PUBLIC RELATIONS OVERVIEW - PowerPoint PPT Presentation

Author: Alyssa Ure
Last modified by: Lisa Pretty
Created Date: 1/25/2000 6:48:44 PM
Document presentation format: PowerPoint PPT presentation

Slides: 20
Provided by: Alys109
Learn more at: http://www.oasis-pki.org

Transcript and Presenter's Notes

1

Dec. 5th, 2000
2
Agenda
  • E-Sign legislation effective Oct. 1, 2000
  • Implications of the legislation and what the
    organization (Wells Fargo) needs to protect (and
    how) in order to mitigate risks and liabilities
  • System we have implemented (since 1997) to
    mitigate risks & deployment status
  • System we are undertaking today to further reduce
    risks & deployment status
  • Future Plans
  • Q & A

3
Wells Processing Environment and What Do We need
to Protect
Back-End Processing
Middle Ware
End-user
TCP/IP traffic vulnerabilities - next slide
4
TCP/IP vulnerabilities
  • Lack of Authentication
  • Lack of Confidentiality
  • Lack of Integrity Check
  • Subject to Replay Attack
  • Lack of Non-Repudiation

5
How does Wells Fargo mitigate risks
6
MsgSecure - In production since 1997
  • Vendor Software (based on MIT Kerberos V.5)
  • Custom Designed Software to Enhance the
    Capability (Key Distribution)
  • Add on Performance Accelerator (Hardware
    Encryption Engine on HDS and IBM Systems)
  • Support Infrastructure (H/A, 7/24, etc)
  • Bundle the Services as if you are a Security
    Vendor
  • Gain Support from the Organization (Policy)
  • Deployment Status (11.5 million trans/day, 3000
    servers, 200 human principals, cross-platform
    sign-on for UNIX/NT/MVS in pilot)

7
System we are undertaking today - Public Key
Infrastructure (PKI)
  • Organizational Commitment
  • Define Trust Model
  • Project Organization and Responsibilities
  • Physical Environment
  • Certificate Practice Statement/Policies
  • Root Key Creation
  • Deployment Strategy & Status
  • Future Opportunities within Wells Fargo

8
Organizational Commitment
  • A project truly requires the support of all
    levels within the organization
  • Business need vs technology
  • Industry analysis shows 20% of effort relies on
    technology and 80% on buy-in and support from
    others
  • Requires active participation from legal,
    enterprise architecture, HR, Audit, Network
    Engineering, Business Proponent, Security
    Administration, Security Consulting, Physical
    Security, Corporate Property and other support
    organizations.

9
Trust Model
Wells Fargo Root
Identrus Root
Wells Fargo Business CA
Enterprise CA
Other Purpose CA
Wells Fargo Identrus CA
10
Project Organization
CISO
11
Roles and Responsibilities
  • Project Proponent
  • Funding Source

CISO
PKI Review Board
  • See Next Slide
  • Project documentation
  • Meeting coordination
  • Meeting minutes
  • Reporting
  • Project budget and resources
  • Deliverables, timeline and quality
  • Communications and future growth

Project Manager
Project Coordinator
Technical Manager
QA Process Manager
Bus Application Liaison
Identrus Liaison
Legal, Audit & Security Consulting
CPS/CP/Procedures
  • Build QA environment
  • QA testing
  • Implementation of CPS, CP, etc.
  • Administration help services
  • Training
  • Application development
  • RA functions
  • Appl related procedures
  • Appl help services
  • Identrus Integration
  • Identrus CPS and CPs
  • Identrus procedures
  • Identrus support
  • Validate requirements
  • WF CPS and CP development
  • WF Root Operational procedures
  • Project participant
  • Functional expertise
  • CPS, CP reviews
  • Security Plan
  • Facility Build
  • Hardware components
  • Software components
  • Vendor selection
  • Testing & training

12
PKI Review Board
  • Objective
  • A 9-member board to provide oversight of
    Wells Fargo PKI practice.
  • Responsibilities
  • Review and approve Certificate Practice Statement
    and Policies
  • Review and approve on-going changes to CPS and
    CPs
  • Review and approve Registration Authority and
    level of Authentication
  • Board Members
  • CISO
  • PKI Manager
  • Network Engineering
  • 2 Business Unit Representatives
  • Corporate legal
  • Corporate HR
  • Internal Audit
  • CTO - Application Development

13
Physical Environment
  • Site Selection
  • Environment For Housing the Root Key and Master
    CA/RA
  • Level of Security Requirements including the
    utilization of Token and multiple Biometrics
    devices
  • Dual Access Control
  • Camera, Alarm, Automated logging devices

14
Certificate Practice Statement (CPS) and Policies
(CP)
  • A set of agreed upon rules to guide the usage of
    Digital Certificates
  • CPS covers the life-cycle of the certificates and
    the associated process/procedures
  • CP addresses the applicability, usability and the
    community boundary specific to that certificate
  • True cooperative effort in the development
    process, involving all stakeholders at an early stage
  • An item that could impact production schedule

15
Root Key Generation
  • Multi-day efforts
  • Plan step-by-step script
  • Internal, external and specialized personnel
  • Conduct multiple dry runs
  • Expert staff on-site
  • Record and log all tasks and deviations
  • Secure storage of key parts and all records

16
Deployment Strategy
  • Pilot with low volume, low risk application
  • Choose simple RA method
  • Gain quick successes and user confidence
  • Support infrastructure needs to be in place to
    handle the growth
  • Backup facility and fail-over are fully
    functional
  • Market the product - capabilities and benefits
  • Educate the users at large

17
Deployment Status
  • Secured physical environment completed in Oct.
    2000
  • Performed Root key Generation in Oct. 2000
  • Performed Business Sub-Master Generation Nov.,
    2000
  • Enabling first B-to-B application Dec., 2000
  • Perform Identrus Sub-Master Generation Feb., 2001
  • Enabling first Identrus application Feb., 2001
  • Perform Enterprise Sub-Master Generation Mar.,
    2001
  • Enabling enterprise application Mar., 2001

18
Future Opportunities
  • Enterprise CA supporting end user authentication
    and secured email
  • Integrate to support MsgSecure
  • Other e-business related initiatives
  • Support Wireless and Appliance related
    applications
  • Public Use of Digital-Certificates
  • Others

19
Questions??
  • Thanks for your time