Security Requirements for Financial Web Services - PowerPoint PPT Presentation

Description:

Mr. Michael Versace, Partner, Financial Services. Chairman, ISO TC68 SC2, Security and Banking. m.versace_at_niteo.com. 617.895.3042 ...

Number of Views:44
Avg rating:3.0/5.0
Slides: 18
1
  • Security Requirements for Financial Web Services
  • XML Web Services One Conference
  • Forum on Security Standards
  • August 26, 2002

2
Topics for Discussion
  • FS Industry Drivers
  • An Example: Corporate Cash Management
  • Issues & Challenges
  • Q & A

3
FS Industry Drivers
  • Increasing Use of Outsourced Functions
    • Corporations looking to eliminate unnecessary costs and look to the ASP model in greater numbers
    • General trend toward using XML over public networks rather than private networks
  • Service Component Architectures becoming more widespread
    • Business Service Architectures offer stronger ROI through reduction of duplicated functions
    • CIOs looking to leverage existing significant IT investments, not create new ones
    • Looking to serve millions of customers through multiple channels with common services
  • Straight-Through-Processing is becoming the mantra
    • Securities industry has targets for implementation
    • Banking moving toward STP even though key processes are held up by the paper check system
  • Corporations becoming more aware of service continuity and related risks
    • 9/11 raised awareness of business continuity at the board level
    • Distributed functions generate different risk profiles for the corporations

4
Topics for Discussion
  • FS Industry Drivers
  • An Example: Corporate Cash Management
    • What is Corporate Cash Management?
    • Cash Management Use Case
  • Issues & Challenges
  • Q & A

5
What is Corporate Cash Management?
  • Corporate Cash Management is an important function of the corporate treasury office. Cash Management is:
    • The gathering of cash-related information from the company's banks and internal ERP systems.
    • The planning of investment or borrowing strategies to manage the firm's liquidity.
    • The execution of those plans with the firm's banks.
  • Cash Management happens on a daily, weekly, and monthly basis.
  • Treasury management is typically supported by file transfers of data, Internet views of single-bank data, or proprietary hub/spoke architectures.

6
Corporate Cash Management via Web Services
Description
Create and execute a cash management strategy through a lead bank by dynamically aggregating and analyzing account positions in multiple institutions, corporate cash receivables history (DSO) and disbursement plans, and working capital requirements.
Functional Area
Treasury Management
Actors
Corporate Treasury, Banks, Private UDDI Repository
Pre-Conditions
Account positions in multiple institutions accessible via web services; receivable and payable schedules accessible via web services.
Scenario
  • Treasury Workstation discovers service points.
  • Treasury Workstation composes cash positions held in multiple banks.
  • ERP systems report receivables aging history, DSO, and daily disbursement plans across multiple business units/operating companies.
  • Target working capital positions are determined. Short-term and near-term investment and return plans and a daily global cash management strategy are constructed.
  • Treasurer executes a set of funds transfer and investment transactions through a lead bank.
Benefit of Scenario
Improved use of available cash balances and return on available funds. Less costly than a manual process. Creation of a new inter-bank network.

7
Corporate Cash Management Actors
  • The Treasury Workstation and ERP Platform are packaged software systems used by the corporation.
  • ERP and Treasury Workstation are within the main corporate firewall.
  • Each of the banks' systems is behind its own firewall.
  • All transactions are over the public Internet except the ERP/Treasury Workstation interaction.
  • There are existing contractual relationships between all the parties exchanging data.
  • The UDDI repository is run by a major bank or third party as part of this inter-bank network.

8
Corporate Cash Management, Step 1: Discover Service Points
Requirements & Issues
Treasury Workstation begins the cash management process by discovering or verifying signatures of relevant partner web services.
  • A Private Bank Network will use a private UDDI repository. Private in the sense that it is membership-based in some form, not a VPN.
  • Publishing repository entries and the publishing process must be secure and auditable. Version control and time stamping of the registry must be verifiable.
  • The Repository entries must be authentic. Identity and integrity of entries must be verifiable in some standard way.
  • The Registry must be secure from performance-based attacks (DoS).
  • Access to signature files must be auditable by the publisher. The repository must be operated in a highly secure way.
  • Every Treasury Workstation in the network must
    be authenticated and authorized.
  • Retrieval of WSDL file must be secure.

9
Corporate Cash Management, Step 2: Compose Cash Positions from Multiple Banks
Requirements & Issues
Treasury Workstation gathers position data from banks through web service touch points. The SOAP payload probably uses a banking standard like IFX.
  • Service points must be authenticated and verified.
  • Bank Service Point must be reliable and secure from DoS attacks.
  • Some protocols like IFX have their own logon segments. Are redundant credentials an issue?
  • SOAP messaging must have integrity, reliability,
    and confidentiality.
  • The message payloads must have integrity and
    confidentiality.
  • Key management process must be secure.
  • Banks must provide data only to individuals
    entitled to that data (Role based Authorization).

10
Corporate Cash Management, Step 3: Retrieve Data from ERP Systems
ERP systems report receivables aging history, Days Sales Outstanding (DSO), and daily disbursement plans across multiple business units/operating companies.
Requirements & Issues
  • Application level SOAP interface supports role
    based permissions.
  • Data on internal network must be secure. ERP
    platforms may be globally dispersed so all
    traffic must be highly secure.

11
Corporate Cash Management, Step 4: Construct Daily Investment Strategy
Requirements & Issues
Target working capital positions are determined
through local software. Short-term and near-term
investment and return plans and a daily global
cash management strategy are constructed.
  • Not a Web Service interaction but traditional
    authorization and authentication requirements
    hold.

12
Corporate Cash Management, Step 5: Execute Plan Through Lead Bank
Treasurer executes a set of funds transfer and
investment allocations through a lead bank. The
lead bank transfers the instructions to other
banks via SOAP messaging.
Requirements & Issues
  • Instruction Document must carry credentials for the other banks' systems.
  • Document may contain data that can only be viewed by the end bank, not the intermediary.
  • Any shared Web Services conversation description (BPML, XLANG, etc.) must be tamper-proof and verifiable.
  • Banks and treasurers need verifiable proof that
    transactions were received, confirmed, and
    executed.

13
Topics for Discussion
  • FS Industry Drivers
  • An Example: Corporate Cash Management
  • Issues & Challenges
  • Q & A

14
Issues & Challenges
  • Security standards must be proven to be applicable to financial services risk profiles and interoperable for adoption to take place
  • Corporate customers are confused and concerned about security standards in Web Services
  • Multiple and potentially competing standards must be reconciled within a specific financial application context
  • UDDI repositories must support integrity,
    authentication, privacy and version control
    services when operated both within and outside
    enterprise firewalls
  • The governance model for the operation of
    financial UDDI directories will influence the
    UDDI security model
  • Financial institutions will connect core
    applications and systems across the Internet and
    share data with their customers once they can
    trust the connections.
  • Web services security must prove that it can leverage existing digital signature, encryption, and key management infrastructures and new strong authentication solutions
  • CIOs will not spend significant amounts on new
    security systems without visible ROI
  • New, strong authentication mechanisms like smart
    cards and biometric technologies are being
    considered and deployed so solutions must
    integrate

15
Requirement: Non-SSL solutions must be buildable and understandable.
[Diagram: Services / Assets]

16
Topics for Discussion
  • FS Industry Drivers
  • An Example: Corporate Cash Management
  • Issues & Challenges
  • Q & A

17
Contacts at Niteo Partners, Inc.
Mr. Kevin Cronin, Chief Technical Architect; Co-Chair, Financial Services Technology Consortium Web Services Advisory Group; k.cronin_at_niteo.com; 617.895.3042
Mr. Michael Versace, Partner, Financial Services; Chairman, ISO TC68 SC2, Security and Banking; m.versace_at_niteo.com; 617.895.3042