Alcatel-Lucent OmniAccess 8550 Web Services Gateway
Secure and auditable web services for financial institutions
Multiple systems in the financial industry (loan and mortgage applications, risk reporting, offline batch processing, Internet banking, enterprise resource planning (ERP) and customer relationship management (CRM)) operate together to process billions of daily transactions. Technology is imperative to keep the financial engines running. However, when using a variety of solutions, it is difficult to integrate enterprise-class authentication, authorization and auditing into a group of disparate IT systems and still maintain information security, corporate governance and regulatory compliance.

The leading technology to facilitate interoperability between disparate business systems is a common element through which all services can operate. Service-oriented architecture (SOA) is widely used in the financial industry as a flexible, modular framework designed to enable interoperability as a service over a network (Internet, intranet, extranet). The greatest strengths of SOA environments are providing business agility and IT system re-use through flexibility and openness. The true burden of all financial institutions is to have the ability to easily and accurately prove that each transaction is completed according to regulatory and corporate governance standards. However, like a double-edged sword, that same openness is also an SOA's greatest weakness, because by default an SOA has minimal authentication and authorization mechanisms and lacks functions critical to financial institutions such as consolidated auditing and policy enforcement.

The sensitive nature of the information routinely handled by financial institutions demands enterprise-wide role-based authentication of users, run-time authorization of transactions, and consolidated audit trails to create a historical record for corporate governance and to demonstrate regulatory compliance.
"Any [SOA] system is inherently insecure the moment you open it up to the outside world." Butler Group

OMNIACCESS 8550 WEB SERVICES GATEWAY

The Alcatel-Lucent OmniAccess 8550 Web Services Gateway (WSG), deployed as in Figure 1, provides reliable enterprise-wide, user-centric, stateful policy enforcement with consolidated audit trails for web-enabled services, data, applications and business processes. Once deployed, the OmniAccess 8550 WSG provides a secure, application-independent infrastructure to share web services between financial institutions and their partners, regardless of whether the services are local or external (outside the firewall). The benefits gained are corporate-wide security risk management capabilities, end-to-end enterprise-class data and identity security (encryption, digital signing and single identity), and stateful (multi-transaction) run-time policy enforcement to ensure compliance, with consolidated audit trails to demonstrate it.

Figure 1. Example OmniAccess 8550 Web Services Gateway Deployment (OA8550 WSG units in the DMZ of a remote datacenter and of the primary datacenter, fronting the eSales portal, sales force and mortgage application systems, batch processing, CRM systems, Internet banking, ERP systems and financial systems)
SINGLE IDENTITY AND STATEFUL POLICY ENFORCEMENT

Threats to sensitive information come from multiple sources. Internal threats come from employees; external threats come from partners, outsourcers, contractors and the Internet. The OmniAccess 8550 WSG uses data encryption coupled with stateful policy enforcement and active auditing to ensure that transactions are secure and stored data is safe from misuse.

Figure 2. Sources of threats to information security (threats from business partners, outsourcers, employees and contractors)

The OmniAccess 8550 WSG allows single identity and identity mapping from the internal and external authentication systems of trusted partners. By integrating with these authentication systems, the OmniAccess 8550 WSG shares digital credentials, enabling the trust relationship between partners. Very importantly, each partner can employ its own authentication system, maintain its own identity store and set access policies independently.

After validating the credential of a user, the OmniAccess 8550 WSG uses a combination of user-aware authorization and policy enforcement for information access control. Authorization is based on the credentials of the user: the OmniAccess 8550 WSG controls which users can access and/or change data based on the user's level of access.

Stateful (multi-transaction) policy enforcement allows policy to be enforced on each transaction based upon the context in which it is requested. During the transaction, the OmniAccess 8550 WSG enforces published policies in a stateful manner at run time. For instance, a password reset request might be normal, but not if it is followed by a large transfer of funds. The OmniAccess 8550 WSG would be able to see the password change and deny fund transfers after a password change without additional authentication, or could trigger an alert followed by a phone call to the customer.
With user-centric, stateful run-time policy enforcement, the OmniAccess 8550 WSG can effectively secure the integrity and confidentiality of information from end to end for each transaction, as well as dictate how the transaction information is accessed and modified.
REGULATORY COMPLIANCE

Regulatory compliance is one of the most difficult and time-consuming hurdles for financial institutions. The OmniAccess 8550 WSG takes over the management of higher functions such as policy enforcement and auditing by inserting itself into the XML message flow. The OmniAccess 8550 WSG can therefore monitor each transaction from end to end and can automatically perform auditing functions to document that session data integrity was maintained and application data was properly secured after the transaction was completed.

For instance, a bank creates a rebate program of $100 for employees who sign up a new credit account. There are several steps in the rebate program: the rebate request, rebate amount calculation, manager approval and payroll disbursal. The first three steps are handled by a web service linked to the system that handles new credit accounts, and the final step is handled by the payroll system. All validation of user credentials and policy enforcement is handled by the OmniAccess 8550 WSG. Policies are in place to ensure duplicate accounts are not created and that an alert is sent if an employee earns more than $500 from the rebate program in a month. A transaction occurs as shown in Figure 3.

Figure 3. Validation process example (1. Rebate request submitted; 2. Credit calculated, submitted for approval; 3. Approval granted; 4. Credit issued and payment issued to employee; the rebate application, rebate approval, payroll, HR DB, LDAP and historical store all pass through the OA8550)

1. A representative authenticates to the credit system and signs up a new account. The rebate request is validated by checking to make sure the representative is an actual current employee and has the authority to add the account.
2. The employee request is compared to the new customer database to validate that the customer is real and not a duplicate. In addition, the system validates the rebate amount at $100.
3. The rebate request is sent to the manager of the representative for approval. The manager checks to make sure the account is set up correctly and validates the account against the rebate requirements.
4. The payroll department checks to make sure the rebate amounts are correct and the maximum rebate is not exceeded before disbursing the check.

At each step, the OmniAccess 8550 WSG is authenticating, authorizing and auditing the transactions according to existing policies. After completion, any transaction can be easily proven to be valid on review by accessing historical data from the OmniAccess 8550 WSG.
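The two stateful policies the brochure describes (denying a funds transfer that follows a password reset until the user re-authenticates, and the rebate program's duplicate-account and $500-per-month rules) as a small policy engine with a consolidated audit trail. This is an added Python example, not code from the brochure or from the OmniAccess 8550 product; the event format, operation names and the sample transaction stream are constructed assumptions.

```python
from collections import defaultdict

REBATE_AMOUNT = 100          # dollars per new credit account (the page's scenario)
MONTHLY_REBATE_ALERT = 500   # alert once an employee exceeds this in a month

class PolicyEngine:
    def __init__(self):
        self.reset_pending = set()       # users with a password reset not yet re-authenticated
        self.rebates = defaultdict(int)  # (employee, month) -> rebate dollars so far
        self.accounts = set()            # customer accounts already opened
        self.audit = []                  # consolidated audit trail, one entry per event

    def evaluate(self, event):
        user, op = event["user"], event["op"]
        decision, note = "allow", ""
        if op == "password_reset":
            self.reset_pending.add(user)        # remember the context for later events
        elif op == "reauth":
            self.reset_pending.discard(user)    # step-up authentication clears it
        elif op == "transfer" and user in self.reset_pending:
            decision, note = "deny", "transfer after password reset without re-authentication"
        elif op == "rebate_request":
            key = (user, event["month"])
            if event["account"] in self.accounts:
                decision, note = "deny", "duplicate account"
            else:
                self.accounts.add(event["account"])
                self.rebates[key] += REBATE_AMOUNT
                if self.rebates[key] > MONTHLY_REBATE_ALERT:
                    note = "alert: monthly rebates exceed $%d" % MONTHLY_REBATE_ALERT
        self.audit.append({"seq": len(self.audit) + 1, **event, "decision": decision, "note": note})
        return decision, note

def run(events):
    """Replay an event stream through a fresh engine; returns (decisions, audit trail)."""
    engine = PolicyEngine()
    return [engine.evaluate(e) for e in events], engine.audit

# Constructed sample stream: a customer resets a password and then moves funds; an
# employee (emp7) opens six accounts in one month and resubmits the first one.
SAMPLE_EVENTS = (
    [{"user": "cust42", "op": "password_reset"},
     {"user": "cust42", "op": "transfer", "amount": 25000},
     {"user": "cust42", "op": "reauth"},
     {"user": "cust42", "op": "transfer", "amount": 25000}]
    + [{"user": "emp7", "op": "rebate_request", "month": "2008-06", "account": "acct-%d" % i}
       for i in range(6)]
    + [{"user": "emp7", "op": "rebate_request", "month": "2008-06", "account": "acct-0"}]
)
```

Calling `run(SAMPLE_EVENTS)` denies the first transfer, allows it after re-authentication, raises the alert on the sixth rebate ($600 in the month) and denies the duplicate account, with every decision recorded in the audit list.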
EXTENSION OF NETWORK SERVICES TO PARTNERS

The financial world is a synergy of large, medium and small companies working together to create a portfolio of products using a variety of applications. Therefore, it is important for financial institutions to be able to easily connect with a variety of business partners, contractors and outsourcers. However, connecting various businesses creates a problem in tracking all the activity of each transaction through multiple business systems and networks. Since the OmniAccess 8550 WSG is the common element, it can track all transaction activity in accordance with Statement on Auditing Standards (SAS) No. 70 (SAS 70) practices and consolidate the activity into a single tracking report.

"When IT functions are outsourced the ultimate responsibility for achieving control objectives rests with the client." American Institute of CPAs

Figure 4. Example OmniAccess 8550 Web Services Gateway Deployment (primary datacenter with security and alerting, identity directory, application servers and web servers behind an OA8550 WSG in the DMZ; a remote datacenter with its own OA8550 WSG and DMZ; WS network elements of Partner 1 and Partner 2 reached over the WAN)
The OmniAccess 8550 allows easy integration with external partners through identity interoperability, enabling cross-validation between partners and the extension of virtual services. Coordinating authentication systems has several benefits. First, by interfacing with existing authentication systems, the OmniAccess 8550 reduces the overall complexity of the system, creates flexible security that allows partners to be added or removed without major infrastructure changes, and allows partners to individually maintain their own corporate governance. Second, it allows users to travel between sites and still have access to network services. And finally, a single point of control for partner access reduces the total cost of ownership (TCO) of the system. For partners that do not have their own authentication system, such as an independent contractor, the OmniAccess 8550 WSG can extend virtual services, which provide properly authenticated access while limiting the exposure to security threats.

DATA INTEGRITY AND CONFIDENTIALITY

The OmniAccess 8550 WSG secures data in real time through hardware engines dedicated to encryption and digital signing. Each transaction can be secured using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and data is secured by encryption. Whether application data is in transit or stored, it is secured with state-of-the-art encryption technology. However, while sensitive data is secured from misuse, it is always available when and where it is needed (internally or externally).

CONCLUSION

The OmniAccess 8550 WSG is a corporate-wide solution designed to secure multiple services over a reliable and secure SOA backbone. By inserting itself into the XML message transaction flow, the OmniAccess 8550 WSG creates a single point for run-time policy enforcement, thus assuring regulatory compliance, and provides a single point for consolidated audit trails.
The OmniAccess 8550 WSG means that web-service-based business process integration doesn't have to mean an increase in risk; with the OmniAccess 8550 WSG, financial institutions deploying web services reduce their exposure to both external and internal information misuse while easing the IT demands of corporate governance and regulatory compliance.
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. 2008 Alcatel-Lucent. All rights reserved. 032108-00 Rev A 6/08
www.alcatel-lucent.com