Security Requirements for Financial Web Services
XML Web Services One Conference, Forum on Security Standards
August 26, 2002
Topics for Discussion
• FS Industry Drivers
• An Example: Corporate Cash Management
• Issues & Challenges
• Q & A
FS Industry Drivers
• Increasing Use of Outsourced Functions
  • Corporations looking to eliminate unnecessary costs are turning to the ASP model in greater numbers
  • General trend toward using XML over public networks rather than private networks
• Service & Component Architectures becoming more widespread
  • Business Service Architectures offer stronger ROI through reduction of duplicated functions
  • CIOs looking to leverage existing significant IT investments, not create new ones
  • Looking to serve millions of customers through multiple channels with common services
• Straight-Through-Processing is becoming the mantra
  • Securities industry has targets for implementation
  • Banking moving toward STP even though key processes are held up by the paper check system
• Corporations becoming more aware of service continuity and related risks
  • 9/11 raised awareness of business continuity at the board level
  • Distributed functions generate different risk profiles for the corporations
Topics for Discussion
• FS Industry Drivers
• An Example: Corporate Cash Management
  • What is Corporate Cash Management?
  • Cash Management Use Case
• Issues & Challenges
• Q & A
What is Corporate Cash Management?
• Corporate Cash Management is an important function of the corporate treasury office. Cash Management is:
  • The gathering of cash-related information from the company’s banks and internal ERP systems.
  • The planning of investment or borrowing strategies to manage the firm’s liquidity.
  • The execution of those plans with the firm’s banks.
• Cash Management happens on a daily, weekly, and monthly basis.
• Treasury management is typically supported by file transfers of data, Internet views of single-bank data, or proprietary hub/spoke architectures.
Corporate Cash Management via Web Services
Description: Create and execute a cash management strategy through a lead bank by dynamically aggregating and analyzing account positions in multiple institutions, corporate cash receivables history (DSO) and disbursement plans, and working capital requirements.
Functional Area: Treasury Management
Actors: Corporate Treasury, Banks, Private UDDI Repository
Pre-Conditions: Account positions in multiple institutions accessible via web services; receivable and payable schedules accessible via web services.
Scenario:
• Treasury Workstation discovers service points.
• Treasury Workstation composes cash positions held in multiple banks.
• ERP systems report receivables aging history, DSO, and daily disbursement plans across multiple business units/operating companies.
• Target working capital positions are determined.
• Short-term and near-term investment and return plans and a daily global cash management strategy are constructed.
• Treasurer executes a set of funds transfer and investment transactions through a lead bank.
Benefit of Scenario:
• Improved use of available cash balances and return on available funds
• Less costly than manual process
• Creation of new inter-bank network
Corporate Cash Management Actors
• The Treasury Workstation and ERP Platform are packaged software systems used by the corporation.
• ERP and Treasury Workstation are within the main corporate firewall.
• Each of the bank’s systems is behind its own firewall.
• All transactions are over the public Internet except the ERP/Treasury Workstation interaction.
• There are existing contractual relationships between all the parties exchanging data.
• The UDDI repository is run by a major bank or third party as part of this inter-bank network.
Corporate Cash Management Step 1: Discover Service Points
Treasury Workstation begins the cash management process by discovering or verifying signatures of relevant partner web services.
Requirements & Issues
• A Private Bank Network will use a private UDDI repository. Private in the sense that it is membership-based in some form, not a VPN.
• Publishing repository entries and the publishing process must be secure and auditable. Version control and time stamping of the registry must be verifiable.
• The repository entries must be authentic. Identity and integrity of entries must be verifiable in some standard way.
• The registry must be secure from performance-based attacks (DoS).
• Access to signature files must be auditable by the publisher. The repository must be operated in a highly secure way.
• Every Treasury Workstation in the network must be authenticated and authorized.
• Retrieval of the WSDL file must be secure.
Corporate Cash Management Step 2: Compose Cash Positions from Multiple Banks
Treasury Workstation gathers position data from banks through web service touch points. The SOAP payload probably uses a banking standard like IFX.
Requirements & Issues
• Service points must be authenticated and verified.
• Bank service points must be reliable and secure from DoS attacks.
• Some protocols like IFX have their own logon segments. Are redundant credentials an issue?
• SOAP messaging must have integrity, reliability, and confidentiality.
• The message payloads must have integrity and confidentiality.
• The key management process must be secure.
• Banks must provide data only to individuals entitled to that data (role-based authorization).
Corporate Cash Management Step 3: Retrieve Data from ERP Systems
ERP systems report receivables aging history, Days Sales Outstanding, and daily disbursement plans across multiple business units/operating companies.
Requirements & Issues
• Application-level SOAP interface supports role-based permissions.
• Data on the internal network must be secure. ERP platforms may be globally dispersed, so all traffic must be highly secure.
Corporate Cash Management Step 4: Construct Daily Investment Strategy
Target working capital positions are determined through local software. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed.
Requirements & Issues
• Not a Web Service interaction, but traditional authorization and authentication requirements hold.
Corporate Cash Management Step 5: Execute Plan Through Lead Bank
Treasurer executes a set of funds transfer and investment allocations through a lead bank. The lead bank transfers the instructions to other banks via SOAP messaging.
Requirements & Issues
• The instruction document must carry credentials for the other banks’ systems.
• The document may contain data that can only be viewed by the end bank, not the intermediary.
• Any shared Web Services conversation description (BPML, XLANG, etc.) must be tamper-proof and verifiable.
• Banks and treasurers need verifiable proof that transactions were received, confirmed, and executed.
Issues & Challenges
• Security standards must be proven applicable to financial services risk profiles, and interoperable, for adoption to take place
• Corporate customers are confused and concerned about security standards in Web Services
• Multiple and potentially competing standards must be reconciled within a specific financial application context
• UDDI repositories must support integrity, authentication, privacy and version control services when operated both within and outside enterprise firewalls
• The governance model for the operation of financial UDDI directories will influence the UDDI security model
• Financial institutions will connect core applications and systems across the Internet and share data with their customers once they can trust the connections
• Web services security must be shown to leverage existing digital signature, encryption, and key management infrastructures and new strong authentication solutions
• CIOs will not spend significant amounts on new security systems without visible ROI
• New, strong authentication mechanisms like smart cards and biometric technologies are being considered and deployed, so solutions must integrate with them
Requirement: Non-SSL solutions must be ‘buildable’ and understandable.
Contacts at Niteo Partners, Inc.
• Mr. Kevin Cronin – Chief Technical Architect; Co-Chair, Financial Services Technology Consortium Web Services Advisory Group; k.cronin@niteo.com; 617.895.3042
• Mr. Michael Versace – Partner, Financial Services; Chairman, ISO TC68 SC2, Security and Banking; m.versace@niteo.com; 617.895.3042