Lappeenranta 29.11.2001

Presenter Kari Oksanen, E-mail [email protected], Tel. +358 9 165 25062


TRANSCRIPT

Page 1: Lappeenranta 29.11.2001

Presenter: Kari Oksanen
E-mail: [email protected]
Tel. +358 9 165 25062

Page 2: Lappeenranta 29.11.2001

About the Bank: The largest financial services group in the Nordic region

• Unibank in Denmark
• Merita in Finland
• Christiania Kreditkassen in Norway
• Nordbanken in Sweden

9 million private and 700 000 corporate customers

2.6 million Internet Bank customers

About 40 000 employees

World leader in internet banking

World's first WAP based banking services launched in October 1999

More information: www.nordea.com

Nordea 1.12.2001

Page 3: Lappeenranta 29.11.2001

Adding new banking and e-services = adding value

[Chart: customer satisfaction (Low to High) plotted against the number of services (Few, Many, All) over the years 1982, 1988, 1992, 1996, 1998, 1999 and 2000. Services added over that period: Balances + Payments; Shares; e-identification; Inv. Funds, e-shopping; e-Loans, e-billing, e-signature; Foreign payments, e-student loan; e-salary.]

Now virtually all banking services and increasingly e-services

Same password for all services!

Page 4: Lappeenranta 29.11.2001

Net-banking customers in Nordea

[Chart: net-banking customers 1997-2001 by bank (Kristiania, Unibank, Merita, Nordbanken), scale 0 to 3 000 000]

50% of the active customer base in Merita

01 - 10/2001: 18 million visits more than last year within the same period

Page 5: Lappeenranta 29.11.2001

Giro-payment transactions, private customers

[Chart: share of giro-payment transactions by channel: Payment ATMs, Home banking, Direct debiting, Envelope payments, Branch office; one slice is labelled 4 %]

Page 6: Lappeenranta 29.11.2001

Daily Solo Sessions in Merita, October 2001

[Chart: the number of sessions per day, scale 0 to 180 000]

Page 7: Lappeenranta 29.11.2001

Information security

[Diagram: information security made up of four areas]
• Software security
• Hardware security
• Operations security
• Data security

Page 8: Lappeenranta 29.11.2001

Threats and Risks

[Diagram: threats divided into three classes, of which the last one constitutes the risks]

Threats:
• No impact or fictional
• Impact, protection in place

Risks:
• Impact, vulnerabilities

Page 9: Lappeenranta 29.11.2001

Strategic Context: Nordea IT Security is today one of the foundation elements. Security technologies are relationship management tools:

• Relationships between identities and resources (privileges)
• Relationships between internal systems (integration/interoperability)
• Relationships between networks (business relationships)

Relationship management = identity and risk management
• We need a repository/ies for identity and relationship management
• Risk management through authentication, integrity, and confidentiality

Identity management
• Infrastructure must establish an unambiguous identity
• Authentication is only the first step

Page 10: Lappeenranta 29.11.2001

IT security in a company with large scale e-business activities - some findings

• Businesses are going to the networks - the role of IT security is becoming more important.
• To implement seamless, business-supporting security solutions we also have to understand our customers' behaviour, the techniques they deploy and how these are changing.
• We have to understand business strategies to some extent, and we have to build security solutions in co-operation with the persons responsible for business issues.
• IT security is there to secure business information when it is processed, stored in data systems or transferred in telecommunications - it is not there to build or buy toys for ourselves.

Page 11: Lappeenranta 29.11.2001

IT security in a company with large scale e-business activities - some findings contd.

• The business controls are very close to the IT security tools - without understanding the business controls you can't build secure systems.
• We have to co-operate with many units in our organisation and with people from other organisations - IT security is networking.
• We have to understand what cost-effectiveness means.
• We are accountable for our decisions.

IT security is not a property of a product, and it is not only security products; it is a property of the environment!

Page 12: Lappeenranta 29.11.2001

Control and Security Architecture

• Control architecture: describes technology-neutral controls and security principles:
  • Duty segregation
  • Need-to-know principle

• Security architecture: helps to create a common and platform-neutral understanding of security capabilities.
  • It is a general picture for designing.
  • It describes all aspects of the environment that are related to security.
  • It is a guide to aid in the construction of security.
  • It helps us to effectively implement business requirements across various platforms: basic security functions, controls, auditing.
  • It does not say how to secure or what products to use.

Page 13: Lappeenranta 29.11.2001

Control and Security Architecture contd

• Security implementation guidelines: describe the application of controls to each specific platform
  • more technical
  • detailed

Page 14: Lappeenranta 29.11.2001

IT security, some principles

[Matrix: user groups against identification and authentication, and authorisation]

Customers
• Identification and authentication
• Authorisation: services, databases
• Authorisation to applications (never system level)
• Customers authorised to access accounts of their own, only.

Internal end-users
• Identification and authentication
• Authorisation: databases; applications, services
• Authorisation to applications (never system level)
• Internal end-users authorised to access all accounts but not those of their own.

Technicians
• Securing resources and access control for technical users (NT, UNIX, RACF, TopSecret)

Remote access (internal end-users, only)
• Identification and authentication
• Authorisation to applications (never system level)
• Authorising remote users to access services needed outside offices
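The authorisation rules on the slide above, encoded as a single policy check; this is an added example written for this transcript, not code from the presentation or from Nordea. The subject and resource kinds, the `authorise` helper and the rule that technicians get no application-level account access are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    kind: str             # "customer", "internal" (end-user) or "technician"
    user_id: str
    remote: bool = False  # session comes from outside the offices

@dataclass(frozen=True)
class Resource:
    kind: str             # "account", "application" or "system"
    owner: str = ""       # for accounts: id of the account holder

def authorise(subject: Subject, resource: Resource) -> bool:
    """Return True when the slide's rules permit the access, False otherwise."""
    # Remote access is for internal end-users only.
    if subject.remote and subject.kind != "internal":
        return False
    if resource.kind == "system":
        # System-level resources (NT, UNIX, RACF, TopSecret) are the technicians'
        # domain; customers and internal end-users are never authorised at system level.
        return subject.kind == "technician"
    if subject.kind == "technician":
        # Assumption for this example: technicians get no application-level
        # access to customer accounts or business applications.
        return False
    if resource.kind == "account":
        if subject.kind == "customer":
            return resource.owner == subject.user_id   # own accounts only
        return resource.owner != subject.user_id       # all accounts but their own
    if resource.kind == "application":
        return subject.kind in ("customer", "internal")
    return False  # unknown resource kind: deny by default
```

The check is deny-by-default: any subject or resource kind not named in the slide's rules is refused rather than silently allowed.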

Page 15: Lappeenranta 29.11.2001

Security services

[Diagram: services and technical IDs surrounded by the security services]
• Technical IDs
• Services
• Confidentiality / encryption
• Identification and authentication
• Authorisation
• Integrity: MAC, digital signatures

Page 16: Lappeenranta 29.11.2001

IT-security, some principles

[Diagram: the three environments Development, Test and Production; programmers and application planners work in development, end users in production]

Naming standard for easier administration and better control or security. Versioning / version control. Duty segregation.

Development:
• controls to force to follow naming std.
• controls to force to follow programming model
• source code protected against unauthorised modifications
• developers have full access only to those objects they are responsible for

Transfer from development to production:
• tools for the duality principle when transferring new or amended code from development to production; audit trail in transfers
• source code for each piece of software transferred to the production env. has to be stored for at least two years
• mechanisms to make it possible to reset the previous version
• audit trail in all changes
• it is not allowed to transfer information from the production environment

Production:
• no compilers
• files and databases are read or updated via properly accepted user interface or batch programs, only
• it is mandatory to verify the user's access rights when moving from one application to another
• integrity control for all software
• audit trail in all business related transactions including inquiries
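The transfer-to-production controls listed above (duality principle, audit trail in transfers, reset to the previous version, naming standard, integrity control), worked as code; this is an added example for this transcript, not the bank's tooling. The naming pattern, the audit record layout and the `ProductionStore` helper are assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

NAMING_STD = re.compile(r"^[A-Z]{3}[0-9]{4}$")  # assumed naming standard, e.g. PAY0042

class ProductionStore:
    def __init__(self):
        self.current = {}   # object name -> (version, source) now in production
        self.previous = {}  # object name -> (version, source) before the last transfer
        self.audit = []     # append-only audit trail of transfers and resets

    def _log(self, event, name, **fields):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "object": name, **fields})

    def transfer(self, name, source, version, developer, approver):
        """Move source code into production; returns the new version or raises."""
        if not NAMING_STD.match(name):
            raise ValueError(f"{name}: violates naming standard")
        if developer == approver:
            # Duality principle: a second person must approve the transfer.
            raise PermissionError("developer cannot approve their own transfer")
        digest = hashlib.sha256(source.encode()).hexdigest()
        if name in self.current:
            self.previous[name] = self.current[name]  # keep it so it can be reset
        self.current[name] = (version, source)
        self._log("transfer", name, version=version, sha256=digest,
                  developer=developer, approver=approver)
        return version

    def reset(self, name, operator):
        """Put the previous version back into production (logged as well)."""
        if name not in self.previous:
            raise KeyError(f"{name}: no previous version to reset to")
        self.current[name] = self.previous.pop(name)
        self._log("reset", name, version=self.current[name][0], operator=operator)
        return self.current[name][0]

    def integrity_ok(self, name):
        """Integrity control: hash the production object, compare with the audit trail."""
        version, source = self.current[name]
        recorded = [e for e in self.audit if e["event"] == "transfer"
                    and e["object"] == name and e["version"] == version][-1]["sha256"]
        return hashlib.sha256(source.encode()).hexdigest() == recorded
```

The audit trail records who developed and who approved every transfer, which is what an auditor would need to confirm that the duality principle was followed.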

Page 17: Lappeenranta 29.11.2001

Access control and Authorisation

[Diagram: access control consists of identification and authentication on the one hand and authorisation on the other]

Page 18: Lappeenranta 29.11.2001

Access control and Authorisation

[Diagram: four separate applications/services, each with its own identification & authentication and its own authorisation layer]

Security architecture: The basic idea is to avoid application-specific access control systems as long as possible, to achieve a robust control level, end user satisfaction and cost efficiency in administration.

Page 19: Lappeenranta 29.11.2001

Access control and Authorization

[Diagram: four applications sharing one common authorization data store, reached through one login]

Page 20: Lappeenranta 29.11.2001

End-users and administrators

The end-user: Where to find the services available? MENU systems! Single sign-on!

The administrator: Impossible to create reports for auditors and unit managers; which systems am I authorised to use in Nordea? Very difficult to understand and manage!

Environments per country:
• Sweden: SW packages, Web, C/S, 3270, NT, OS/2
• Norway: SW packages, Web, C/S, 3270, NT
• Finland: SW packages, Web, C/S, 3270, NT
• Denmark: SW packages, Web, C/S, 3270, NT, OS/2

Page 21: Lappeenranta 29.11.2001

Security - covering the whole chain

Customers
• Behaviour
• Technical env.
• Control needs

Customers
• Identification
• Authentication

Networks
• Confidentiality
• Integrity

e-services
• Access control
• Authorisation

e-services
• Architecture
• Base controls
• Configurations

Security arrangements towards other partners; banks, ...

Page 22: Lappeenranta 29.11.2001

Profitability and security

[Diagram comparing the attacker's and the defender's economics; the slide labels the two comparisons comparison A and comparison B]

Attacker: GROSS PROFIT ./. (minus) probability to get arrested * repayment = NET PROFIT, set against the IMPLEMENTATION COST of the attack

Defender: GROSS LOSS (material, others) * probability = EXPOSURE; the REDUCTION OF EXPOSURE brought by a SECURITY SOLUTION is set against its PROTECTION COST

Factors shown on the diagram: Arrest effectiveness, Protection effectiveness, Impediment effectiveness, Cost effectiveness, Loss coefficient, Attractiveness

Incident types: ATTACK, RANDOM INCIDENT
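The defender-side calculation on the slide (exposure = gross loss * probability, and reduction of exposure set against protection cost), worked through for several candidate solutions; this is an added example for this transcript, not the presenter's model or figures. The threat and solution records, the `compare` and `rank` helpers and all amounts are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Threat:
    name: str
    gross_loss: float   # material and other losses if it happens (constructed, EUR)
    probability: float  # probability of occurrence per year before protection
    kind: str           # "attack" or "random incident", as on the slide

@dataclass(frozen=True)
class Solution:
    name: str
    protection_cost: float           # cost of the protection per year (constructed, EUR)
    effectiveness: Dict[str, float]  # threat name -> share of its probability removed

def exposure(threat: Threat, solution: Optional[Solution] = None) -> float:
    """GROSS LOSS * probability, the probability reduced by protection effectiveness."""
    p = threat.probability
    if solution is not None:
        p *= 1.0 - solution.effectiveness.get(threat.name, 0.0)
    return threat.gross_loss * p

def compare(threats: List[Threat], solution: Solution) -> dict:
    """Reduction of exposure set against protection cost (the defender-side comparison)."""
    before = sum(exposure(t) for t in threats)
    after = sum(exposure(t, solution) for t in threats)
    reduction = before - after
    return {"reduction": reduction, "cost": solution.protection_cost,
            "net_benefit": reduction - solution.protection_cost,
            "cost_effective": reduction > solution.protection_cost}

def rank(threats: List[Threat], solutions: List[Solution]) -> list:
    """Candidate solutions ordered by net benefit, best first."""
    scored = [(s.name, compare(threats, s)) for s in solutions]
    return sorted(scored, key=lambda item: item[1]["net_benefit"], reverse=True)

# Constructed sample figures, not from the presentation.
THREATS = [Threat("eavesdropping", 500_000, 0.02, "attack"),
           Threat("outage", 200_000, 0.10, "random incident")]
SOLUTIONS = [Solution("encryption", 6_000, {"eavesdropping": 0.9}),
             Solution("redundancy", 25_000, {"outage": 0.8})]
```

With these figures the encryption solution removes more exposure than it costs, while the redundancy solution does not, which is the kind of cost-effectiveness judgement the slide asks for.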

Page 23: Lappeenranta 29.11.2001

Threats and Risks in e-business Systems

Networks: Eavesdropping?

Malicious software:
• Trojan horses
• Viruses
• Etc.

• Poor quality
• Insufficient testing
• Non-scalable systems
• Availability problems
• Poorly configured routers or firewalls
• Poor programming models (Norway)

• Poor session handling
• New techniques
• Missing audit trails or logs
• Unauthorised access to system level
• Internal breaches
• Etc.

• Unauthorised attempts
• Denial of Service attacks

Page 24: Lappeenranta 29.11.2001

IT-security in large scale e-banking systems

• Identification and authentication
• Integrity: MAC, hashing...
• Confidentiality: encryption

Control and security architecture
• Technical architecture: scalability, availability, continuity
• Application architecture: clarity, independent components, strict programming models

Networks

Security in customers' environments:
• instructions
• anti-virus software
Service providers can't help in this area!

Configurations: routers, firewalls
Testing arrangements
How to inform customers in problem situations
Contingency planning

End-to-end security!

Page 25: Lappeenranta 29.11.2001

Instead of all these...

• Debit/Credit cards
• Access codes to net-bank
• Loyalty cards

[Illustration: sample cards issued to Teemu Testihenkilö, Nihitsillantie 3 D, 00020 MERITA, FINLAND, with their card numbers]


EMPS: what is it all about?

...THIS! All cards in one chip inside your WAP-phone (SIM, EMV)

Debit-/Credit card, bank log-on, club membership, application downloading etc.

Page 26: Lappeenranta 29.11.2001

EMPS: Many ways to use it

2. Withdrawing cash from ATM

-Merita ATM- Enter your PIN [****]

-Merita ATM- Withdraw: 100,- 300,- other...

-Merita ATM- 100,- withdrawn Balance 12.562,-

Page 27: Lappeenranta 29.11.2001

EMPS: Many ways to use it

5. Logging on to internet bank - with WAP ...or with WAP and PC using Bluetooth

-Solo-bank- Please enter your PIN [****]

Page 28: Lappeenranta 29.11.2001

The customer

• Home, Work, Traveling, various networks
• Platforms: XP, W2000, NT 4, ME, W98, W95, W3.x, Linux, Mac

Security needed
• Confidentiality
• Identification and authentication
• Integrity

Some problems
• Incompatible standards
• Generally available techniques?
• The availability of smart card readers and drivers?

Where are we?

Uses: E-business, eBanking, E-mail, Do business with authorities

Standards and technologies: SET, WTLS, PKCS#15, SEIS, CAPI, CDSA, SSL, VPN, EMV, CAs, FINEID, New devices