer

Treasury Workstation gathers position data from banks through web service touch points. SOAP payload probably uses a banking standard like IFX.

Requirements & Issues• Service points must be authenticated and verified.

• Bank Service Point must be reliable and secure from DOS attacks.

• Some protocols like IFX have their logon segments. Are redundant credentials an issue?

• SOAP messaging must have integrity, reliability, and confidentiality.

• The message payloads must have integrity and confidentiality.

• Key management process must be secure.

• Banks must provide data only to individuals entitled to that data (Role based Authorization).


Corporate Cash Management Step 3: Retrieve Data from ERP Systems

Lead Cash MgmtBank

West Bank Group


Mutual BancShares

UDDIRepository

ERPPlatform

$$

Treasurer

ERP systems report receivables aging history, Day Sales Outstanding, and daily disbursement plans across multiple business units/operating companies. • Application level SOAP interface

supports role based permissions.

• Data on internal network must be secure. ERP platforms may be globally dispersed so all traffic must be highly secure.



Corporate Cash Management Step 4: Construct Daily Investment Strategy

Lead Cash MgmtBank

West Bank Group


Mutual BancShares

UDDIRepository

ERPPlatform

$$

Treasurer

Target working capital positions are determined through local software. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed.


• Not a Web Service interaction but traditional authorization and authentication requirements hold.


Corporate Cash Management Step 5: Execute Plan Through Lead Bank

Lead Cash MgmtBank

West Bank Group


Mutual BancShares

UDDIRepository

ERPPlatform

$$

Treasurer

Treasurer executes a set of funds transfer and investment allocations through a lead bank. The lead bank transfers the instructions to other banks via SOAP messaging.


•Instruction Document must have credentials to other banks systems

•Document may have data that can only be viewed by end bank not intermediary.

• Any shared Web Services conversation description (BPML, XLANG,etc) must be tamper-proof and verifiable.

• Banks and treasurers need verifiable proof that transactions were received, confirmed, and executed.



FS Industry Drivers


Issues & Challenges

Q & A


Issues & Challenges

Security standards must be proven to be applicable to financial services risk profiles and interoperable for adoption to take place

Corporate customers are confused and concerned about security standards in Web Services

Multiple and potentially competing standard must be reconciled within specific financial application context

UDDI repositories must support integrity, authentication, privacy and version control services when operated both within and outside enterprise firewalls

The governance model for the operation of financial UDDI directories will influence the UDDI security model

Financial institutions will connect core applications and systems across the Internet and share data with their customers once they can trust the connections.

Web services security must prove to leverage existing digital signature, encryption, and key management infrastructures and new strong authentication solutions

CIOs will not spend significant amounts on new security systems without visible ROI New, strong authentication mechanisms like smart cards and biometric technologies are

being considered and deployed so solutions must integrate


Requirement: Non-SSL solutions must be ‘buildable’ and understandable.

Identity Authenticity Confidentiality Integrity Audit N/R VersionControl

Users Business rules of IP (identity producer)

Business rules of the IC (identity consumer)

SSL, not universally encrypted on database

Business rules of IP

Business rules Business rules

Accounts Business rules of AP (account provider)

Business rules of the AU (account consumer)

SSL, not universally encrypted on database

Business rules Business rules Business rules

Services UDDI naming, WSDL signatures

UDDI naming, WSDL signatures

https WSDL Signatures

Business rules WSDL signatures, business rules

WDSL

Messages SOAP SOAP enhancements for single messages

SOAP enhancements

SOAP enhancements

Business rules SOAP enhance

Payload XML Dsig XML Dsig XML Encryption XML Dsig Business rules NA XML Dsig

Keying material

XKMS XKMS XKMS Business rules

Assertion SAML, X509 SAML, X509 XML Encryption SAML SAML SAML

Services

Assets



FS Industry Drivers


Issues & Challenges

Q & A


Contacts at Niteo Partners, Inc

Mr. Kevin Cronin – Chief Technical ArchitectCo-Chair, Financial Services Technology Consortium Web Services Advisory [email protected]

Mr. Michael Versace – Partner, Financial ServicesChairman, ISO TC68 SC2, Security and [email protected]

security requirements for financial web services xml web services one conference

Documents