
Lappeenranta 29.11.2001

Lappeenranta, 29.11.2001. Presenter: Kari Oksanen, E-mail Kari.Oksanen@Nordea.com, Tel. +358 9 165 25062. About the bank: the largest financial services group in the Nordic region (Unibank in Denmark, Merita in Finland, Christiania Kreditkassen in Norway, Nordbanken in Sweden).



Presentation Transcript


  1. Lappeenranta 29.11.2001
     Presenter: Kari Oksanen
     E-mail: Kari.Oksanen@Nordea.com
     Tel. +358 9 165 25062

  2. About the Bank
     • The largest financial services group in the Nordic region
     • Unibank in Denmark
     • Merita in Finland
     • Christiania Kreditkassen in Norway
     • Nordbanken in Sweden
     • 9 million private and 700 000 corporate customers
     • 2.6 million Internet Bank customers
     • About 40 000 employees
     • World leader in internet banking
     • World's first WAP based banking services launched in October 1999
     • More information: www.nordea.com
     Nordea 1.12.2001

  3. Adding new banking and e-services = adding value
     [Timeline chart, 1982 to 2001: services added over time, plotted against number of services (few / many / all) and customer satisfaction (low / high). Groupings as read from the chart:]
     • 1982 to 1988: balances and payments
     • 1992 to 1996: shares, e-identification
     • 1998 to 1999: investment funds, e-shopping
     • 2000: e-loans, e-billing, e-signature
     • Now also: e-salary, foreign payments, e-student loan
     • Now virtually all banking services and increasingly e-services
     • Same password for all services!

  4. Net-banking customers in Nordea, 01 - 10/2001
     [Chart: net-banking customers make up 50 % of the active customer base in Merita]
     • 18 million visits more than last year within the same period

  5. Giro-payment transactions, private customers
     [Chart: share of transactions by channel: envelope payments, branch office (4 %), direct debiting, home banking, payment ATMs]

  6. Daily Solo sessions in Merita, October 2001
     [Chart: the number of sessions per day]

  7. Information security
     • Administrative and organisational security
     • Personnel security
     • Physical and environmental security
     • Communications security
     • Data security
     • Operations security
     • Software security
     • Hardware security

  8. Threats and Risks
     [Diagram: threats (Finnish: uhkat) sorted into three groups]
     • Impact, protection in place
     • Impact, vulnerabilities: these are the risks
     • No impact, or fictitious

  9. Strategic Context: Nordea
     IT Security is today one of the foundation elements
     • Security technologies are relationship management tools
       • Relationships between identities and resources (privileges)
       • Relationships between internal systems (integration / interoperability)
       • Relationships between networks (business relationships)
     • Relationship management = identity and risk management
       • We need a repository (or repositories) for identity and relationship management
       • Risk management through authentication, integrity, and confidentiality
     • Identity management
       • Infrastructure must establish an unambiguous identity
       • Authentication is only the first step

  10. IT security in a company with large scale e-business activities - some findings
     • Businesses are going to the networks - the role of IT security is becoming more important.
     • To implement seamless, business-supporting security solutions we have to understand also our customers' behaviour, the techniques they deploy and how these are changing.
     • We have to understand business strategies to some extent, and we have to build security solutions in co-operation with the persons responsible for business issues.
     • IT security is there to secure business information when it is processed, stored in data systems or transferred in telecommunications - it is not there to build or to buy toys for ourselves.

  11. IT security in a company with large scale e-business activities - some findings, contd.
     • The business controls are very near to IT security tools - without understanding business controls you can't build secure systems.
     • We have to co-operate with many units in our organisation and with people from other organisations - IT security is networking.
     • We have to understand what cost-effectiveness means.
     • We are accountable for our decisions.
     • IT security is not a property of a product, and it is not only security products; it is a property of the environment!

  12. Control and Security Architecture
     • Control architecture describes technology neutral controls and security principles:
       • Duty segregation
       • Need-to-know principle
     • Security architecture helps to create a common and platform-neutral understanding of security capabilities.
       • It is a general picture for designing.
       • It describes all aspects of the environment that are related to security.
       • It is a guide to aid in the construction of security.
       • It helps us to effectively implement business requirements across various platforms: basic security functions, controls, auditing.
       • It does not say how to secure or what products to use.

  13. Control and Security Architecture, contd.
     • Security implementation guidelines describe the application of controls to each specific platform
       • more technical
       • detailed

  14. IT-security, some principles
     [Diagram: three classes of users and the controls applied to each]
     Customers
     • Identification and authentication
     • Authorisation to services and databases
     • Customers are authorised to access accounts of their own, only
     Internal end-users
     • Identification and authentication
     • Authorisation to applications (never system level)
     • Internal end-users are authorised to access all accounts but not those of their own
     • Remote access (internal end-users, only): identification and authentication, then authorisation to applications (never system level); remote users are authorised to access the services needed outside offices
     Technicians
     • Securing resources and access control for technical users (NT, UNIX, RACF, TopSecret)
     • Authorisation to databases, applications and services

  15. Security services
     • Confidentiality / encryption
     • Identification and authentication
     • Authorisation
     • Integrity; MAC, digital signatures
     [Diagram: services talking to services, each under a technical ID]
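The integrity service of slide 15, MAC over a message, worked through as an added example (this is not code from the presentation or from Nordea). It uses HMAC-SHA256 from the Python standard library; the key, the payment fields and the values are constructed for the demonstration. Two things the slide's bullet does not show: both endpoints must MAC exactly the same bytes, so the serialisation is part of the scheme, and the check must compare tags in constant time. A MAC proves the message came from someone holding the shared key; where the bank must later prove to a third party that the customer sent the order, a digital signature (the slide's other integrity mechanism) is needed instead, since the verifier of a MAC could have produced the tag itself.

```python
import hashlib
import hmac

# Constructed demonstration key. In a bank the MAC key would sit in an HSM or
# key store shared by the two endpoints; it is fixed here so the example runs offline.
MAC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                        "101112131415161718191a1b1c1d1e1f")


def canonical_bytes(message: dict) -> bytes:
    """Serialise the message deterministically: sorted keys, one field per line.

    Both endpoints must MAC exactly the same bytes, so the serialisation
    itself is part of the protocol, not an implementation detail.
    """
    return "\n".join(f"{key}={message[key]}" for key in sorted(message)).encode("utf-8")


def compute_mac(message: dict, key: bytes = MAC_KEY) -> str:
    """HMAC-SHA256 over the canonical message, hex encoded (64 characters)."""
    return hmac.new(key, canonical_bytes(message), hashlib.sha256).hexdigest()


def verify_mac(message: dict, tag: str, key: bytes = MAC_KEY) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    return hmac.compare_digest(compute_mac(message, key), tag)


# Constructed payment order; field names and values are illustrative only.
PAYMENT = {
    "from_account": "FI00 0000 0000 0000 00",
    "to_account": "FI00 1111 1111 1111 11",
    "amount": "100.00",
    "currency": "EUR",
    "reference": "20011129-000001",   # unique per order, so the receiver can reject replays
}


def tampered(message: dict, **changes) -> dict:
    """Copy of the message with some fields altered (simulates modification in transit)."""
    return {**message, **changes}


if __name__ == "__main__":
    tag = compute_mac(PAYMENT)
    print("MAC:", tag)
    print("original verifies:", verify_mac(PAYMENT, tag))
    print("amount changed, same tag verifies:",
          verify_mac(tampered(PAYMENT, amount="1000.00"), tag))
```

The reference field is what turns an integrity check into replay protection: the receiving service keeps the references it has already accepted and refuses a second order carrying the same one, even though its MAC is valid.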

  16. IT-security, some principles
     Naming standard for easier administration and better control or security
     [Diagram: the development, test and production environments, the controls applied in each, and the duty segregation between programmers / application planners and end users. Controls as read from the diagram:]
     Development (programmers, application planners)
     • versioning and version control
     • mechanisms to make it possible to reset the previous version
     • audit trail in all changes
     • source code for each piece of software transferred to the production environment has to be stored at least two years
     • source code protected against unauthorised modifications
     • developers have full access only to those objects they are responsible for
     • controls to force following the naming standard
     • controls to force following the programming model
     Test
     Transfer to production (duty segregation)
     • tools for the duality principle when transferring new or amended code from development to production; audit trail in transfers
     • it is not allowed to transfer information from the production environment
     Production (end users)
     • no compilers
     • files and databases are read or updated via properly accepted user interface or batch programs, only
     • it is mandatory to verify the user's access rights when moving from one application to another
     • integrity control for all software
     • audit trail in all business related transactions, including inquiries
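The transfer controls of slide 16 (duality principle on the way from development to production, integrity control, audit trail, and the ability to reset the previous version) as an added example; it is not code from the presentation or from Nordea, and the class and field names are my own. The gate records the SHA-256 of the source at request time, requires two approvers who are neither the requester nor the same person twice, refuses the transfer if the source changed after approval, keeps every version so the previous one can be reinstated, and logs each decision.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Artifact:
    """A piece of software as it sits in the development environment."""
    name: str
    version: str
    source: bytes

    def digest(self) -> str:
        return hashlib.sha256(self.source).hexdigest()


@dataclass
class TransferRequest:
    """Request to move an artifact from development to production."""
    artifact: Artifact
    requested_by: str
    approved_digest: str = ""
    approvals: list = field(default_factory=list)

    def __post_init__(self):
        # The digest is fixed when the request is raised; any later edit to the source breaks it.
        if not self.approved_digest:
            self.approved_digest = self.artifact.digest()


class ProductionGate:
    """Enforces two-person (duality) control and integrity on the way into production."""

    def __init__(self):
        self.production = {}   # name -> list of (version, digest), newest last
        self.audit = []        # append-only trail of every decision

    def _log(self, event: str, **detail):
        self.audit.append({"event": event, **detail})

    def approve(self, request: TransferRequest, approver: str) -> int:
        """Record one approval; returns the number of approvals so far."""
        if approver == request.requested_by:          # duty segregation
            self._log("approval_rejected", who=approver, reason="requester")
            raise PermissionError("requester may not approve their own transfer")
        if approver in request.approvals:             # each person counts once
            self._log("approval_rejected", who=approver, reason="duplicate")
            raise PermissionError("each approver counts once")
        request.approvals.append(approver)
        self._log("approved", who=approver, artifact=request.artifact.name)
        return len(request.approvals)

    def transfer(self, request: TransferRequest) -> str:
        """Move the artifact into production; returns the digest that went in."""
        if len(request.approvals) < 2:
            self._log("transfer_rejected", reason="insufficient approvals")
            raise PermissionError("two approvals required")
        actual = request.artifact.digest()
        if actual != request.approved_digest:         # integrity control
            self._log("transfer_rejected", reason="digest mismatch",
                      expected=request.approved_digest, actual=actual)
            raise ValueError("source changed after approval")
        self.production.setdefault(request.artifact.name, []).append(
            (request.artifact.version, actual))
        self._log("transferred", artifact=request.artifact.name,
                  version=request.artifact.version, digest=actual)
        return actual

    def current_version(self, name: str):
        versions = self.production.get(name, [])
        return versions[-1][0] if versions else None

    def reset_previous(self, name: str, operator: str) -> str:
        """Reinstate the previously transferred version; returns the version now live."""
        versions = self.production[name]
        if len(versions) < 2:
            raise ValueError("no previous version to reset to")
        dropped = versions.pop()
        self._log("reset", who=operator, artifact=name,
                  from_version=dropped[0], to_version=versions[-1][0])
        return versions[-1][0]


if __name__ == "__main__":
    gate = ProductionGate()
    req = TransferRequest(Artifact("payments", "1.0", b"print('pay v1')"), requested_by="dev_a")
    gate.approve(req, "reviewer_b")
    gate.approve(req, "reviewer_c")
    print("transferred", gate.transfer(req), "now live:", gate.current_version("payments"))
    for entry in gate.audit:
        print(entry)
```

The audit list is the "audit trail in transfers" the slide asks for: rejected approvals and rejected transfers are logged as well, because a pattern of refusals is itself something an auditor wants to see.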

  17. Access control and Authorisation
     [Diagram: identification and authentication, followed by authorisation]

  18. Access control and Authorisation
     Security architecture: the basic idea is to avoid application specific access control systems as long as possible, to achieve a robust control level, end user satisfaction and cost efficiency in administration.
     [Diagram: four applications / services, each with its own identification & authentication and its own authorisation]

  19. Access control and Authorization
     [Diagram: one login and one set of authorization data, shared by all applications]
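Slides 14, 18 and 19 together describe one design: a single login, one central store of authorisation data that every application consults instead of keeping its own, and per-class rules (customers see only their own accounts, internal end-users see every account except their own, end-users are authorised to applications and never to system level, remote access is for internal end-users and only for the services needed outside offices). The added example below shows that design in code; it is not from the presentation or from Nordea, the class names, user IDs, application names and account numbers are constructed, and the rule that technicians get no account-level access through applications is my assumption, since the slide only says they are authorised to resources and platforms.

```python
from dataclasses import dataclass, field
from enum import Enum


class UserClass(Enum):
    CUSTOMER = "customer"
    INTERNAL = "internal end-user"
    TECHNICIAN = "technician"


@dataclass(frozen=True)
class Identity:
    """One unambiguous identity established at login and reused by every application."""
    user_id: str
    user_class: UserClass
    own_accounts: frozenset = frozenset()   # accounts the person holds privately


@dataclass
class AuthorisationRepository:
    """Central authorisation data, maintained once instead of per application."""
    app_grants: dict = field(default_factory=dict)      # user_id -> set of application names
    remote_grants: dict = field(default_factory=dict)   # user_id -> applications allowed from outside offices

    def applications_of(self, ident: Identity) -> set:
        return set(self.app_grants.get(ident.user_id, set()))


class AuthorisationService:
    """Applications ask here after the single login instead of running their own checks."""

    def __init__(self, repo: AuthorisationRepository):
        self.repo = repo

    def may_use_application(self, ident: Identity, application: str,
                            outside_offices: bool = False) -> bool:
        if application not in self.repo.applications_of(ident):
            return False
        if outside_offices and ident.user_class is not UserClass.CUSTOMER:
            # Remote access to internal services: internal end-users only, and only the
            # services they need outside offices. Customer services are Internet-facing anyway.
            return (ident.user_class is UserClass.INTERNAL
                    and application in self.repo.remote_grants.get(ident.user_id, set()))
        return True

    def may_access_account(self, ident: Identity, account: str) -> bool:
        if ident.user_class is UserClass.CUSTOMER:
            return account in ident.own_accounts          # own accounts, only
        if ident.user_class is UserClass.INTERNAL:
            return account not in ident.own_accounts      # all accounts but not their own
        return False   # assumption: technicians get no account-level access via applications

    def may_access_system_level(self, ident: Identity) -> bool:
        # End-users are authorised to applications, never to system level.
        return ident.user_class is UserClass.TECHNICIAN

    def report(self, ident: Identity) -> list:
        """The auditor's question from slide 20: which systems is this person authorised to use?"""
        return sorted(self.repo.applications_of(ident))


# Constructed sample data.
REPO = AuthorisationRepository(
    app_grants={"cust1": {"solo"},
                "teller1": {"accounts", "payments"},
                "sysadm1": {"racf-admin"}},
    remote_grants={"teller1": {"payments"}},
)
SERVICE = AuthorisationService(REPO)
CUSTOMER = Identity("cust1", UserClass.CUSTOMER, frozenset({"FI00 0000 0000 0000 01"}))
TELLER = Identity("teller1", UserClass.INTERNAL, frozenset({"FI00 0000 0000 0000 02"}))
TECH = Identity("sysadm1", UserClass.TECHNICIAN)

if __name__ == "__main__":
    for who in (CUSTOMER, TELLER, TECH):
        print(who.user_id, "may use:", SERVICE.report(who),
              "system level:", SERVICE.may_access_system_level(who))
```

Because every application calls the same service, removing a person's grants in one place removes them everywhere, and `report()` answers in one query what slide 20 says was impossible to answer when each platform kept its own lists.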

  20. End-users and administrators
     [Diagram: platforms in use per country]
     • Denmark: OS/2, NT, 3270, C/S, Web, SW packages
     • Finland: NT, 3270, C/S, Web, SW packages
     • Norway: NT, 3270, C/S, Web, SW packages
     • Sweden: OS/2, NT, 3270, C/S, Web, SW packages
     The end-user: Where to find the services available? MENU systems! Single signon!
     The administrator: Very difficult to understand and manage! Impossible to create reports for auditors and unit managers: Which systems am I authorised to use in Nordea?

  21. Security - covering the whole chain
     [Diagram: the chain from the customer to the bank's partners]
     Customers
     • Behaviour
     • Technical environment
     • Control needs
     Customers
     • Identification
     • Authentication
     Networks
     • Confidentiality
     • Integrity
     e-services
     • Architecture
     • Base controls
     • Configurations
     e-services
     • Access control
     • Authorisation
     Security arrangements towards other partners; banks, etc.

  22. Profitability and security
     [Diagram: the defender's calculation and the attacker's calculation side by side, linked by the effectiveness of a security solution]
     Random incident or attack (the bank):
     • GROSS LOSS (material, others) * probability = EXPOSURE
     • A SECURITY SOLUTION gives a REDUCTION OF EXPOSURE, at an IMPLEMENTATION COST and a PROTECTION COST
     • Comparison A: cost effectiveness
     The attacker:
     • GROSS PROFIT ./. (probability to get arrested * repayment) = NET PROFIT
     • Comparison B: attractiveness
     Effectiveness measures of a solution: loss coefficient, protection effectiveness, impediment effectiveness, arrest effectiveness
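The two calculations on slide 22 carried through with numbers, as an added example that is not part of the presentation. The defender's side is gross loss times probability (exposure), and a solution is judged by the exposure it removes against its implementation and protection cost (comparison A); the attacker's side is gross profit minus the probability of arrest times repayment (net profit), and a solution is judged by how unattractive it makes the target (comparison B). The way the four effectiveness measures act on those formulas (protection effectiveness scales the probability, impediment effectiveness scales the attacker's gross profit, arrest effectiveness replaces the arrest probability) is my reading of the diagram, and all figures are constructed.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    """Defender side: gross loss * probability = exposure."""
    gross_loss: float     # material and other loss if the incident or attack succeeds
    probability: float    # probability of it happening in the period considered

    def value(self) -> float:
        return self.gross_loss * self.probability


@dataclass
class Attack:
    """Attacker side: gross profit ./. probability of arrest * repayment = net profit."""
    gross_profit: float
    arrest_probability: float
    repayment: float      # what the attacker loses if arrested

    def net_profit(self) -> float:
        return self.gross_profit - self.arrest_probability * self.repayment


@dataclass
class SecuritySolution:
    name: str
    implementation_cost: float        # one-off
    protection_cost: float            # recurring, per period
    protection_effectiveness: float   # share of the probability removed (0..1), assumed reading
    impediment_effectiveness: float   # share of the attacker's gross profit removed (0..1), assumed reading
    arrest_effectiveness: float       # arrest probability once the solution is in place, assumed reading

    def reduced_exposure(self, exposure: Exposure) -> Exposure:
        return Exposure(exposure.gross_loss,
                        exposure.probability * (1 - self.protection_effectiveness))

    def impeded_attack(self, attack: Attack) -> Attack:
        return Attack(attack.gross_profit * (1 - self.impediment_effectiveness),
                      self.arrest_effectiveness, attack.repayment)


def cost_effectiveness(exposure: Exposure, solution: SecuritySolution) -> float:
    """Comparison A: reduction of exposure minus what the solution costs in the period."""
    reduction = exposure.value() - solution.reduced_exposure(exposure).value()
    return reduction - (solution.implementation_cost + solution.protection_cost)


def attractiveness(attack: Attack, solution: SecuritySolution) -> float:
    """Comparison B: the attacker's net profit once the solution is in place."""
    return solution.impeded_attack(attack).net_profit()


def rank_solutions(exposure: Exposure, attack: Attack, solutions) -> list:
    """Most cost-effective first; ties broken by the least attractive target."""
    return sorted(solutions, key=lambda s: (-cost_effectiveness(exposure, s),
                                            attractiveness(attack, s)))


# Constructed figures for one service.
EXPOSURE = Exposure(gross_loss=1_000_000, probability=0.05)          # exposure 50 000
ATTACK = Attack(gross_profit=200_000, arrest_probability=0.05, repayment=200_000)
SOLUTIONS = [
    SecuritySolution("strong authentication", 15_000, 5_000, 0.8, 0.5, 0.3),
    SecuritySolution("monitoring only", 2_000, 1_000, 0.5, 0.0, 0.4),
]

if __name__ == "__main__":
    print("exposure today:", EXPOSURE.value(), "attacker net profit today:", ATTACK.net_profit())
    for s in rank_solutions(EXPOSURE, ATTACK, SOLUTIONS):
        print(f"{s.name}: cost effectiveness {cost_effectiveness(EXPOSURE, s):.0f},"
              f" attractiveness {attractiveness(ATTACK, s):.0f}")
```

With these figures the cheaper solution wins comparison A (22 000 against 20 000 per period) while the stronger one wins comparison B (it cuts the attacker's net profit to 40 000 instead of 120 000); the slide's point is that both comparisons have to be on the table, because a solution that is cost effective for the bank may still leave the target attractive.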

  23. Threats and Risks in e-business Systems
     Networks
     • Unauthorised attempts
     • Denial of Service attacks
     • Eavesdropping?
     Systems
     • Poor quality
     • Insufficient testing
     • Non-scalable systems
     • Availability problems
     • Poorly configured routers or firewalls
     • Poor programming models (Norway)
     • Poor session handling
     • New techniques
     • Missing audit trails or logs
     • Unauthorised access to system level
     • Internal breaches
     • Etc.
     Malicious software
     • Trojan horses
     • Viruses
     • Etc.

  24. IT-security in large scale e-banking systems
     End-to-end security!
     • Identification and authentication
     • Integrity; MAC, hashing....
     • Confidentiality; encryption
     Networks
     • Strict programming models
     • Configurations: routers, firewalls
     • Testing arrangements
     • How to inform customers in problem situations
     • Contingency planning
     • Control and security architecture
     • Technical architecture: scalability, availability, continuity
     • Application architecture: clarity, independent components
     • Security in customers' environments: instructions, anti-virus software. Service providers can't help in this area!

  25. EMPS: what is it all about?
     SIM + EMV: all cards in one chip inside your WAP-phone
     [Figure: a pile of cards (debit/credit cards, loyalty cards, access codes to the net-bank; sample card issued to the test person Teemu Testihenkilö, Nihitsillantie 3 D, 00020 MERITA, FINLAND) next to a single phone: "Instead of all these... THIS!"]
     • Debit/credit card, bank log-on, club membership, application downloading etc.

  26. EMPS: Many ways to use it. 2. Withdrawing cash from an ATM
     [Screens shown on the phone]
     • -Merita ATM- Enter your PIN [****]
     • -Merita ATM- Withdraw: 100,- / 300,- / other...
     • -Merita ATM- 100,- withdrawn. Balance 12.562,-

  27. EMPS: Many ways to use it. 5. Logging on to the internet bank
     • With WAP: -Solo-bank- Please enter your PIN [****]
     • ...or with WAP and PC using Bluetooth

  28. Where are we?
     [Diagram: the customer in the middle, at home, at work, travelling, doing e-business, doing business with authorities, using e-mail, on various networks and new devices; client platforms XP, W2000, NT 4, ME, W98, W95, W3.x, Linux, Mac; techniques and standards around them: SEIS, CAPI, SSL, SET, EMV, WTLS, PKCS#15, CDSA, VPN, FINEID, CAs]
     • Security needed
       • Confidentiality
       • Identification and authentication
       • Integrity
     • Some problems
       • Incompatible standards
       • Generally available techniques?
       • The availability of smart card readers and drivers?
