
Security Requirements for Financial Web Services
Prepared by Niteo Partners: An NEC Company
XML Web Services One Conference, Forum on Security Standards


Slide 1: Security Requirements for Financial Web Services
XML Web Services One Conference, Forum on Security Standards
Prepared by Niteo Partners: An NEC Company
August 26, 2002

Slide 2: Topics for Discussion
(Footer on every slide: Proprietary to Niteo Partners, 8/26/02)
- FS Industry Drivers
- An Example: Corporate Cash Management
- Issues & Challenges
- Q & A

Slide 3: FS Industry Drivers
Increasing use of outsourced functions
- Corporations are looking to eliminate unnecessary costs and are turning to the ASP model in greater numbers
- General trend toward using XML over public networks rather than private networks
Service and component architectures are becoming more widespread
- Business service architectures offer stronger ROI through reduction of duplicated functions
- CIOs are looking to leverage existing significant IT investments, not create new ones
- Looking to serve millions of customers through multiple channels with common services
Straight-Through-Processing (STP) is becoming the mantra
- The securities industry has targets for implementation
- Banking is moving toward STP even though key processes are held up by the paper check system
Corporations are becoming more aware of service continuity and related risks
- 9/11 raised awareness of business continuity at the board level
- Distributed functions generate different risk profiles for the corporations

Slide 4: Topics for Discussion
- FS Industry Drivers
- An Example: Corporate Cash Management
  - What is Corporate Cash Management?
  - Cash Management Use Case
- Issues & Challenges
- Q & A

Slide 5: What is Corporate Cash Management?
Corporate Cash Management is an important function of the corporate treasury office. Cash Management is:
- The gathering of cash-related information from the company's banks and internal ERP systems.
- The planning of investment or borrowing strategies to manage the firm's liquidity.
- The execution of those plans with the firm's banks.
Cash Management happens on a daily, weekly, and monthly basis. Treasury management is typically supported by file transfers of data, Internet views of single-bank data, or proprietary hub/spoke architectures.

Slide 6: Corporate Cash Management via Web Services
Description: Create and execute a cash management strategy through a lead bank by dynamically aggregating and analyzing account positions in multiple institutions, corporate cash receivables history (DSO) and disbursement plans, and working capital requirements.
Functional Area: Treasury Management
Actors: Corporate Treasury, Banks, Private UDDI Repository
Pre-Conditions: Account positions in multiple institutions accessible via web services; receivable and payable schedules accessible via web services.
Scenario:
1. Treasury Workstation discovers service points.
2. Treasury Workstation composes cash positions held in multiple banks.
3. ERP systems report receivables aging history, DSO, and daily disbursement plans across multiple business units/operating companies.
4. Target working capital positions are determined. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed.
5. Treasurer executes a set of funds transfer and investment transactions through a lead bank.
Benefit of Scenario:
- Improved use of available cash balances and return on available funds
- Less costly than the manual process
- Creation of a new inter-bank network

Slide 7: Corporate Cash Management Actors
- The Treasury Workstation and ERP Platform are packaged software systems used by the corporation.
- The ERP and Treasury Workstation are within the main corporate firewall.
- Each of the banks' systems is behind its own firewall.
- All transactions are over the public Internet except the ERP/Treasury Workstation interaction.
- There are existing contractual relationships between all the parties exchanging data.
- The UDDI repository is run by a major bank or third party as part of this inter-bank network.

Slide 8: Corporate Cash Management Step 1: Discover Service Points
The Treasury Workstation begins the cash management process by discovering or verifying the signatures of relevant partner web services. A private bank network will use a private UDDI repository: private in the sense that it is membership-based in some form, not a VPN.
Requirements & Issues
- Publishing repository entries and the publishing process must be secure and auditable.
- Version control and time stamping of the registry must be verifiable.
- The repository entries must be authentic: identity and integrity of entries must be verifiable in some standard way.
- The registry must be secure from performance-based attacks (DoS).
- Access to signature files must be auditable by the publisher.
- The repository must be operated in a highly secure way.
- Every Treasury Workstation in the network must be authenticated and authorized.
- Retrieval of the WSDL file must be secure.
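As an added illustration (not part of the Niteo deck), the following stdlib-only Python sketches the consumer-side checks Step 1 calls for: entry authenticity, monotonic version control, time stamp freshness, and integrity of the WSDL actually retrieved. An HMAC under a pre-shared publisher key stands in for the XML Dsig signature and XKMS key retrieval the slides imply; the key, service name, WSDL bytes and timestamps are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed pre-shared publisher key; a stand-in for the publisher's XML Dsig key pair.
PUBLISHER_KEY = b"constructed-demo-key-not-for-production"

def canonical(body):
    """Deterministic serialization of the signed part of a registry entry."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def publish_entry(service, wsdl_bytes, version, issued_at):
    """Publisher side: bind service name, version, time stamp and WSDL digest, then sign."""
    body = {
        "service": service,
        "version": version,
        "issued_at": issued_at,  # seconds since epoch (constructed values in the demo)
        "wsdl_sha256": hashlib.sha256(wsdl_bytes).hexdigest(),
    }
    sig = hmac.new(PUBLISHER_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_entry(entry, wsdl_bytes, last_seen_version, now, max_age_s=86400):
    """Consumer side (Treasury Workstation). Returns (ok, reason).

    Checks run in order: signature first, so nothing below is trusted until the
    entry is known to come from the publisher unmodified.
    """
    body = entry["body"]
    expected = hmac.new(PUBLISHER_KEY, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, entry["sig"]):
        return False, "bad signature"             # forged or tampered entry
    if body["version"] <= last_seen_version:
        return False, "stale version"             # replay or rollback to an older entry
    if not (body["issued_at"] <= now <= body["issued_at"] + max_age_s):
        return False, "timestamp out of window"   # expired, or issued in the future
    if hashlib.sha256(wsdl_bytes).hexdigest() != body["wsdl_sha256"]:
        return False, "WSDL does not match entry"  # WSDL substituted during retrieval
    return True, "ok"

def demo():
    """Constructed walk-through: a genuine entry, then the failure modes."""
    wsdl = b"<definitions name='BankPositions'/>"  # constructed, not a real bank WSDL
    entry = publish_entry("urn:example:bank:positions", wsdl, version=3, issued_at=1000)
    return [
        verify_entry(entry, wsdl, last_seen_version=2, now=1100)[1],        # ok
        verify_entry(entry, wsdl, last_seen_version=3, now=1100)[1],        # stale version
        verify_entry(entry, wsdl + b" ", last_seen_version=2, now=1100)[1],  # WSDL mismatch
    ]

if __name__ == "__main__":
    print(demo())
```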

Slide 9: Corporate Cash Management Step 2: Compose Cash Positions from Multiple Banks
The Treasury Workstation gathers position data from banks through web service touch points. The SOAP payload probably uses a banking standard like IFX.
Requirements & Issues
- Service points must be authenticated and verified.
- The bank service point must be reliable and secure from DoS attacks.
- Some protocols like IFX have their own logon segments. Are redundant credentials an issue?
- SOAP messaging must have integrity, reliability, and confidentiality.
- The message payloads must have integrity and confidentiality.
- The key management process must be secure.
- Banks must provide data only to individuals entitled to that data (role-based authorization).

Slide 10: Corporate Cash Management Step 3: Retrieve Data from ERP Systems
ERP systems report receivables aging history, Days Sales Outstanding, and daily disbursement plans across multiple business units/operating companies.
Requirements & Issues
- The application-level SOAP interface supports role-based permissions.
- Data on the internal network must be secure.
- ERP platforms may be globally dispersed, so all traffic must be highly secure.

Slide 11: Corporate Cash Management Step 4: Construct Daily Investment Strategy
Target working capital positions are determined through local software. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed.
Requirements & Issues
- Not a web service interaction, but traditional authorization and authentication requirements hold.

Slide 12: Corporate Cash Management Step 5: Execute Plan Through Lead Bank
The Treasurer executes a set of funds transfers and investment allocations through a lead bank. The lead bank transfers the instructions to other banks via SOAP messaging.
Requirements & Issues
- The instruction document must carry credentials for the other banks' systems.
- The document may contain data that can only be viewed by the end bank, not the intermediary.
- Any shared web services conversation description (BPML, XLANG, etc.) must be tamper-proof and verifiable.
- Banks and treasurers need verifiable proof that transactions were received, confirmed, and executed.

Slide 13: Topics for Discussion
- FS Industry Drivers
- An Example: Corporate Cash Management
- Issues & Challenges
- Q & A

Slide 14: Issues & Challenges
Security standards must be proven applicable to financial services risk profiles, and interoperable, for adoption to take place
- Corporate customers are confused and concerned about security standards in web services
- Multiple and potentially competing standards must be reconciled within a specific financial application context
UDDI repositories must support integrity, authentication, privacy and version control services when operated both within and outside enterprise firewalls
- The governance model for the operation of financial UDDI directories will influence the UDDI security model
Financial institutions will connect core applications and systems across the Internet and share data with their customers once they can trust the connections.
Web services security must demonstrably leverage existing digital signature, encryption, and key management infrastructures and new strong authentication solutions
- CIOs will not spend significant amounts on new security systems without visible ROI
- New, strong authentication mechanisms like smart cards and biometric technologies are being considered and deployed, so solutions must integrate with them

Slide 15: Requirement: Non-SSL solutions must be 'buildable' and understandable.
Table: security properties (columns: Identity, Authenticity, Confidentiality, Integrity, Audit, N/R (non-repudiation), Version Control) against assets (rows). Cells are listed per asset in the slide's column order; blank cells were not preserved.
- Users: Business rules of IP (identity producer); Business rules of the IC (identity consumer); SSL, not universally encrypted on database; Business rules of IP; Business rules
- Accounts: Business rules of AP (account provider); Business rules of the AU (account consumer); SSL, not universally encrypted on database; Business rules
- Services: UDDI naming, WSDL signatures; https; WSDL signatures; Business rules; WSDL signatures, business rules; WSDL
- Messages: SOAP; SOAP enhancements for single messages; SOAP enhancements; Business rules; SOAP enhancements
- Payload: XML Dsig; XML Encryption; XML Dsig; Business rules; N/A; XML Dsig
- Keying material: XKMS; Business rules
- Assertion: SAML, X.509; XML Encryption; SAML

Slide 16: Topics for Discussion
- FS Industry Drivers
- An Example: Corporate Cash Management
- Issues & Challenges
- Q & A

Slide 17: Contacts at Niteo Partners, Inc
Mr. Kevin Cronin, Chief Technical Architect; Co-Chair, Financial Services Technology Consortium Web Services Advisory Group
k.cronin@niteo.com, 617.895.3042
Mr. Michael Versace, Partner, Financial Services; Chairman, ISO TC68 SC2, Security and Banking
m.versace@niteo.com, 617.895.3042
