Lappeenranta 29.11.2001
Presenter: Kari Oksanen, e-mail [email protected], tel. +358 9 165 25062
About the Bank
The largest financial services group in the Nordic region:
•Unibank in Denmark
•Merita in Finland
•Christiania Kreditkassen in Norway
•Nordbanken in Sweden
9 million private and 700 000 corporate customers
2.6 million Internet Bank customers
About 40 000 employees
World leader in internet banking
World's first WAP-based banking services launched in October 1999
More information: www.nordea.com
Nordea 1.12.2001
Adding new banking and e-services = adding value
Figure: number of services offered (few to many/all) plotted against customer satisfaction (low to high), 1982 to 2000. Milestones by year (1982, 1988, 1992, 1996, 1998, 1999, 2000), in order: balances and payments; shares; e-identification; investment funds and e-shopping; e-loans, e-billing and e-signature; foreign payments and e-student loan; e-salary. Now virtually all banking services and increasingly e-services.
Same password for all services!
Net-banking customers in Nordea
Figure: net-banking customers 1997 to 2001 by bank (Kristiania, Unibank, Merita, Nordbanken), scale 0 to 3 000 000.
50 % of the active customer base in Merita
01-10/2001: 18 million more visits than in the same period last year
Giro payment transactions, private customers
Figure: share of transactions by channel: payment ATMs, home banking, direct debiting, envelope payments, branch office (one slice labelled 4 %).
Daily Solo sessions in Merita, October 2001
Figure: the number of sessions per day, scale 0 to 180 000.
Information security
Figure: information security is made up of software security, hardware security, operations security and data security.
Threats and Risks
Figure: threats (Finnish: uhkat) sorted into three classes: no impact or fictional; impact, but protection in place; impact and vulnerabilities present. Only the last class, a threat with impact against which a vulnerability exists, is a risk.
Strategic Context: Nordea
IT security is today one of the foundation elements. Security technologies are relationship management tools:
•Relationships between identities and resources (privileges)
•Relationships between internal systems (integration/interoperability)
•Relationships between networks (business relationships)
Relationship management = identity and risk management
•We need a repository (or repositories) for identity and relationship management
•Risk management through authentication, integrity, and confidentiality
Identity management
•Infrastructure must establish an unambiguous identity
•Authentication is only the first step
IT security in a company with large scale e-business activities - some findings
•Businesses are going to the networks - the role of IT security is becoming more important.
•To implement seamless, business-supporting security solutions we also have to understand our customers' behaviour, the techniques they deploy and how these are changing.
•We have to understand business strategies to some extent, and we have to build security solutions in co-operation with the persons responsible for business issues.
•IT security is there to secure business information when it is processed, stored in data systems or transferred over telecommunications - it is not to build or buy toys for ourselves.
•The business controls are very near to IT security tools - without understanding business controls you can't build secure systems.
•We have to co-operate with many units in our organisation and with people from other organisations - IT security is networking.
•We have to understand what cost-effectiveness means.
•We are accountable for our decisions.
IT security is not a property of a product, and it is not only security products; it is a property of the environment!
Control and Security Architecture
•Control architecture describes technology-neutral controls and security principles:
 •Duty segregation
 •Need-to-know principle
•Security architecture helps to create a common and platform-neutral understanding of security capabilities:
 •It is a general picture for designing.
 •It describes all aspects of the environment that are related to security.
 •It is a guide to aid in the construction of security.
 •It helps us to effectively implement business requirements across various platforms: basic security functions, controls, auditing.
 •It does not say how to secure or what products to use.
•Security implementation guidelines describe the application of controls to each specific platform: more technical, detailed.
IT security, some principles
Figure: securing resources and access control. Four classes of user, each passing identification and authentication before authorisation:
•Technicians: securing resources and access control for technical users on the platforms themselves (NT, UNIX, RACF, Top Secret).
•Customers: authorisation to applications (never to system level); customers are authorised to access accounts of their own, only.
•Internal end-users: authorisation to applications (never to system level); internal end-users are authorised to access all accounts but not those of their own.
•Remote access (internal end-users only): identification and authentication, then authorisation to applications (never to system level); remote users are authorised to access the services needed outside the offices.
Authorisation targets shown in the figure: services, databases, applications.
Security services
Figure: security services between technical IDs and services: identification and authentication, authorisation, confidentiality (encryption), integrity (MAC, digital signatures).
IT security, some principles
•no compilers (in the production environment)
•files and databases are read or updated via properly accepted user-interface or batch programs, only
•it is mandatory to verify the user's access rights when moving from one application to another
•integrity control for all software
•audit trail in all business related transactions, including inquiries
Environments: Development -> Test -> Production. Programmers and application planners work in development; end users work in production.
•naming standard for easier administration and better control of security
•versioning / version control
•it is not allowed to transfer information out of the production environment
•source code for each piece of software transferred to the production environment has to be stored for at least two years
•tools for the duality principle (two persons) when transferring new or amended code from development to production; audit trail of transfers
•controls to force following the naming standard and the programming model
•source code protected against unauthorised modifications
•developers have full access only to those objects they are responsible for
•mechanisms to make it possible to reset to the previous version
•audit trail in all changes
Duty segregation
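The change-control rules above (naming standard, two-person transfer to production, audit trail of transfers, two-year retention of the source that went live, integrity control of production software, and a reset to the previous version) can be enforced by a small promotion gate. The following Python is an added example written for this page; it is not Nordea's tooling and not code from the presentation. The PRD name prefix, the program and approver identities, the sample source text and the two-year retention period are assumptions made for illustration.

```python
"""Added example (not Nordea's tooling): a minimal gate for transferring code
from development to production that enforces the change-control rules on the
slides: a naming standard, the duality principle (two distinct approvers,
neither the author), an audit trail of every transfer, retention of the exact
source for two years, an integrity check of what runs in production, and a
way to reset to the previous version.  Program names, the PRD prefix, the
approver identities and the retention period are assumptions."""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

RETENTION = timedelta(days=2 * 365)   # slides: source kept for at least two years


class PromotionError(Exception):
    """Raised when a transfer to production violates a control."""


@dataclass(frozen=True)
class Release:
    program: str
    version: str
    author: str
    source: bytes

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.source).hexdigest()


@dataclass
class ProductionGate:
    naming_prefix: str = "PRD"   # assumed naming standard for production programs
    approvals: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    production: Dict[str, List[Release]] = field(default_factory=dict)   # program -> history
    archive: Dict[str, dict] = field(default_factory=dict)               # digest -> retention record
    audit: List[dict] = field(default_factory=list)

    def _log(self, event: str, rel: Release, who: str, today: date) -> None:
        self.audit.append({"date": today.isoformat(), "event": event, "program": rel.program,
                           "version": rel.version, "digest": rel.digest, "by": who})

    def approve(self, rel: Release, approver: str, today: date) -> None:
        # Duty segregation: the author of a change cannot be one of its approvers.
        if approver == rel.author:
            raise PromotionError("author may not approve own transfer")
        self.approvals.setdefault((rel.program, rel.version), set()).add(approver)
        self._log("approve", rel, approver, today)

    def promote(self, rel: Release, operator: str, today: date) -> str:
        if not rel.program.startswith(self.naming_prefix):
            raise PromotionError(f"{rel.program!r} violates the naming standard")
        approvers = self.approvals.get((rel.program, rel.version), set())
        if len(approvers) < 2:
            raise PromotionError("duality principle: two distinct approvers required")
        # Keep the exact source that went live, with its retention date.
        self.archive[rel.digest] = {"program": rel.program, "version": rel.version,
                                    "retain_until": today + RETENTION}
        self.production.setdefault(rel.program, []).append(rel)
        self._log("promote", rel, operator, today)
        return rel.digest

    def current(self, program: str) -> Optional[Release]:
        history = self.production.get(program, [])
        return history[-1] if history else None

    def verify_integrity(self, program: str, deployed: bytes) -> bool:
        """Integrity control: does the code in production match the approved release?"""
        rel = self.current(program)
        return rel is not None and hashlib.sha256(deployed).hexdigest() == rel.digest

    def rollback(self, program: str, operator: str, today: date) -> Release:
        history = self.production.get(program, [])
        if len(history) < 2:
            raise PromotionError("no previous version to reset to")
        withdrawn = history.pop()
        self._log("rollback", withdrawn, operator, today)
        return history[-1]


if __name__ == "__main__":
    # Constructed walk-through: identities and source text are made up.
    gate = ProductionGate()
    r1 = Release("PRDPAY01", "1.0", "dev-a", b"MOVE A,B\n")
    gate.approve(r1, "lead-b", date(2001, 11, 29))
    gate.approve(r1, "ops-c", date(2001, 11, 29))
    print(gate.promote(r1, "ops-c", date(2001, 11, 29)))
    print(gate.verify_integrity("PRDPAY01", b"MOVE A,B\n"))
    for entry in gate.audit:
        print(entry)
```

The gate refuses an author's self-approval and a single approval outright, so the duality principle cannot be bypassed by an operator who is also the developer; the archive keyed by source digest is what lets an auditor two years later prove which exact code was running, and verify_integrity is the runtime side of the same digest.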
Access control and Authorisation
Figure: today each application or service carries its own identification and authentication and its own authorisation.
Security architecture: the basic idea is to avoid application-specific access control systems for as long as possible, in order to achieve a robust control level, end-user satisfaction and cost efficiency in administration.
Access control and Authorization
Figure: the target: every application checks against one shared store of authorization data, and the user has one login.
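The access rules stated on the preceding slides (customers reach only their own accounts, internal end-users every account but their own, authorisation is granted to applications and never to system level, rights are re-verified when a user moves between applications, an audit trail covers inquiries as well as updates, and one shared authorisation store sits behind one login) can be written as a single central service. The following Python is an added example for this page, not code from the presentation or from Nordea; the user identifiers, account numbers, application names and the AuthzService API are assumptions made for illustration.

```python
"""Added example (not Nordea's own code): one central authorisation service
that encodes the access rules stated on the slides and records every
decision, including read-only inquiries, in an audit trail.  User identifiers,
account numbers, application names and the AuthzService API are assumptions
made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, FrozenSet, List


class Kind(Enum):
    CUSTOMER = "customer"   # external customer using the net bank
    INTERNAL = "internal"   # bank employee


@dataclass(frozen=True)
class User:
    user_id: str
    kind: Kind
    own_accounts: FrozenSet[str]                        # accounts the person holds privately
    applications: FrozenSet[str]                        # applications authorised in the office
    remote_applications: FrozenSet[str] = frozenset()   # the subset needed outside the office
    remote: bool = False                                # session comes from outside the office


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuthzService:
    """One authorisation repository shared by every application: no per-application ACLs."""
    audit_trail: List[Dict] = field(default_factory=list)

    def _application_rights(self, user: User, application: str, level: str) -> Decision:
        if level != "application":
            # Authorisation is granted to applications, never to system level.
            return Decision(False, "system-level access is never granted")
        usable = user.remote_applications if user.remote else user.applications
        if application not in usable:
            where = "outside the office" if user.remote else "in the office"
            return Decision(False, f"{application!r} not authorised for this user {where}")
        return Decision(True, f"{application!r} authorised")

    def _audit(self, user: User, application: str, resource: str, action: str, d: Decision) -> None:
        # Every decision is logged, allowed or not, inquiry or update.
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user.user_id, "application": application, "resource": resource,
            "action": action, "allowed": d.allowed, "reason": d.reason,
        })

    def check_application(self, user: User, application: str, level: str = "application") -> Decision:
        """Called again every time a user moves from one application to another."""
        d = self._application_rights(user, application, level)
        self._audit(user, application, application, "enter", d)
        return d

    def check_account(self, user: User, application: str, account: str, action: str) -> Decision:
        """Customers reach only their own accounts; staff reach every account but their own."""
        d = self._application_rights(user, application, "application")
        if d.allowed:
            is_own = account in user.own_accounts
            if user.kind is Kind.CUSTOMER:
                d = (Decision(True, "customer's own account") if is_own
                     else Decision(False, "customers may access their own accounts only"))
            else:
                d = (Decision(False, "staff may not access their own accounts") if is_own
                     else Decision(True, "staff access to a customer account"))
        self._audit(user, application, account, action, d)
        return d


# Constructed sample users; identifiers and account numbers are made up.
CUSTOMER = User("cust-1", Kind.CUSTOMER, frozenset({"FI11"}), frozenset({"solo"}))
TELLER = User("teller-7", Kind.INTERNAL, frozenset({"FI33"}),
              frozenset({"teller", "solo"}), frozenset({"mail"}))
TELLER_AT_HOME = User("teller-7", Kind.INTERNAL, frozenset({"FI33"}),
                      frozenset({"teller", "solo"}), frozenset({"mail"}), remote=True)


def run_demo() -> AuthzService:
    """Exercise each rule once and return the service with its audit trail filled."""
    svc = AuthzService()
    svc.check_account(CUSTOMER, "solo", "FI11", "inquiry")           # allowed: own account
    svc.check_account(CUSTOMER, "solo", "FI22", "inquiry")           # denied: someone else's
    svc.check_account(TELLER, "teller", "FI22", "payment")           # allowed: customer account
    svc.check_account(TELLER, "teller", "FI33", "inquiry")           # denied: teller's own account
    svc.check_application(TELLER, "teller", level="system")          # denied: never system level
    svc.check_account(TELLER_AT_HOME, "teller", "FI22", "inquiry")   # denied: not a remote service
    svc.check_application(TELLER_AT_HOME, "mail")                    # allowed: needed outside office
    return svc


if __name__ == "__main__":
    for entry in run_demo().audit_trail:
        print(entry)
```

The rule that staff may not touch their own accounts is the slide's duty segregation applied to data rather than to code, and it only works because the service knows which accounts the employee holds privately; an application-specific ACL would have no way to express it. Denied requests are logged with the same detail as allowed ones, which is what makes the audit trail usable for detecting probing by an internal user.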
End-users and administrators
The end-user: where to find the services available? MENU systems! Single sign-on!
The administrator: impossible to create reports for auditors and unit managers; very difficult to understand and manage!
Which systems am I authorised to use in Nordea?
Figure: platforms carrying their own access control, per country: software packages, Web, client/server, 3270, NT and OS/2 (Sweden, Denmark); software packages, Web, client/server, 3270 and NT (Norway, Finland).
Security - covering the whole chain
•Customers: behaviour; technical environment; control needs
•Customers: identification; authentication
•Networks: confidentiality; integrity
•e-services: access control; authorisation
•e-services: architecture; base controls; configurations
•Security arrangements towards other partners: banks, ...
Profitability and security
For the attacker:
  GROSS PROFIT − (probability of getting arrested × repayment) = NET PROFIT
For the bank:
  GROSS LOSS (material, other) × probability = EXPOSURE
  A SECURITY SOLUTION has an IMPLEMENTATION COST and a PROTECTION COST and yields a REDUCTION OF EXPOSURE.
Comparison A (deliberate ATTACK): arrest effectiveness, impediment effectiveness, attractiveness.
Comparison B (RANDOM INCIDENT): protection effectiveness, cost effectiveness, loss coefficient.
Threats and Risks in e-business Systems
•Networks: eavesdropping?
•Malicious software: Trojan horses, viruses, etc.
•Poor quality, insufficient testing, non-scalable systems, availability problems, poorly configured routers or firewalls, poor programming models (Norway)
•Poor session handling, new techniques, missing audit trails or logs, unauthorised access to system level, internal breaches, etc.
•Unauthorised attempts, denial of service attacks
IT security in large scale e-banking systems
•Identification and authentication; integrity (MAC, hashing, ...); confidentiality (encryption)
•Control and security architecture; technical architecture: scalability, availability, continuity; application architecture: clarity, independent components
•Networks
•Security in customers' environments: instructions, anti-virus software. Service providers can't help in this area!
•Strict programming models; configurations (routers, firewalls); testing arrangements; how to inform customers in problem situations; contingency planning
End-to-end security!
Instead of all these...
Figure: debit/credit cards, access codes to the net bank and loyalty cards, shown as a stack of cards issued to a sample customer (Teemu Testihenkilö, Nihitsillantie 3 D, 00020 MERITA, FINLAND).
...THIS!
EMPS: what is it all about?
All cards in one chip inside your WAP phone: SIM + EMV. Debit/credit card, bank log-on, club membership, application downloading etc.
EMPS: many ways to use it
2. Withdrawing cash from an ATM:
  -Merita ATM- Enter your PIN [****]
  -Merita ATM- Withdraw: 100,- 300,- other...
  -Merita ATM- 100,- withdrawn. Balance 12.562,-
5. Logging on to the internet bank, with WAP, or with WAP and PC using Bluetooth:
  -Solo-bank- Please enter your PIN [****]
The customer
Figure: the customer at home, at work and travelling, over various networks and platforms (XP, W2000, NT 4, ME, W98, W95, W3.x, Linux, Mac).
Security needed: confidentiality; identification and authentication; integrity
Some problems: incompatible standards; generally available techniques?; the availability of smart card readers and drivers?
Where are we?
Figure: e-business, eBanking and doing business with authorities, built on SET, WTLS, PKCS#15, SEIS, CAPI, CDSA, SSL, VPN, EMV, CAs, FINEID and new devices.