ODYSSEY. cryptic by intent IMPLEMENTING TRANSACTION SECURITY FOR HDFC BANK A CASE STUDY ODYSSEY TECHNOLOGIES LIMITED. Odyssey Technologies Ltd

Transcription

1 IMPLEMENTING TRANSACTION SECURITY FOR HDFC BANK A CASE STUDY TECHNOLOGIES LIMITED

2 Problem HDFC Bank wanted to implement the best-in-class technology for protecting their online banking services from cyber attacks. The challenge was to implement effective security without compromising customer convenience or limiting scalability. Solution Odyssey Technologies Limited deployed Snorkel-TX, a PKI-based plug-configure-play transaction security server that protects HDFC Bank's high-value transaction applications from unauthorized entry and information access. Snorkel-TX also ensures non-repudiation and integrity of transactions. Results The bank has been able to ensure authentication, access control, channel security, non-repudiation and integrity of its online transactions cost-effectively and without affecting customer convenience or scalability. Thanks to reliable security infrastructure, the bank has been able to grow and expand its online services confidently. About HDFC Bank HDFC Bank was one of the first banks to have set-up services in the Indian private sector. Since its inception, the bank has concentrated on providing its clients with world-class services by enhancing banking convenience and safety.

3 Today, HDFC Bank is a trusted name in the banking sector, having established a nationwide network of 2,544 branches and 9,333 ATMs in 1,399 Indian towns and cities. In order to support its growing customer-base and product offerings, the bank has implemented a highly automated environment with the help of multiple technologies. NEED FOR TRANSACTION SECURITY Password Credit Card Net Banking Transactions HDFC Bank was one of the first in India to set-up Internet banking for its customers. Since the Internet is ripe with security threats, the bank wanted to safeguard its corporate customers from identity thefts and abuse of private information. These customers carried out high-valued transactions over the Internet on a regular basis and so the bank also wanted to ensure the integrity and non-repudiation of these transactions. SOLUTION REQUIREMENTS HDFC Bank wanted to implement a secure banking solution that could protect its banking applications from multiple dimensions The solution should provide a stronger means of authentication than passwords, which can be easily broken. Financial information of clients should remain private when accessed over the internet. The solution should impart accountability and integrity to the online transactions. Usability of the application should not suffer. The solution should have a comprehensive reporting system for collecting business intelligence.

4 TECHNOLOGY IDENTIFICATION The bank identified Public Key Infrastructure (PKI) as a suitable technology for addressing its security requirements. With PKI, the bank would be able to implement strong identification and authentication mechanisms using digital certificates, privacy using SSL, non-repudiation using digital signatures and integrity using hashing algorithms. CHALLENGES PKI technology was still in its infancy when HDFC Bank was seeking to implement the technology. Solutions from most vendors required integration with the banking applications, which posed multiple challenges for the bank: The bank was risking breakdown of existing infrastructure and code-base in the process of integrating security components. Integration required additional time, effort and human resources, which drastically increased the cost of implementation. Integrated solutions seldom scale or adapt to changes in the IT environment. SOLUTION IDENTIFICATION Odyssey's Snorkel-TX server is a powerful PKI-based transaction security server that could instantly PKI-enable any application without the need for integration. As a PKI solutions vendor, Odyssey successfully overcame challenges with PKI integration by isolating the security components from the application. Odyssey's Snorkel-TX server is a powerful PKI-based transaction security server that could instantly PKI-enable any application without the need for integration. The server is typically deployed between the application and end-user. By intercepting requests made to the application, Snorkel can examine the requests and take action appropriately, based on how Snorkel is configured.

5 The solution uses digital certificates for authenticating users into the system. URLbased authorization provides fine-grained access control by allowing specific users to access specific services within the application. By establishing an SSL channel with the end-user, Snorkel also assures privacy of transactions. Additionally, Snorkel enables end-users to digitally sign transactions, thus ensuring non-repudiation. In addition to fulfilling the essential security requirements, Snorkel provided several benefits that were advantageous to the bank. The solution sported multiple authentication mechanisms including certificate-based authentication, and one time passwords. Snorkel could protect multiple back-end applications at once. Administrators could access Snorkel securely from anywhere, both on the intranet and Internet. The product sported a fully web-based administrator interface with point and click features for configuration of back-end applications, a dynamic web console for monitoring system functions and user status and user self-registration features. The solution had minimal effect on user-experience. All administrator activities were digitally signed and logged for accountability. The reporting system provided the bank with valuable security and business intelligence. The solution had an integrated XML based configuration database that eliminates the need for a separate RDBMS. Snorkel demonstrated superior cryptographic and SSL performance that rivals that of dedicated crypto-accelerators. SOLUTION IMPLEMENTATION In order to have a comprehensive PKI infrastructure, Odyssey implemented a complete Certificate Management System (CMS) at HDFC Bank, prior to implementing Snorkel. Having its own CMS enabled HDFC Bank to cost-effectively issue and manage digital certificates for its application users.

6 Odyssey's unique zero-touch a p p r o a c h t o s o l u t i o n i m p l e m e n ta t i o n e n a b l e d Snorkel to be deployed at HDFC Bank premises without having to make any changes to the application code-base. Odyssey's unique zero-touch approach to solution implementation enabled Snorkel to be deployed at HDFC Bank premises without having to make any changes to the application code-base. The implementation was completed in weeks. This was a new record in PKI implementation since competing vendors followed the integration model which typically involved years. With Snorkel implementation, HDFC Bank's corporate customers could now access their online services securely. Bank The applications employed for corporate banking required server-to-server security since it was interacting with thick clients at the client end. For this, Odyssey interfaced HDFC Bank clients' premises with Snorkel-BX, a business-to-business transaction security server that could interact securely with HDFC Bank's Snorkel-TX server. Enterprise Customer With the implementation of Snorkel-TX and Snorkel-BX, HDFC Bank's application servers were protected both while interacting with thin clients and thick clients. The implementation was carried out on 64 bit Opteron/EM64T platform with Linux V2.6 operating system kernel. POST-DEPLOYMENT SUPPORT Odyssey has provided post-deployment support for HDFC Bank in the form of training, regular solution upgrades, and timely 24 X 7 customer support. Since the initial implementation, the bank has upgraded to Snorkel-TX 3.0 which sports enhanced features in order to keep up with technological advancements and changing security needs.

7 Results The bank's preemptive actions for protecting its customers' assets against cyber threats have enhanced the brand name and reputation of the organization. Snorkel-TX has protected HDFC Bank from incurring huge losses due to security incidents. The zero-touch security implementation model has allowed the bank to upgrade its banking applications without having to invest in new security infrastructure. The bank has been able to take advantage of the trust-factor introduced by good security infrastructure, to increase subscription to its online services. The bank has won several awards including the IBA Banking Technology Awards 2010 for 'Technology Bank of the Year' and the DSCI (Data Security Council of India) Excellence Awards 2011 for 'Security in Bank', further enhancing the brand name and trust factor. ABOUT TECHNOLOGIES LIMITED Odyssey Technologies Limited is a pioneer in PKI technology in the Asia-Pacific region. The company develops products and solutions for transaction security and is recognized by the Controller of Certification Authorities in India as a technology vendor. By isolating the security components and business logic, Odyssey stays true to its zero-touch philosophy and ensures deployment of solutions quickly and effectively without the need for integration or changes to the existing code-base. The company proudly supports the security needs of major banks and financial institutions in the Asia-Pacific region and has earned their trust as a reliable vendor. Odyssey Technologies Limited is based in Chennai, India and is listed in the Bombay Stock Exchange. To learn more about solutions from Odyssey Technologies Limited, visit or [email protected].