SWIFT WebAccess, Evolving Browse
SWIFT Operations Forum Europe
Isabelle Noblesse, Security Product Manager
Paris, 27 November 2014
Agenda
• Introduction
• New product offering
• Features & benefits
• Demo
• Q&A
SWIFT WebAccess - SOFE 27 Nov 2014
SWIFT WebAccess, evolving Browse
SWIFT offering for web application providers and their customers
[Diagram: End-user and Service Provider connected through SWIFT]
Enable service providers to offer secure access and use of their on-line, web-based services over SWIFT to their end-users
• Service providers leverage SWIFT security
• End-users use their SWIFTNet infrastructure and SWIFT credentials
Previous browse service implementation
[Diagram: on the Service Provider side, a Web server, SWIFTNet Link and Business application; on the End-user side, the Browse framework; both connected over MV-SIPN. InterAct flows used for security-sensitive transactions, HTTPS used for screen flows]
Central value added:
• Strong internet defense by SWIFT
• Strong SWIFT credentials
• Closed User Group
• Access control (RBAC)
• Single URL
Drivers for evolving browse offering
Easier
• Ability to offer browse service over SWIFT channel with minimal changes
• Easier integration (open technical standards, no InterAct)
• Simpler implementation (no need for SNL next to Web server)
Flexible
• Support lighter user footprint
• Alternative to WebPlatform & HSM certificates
• Support for mixed user community (some users connecting over internet)
Secure
• Continue to support strong user authentication & non-repudiated transactions
• Enhance security offering with enriched central services
User experience
• Convenient & harmonized user experience with accessing multiple browse services
New product offering
Value proposition
[Diagram: on the End-user side, user authentication control, user account, credentials management and user credentials; on the Service Provider side, user access control and the Web Application]
Credentials, authentication & access control based on SWIFT world-class security
Multiple access methods supported
[Diagram: end-users reach the Service Provider's Web Application over HTTPS either via MV-SIPN (HSM certificates through Alliance WebPlatform, or personal tokens) or via the Internet (personal tokens); SWIFT PKI and Identity Services act as the Identity Provider]
Users can leverage their SWIFTNet infrastructure or go with a lighter footprint
Delegated authentication
[Diagram: Rob sends a connection request (service URL) to the Web Application; the application asks SWIFT "Who is it?"; SWIFT asks the user "Who are you?" and the user answers "I'm Rob"; SWIFT tells the application "It is Rob" and the connection is established]
SWIFT manages user authentication on behalf of the application
Secure user access flows
[Diagram: the end-user opens https://myservice.browse.swiftnet.sipn.swift.com and authenticates with a personal token (shown as "mytoken") and a masked password; SWIFT Identity Services authenticate the user and keep the user session; the Service Provider's application page is displayed]
Browse session establishment delegated to SWIFT
Single Sign-on
[Diagram: Bob sends a connection request to the SP1 URL; Service Provider1 asks SWIFT "Who is it?"; SWIFT asks Bob "Who are you?", Bob answers "I'm Bob", SWIFT replies "It is Bob" and the connection is made. Bob then sends a connection request to the SP2 URL; Service Provider2 asks "Who is it?" and SWIFT answers "It is Bob" from the existing central session, without asking Bob again, and the connection is made]
User can access additional services without re-authenticating based on central authentication session (within defined period)
Secure transaction exchange flows
[Diagram: flow between the End-user, SWIFT and the Service Provider]
1. Manual transaction to be approved
2. Unsigned transaction
3. Transaction confirmation
4. User signature requested
5. Verify user signature & certificate validity
6. Archive signed transaction for non-repudiation
7. Archive signed transaction for long-term
8. Transaction confirmed
Secure transaction confirmation delegated to SWIFT
Secure transaction confirmation
[Screenshots: transaction confirmation with unstructured transaction data and with structured transaction data]
Features & Benefits
Authentication Control
[Diagram: steps split between End-user, SWIFT and Service Provider]
• Security Officer registers user digital identity; user sets up certificate and is assigned a unique identifier
• Service provider associates user account with SWIFT identity
• User logs in/signs with his/her certificate
• SWIFT verifies user signature & certificate validity; SP access only allowed if valid user authentication
• Service provider receives user identity info; application can display username of logged-in user
Access Control (1/2)
[Diagram: steps split between End-user, SWIFT and Service Provider]
• End-user institution requests service subscription; service provider approves customer subscription
• User institution is provisioned in the Closed User Group
• User logs in with his/her certificate
• CUG membership for the user's institution is verified centrally; SP access only allowed if valid CUG membership
Access Control (2/2)
[Diagram: steps split between End-user, SWIFT and Service Provider]
• Security officer assigns roles to user; roles are stored centrally
• Service provider optionally defines roles to use for application access control and provisions service roles to the subscribed institution
• User logs in with his/her certificate
• Central check verifies if user has a role for the service; SP access only allowed if service role present
• Optionally, user roles are provided to the service provider, which grants/limits application functionality based on roles
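The chain of central checks from the Authentication Control and Access Control slides (valid authentication, then CUG membership of the user's institution, then a role for the service, with roles optionally passed on to the service provider), as an added example that is not SWIFT's code; the institution codes, role names and the "approver" mapping on the application side are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data, not SWIFT's data model: institutions approved by the
# service provider into its Closed User Group, and the service roles it has
# provisioned to each subscribed institution.
CUG_MEMBERS = {"BANKAAXX"}
SERVICE_ROLES = {"BANKAAXX": {"myservice-user", "myservice-approver"}}

@dataclass
class User:
    identity: str                 # unique identifier assigned to the SWIFT identity
    institution: str              # institution the user belongs to
    authenticated: bool           # outcome of signature & certificate validity check
    roles: set = field(default_factory=set)  # roles assigned by the security officer

@dataclass
class Decision:
    allowed: bool
    reason: str
    identity_info: dict = field(default_factory=dict)  # what the SP receives

def decide_access(user, cug=CUG_MEMBERS, service_roles=SERVICE_ROLES,
                  pass_roles=False):
    """Central checks in the order the slides describe: authentication,
    CUG membership of the user's institution, then a role for the service.
    The first failing check denies access; the SP never sees the credentials."""
    if not user.authenticated:
        return Decision(False, "invalid user authentication")
    if user.institution not in cug:
        return Decision(False, "institution not in Closed User Group")
    entitled = user.roles & service_roles.get(user.institution, set())
    if not entitled:
        return Decision(False, "no role for the service")
    info = {"identity": user.identity, "institution": user.institution}
    if pass_roles:                # optional: roles handed to the service provider
        info["roles"] = sorted(entitled)
    return Decision(True, "ok", info)

def application_view(decision):
    """Service provider side: display the logged-in username and, when roles were
    passed, grant or limit functionality (the approver mapping is an assumption)."""
    if not decision.allowed:
        return {"page": "access denied", "reason": decision.reason}
    roles = decision.identity_info.get("roles", [])
    return {"page": "home",
            "username": decision.identity_info["identity"],
            "can_approve": "myservice-approver" in roles}
```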
Single URL
[Diagram: the user knows a single URL; SWIFT monitors the service provider's web servers periodically and connects the user automatically to an available web server]
User connects to service provider through a single URL
SWIFT automatically connects user to first available web server
Session distribution
User traffic distributed across web servers/data centres, spreading the load
Key features:
• Extension to Single URL (uses keyword)
• Sessions distributed based on weight/ratio, configured on SP's webpage
• Configurable monitoring interval
• Ratio is polled regularly
[Diagram: users connect over MV-SIPN; user session distribution across SP DC1, SP DC2 and SP DC3 based on SURL SP server availability & distribution weight; DC3 is the DC with a lower session distribution weight (session distribution ratio 2x, 2x, 1x)]
Session distribution array (the diagram also shows a site status column):
Pool member   Site weight
DC1           40
DC2           40
DC3           20
DC4           N/A
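Added example, not SWIFT's implementation: an availability-aware weighted session distributor over the pool from the array above (40/40/20, DC4 N/A), with a poll() step standing in for the monitoring interval. Smooth weighted round-robin is an assumed algorithm; the slide only states that configured weight and polled availability drive the distribution.

```python
# Constructed pool mirroring the slide's session distribution array:
# site weights 40/40/20, DC4 not in service (N/A).
POOL = {"DC1": 40, "DC2": 40, "DC3": 20, "DC4": None}

class SessionDistributor:
    """Smooth weighted round-robin over the available pool members.

    The algorithm itself is an assumption; the slides only state that sessions
    follow the configured weight and the polled availability. A member with
    weight None (N/A) or a failed health check receives no sessions.
    """
    def __init__(self, pool):
        self.pool = dict(pool)
        self.available = {dc: w is not None for dc, w in pool.items()}
        self.current = {dc: 0 for dc in pool}   # running credit per member

    def poll(self, health):
        """One monitoring-interval tick: health maps DC -> bool from the check."""
        for dc, up in health.items():
            if dc not in self.pool:
                continue
            self.available[dc] = bool(up) and self.pool[dc] is not None
            if not self.available[dc]:
                self.current[dc] = 0   # drop credit so a recovered DC gets no burst

    def pick(self):
        """Return the DC for the next user session, or None if no member is up."""
        cands = [dc for dc in self.pool if self.available[dc]]
        if not cands:
            return None
        total = sum(self.pool[dc] for dc in cands)
        for dc in cands:
            self.current[dc] += self.pool[dc]
        chosen = max(cands, key=lambda dc: self.current[dc])
        self.current[chosen] -= total
        return chosen

def distribute(n, health=None, pool=POOL):
    """Assign n sessions after an optional health poll; return per-DC counts."""
    d = SessionDistributor(pool)
    if health:
        d.poll(health)
    counts = {}
    for _ in range(n):
        dc = d.pick()
        counts[dc] = counts.get(dc, 0) + 1
    return counts
```

Over any multiple of the total weight the counts match the configured ratio exactly (2x, 2x, 1x), and a DC reported down at poll time is renormalised out rather than handed sessions.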
Operational management of HSM certificates
Evolution roadmap – tentative timeline (columns 2014, 2015, 2016)
• HSM enhancements: Simplified installation process & remote set-up; Unique PED token option; Cluster improvements; Controlled password management
• SAG Admin GUI enhancements: Improved certificate monitoring; Easier/integrated certificate management; Automate recovery of group certificates
• New certificate offering: New type of personal certificate on HSM with full end-user control
• HSM cluster enhancement: Support higher latency limit on dedicated browse HSM clusters
• SAG Admin GUI enhancements: Improved certificate monitoring; Easier/integrated certificate management (for CLS users only)
• Certificate management enhancements: Option to avoid or minimize PED functions; Fully integrated certificate management; Operational simplicity
Refer to the HSM usability evolution roadmap
Benefits for end-users
Easy Set-up
• Leverage SWIFTNet infrastructure
• Unified processes & tools for managing users and credentials
Single Sign-on
• Same user credentials across services
• Harmonized user experience with accessing browse services over SWIFT
• Single Sign-On across services based on central user authentication session
Flexible
• Support HSM certificate used through standard browse framework & MV-SIPN
• Option to use lighter footprint with personal token
• Support internet access (if selected by service provider)
Strong Security
• Use of a secure and reliable SWIFTNet connection
• Strong user authentication based on SWIFTNet PKI certificates stored in hardware
• Access control at individual user level
Benefits for service providers
Stronger service
• Service provider can rely on SWIFT's central security platform for user authentication and access control:
  • For application access
  • For critical transaction confirmation
Simple Integration
• Avoids complex integration needed to support & maintain security framework
• Shields application from credentials (no impact in case of changes)
• Based on open standards (SAML 2.0)
• Integration package including developer toolkit & access to test facilities
Easy User Adoption
• Re-use single window
• Familiar processes & tools for managing users and credentials
• Users can re-use identities across browse services
Strong Security
• Strong internet defense
• Security & reliability of SWIFTNet
• Strong user authentication based on SWIFTNet PKI certificates stored in hardware
• Strong access control, preventing unauthorized application access
Questions
Thank you