Public-Key Infrastructures - PowerPoint PPT Presentation

About This Presentation

Title: Public-Key Infrastructures

Description: Public-Key Infrastructures, Mary Horrigan (PowerPoint PPT presentation)

Slides: 45
Provided by: Maggi77

Transcript and Presenter's Notes

Title: Public-Key Infrastructures


1
Public-Key Infrastructures
  • Mary Horrigan

2
Scotiabank: a quick outline (a.k.a. Bank
of Nova Scotia or BNS)
  • Established in 1832 in Halifax, Nova Scotia now
    based in Toronto
  • Profitable, with sound Balance Sheet
  • Operations in over 50 countries
  • Largest Bank in the Caribbean, extensive Latin
    America Network
  • Large syndication lender in the US (top 10)
  • Recently acquired National Trust and Mocatta
    Bullion (326 years old)
  • Scotiabank is Strength, Integrity, Service

3
Scotiabank in Asia
  • Japan (2 branches)
  • China
  • Hong Kong
  • Singapore
  • Bangladesh
  • India
  • Indonesia
  • Malaysia
  • The Philippines
  • Republic of Korea
  • Sri Lanka
  • Taiwan
  • Vietnam

4
Service and Technology at SCOTIABANK
  • Alternate Delivery Channels
  • ABMs and Point-of-Sale
  • Wireless Devices
  • TeleScotia - Telephone Banking
  • Internet - ScotiaOnline
  • Customer Service/Call Centers
  • Smart Cards - VISA Cash and Mondex

5
The Highlights
  • Scotiabank is pioneering the use of
    PKIs/digital certificates/CAs to secure
    Internet-based business
  • This technology is viewed as essential for safe
    and efficient e-business/commerce
  • Partnered with Entrust Technologies, HP, IBM, ICL etc.
  • Implemented two PKIs in 1997, plus a test PKI
  • Scotia OnLine security: from idea to reality in 7
    months
  • Customer acceptance exceeding our expectations
  • Real-World experience of operations.

6

Topics
  • Management of Risk
  • Demonstration of Scotia OnLine
  • Requirements and Potential Threats
  • Scotiabank's PKIs
  • Scotiabank's Decisions and Acquisition
  • Critical Success Factors
  • The Trust Model
  • Real World Operational Experience

7
Electronic Internet-based Commerce: Scotiabank's
Management of Risk
  • What Scotiabank didn't want to do:
  • Offer disparate, stand-alone on-line services
  • Offer dial-up services
  • Force customers into a Branch to enroll
  • Send/mail digital Certificates to customers
  • Require our customers to decide the risk they
    wanted to take through the Browser they chose to
    use
  • Validate passwords at the centralized
    servers/mainframes
  • Rely on Certificates issued by a third party

8
Electronic Internet-based Commerce: Scotiabank's
Management of Risk
  • What Scotiabank wanted to do:
  • Offer an internet-based service, with
    state-of-the-art security to open standards
  • Provide a best-of-breed information security
    solution that will be the platform for the future
  • Partner with a reputable leader whose core
    competency is information security
  • Automatic enrollment and Certificate issuance
  • Have minimal intrusion on the customer's PC
  • Have an exportable solution

9
Electronic Internet-based Commerce: Scotiabank's
Management of Risk
  • What Scotiabank wanted to do:
  • Offer services that look and feel alike
  • Provide Single sign-on and ease of navigation
  • Use customer controlled Passwords or pass-Phrases
  • Issue Scotiabank Certificates, that can be
    trusted
  • Use multiple and unique anonymous Certificates
  • Reduce risks of
  • web-site spoofing
  • identity theft
  • session hijacking, and
  • insider attacks

10
Electronic Internet-based Commerce: Scotiabank's
Management of Risk
  • What Scotiabank wanted to do:

- maintain our brand identity
- build on our position of trust
- differentiate ourselves in the market place
PUT AN ARMOURED CAR ON THE INTERNET
11
WHAT ARE THE BUSINESS REQUIREMENTS?
  • privacy/confidentiality
  • integrity
  • authentication
  • non-repudiation
  • access control
  • availability/continuity

12
Existing Customer Initialization
  • Contact the bank through 1-800-4-Scotia
  • Authentication by customer service rep.
  • Acquire a shared secret/temporary password from
    an IVR process
  • Go online to the Internet
  • Download and install the Bank's software
  • Establish personal password/pass-phrase
    (certificates are created and exchanged
    automatically and transparently)
  • Access the service

13
POTENTIAL THREATS
  • Loss of confidentiality of information or
    privacy of customer information
  • Unauthorized changes, duplication or deletion
    of information/transactions
  • Malicious acts
  • Human error
  • Masquerading/spoofing
  • Denial of service
14
POTENTIAL THREATS: Which have changed since 1832?
  • Loss of confidentiality of information or privacy
    of customer information
  • unauthorized changes, duplication or deletions of
    information/transactions
  • malicious acts
  • human error
  • masquerading/spoofing
  • denial of service

disintermediation
15
So what, to Scotiabank, is a Public Key
Infrastructure?
Certification Authority that provides
  • Certificate Repository/Directory
  • Multiple Certificate types for different risks
  • Certificate Revocation Lists (CRLs)
  • Automatic Key aging and update
  • Key Back-up and Recovery
  • Key Histories

16
So what, to Scotiabank, is a... Public Key
Infrastructure?
Certification Authority that supports
  • Automated enrollment
  • Cross-certification with other trusted CAs
  • Non-Repudiation

A system that includes client-side software,
including the generation of keys
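The CA functions listed on slides 15 and 16 (issuing a certificate to a key the client generated itself, key aging through a bounded validity period, certificate revocation lists) and the slide 7 decision to trust only the bank's own certificates rather than a third party's, shown as working code. This is an added example written for this transcript, not Scotiabank's or Entrust's code; it uses only the Go standard library. The CA name, the customer name, the one-hour certificate lifetime, the 24-hour CRL interval and the choice of ECDSA P-256 are assumptions made for the example; key backup/recovery and key histories from slide 15 are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy certification authority: root key, root certificate and the serials it has revoked.
type CA struct {
	key     *ecdsa.PrivateKey
	Cert    *x509.Certificate
	revoked []pkix.RevokedCertificate
	serial  int64
}

// sign turns a template into a parsed certificate signed with priv, the key behind parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds a self-signed ECDSA P-256 root that may sign certificates and CRLs (assumed one-level hierarchy).
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{key: key, Cert: cert, serial: 1}, nil
}

// NewClientKey runs on the customer's PC: the private key is generated locally and never sent to the bank.
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Enroll is automatic issuance: the CA certifies the client's public key for client authentication,
// valid only for life, the "key aging" period after which the client must update its key.
func (ca *CA) Enroll(user string, pub *ecdsa.PublicKey, life time.Duration) (*x509.Certificate, error) {
	ca.serial++
	return sign(&x509.Certificate{SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(life), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca.Cert, pub, ca.key)
}

// Revoke records a serial; relying parties only learn of it from the next published CRL.
func (ca *CA) Revoke(c *x509.Certificate) { ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()}) }

// PublishCRL signs a CRL listing every revoked serial so far; the clock stands in for the increasing CRL number.
func (ca *CA) PublishCRL() (*x509.RevocationList, error) {
	now := time.Now()
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(now.UnixNano()),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: ca.revoked}, ca.Cert, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Validate is the relying party's check: CRL signed by our own root, chain valid at time now (so aged-out certs fail), serial not listed.
func Validate(root, cert *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("untrusted CRL: %w", err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %d revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	ca, _ := NewCA("Demo Root CA")
	k, _ := NewClientKey() // client-side key generation
	cert, _ := ca.Enroll("customer-1", &k.PublicKey, time.Hour)
	crl, _ := ca.PublishCRL()
	fmt.Println("fresh:", Validate(ca.Cert, cert, crl, time.Now()), "| aged out:", Validate(ca.Cert, cert, crl, time.Now().Add(2*time.Hour)))
	ca.Revoke(cert)
	crl, _ = ca.PublishCRL()
	fmt.Println("revoked:", Validate(ca.Cert, cert, crl, time.Now()))
}
```

Run with `go run`: the fresh certificate validates (nil error), the same certificate checked two hours later fails on expiry, and after revocation and a fresh CRL it fails on the list. Two points the slides leave implicit are visible here: a revocation is invisible to relying parties until a new CRL is published, so the CRL interval bounds the exposure window, and a CRL is only as trustworthy as the signature on it, which is why the check verifies the CRL against the bank's own root before reading its contents.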
17
Public Key Infrastructure (PKI)
  • Approval by Bank Executive in March 1997
  • Two production infrastructures
  • External - Customers
  • Internal - Employees and other FIs
  • Based on proven platform (hardware/software)
  • Implemented within three months!

18
Public Key infrastructure (PKI)
  • Approval by Bank Executive in March 1997
  • Licenses for Entrust products
  • Scotiabank group worldwide
  • Initial Priorities
  • Internet Banking and Scotia Discount Brokerage
  • Employee External Access

19
Public Key Infrastructure (PKI)
  • Approved by Bank Executive September 1998
  • Acquisition of all Entrust client-side software
  • Desktop, Express, Unity, ICE etc.
  • Acquisition of SET software and licenses
  • Web and VPN connectors

20

Why Entrust?
  • Open system that has adopted standards
  • Endorsed by the Federal Government
  • FIPS 140-1 certified
  • Product suite, with more to come
  • Being adopted by major IT companies
  • Growing base of Entrust compatible products
  • 15 years experience within NORTEL
  • cryptography is a core competency

Canadian Content.
21
Difficulties?
  • Adequate, knowledgeable resources
  • Immature supporting technologies at the client
    e.g. operating systems, browsers, ISPs
  • General acceptance that this is a business
    decision not a technology decision
  • The rotating

22
Critical Success Factors
  • Executive commitment: not viewed as an ROI
    issue, rather a strategic investment

The best way to predict the future is to
create it!
23
Critical Success Factors
  • Executive commitment
  • Strong Champion
  • Partnering
  • Focus on business risk, policy matters not
    technical issues
  • Use of technology
  • Implemented within existing organization

24
Segregation of Function
25
Critical Success Factors
  • Executive commitment
  • Strong Champion
  • Partnering
  • Focus on business risk, policy matters not
    technical issues
  • Use of technology
  • Implemented within existing organization

Strong highly motivated team
We had some fun
Commitment to..
26
Scotiabank's Commitment to Policy, Standards and
Best Practices
Information Security Governance
27
Scotiabank's Commitment to Policy, Standards and
Best Practices
  • Information Security Steering Committee
  • Current Portfolio of Policy and Standards
  • Certificate and Certification Practice Statement

28
Information Security Policy - first principle
Enabling Technology
Secure information processing is an enabling
technology that enhances the development of new
products and services, and can support
continuous improvements in the delivery of
quality service.
As such, Scotiabank promotes sound security
practices in conducting its business and in
interacting with customers, achieving a balance
between customer service needs and the interests
of the bank and its shareholders.
29
So What is
"The Trust Model"?
It encompasses
  • Governance
  • Availability/Reliability
  • Accountability
  • Risk Management
  • User Registration/Authentication

30

Milestones
  • Approached Entrust December 17, 1996
  • Submitted Business Case January 29, 1997
  • Executive Approval March 13, 1997
  • Commenced construction before April
  • First Server delivered April 12, 1997
  • Entrust Direct client delivered May 12, 1997
  • Commissioned two PKIs May 31, 1997
  • Rebuild of client started June 17, 1997
  • First live Internet transactions July 25, 1997

31
Where are we now?
  • April 21, 1999 0705hrs EST

90,026
32
Only Authentic Certificates & Keys: External
Infrastructure (chart)
33
Only Authentic Certificates & Keys: Monthly
Service Availability (chart)
34
Important to
  • Overall annual availability 99.66%

35
Important to
  • Certificates revoked: over 19,000

36
Recent Accomplishments
  • Conversion to Entrust Manager REL. 4
  • over 220,00 licenses
  • largest in the World
  • Release of Direct 3.0 and Mac clients
  • Continued testing of Desktop suite, Unity, ICE
    etc.
  • Installation of UAT PKI (5)
  • Approval of SET pilot (6)
  • Finalizing plans for remote hot stand-by
  • Testing of Direct 4.0 client

37
Committed to
  • PKI as an enabling technology
  • Being leaders in
  • PKI
  • Governance
  • Cross-certification
  • e-commerce/e-business
  • Canada and International operations

38

Working together in the Real World ...developing
business solutions ...and succeeding!
39
What's on our mind?
  • Cost of Registration
  • Reliance on Browsers
  • Thinner clients and light certs
  • People: limited understanding
  • Cross-certification
  • Directories

40
What's on Our Mind?
  • Portability/Roaming
  • PDAs
  • Smart Cards
  • Hardware
  • Hot standby - remote
  • Compromise Contingency Planning
  • Conversion
  • Security Quality Assurance
  • Trust Model

41
What's on our mind?
Cross Certification
Authentication and Registration
Partnering
Research

Attribute Certificates
Entrust
42
You have heard many messages...
  • Industrial Strength enterprise-wide security
    based on a core competency
  • Encryption
  • Digital Signatures
  • User Authentication
  • Real-World
  • Automated

43
You have heard many messages...
  • Industrial Strength enterprise-wide security
    based on a core competency
  • A platform for secure e-commerce/e-business
  • Management of Risk
  • Establishment of Trust
  • Productivity/efficiency
