Security Requirements for Financial Web Services
Security Requirements for Financial Web Services

XML Web Services One Conference

Forum on Security Standards

August 26, 2002


Topics for Discussion

  • FS Industry Drivers

  • An Example: Corporate Cash Management

  • Issues & Challenges

  • Q & A


FS Industry Drivers

  • Increasing Use of Outsourced Functions

    • Corporations looking to eliminate unnecessary costs and look to ASP model in greater numbers

    • General trend toward using XML over public networks rather than private networks

  • Service & Component Architectures becoming more widespread

    • Business Service Architectures offer stronger ROI through reduction of duplicated functions

    • CIOs looking to leverage existing significant IT investments not create new ones

    • Looking to serve millions of customers through multiple channels with common services

  • Straight-Through-Processing is becoming the mantra

    • Securities industry has targets for implementation

    • Banking moving toward STP even though key processes are held up by paper check system

  • Corporations becoming more aware of service continuity and related risks

    • 9/11 raised awareness of business continuity at the board level

    • Distributed functions generate different risk profiles for the corporations


Topics for Discussion

  • FS Industry Drivers

  • An Example: Corporate Cash Management

    • What is Corporate Cash Management?

    • Cash Management Use Case

  • Issues & Challenges

  • Q & A


What is Corporate Cash Management?

  • Corporate Cash Management is an important function of the corporate treasury office. Cash Management is:

    • The gathering of cash related information from the company’s banks and internal ERP systems.

    • The planning of investment or borrowing strategies to manage the firm’s liquidity.

    • The execution of those plans with the firm’s banks.

  • Cash Management happens on a daily, weekly, and monthly basis.

  • Treasury management is typically supported by file transfers of data, Internet views of single bank data, or proprietary hub/spoke architectures.


Corporate Cash Management via Web Services

Description: Create and execute a cash management strategy through a lead bank by dynamically aggregating and analyzing account positions in multiple institutions, corporate cash receivables history (DSO) and disbursement plans, and working capital requirements.

Functional Area: Treasury Management

Actors: Corporate Treasury, Banks, Private UDDI Repository

Pre-Conditions: Account positions in multiple institutions accessible via web services; receivable and payable schedules accessible via web services.

Scenario:

  1. Treasury Workstation discovers service points.

  2. Treasury Workstation composes cash positions held in multiple banks.

  3. ERP systems report receivables aging history, DSO, and daily disbursement plans across multiple business units/operating companies.

  4. Target working capital positions are determined. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed.

  5. Treasurer executes a set of funds transfer and investment transactions through a lead bank.

Benefit of Scenario: Improved use of available cash balances and return on available funds; less costly than the manual process; creation of a new inter-bank network.


Corporate Cash Management Actors

  • The Treasury Workstation and ERP Platform are packaged software systems used by the corporation.

  • ERP, and Treasury workstation are within the main corporate firewall.

  • Each of the bank's systems is behind its own firewall.

  • All transactions are over the public Internet except the ERP/Treasury Workstation Interaction.

  • There are existing contractual relationships between all the parties exchanging data.

  • The UDDI repository is run by a major bank or a third party as part of this inter-bank network.


Corporate Cash Management Step 1: Discover service points

Requirements & Issues

Treasury Workstation begins the cash management process by discovering relevant partner web services, or by verifying the signatures on entries it already holds.

  • A private bank network will use a private UDDI repository. Private in the sense that membership is controlled in some form, not in the sense of a VPN.

  • Publishing of repository entries, and the publishing process itself, must be secure and auditable. Version control and time stamping of registry entries must be verifiable.

  • Repository entries must be authentic: the identity of the publisher and the integrity of each entry must be verifiable in some standard way.

  • The registry must be resistant to denial-of-service (DoS) attacks.

  • Access to signature files must be auditable by the publisher. The repository itself must be operated in a highly secure way.

  • Every Treasury Workstation in the network must be authenticated and authorized.

  • Retrieval of the WSDL file must be secure.
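
The requirements above reduce, at the protocol level, to two checks the Treasury Workstation can make on its own: that each registry entry carries a valid signature from a known publisher, with a version and time stamp it can compare against what it already trusts, and that the WSDL it then retrieves matches a digest pinned inside that signed entry, so a substituted WSDL is rejected even when the transport to the endpoint was fine. The following Go program is an added example written for this page; it is not code from the presentation and not part of any UDDI product. The RegistryEntry layout, the use of JSON as the canonical form, the ECDSA P-256 publisher key, the service and endpoint names and the one-line stand-in WSDL are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// RegistryEntry is a hypothetical signed service descriptor as a private registry might publish it:
// the service, its endpoint, the digest of the WSDL a client must receive, a version, and a time stamp.
type RegistryEntry struct {
	Service     string `json:"service"`
	Endpoint    string `json:"endpoint"`
	WSDLSHA256  string `json:"wsdl_sha256"`
	Version     int    `json:"version"`
	PublishedAt int64  `json:"published_at"` // Unix seconds
}

// SignedEntry carries the entry plus the publisher's ECDSA P-256 signature over its canonical form.
type SignedEntry struct {
	Entry     RegistryEntry
	Signature []byte
}

// canonical uses the JSON encoding as the canonical form (an assumption); fixed struct field order makes it deterministic.
func canonical(e RegistryEntry) []byte {
	b, _ := json.Marshal(e)
	return b
}

// PublishEntry is run by the registry publisher.
func PublishEntry(publisher *ecdsa.PrivateKey, e RegistryEntry) (SignedEntry, error) {
	h := sha256.Sum256(canonical(e))
	sig, err := ecdsa.SignASN1(rand.Reader, publisher, h[:])
	return SignedEntry{Entry: e, Signature: sig}, err
}

// VerifyEntry is run by the Treasury Workstation: the entry must carry a valid publisher signature,
// must not be older than the version already trusted (rollback), and must not be dated in the future.
func VerifyEntry(publisherPub *ecdsa.PublicKey, se SignedEntry, trustedVersion int, now time.Time) error {
	h := sha256.Sum256(canonical(se.Entry))
	if !ecdsa.VerifyASN1(publisherPub, h[:], se.Signature) {
		return errors.New("registry entry signature invalid")
	}
	if se.Entry.Version < trustedVersion {
		return fmt.Errorf("registry entry version %d is older than trusted version %d", se.Entry.Version, trustedVersion)
	}
	if se.Entry.PublishedAt > now.Unix() {
		return errors.New("registry entry is time-stamped in the future")
	}
	return nil
}

// VerifyWSDL checks the WSDL actually retrieved from the endpoint against the digest pinned in the
// verified entry, so a substituted WSDL is rejected even if the transport to the endpoint was fine.
func VerifyWSDL(e RegistryEntry, wsdl []byte) error {
	got := sha256.Sum256(wsdl)
	if hex.EncodeToString(got[:]) != e.WSDLSHA256 {
		return errors.New("retrieved WSDL does not match the digest in the registry entry")
	}
	return nil
}

// NewEntry builds an entry for a WSDL, computing the digest the client will later pin.
func NewEntry(service, endpoint string, wsdl []byte, version int, at time.Time) RegistryEntry {
	sum := sha256.Sum256(wsdl)
	return RegistryEntry{Service: service, Endpoint: endpoint, WSDLSHA256: hex.EncodeToString(sum[:]), Version: version, PublishedAt: at.Unix()}
}

func main() {
	publisher, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	wsdl := []byte(`<definitions name="AccountPosition"/>`) // constructed stand-in for a real WSDL
	entry := NewEntry("ExampleBank/AccountPosition", "https://soap.bank.example/position", wsdl, 3, time.Now())
	se, _ := PublishEntry(publisher, entry)
	fmt.Println("entry verified:", VerifyEntry(&publisher.PublicKey, se, 2, time.Now()) == nil)
	fmt.Println("wsdl verified:", VerifyWSDL(se.Entry, wsdl) == nil)
	se.Entry.Endpoint = "https://soap.attacker.example/position" // altered after signing
	fmt.Println("tampered entry:", VerifyEntry(&publisher.PublicKey, se, 2, time.Now()))
}
```

Running the program verifies a freshly published entry and its WSDL, then shows the same entry failing verification after its endpoint has been altered. The rollback check (an entry older than the version already trusted is refused) is what gives the "version control must be verifiable" requirement teeth: without it, a replayed entry that is validly signed but stale would still be accepted.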


Corporate Cash Management Step 2: Compose Cash Positions from Multiple Banks

Requirements & Issues

Treasury Workstation gathers position data from banks through web service touch points. SOAP payload probably uses a banking standard like IFX.

  • Service points must be authenticated and verified.

  • Bank service points must be reliable and resistant to DoS attacks.

  • Some protocols, IFX among them, carry their own logon segments. Are the resulting redundant credentials an issue?

  • SOAP messaging must have integrity, reliability, and confidentiality.

  • The message payloads must have integrity and confidentiality.

  • Key management process must be secure.

  • Banks must provide data only to individuals entitled to that data (Role based Authorization).


Corporate Cash Management Step 3: Retrieve Data from ERP Systems

ERP systems report receivables aging history, Days Sales Outstanding (DSO), and daily disbursement plans across multiple business units/operating companies.

Requirements & Issues

  • The application-level SOAP interface must support role-based permissions.

  • Data on internal network must be secure. ERP platforms may be globally dispersed so all traffic must be highly secure.


Corporate Cash Management Step 4: Construct Daily Investment Strategy

Requirements & Issues

Target working capital positions are determined through local software. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed.

  • Not a Web Service interaction, but the traditional authentication and authorization requirements still hold.


Corporate Cash Management Step 5: Execute Plan Through Lead Bank

Treasurer executes a set of funds transfer and investment allocations through a lead bank. The lead bank transfers the instructions to other banks via SOAP messaging.

Requirements & Issues

  • The instruction document must carry credentials for the other banks' systems.

  • The document may contain data that only the end bank, not the intermediary, is permitted to view.

  • Any shared Web Services conversation description (BPML, XLANG, etc.) must be protected against tampering and verifiable.

  • Banks and treasurers need verifiable proof that transactions were received, confirmed, and executed.
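
Steps 2 and 5 between them ask for message-level integrity and confidentiality, a secure key-management process, payload data that only the end bank and not the intermediary lead bank can read, and verifiable proof that instructions were received and executed. The Go program below is an added example written for this page, not the presentation's code and not an implementation of WS-Security, XML Encryption or IFX: it shows the shape such a protocol takes, with each bank's instruction sealed under a fresh AES-256-GCM key that is wrapped with RSA-OAEP to that bank alone, the treasurer's RSA-PSS signature over the whole document, and a signed receipt from the end bank bound to the document's digest. The Instruction, Segment, Document and Receipt layouts, the use of JSON as the canonical form, the 2048-bit key size and the bank names are assumptions; a deployment would carry certificates rather than raw keys and use the XML Signature and XML Encryption profiles the standards bodies were defining.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

type Instruction struct { // one bank's share of the plan; only that bank may read it (layout assumed)
	Bank, Action, Account string
	Amount                int64
}
type Segment struct { // what the lead bank handles: a routing header plus an opaque end-bank-only payload
	Bank              string // routing header, readable by the intermediary
	WrappedKey        []byte // per-segment AES key, RSA-OAEP encrypted to the end bank
	Nonce, Ciphertext []byte // AES-GCM over the JSON Instruction, with Bank as additional data
}
type Document struct { // the instruction set the treasurer sends to the lead bank
	ID, Treasurer string
	Segments      []Segment
	Signature     []byte `json:"-"` // treasurer's RSA-PSS over digest(); excluded from that digest
}
type Receipt struct { // a bank's signed acknowledgement of one document
	DocID, Bank, Status string
	DocDigest           []byte // binds the receipt to the exact document received
	Signature           []byte `json:"-"`
}

// digest uses the JSON encoding as the canonical form (an assumption; XML-DSig would use C14N).
func digest(v interface{}) []byte { b, _ := json.Marshal(v); h := sha256.Sum256(b); return h[:] }

// Seal encrypts an instruction so that only the holder of bankPub's private key can read it.
func Seal(in Instruction, bankPub *rsa.PublicKey) (Segment, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and GCM nonce for every segment
	if _, err := rand.Read(buf); err != nil {
		return Segment{}, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail: the key length is fixed above
	gcm, _ := cipher.NewGCM(block)
	plain, _ := json.Marshal(in)
	ct := gcm.Seal(nil, nonce, plain, []byte(in.Bank)) // AAD binds the payload to its routing header
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bankPub, key, []byte(in.Bank))
	return Segment{Bank: in.Bank, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, err
}

// Open is run by the end bank; any other party, the lead bank included, fails at the key unwrap.
func Open(seg Segment, bankPriv *rsa.PrivateKey) (Instruction, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, bankPriv, seg.WrappedKey, []byte(seg.Bank))
	if err != nil || len(key) != 32 {
		return Instruction{}, errors.New("segment is not addressed to this key")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, seg.Nonce, seg.Ciphertext, []byte(seg.Bank))
	if err != nil {
		return Instruction{}, err
	}
	var in Instruction
	return in, json.Unmarshal(plain, &in)
}

// SignDocument is the treasurer's origin and integrity proof over every header and sealed segment.
func SignDocument(d *Document, treasury *rsa.PrivateKey) (err error) {
	d.Signature, err = rsa.SignPSS(rand.Reader, treasury, crypto.SHA256, digest(d), nil)
	return err
}
func VerifyDocument(d Document, treasuryPub *rsa.PublicKey) error {
	return rsa.VerifyPSS(treasuryPub, crypto.SHA256, digest(d), d.Signature, nil)
}

// IssueReceipt is the end bank's verifiable proof of what it received and what it did with it.
func IssueReceipt(d Document, bank, status string, bankPriv *rsa.PrivateKey) (r Receipt, err error) {
	r = Receipt{DocID: d.ID, Bank: bank, Status: status, DocDigest: digest(d)}
	r.Signature, err = rsa.SignPSS(rand.Reader, bankPriv, crypto.SHA256, digest(r), nil)
	return r, err
}

// VerifyReceipt lets the treasurer confirm the receipt is the bank's and refers to this exact document.
func VerifyReceipt(r Receipt, d Document, bankPub *rsa.PublicKey) error {
	if r.DocID != d.ID || string(r.DocDigest) != string(digest(d)) {
		return errors.New("receipt does not refer to this document")
	}
	return rsa.VerifyPSS(bankPub, crypto.SHA256, digest(r), r.Signature, nil)
}

func main() { // smoke run: seal one instruction for a bank and open it with that bank's key
	bank, _ := rsa.GenerateKey(rand.Reader, 2048)
	seg, _ := Seal(Instruction{Bank: "BankB", Action: "transfer", Account: "OP-7", Amount: 250000}, &bank.PublicKey)
	fmt.Println(Open(seg, bank))
}
```

The lead bank can verify the treasurer's signature with VerifyDocument and route each Segment by its Bank header, but Open fails for any segment not addressed to its own key. Because the bank name is bound into both the RSA-OAEP label and the GCM additional data, an intermediary that re-addresses a segment to another bank also causes decryption to fail, and since the document signature covers the sealed segments, any such change is detected by the end bank before it acts. The receipt carries the digest of the exact document the bank acted on, which is what makes it usable as proof later in a dispute.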




Issues & Challenges

  • Security standards must be shown to be applicable to financial services risk profiles, and interoperable, before adoption will take place

    • Corporate customers are confused and concerned about security standards in Web Services

    • Multiple and potentially competing standards must be reconciled within the specific financial application context

  • UDDI repositories must support integrity, authentication, privacy and version control services when operated both within and outside enterprise firewalls

    • The governance model for the operation of financial UDDI directories will influence the UDDI security model

  • Financial institutions will connect core applications and systems across the Internet and share data with their customers once they can trust the connections.

  • Web services security must demonstrably leverage existing digital signature, encryption, and key management infrastructures, as well as new strong authentication solutions

    • CIOs will not spend significant amounts on new security systems without visible ROI

    • New, strong authentication mechanisms like smart cards and biometric technologies are being considered and deployed so solutions must integrate





Contacts at Niteo Partners, Inc.

Mr. Kevin Cronin – Chief Technical Architect

Co-Chair, Financial Services Technology Consortium Web Services Advisory Group

[email protected]

617.895.3042

Mr. Michael Versace – Partner, Financial Services

Chairman, ISO TC68 SC2, Security and Banking

[email protected]

617.895.3042

