1 / 17

Security Requirements for Financial Web Services XML Web Services One Conference

Security Requirements for Financial Web Services XML Web Services One Conference Forum on Security Standards August 26, 2002. Topics for Discussion. FS Industry Drivers An Example: Corporate Cash Management Issues & Challenges Q & A. FS Industry Drivers.

delora
Download Presentation

Security Requirements for Financial Web Services XML Web Services One Conference

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Requirements for Financial Web Services XML Web Services One Conference Forum on Security Standards August 26, 2002

  2. Topics for Discussion • FS Industry Drivers • An Example: Corporate Cash Management • Issues & Challenges • Q & A

  3. FS Industry Drivers • Increasing Use of Outsourced Functions • Corporations looking to eliminate unnecessary costs and look to ASP model in greater numbers • General trend toward using XML over public networks rather than private networks • Service & Component Architectures becoming more widespread • Business Service Architectures offer stronger ROI through reduction of duplicated functions • CIOs looking to leverage existing significant IT investments not create new ones • Looking to serve millions of customers through multiple channels with common services • Straight-Through-Processing is becoming the mantra • Securities industry has targets for implementation • Banking moving toward STP even though key processes are held up by paper check system • Corporations becoming more aware of service continuity and related risks • 9/11 raised awareness of business continuity at the board level • Distributed functions generate different risk profiles for the corporations

  4. Topics for Discussion • FS Industry Drivers • An Example: Corporate Cash Management • What is Corporate Cash Management? • Cash Management Use Case • Issues & Challenges • Q & A

  5. What is Corporate Cash Management? • Corporate Cash Management is an important function of the corporate treasury office. Cash Management is: • The gathering of cash related information from the company’s banks and internal ERP systems. • The planning of investment or borrowing strategies to manage the firm’s liquidity. • The execution of those plans with the firm’s banks. • Cash Management happens on a daily, weekly, and monthly basis. • Treasury management is typically supported by file transfers of data, Internet views of single bank data, or proprietary hub/spoke architectures.

  6. Corporate Cash Management via Web Services Create and execute a cash management strategy through a lead bank by dynamically aggregating and analyzing account positions in multiple institutions, corporate cash receivables history (DSO) and disbursement plans, and working capital requirements. Description: Functional Area: Treasury Management Actors: Corporate Treasury, Banks, Private UDDI Repository Account positions in multiple institutions accessible via web services; receivable and payable schedules accessible via web services. Pre-Conditions: Scenario: Treasury Workstation discovers service points. Treasury Workstation composes cash positions held in multiple banks. ERP systems report receivables aging history, DSO, and daily disbursement plans across multiple business units/operating companies Target working capital positions are determined. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed Treasurer executes a set of funds transfer and investment transaction through a lead bank . Benefit of Scenario: Improved use of available cash balances and return on available funds Less costly than manual process. Creation of new Inter-bank network.

  7. Corporate Cash Management Actors • The Treasury Workstation and ERP Platform are packaged software systems used by the corporation. • ERP, and Treasury workstation are within the main corporate firewall. • Each of the bank’s systems is behind it’s own firewall. • All transactions are over the public Internet except the ERP/Treasury Workstation Interaction. • There are existing contractual relationships between all the parties exchanging data. • The UDDI repository run by a major bank or third party as part of this inter-bank network.

  8. Corporate Cash Management Step 1: Discover service points Requirements & Issues Treasury Workstation begins cash management process by discovering or verifying signatures of relevant partner web services. • A Private Bank Network will use a private UDDI repository. Private in the sense it’s membership-based of some form not a VPN. • Publishing repository entries and process must be secure and auditable. Version control and time stamping of registry must be verifiable. • The Repository entries must be authentic. Identity and integrity of entries must be verifiable in some standard way. • The Registry must be secure from performance based attacks (DoS). • Access of signature files must be auditable by the publisher. Operations of repository must be operated in a highly secure way. • Every Treasury Workstation in the network must be authenticated and authorized. • Retrieval of WSDL file must be secure.

  9. Corporate Cash Management Step 2: Compose Cash Positions from Multiple Banks Requirements & Issues Treasury Workstation gathers position data from banks through web service touch points. SOAP payload probably uses a banking standard like IFX. • Service points must be authenticated and verified. • Bank Service Point must be reliable and secure from DOS attacks. • Some protocols like IFX have their logon segments. Are redundant credentials an issue? • SOAP messaging must have integrity, reliability, and confidentiality. • The message payloads must have integrity and confidentiality. • Key management process must be secure. • Banks must provide data only to individuals entitled to that data (Role based Authorization).

  10. Corporate Cash Management Step 3: Retrieve Data from ERP Systems ERP systems report receivables aging history, Day Sales Outstanding, and daily disbursement plans across multiple business units/operating companies. Requirements & Issues • Application level SOAP interface supports role based permissions. • Data on internal network must be secure. ERP platforms may be globally dispersed so all traffic must be highly secure.

  11. Corporate Cash Management Step 4: Construct Daily Investment Strategy Requirements & Issues Target working capital positions are determined through local software. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed. • Not a Web Service interaction but traditional authorization and authentication requirements hold.

  12. Corporate Cash Management Step 5: Execute Plan Through Lead Bank Treasurer executes a set of funds transfer and investment allocations through a lead bank. The lead bank transfers the instructions to other banks via SOAP messaging. Requirements & Issues • Instruction Document must have credentials to other banks systems • Document may have data that can only be viewed by end bank not intermediary. • Any shared Web Services conversation description (BPML, XLANG,etc) must be tamper-proof and verifiable. • Banks and treasurers need verifiable proof that transactions were received, confirmed, and executed.

  13. Topics for Discussion • FS Industry Drivers • An Example: Corporate Cash Management • Issues & Challenges • Q & A

  14. Issues & Challenges • Security standards must be proven to be applicable to financial services risk profiles and interoperable for adoption to take place • Corporate customers are confused and concerned about security standards in Web Services • Multiple and potentially competing standard must be reconciled within specific financial application context • UDDI repositories must support integrity, authentication, privacy and version control services when operated both within and outside enterprise firewalls • The governance model for the operation of financial UDDI directories will influence the UDDI security model • Financial institutions will connect core applications and systems across the Internet and share data with their customers once they can trust the connections. • Web services security must prove to leverage existing digital signature, encryption, and key management infrastructures and new strong authentication solutions • CIOs will not spend significant amounts on new security systems without visible ROI • New, strong authentication mechanisms like smart cards and biometric technologies are being considered and deployed so solutions must integrate

  15. Requirement: Non-SSL solutions must be ‘buildable’ and understandable. Services Assets

  16. Topics for Discussion • FS Industry Drivers • An Example: Corporate Cash Management • Issues & Challenges • Q & A

  17. Contacts at Niteo Partners, Inc Mr. Kevin Cronin – Chief Technical Architect Co-Chair, Financial Services Technology Consortium Web Services Advisory Group k.cronin@niteo.com 617.895.3042 Mr. Michael Versace – Partner, Financial Services Chairman, ISO TC68 SC2, Security and Banking m.versace@niteo.com 617.895.3042

More Related