Prepared by Niteo Partners: An NEC Company Security Requirements for Financial Web Services XML Web Services One Conference Forum on Security Standards.

Security Requirements for Financial Web Services
Prepared by Niteo Partners: An NEC Company
XML Web Services One Conference, Forum on Security Standards, August 26, 2002

Proprietary to Niteo Partners, 8/26/02

Topics for Discussion
- FS Industry Drivers
- An Example: Corporate Cash Management
- Issues & Challenges
- Q & A

FS Industry Drivers
Increasing use of outsourced functions
- Corporations are looking to eliminate unnecessary costs and turning to the ASP model in greater numbers
- General trend toward using XML over public networks rather than private networks
Service and component architectures becoming more widespread
- Business service architectures offer stronger ROI through reduction of duplicated functions
- CIOs are looking to leverage existing significant IT investments, not create new ones
- Looking to serve millions of customers through multiple channels with common services
Straight-Through Processing is becoming the mantra
- The securities industry has targets for implementation
- Banking is moving toward STP even though key processes are held up by the paper check system
Corporations becoming more aware of service continuity and related risks
- 9/11 raised awareness of business continuity at the board level
- Distributed functions generate different risk profiles for the corporations

Topics for Discussion
- FS Industry Drivers
- An Example: Corporate Cash Management
  - What is Corporate Cash Management?
  - Cash Management Use Case
- Issues & Challenges
- Q & A

What is Corporate Cash Management?
Corporate Cash Management is an important function of the corporate treasury office. Cash Management is:
- The gathering of cash-related information from the company's banks and internal ERP systems.
- The planning of investment or borrowing strategies to manage the firm's liquidity.
- The execution of those plans with the firm's banks.
Cash Management happens on a daily, weekly, and monthly basis. Treasury management is typically supported by file transfers of data, Internet views of single-bank data, or proprietary hub-and-spoke architectures.

Corporate Cash Management via Web Services
Description: Create and execute a cash management strategy through a lead bank by dynamically aggregating and analyzing account positions in multiple institutions, corporate cash receivables history (DSO), disbursement plans, and working capital requirements.
Functional Area: Treasury Management
Actors: Corporate Treasury, Banks, Private UDDI Repository
Pre-Conditions: Account positions in multiple institutions accessible via web services; receivable and payable schedules accessible via web services.
Scenario:
1. Treasury Workstation discovers service points.
2. Treasury Workstation composes cash positions held in multiple banks.
3. ERP systems report receivables aging history, DSO, and daily disbursement plans across multiple business units/operating companies.
4. Target working capital positions are determined. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed.
5. Treasurer executes a set of funds transfer and investment transactions through a lead bank.
Benefits of Scenario: Improved use of available cash balances and return on available funds. Less costly than the manual process. Creation of a new inter-bank network.

Corporate Cash Management Actors
- The Treasury Workstation and ERP platform are packaged software systems used by the corporation.
- The ERP system and Treasury Workstation are inside the main corporate firewall. Each bank's systems are behind that bank's own firewall.
- All transactions are over the public Internet except the ERP/Treasury Workstation interaction.
- There are existing contractual relationships between all the parties exchanging data.
- The UDDI repository is run by a major bank or a third party as part of this inter-bank network.

Corporate Cash Management Step 1: Discover service points
The Treasury Workstation begins the cash management process by discovering, or verifying the signatures of, the relevant partner web services. A private bank network will use a private UDDI repository; private in the sense that it is membership-based in some form, not that it sits on a VPN.
Requirements & Issues
- Publishing repository entries, and the publishing process itself, must be secure and auditable.
- Version control and time-stamping of the registry must be verifiable.
- Repository entries must be authentic: the identity and integrity of entries must be verifiable in some standard way.
- The registry must be secure from performance-based attacks (DoS).
- Access to signature files must be auditable by the publisher.
- The repository must be operated in a highly secure way.
- Every Treasury Workstation in the network must be authenticated and authorized.
- Retrieval of the WSDL file must be secure.

Corporate Cash Management Step 2: Compose Cash Positions from Multiple Banks
The Treasury Workstation gathers position data from banks through web service touch points. The SOAP payload probably uses a banking standard like IFX.
Requirements & Issues
- Service points must be authenticated and verified.
- Bank service points must be reliable and secure from DoS attacks.
- Some protocols, like IFX, have their own logon segments. Are redundant credentials (an IFX logon inside a payload that is already authenticated at the web service level) an issue?
- SOAP messaging must have integrity, reliability, and confidentiality.
- The message payloads must have integrity and confidentiality.
- The key management process must be secure.
- Banks must provide data only to individuals entitled to that data (role-based authorization).

Corporate Cash Management Step 3: Retrieve Data from ERP Systems
ERP systems report receivables aging history, Days Sales Outstanding (DSO), and daily disbursement plans across multiple business units/operating companies.
Requirements & Issues
- The application-level SOAP interface supports role-based permissions.
- Data on the internal network must be secure.
- ERP platforms may be globally dispersed, so all traffic must be highly secure.

Corporate Cash Management Step 4: Construct Daily Investment Strategy
Target working capital positions are determined through local software. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed.
Requirements & Issues
- Not a web service interaction, but the traditional authentication and authorization requirements hold.

Corporate Cash Management Step 5: Execute Plan Through Lead Bank
The Treasurer executes a set of funds transfers and investment allocations through a lead bank. The lead bank transfers the instructions to the other banks via SOAP messaging.
Requirements & Issues
- The instruction document must carry credentials for the other banks' systems.
- The document may contain data that can be viewed only by the end bank, not by the intermediary.
- Any shared web services conversation description (BPML, XLANG, etc.) must be tamper-evident and verifiable.
- Banks and treasurers need verifiable proof that transactions were received, confirmed, and executed (non-repudiation).


Issues & Challenges
Security standards must be proven applicable to financial services risk profiles, and interoperable, for adoption to take place
- Corporate customers are confused and concerned about security standards in web services
- Multiple and potentially competing standards must be reconciled within the specific financial application context
UDDI repositories must support integrity, authentication, privacy, and version control services when operated both within and outside enterprise firewalls
- The governance model for the operation of financial UDDI directories will influence the UDDI security model
Financial institutions will connect core applications and systems across the Internet and share data with their customers once they can trust the connections
Web services security must demonstrably leverage existing digital signature, encryption, and key management infrastructures and new strong authentication solutions
- CIOs will not spend significant amounts on new security systems without visible ROI
- New, strong authentication mechanisms like smart cards and biometric technologies are being considered and deployed, so solutions must integrate with them

Requirement: Non-SSL solutions must be 'buildable' and understandable.
Requirements matrix: assets (rows) against Identity, Authenticity, Confidentiality, Integrity, Audit, Non-Repudiation (N/R), and Version Control (columns). Mechanisms noted per asset, in column order as far as the slide gives them:
- Users: business rules of the IP (identity producer); business rules of the IC (identity consumer); SSL, not universally encrypted on the database; business rules of the IP; business rules
- Accounts: business rules of the AP (account provider); business rules of the AU (account consumer); SSL, not universally encrypted on the database; business rules
- Services: UDDI naming; WSDL signatures; https; WSDL signatures; business rules; WSDL signatures and business rules; WSDL
- Messages: SOAP; SOAP enhancements for single messages; SOAP enhancements; business rules; SOAP enhancements
- Payload: XML DSig; XML Encryption; XML DSig; business rules; N/A; XML DSig
- Keying material: XKMS; business rules
- Assertion: SAML, X.509; XML Encryption; SAML


Contacts at Niteo Partners, Inc.
Mr. Kevin Cronin, Chief Technical Architect; Co-Chair, Financial Services Technology Consortium Web Services Advisory Group
Mr. Michael Versace, Partner, Financial Services; Chairman, ISO TC68 SC2, Security and Banking