© KPMG – Information Risk Management e-Business Services
PKI-enabling e-Marketplaces
Ronald Koorn
KPMG Information Risk Management Amsterdam
[email protected]
+31-(0)20-656-8398
PKI Forum, München, June 19, 2001
Agenda
• e-Marketplace project
• Identrus
• PKI-enabling
• Lessons learned
e-Marketplace project
Independent online marketplace in the trading & transportation sector
Value chain approach
User companies range from multinationals and customs to port authorities and mom & pop shops
Multi-million transactions
Strong authentication, authorization and non-repudiation requirements (legally binding)
Generic Business Process (diagram: buyer e-commerce process, selling process and bank lanes; trading party identification (Seller ID / Buyer ID) is marked as critical at each step)
Buyer-side steps shown: Select Supplier; Source Suppliers; Negotiate Sales Terms; Create & Send Purchase Order; Receive Goods & Invoice; Make Payment; Cash & Accounting
Seller-side steps shown: Credit Application; Source Customers; Quotation / Credit Rating; Negotiate Terms; Receive PO / Order Entry & Allocate Inventory; Ship Goods & Send Invoice; Receive Payment; Cash & Accounting
Sample process / document workflow (diagram: electronic document lifecycle between Shipper, Shipper's Agent, Terminal Operator, Inspector, Carrier, Consignee and Receiver (final buyer))
Actions: 1. CREATE; 2. APPROVE; 3. ENDORSE; 4. SURRENDER; ARCHIVE
Document states: New; Approved; Returned; Endorsed; Surrendered; Accomplished; Replaced by xx; Conversion to paper Requested; Converted to paper; Complete
Marketplace Architecture (diagram)
Source: CommerceOne
Functionality e-Marketplaces
Account/user administration
Directory Services
Catalogue & Content management
Selection/Configuring & Purchasing
Tendering & Auctioning
Pricing
Accounting & AR / Factoring
Insurance
Information feeds
Collaboration
Quality Assurance
Security & Trust
Auditing & Monitoring
Transaction processing
Misc. trading functions
Agenda
• e-Marketplace project
• Identrus
• PKI-enabling
• Lessons learned
Identrus Structure (diagram: Identrus root above the Level 1 Certificate Authorities, Financial Institutions (up to 300+), Corporate Clients and Employees with Certificates; authenticated e-Business interaction between certificate holders)
Equity Members / Level 1 Certificate Authorities shown: BNS; Wells Fargo; Dresdner; RBS; West LB; Commerz; Deutsche; Citibank; Chase; B of A; additional L1 CAs
Financial Institutions shown: French Banks; Bank of America NT & SA; ABN Amro NV; Barclays Bank; Deutsche Bank; BSCH; Citibank NA; The Chase Manhattan Bank; Hypo-Vereinsbank; CIBC; Sanwa; IBJ; NatWest; HSBC
Identrus Commercial Market Coverage
Number of Commercial Accounts: March 1999: 6 million; October 1999: 11 million; 2000: 14 million; 2001: 40 million
Founding Equity Members: Bank of America; Citibank NA; Bankers Trust; Deutsche Bank; Barclays Bank; ABN Amro; Chase Manhattan; HypoVereinsbank
Additional Equity Members: CIBC; Sanwa Bank; NatWest; IBJ; HSBC; BSCH; NAG; Wells Fargo
Additional Equity Members: BNP Paribas; Caisse National de Credit Agricole; Societe Generale; Tokyo Bank; ANZ
Individual Participants: Allied Irish; Argentaria; Argentina Galacia; Banco Bilbao (BBV); Bank Austria; Bank Leumi; Bank Luxembourg; Bank of Scotland; Berliner Bank; CDG Bank Lisbon; Charles Schwab; Commerzbank; DBS Singapore Bank; Den Danske Bank; Dresdner Bank; Hapaolim Bank; ING Barings; Italia; Isabel; JPMorgan; Kuwait National Bank; LaCaixa; Lloyds TSB; Malaysia Bank; MeritaBank; Poland Central Bank; Royal Bank of Canada; Sakura Bank; ScotiaBank; SEBanken; Singapore Banks; SIZ; First Union; Bank Hapolim; Standard Chartered; Sumitomo; SwedBank; Swiss Bank Corp; UBS; WestLB; WestPac
Identrus Value Proposition
Five key factors:
Financially backed identity assurance
Message Integrity & Non-repudiation
Robust trust and risk management platform
Customer and Global reach
Interoperable Trade & Payment Applications
Identrus 4-corner model (diagram: four parties connected over the Internet)
Buyer/Customer: user of an Identrus-enabled service, holder of an Identrus certificate (Subscribing Customer)
Seller: Identrus-enabled service (Relying Customer)
Certificate Authority of Buyer: Issuing Bank
Certificate Authority of Seller: verification of identity of buyers
Identrus LLC (Root CA) above both bank CAs
B2B transactions between Buyer and Seller are signed with the Identrus certificate
Identity Trust Cycle
1. Buyer’s Bank issues a certificate to Buyer
2. Buyer sends message to Seller with Certificate attached (part of an electronic business transaction)
3. Seller requests Seller’s Bank to check the validity of the Buyer’s certificate
4. Seller’s Bank requests Identrus root to check validity of Buyer’s Bank. Identrus root responds to validity check and advises Buyer’s Bank
5. Seller’s Bank requests Buyer’s Bank to check validity of Buyer’s certificate (identity validation)
6. Buyer’s Bank responds to validity check
7. Seller’s Bank advises Seller of Buyer’s certificate validity
(diagram: steps 1–7 drawn between Buyer/Customer (holder of Identrus certificate), Seller (Identrus-enabled service), Buyer’s Identrus Bank, Seller’s Identrus Bank and the Identrus root; step 2 is the B2B Commerce exchange)
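The 4-corner model and the seven-step trust cycle above describe who asks whom: the seller only ever talks to its own bank, which checks the buyer's bank against the Identrus root before asking that bank about the buyer's certificate. The following Python model is an added example, not code from the deck, from KPMG or from Identrus. All party names, serial numbers, dates and keys are constructed, and an HMAC computed with the issuer's key stands in for the issuer's digital signature on a certificate; since in this cycle each CA only ever verifies certificates it issued itself, the stand-in preserves the trust relationships of the model while staying standard-library only.

```python
"""Toy model of the Identrus identity trust cycle (steps 3-7), constructed
for illustration.  Every name, serial, date and key below is made up, and an
issuer-keyed HMAC stands in for the issuer's signature on a certificate."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Certificate:
    serial: str
    subject: str
    issuer: str        # name of the issuing CA: the root or a Level 1 member bank
    not_after: date
    signature: bytes   # issuer's MAC over tbs() (stand-in for a real signature)

    def tbs(self) -> bytes:
        """Deterministic serialisation of the to-be-signed fields."""
        return f"{self.serial}|{self.subject}|{self.issuer}|{self.not_after.isoformat()}".encode()


class CertificateAuthority:
    """A CA with an issuing key, a repository of issued certificates, a
    revocation set and an OCSP-style responder over them."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self._key = key
        self.issued: dict[str, Certificate] = {}
        self.revoked: set[str] = set()

    def _sign(self, tbs: bytes) -> bytes:
        return hmac.new(self._key, tbs, hashlib.sha256).digest()

    def issue(self, serial: str, subject: str, not_after: date) -> Certificate:
        unsigned = Certificate(serial, subject, self.name, not_after, b"")
        cert = Certificate(serial, subject, self.name, not_after, self._sign(unsigned.tbs()))
        self.issued[serial] = cert
        return cert

    def revoke(self, serial: str) -> None:
        self.revoked.add(serial)

    def ocsp_status(self, cert: Certificate) -> str:
        """OCSP Responder & Repository: 'good', 'revoked' or 'unknown'.
        Expiry is left to the relying party, as with real OCSP."""
        if cert.issuer != self.name or cert.serial not in self.issued:
            return "unknown"
        if not hmac.compare_digest(self._sign(cert.tbs()), cert.signature):
            return "unknown"   # our serial, but the content was altered after issuance
        return "revoked" if cert.serial in self.revoked else "good"


class IdentrusRoot(CertificateAuthority):
    """Root CA: issues Level 1 member certificates and keeps the member
    directory that the seller's bank consults in step 4."""

    def __init__(self) -> None:
        super().__init__("Identrus LLC (Root CA)", b"constructed-root-key")
        self.members: dict[str, MemberBank] = {}

    def admit(self, name: str, key: bytes, serial: str, not_after: date) -> MemberBank:
        bank = MemberBank(name, key, self, self.issue(serial, name, not_after))
        self.members[name] = bank
        return bank


class MemberBank(CertificateAuthority):
    """Level 1 member institution: CA for its own customers plus the transaction
    coordinator that validates counterparties for its relying customers."""

    def __init__(self, name: str, key: bytes, root: IdentrusRoot, own_cert: Certificate) -> None:
        super().__init__(name, key)
        self.root = root
        self.own_cert = own_cert   # this bank's CA certificate, issued by the root

    def check_for_relying_customer(self, buyer_cert: Certificate, today: date) -> tuple[bool, str]:
        """Steps 3-7 as performed by the seller's bank on the seller's request."""
        # Step 4: is the issuer a member bank, and does the root still vouch for it?
        buyer_bank = self.root.members.get(buyer_cert.issuer)
        if buyer_bank is None:
            return False, "issuer is not an Identrus member bank"
        if self.root.ocsp_status(buyer_bank.own_cert) != "good" or today > buyer_bank.own_cert.not_after:
            return False, "buyer's bank not valid at Identrus root"
        # Steps 5-6: ask the buyer's bank about the buyer's certificate.
        status = buyer_bank.ocsp_status(buyer_cert)
        if status != "good":
            return False, f"buyer's bank reports certificate {status}"
        if today > buyer_cert.not_after:
            return False, "buyer's certificate has expired"
        # Step 7: advise the seller.
        return True, "valid"


def demo() -> dict[str, tuple[bool, str]]:
    """Run the cycle through the normal case and the failure modes the seller's bank must catch."""
    today = date(2001, 6, 19)
    root = IdentrusRoot()
    buyer_bank = root.admit("Buyer's Identrus Bank", b"constructed-key-1", "L1-0001", date(2003, 12, 31))
    seller_bank = root.admit("Seller's Identrus Bank", b"constructed-key-2", "L1-0002", date(2003, 12, 31))
    buyer = buyer_bank.issue("B-1001", "Purchasing Manager, Acme Forwarding", date(2002, 6, 30))  # step 1
    results = {}
    results["valid"] = seller_bank.check_for_relying_customer(buyer, today)        # steps 2-3 onward
    tampered = Certificate(buyer.serial, "Someone Else", buyer.issuer, buyer.not_after, buyer.signature)
    results["tampered"] = seller_bank.check_for_relying_customer(tampered, today)  # issuer's check fails
    outsider = CertificateAuthority("Some Other CA", b"constructed-key-3").issue("X-1", "Anyone", date(2005, 1, 1))
    results["outsider"] = seller_bank.check_for_relying_customer(outsider, today)  # not a member CA
    stale = buyer_bank.issue("B-1002", "Former employee", date(2001, 5, 31))
    results["expired"] = seller_bank.check_for_relying_customer(stale, today)      # responder says good, bank rejects
    buyer_bank.revoke("B-1001")
    results["revoked"] = seller_bank.check_for_relying_customer(buyer, today)
    root.revoke("L1-0001")                                                          # root withdraws the buyer's bank
    results["bank_revoked"] = seller_bank.check_for_relying_customer(stale, today)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:>12}: {'accept' if ok else 'reject'} ({reason})")
```

The ordering of the checks is the point: the root is consulted about the buyer's bank before that bank is trusted to answer for the buyer, the responder reports status only, and expiry is judged by the relying bank, so a withdrawn member bank is rejected before its certificates are even looked at.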
Identrus architecture (diagram)
Identrus Root Certificate Authority
Two Level 1 Member Financial Institutions, each with: Certificate Authority; Risk Management Module; OCSP Responder & Repository; Transaction Coordinator
Purchasing Manager (Certificate Holder) with Client App
Seller (Relying Party) with Client App
Business to Business Interactions between the Purchasing Manager and the Seller
Agenda
• e-Marketplace project
• Identrus
• PKI-enabling
• Lessons learned
Implementation Aspects
Requirements: Identification/Authentication; Authorization; Non-repudiation; Management (billing, auditing)
Business processes: Registration, issuing, revocation and renewal processes; User support; Tactical processes
Technical architecture: SDK implementation; Authentication – Authorization; Win2K co-existence
Testing: 3- and 4-corner testing; Stress testing
Deployment: Card / reader issuance; User training; Post-implementation review
(cartoon) Source: J. Barsoux, Funny Business
Security Capabilities Model (diagram: layered model read from causes to effects; the layers are grouped as Strategy, Management, Knowledge, Support and Technologies, with Availability, Integrity and Confidentiality as the resulting effects)
Security Leadership: Security Sponsorship; Security Strategy
Security Program: Security Program Structure; Security Program Resources and Skillsets
Security Policies: Security Policies; Standards and Guidelines
Security Management: Security Administration; Security Monitoring
User Management: User Management; User Awareness
Information Asset Security: Application Security; Database/Information Security; Host Security; Internal Network Security; Network Perimeter Security
Technology Protection and Continuity: Physical and Environment Controls; Contingency Planning Controls
(untitled architecture diagram of the PKI-enabled marketplace)
Client side: Browser with Plugin, Reader Driver, Smartcard Reader and Smart Card; HTTPS over the Internet to the marketplace
Marketplace: IBM HTTP Server (HTML Pages, Authentication Check); IBM WebSphere Application Server (OSE, Servlet Engine, Java Runtime, Security Toolkit, SDK, ORB, Business Components, Audit with Audit Records, ACLs); Documentum e-Content Server (DFC, Document Objects); RDBMS (Oracle); User Directory with Authorization (LDAP); HSM Validation Service; IIOP between components
External: two Identrus Member / TTP endpoints reached over HTTPS via the Internet
Agenda
• e-Marketplace project
• Identrus
• PKI-enabling
• Lessons learned
Lessons learned
Reluctance in specifying trust and security requirements
PKI-enabled applications needed, difficult application integration
Digitally signing documents (incl. XML); visibility on physical document
Interoperability & portability
Version / change management and client software distribution management
Technology: cards, readers, DSMS, HSM, Win2K, signing software, etc.
(L)RA process and issuing process
SLA: helpdesk, performance, availability/resilience, privacy
Billing & (management) reporting
Liabilities in case of critical business transactions
User-friendliness and user acceptance
or: +31 20-656-8398