
Page 1: SWIFT Web Access

SWIFT WebAccess, Evolving Browse

SWIFT Operations Forum Europe

Isabelle Noblesse, Security Product Manager

Paris, 27 November 2014

Page 2: SWIFT Web Access

Agenda

• Introduction

• New product offering

• Features & benefits

• Demo

• Q&A

SWIFT WebAccess - SOFE 27 Nov 2014 2

Page 3: SWIFT Web Access

SWIFT WebAccess, evolving Browse

SWIFT offering for web application providers and their customers

[Diagram: End-user, SWIFT, Service Provider]

Enable service providers to offer secure access and use of their on-line, web-based services over SWIFT to their end-users

• Service providers leverage SWIFT security

• End-users use their SWIFTNet infrastructure and SWIFT credentials

Page 4: SWIFT Web Access

Previous browse service implementation

[Diagram: Service Provider side: Web server, SWIFTNet Link, Business application. End-user side: Browse framework. Network: MV-SIPN. InterAct flows used for security-sensitive transactions; HTTPS used for screen flows.]

Central value added:

• Strong internet defense by SWIFT

• Strong SWIFT credentials

• Closed User Group

• Access control (RBAC)

• Single URL

Page 5: SWIFT Web Access

Drivers for evolving browse offering

Easier

• Ability to offer browse service over SWIFT channel with minimal changes

• Easier integration (open technical standards, no InterAct)

• Simpler implementation (no need for SNL next to Web server)

Flexible

• Support lighter user footprint

• Alternative to WebPlatform & HSM certificates

• Support for mixed user community (some users connecting over internet)

Secure

• Continue to support strong user authentication & non-repudiated transactions

• Enhance security offering with enriched central services

User experience

• Convenient & harmonized user experience with accessing multiple browse services


Page 6: SWIFT Web Access

Message Flow New Product Offering

Page 7: SWIFT Web Access

Value proposition

[Diagram: End-user (user credentials, user account), SWIFT (credentials management, user authentication control, user access control), Service Provider (Web Application)]

Credentials, authentication & access control based on SWIFT world-class security

Page 8: SWIFT Web Access

Multiple access methods supported

[Diagram: End-user with HSM Certificates connects via Alliance WebPlatform over MV-SIPN; End-user with Personal Tokens connects over MV-SIPN or Internet. SWIFT: PKI, Identity Provider, Identity Services. Service Provider: Web Application, reached over HTTPS.]

Users can leverage their SWIFTNet infrastructure or go with a lighter footprint

Page 9: SWIFT Web Access

Delegated authentication

[Sequence diagram: Rob (end-user), SWIFT, Web Application]

Rob -> SWIFT: connection request (service URL)

SWIFT -> Rob: "Who are you?"

Rob -> SWIFT: "I'm Rob"

Web Application -> SWIFT: "Who is it?"

SWIFT -> Web Application: "It is Rob"

SWIFT -> Web Application: connection

SWIFT manages user authentication on behalf of the application

Page 10: SWIFT Web Access

Secure user access flows

[Diagram: End-user, SWIFT Identity Services, Service Provider]

End-user: opens https://myservice.browse.swiftnet.sipn.swift.com and authenticates with personal token "mytoken" and a masked secret (• • • • •)

SWIFT Identity Services: authenticate user; keep user session

Service Provider: application page displayed

Browse session establishment delegated to SWIFT

Page 11: SWIFT Web Access

Single Sign-on

[Sequence diagram: Bob (end-user), SWIFT, Service Provider1, Service Provider2]

Bob -> SWIFT: connection request - SP1 URL

SWIFT -> Bob: "Who are you?"

Bob -> SWIFT: "I'm Bob"

Service Provider1 -> SWIFT: "Who is it?"

SWIFT -> Service Provider1: "It is Bob"; connection

Bob -> SWIFT: connection request - SP2 URL

Service Provider2 -> SWIFT: "Who is it?"

SWIFT -> Service Provider2: "It is Bob"; connection (Bob is not asked to authenticate again)

User can access additional services without re-authenticating, based on the central authentication session (within a defined period)

Page 12: SWIFT Web Access

Secure transaction exchange flows

[Diagram: End-user, SWIFT, Service Provider]

1. Manual transaction to be approved

2. Unsigned transaction

3. Transaction confirmation

4. User signature requested

5. Verify user signature & certificate validity

6. Archive signed transaction for non-repudiation

7. Archive signed transaction for long-term

8. Transaction confirmed

Secure transaction confirmation delegated to SWIFT

Page 13: SWIFT Web Access

Secure transaction confirmation

[Screenshots: Unstructured transaction data; Structured transaction data]

Page 14: SWIFT Web Access

Features & Benefits

Page 15: SWIFT Web Access

Authentication Control

End-user

• Security Officer registers user digital identity

• User sets up certificate

• User logs in/signs with his/her certificate

SWIFT

• Assigns unique identifier

• Verifies user signature & certificate validity

• SP access only allowed if valid user authentication

Service Provider

• Associates user account with SWIFT identity

• Receives user identity info

• Application can display username of logged-in user

Page 16: SWIFT Web Access

Access Control (1/2)

End-user

• Requests service subscription

• User logs in with his/her certificate

SWIFT

• Provisions user institution in Closed User Group

• Verifies CUG membership for user's institution

• SP access only allowed if valid CUG membership

Service Provider

• Approves customer subscription

Page 17: SWIFT Web Access

Access Control (2/2)

End-user

• User logs in with his/her certificate

• Security officer assigns roles to user

SWIFT

• Stores roles centrally

• Provisions service roles to subscribed institution

• Verifies if user has a role for the service

• Optionally provides user roles to service provider

• SP access only allowed if service role present

Service Provider

• Optionally defines roles to use for application access control

• Optionally grants/limits application functionality based on roles
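The three gates described on the Authentication Control and Access Control slides (valid user signature and certificate, CUG membership of the user's institution, a role for the service), followed by the optional role-based limiting of application functions, as an added Python example. This is not SWIFT's or any service provider's code; the assertion fields, the BIC-like institution values and the role names are constructed stand-ins.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class UserAssertion:
    """Constructed stand-in for what SWIFT asserts about the logged-in user."""
    user_id: str                  # unique identifier assigned by SWIFT
    institution: str              # the user's institution (constructed BIC-like value)
    signature_valid: bool         # outcome of SWIFT's check of the user's signature
    cert_valid_until: datetime    # end of the certificate's validity
    roles: frozenset = frozenset()  # roles stored centrally, optionally passed to the SP


@dataclass(frozen=True)
class ServiceConfig:
    """Constructed per-service configuration (CUG, service role, optional app roles)."""
    cug_members: frozenset        # institutions provisioned in the Closed User Group
    service_role: str             # role that must be present to reach the service
    app_roles: dict = field(default_factory=dict)  # role -> set of application functions


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    functions: frozenset = frozenset()


def authorize(a: UserAssertion, cfg: ServiceConfig, now: datetime) -> Decision:
    # Gate 1 (Authentication Control): signature and certificate validity.
    if not a.signature_valid or a.cert_valid_until <= now:
        return Decision(False, "authentication failed")
    # Gate 2 (Access Control 1/2): the institution must be in the Closed User Group.
    if a.institution not in cfg.cug_members:
        return Decision(False, "institution not in CUG")
    # Gate 3 (Access Control 2/2): the user must hold a role for this service.
    if cfg.service_role not in a.roles:
        return Decision(False, "service role missing")
    # Optional: the SP limits application functionality based on the roles it received.
    functions = frozenset().union(*(cfg.app_roles.get(r, set()) for r in a.roles))
    return Decision(True, "access granted", functions)


# Constructed sample configuration and reference time for running the example.
CFG = ServiceConfig(
    cug_members=frozenset({"BANKAAXX", "BANKBBXX"}),
    service_role="myservice.user",
    app_roles={"myservice.user": {"view"}, "myservice.approver": {"view", "approve"}},
)
NOW = datetime(2014, 11, 27, tzinfo=timezone.utc)
```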

Page 18: SWIFT Web Access

Single URL

[Diagram: User -> single URL -> Service Provider web servers; SWIFT monitors the web servers periodically and connects the user automatically to an available web server]

User connects to service provider through a single URL

SWIFT automatically connects user to first available web server

Page 19: SWIFT Web Access

Session distribution

User traffic distributed across web servers/data centres, spreading the load

Key features:

• Extension to Single URL (uses keyword)

• Sessions distributed based on weight/ratio, configured on SP's webpage

• Configurable monitoring interval

• Ratio is polled regularly

[Diagram: users connect over MV-SIPN through the Single URL (SURL); sessions are distributed across SP DC1, SP DC2 and SP DC3 based on SP server availability & distribution weight; a DC with a lower session distribution weight receives fewer sessions]

Session distribution array (Pool Members, Site Weight, Session distribution ratio):

DC1  40   2x

DC2  40   2x

DC3  20   1x

DC4  N/A
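The weighted session distribution from this slide, as an added Python example that is not SWIFT's implementation: it reduces the configured weights 40/40/20 to the 2x/2x/1x ratio, treats a polled weight of N/A as a site that must receive no sessions, and assigns new sessions with smooth weighted round-robin. The round-robin ordering is an assumption; the slide gives only the weights and the resulting ratio.

```python
from functools import reduce
from math import gcd

# Constructed copy of the slide's session distribution array.
# None models the polled "N/A" entry: the site is not available (assumption).
POOL = {"DC1": 40, "DC2": 40, "DC3": 20, "DC4": None}


def available(pool):
    """Members eligible for new sessions: N/A or zero weight excludes the site."""
    return {dc: w for dc, w in pool.items() if w is not None and w > 0}


def distribution_ratio(pool):
    """Reduce the live weights to the smallest integer ratio (40:40:20 -> 2:2:1)."""
    live = available(pool)
    if not live:
        return {}
    g = reduce(gcd, live.values())
    return {dc: w // g for dc, w in live.items()}


def assign_sessions(pool, n):
    """Assign n new sessions with smooth weighted round-robin.

    Each step adds every site's weight to its running score, picks the highest
    score (ties go to the first site in pool order) and subtracts the total
    weight from the winner, so over a full cycle each available site receives
    sessions in proportion to its weight and the order interleaves sites.
    """
    live = available(pool)
    if not live:
        return []
    total = sum(live.values())
    current = dict.fromkeys(live, 0)
    order = []
    for _ in range(n):
        for dc, w in live.items():
            current[dc] += w
        chosen = max(live, key=lambda dc: current[dc])
        current[chosen] -= total
        order.append(chosen)
    return order


def session_counts(pool, n):
    """How many of n new sessions each available site receives."""
    order = assign_sessions(pool, n)
    return {dc: order.count(dc) for dc in available(pool)}
```

Re-polling the array is modelled by calling the functions again with an updated dict, for example with DC2 set to None when monitoring reports it unavailable.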

Page 20: SWIFT Web Access

Operational management of HSM certificates

Evolution roadmap – tentative timeline (2014, 2015, 2016)

HSM enhancements

• Simplified installation process & remote set-up

• Unique PED token option

• Cluster improvements

• Controlled password management

SAG Admin GUI enhancements

• Improved certificate monitoring

• Easier/integrated certificate management

• Automate recovery of group certificates

New certificate offering

• New type of personal certificate on HSM with full end-user control

HSM cluster enhancement

• Support higher latency limit on dedicated browse HSM clusters

SAG Admin GUI enhancements

• Improved certificate monitoring

• Easier/integrated certificate management (for CLS users only)

Certificate management enhancements

• Option to avoid or minimize PED functions

• Fully integrated certificate management

• Operational simplicity

Refer to the HSM usability evolution roadmap

Page 21: SWIFT Web Access

Benefits for end-users

Easy Set-up

• Leverage SWIFTNet infrastructure

• Unified processes & tools for managing users and credentials

Single Sign-on

• Same user credentials across services

• Harmonized user experience with accessing browse services over SWIFT

• Single Sign-On across services based on central user authentication session

Flexible

• Support HSM certificate used through standard browse framework & MV-SIPN

• Option to use lighter footprint with personal token

• Support internet access (if selected by service provider)

Strong Security

• Use of a secure and reliable SWIFTNet connection

• Strong user authentication based on SWIFTNet PKI certificates stored in hardware

• Access control at individual user level


Page 22: SWIFT Web Access

Benefits for service providers

Stronger service

• Service provider can rely on SWIFT's central security platform for user authentication and access control:

  • For application access

  • For critical transaction confirmation

Simple Integration

• Avoids complex integration needed to support & maintain security framework

• Shields application from credentials (no impact in case of changes)

• Based on open standards (SAML 2.0)

• Integration package including developer toolkit & access to test facilities

Easy User Adoption

• Re-use single window

• Familiar processes & tools for managing users and credentials

• Users can re-use identities across browse services

Strong Security

• Strong internet defense

• Security & reliability of SWIFTNet

• Strong user authentication based on SWIFTNet PKI certificates stored in hardware

• Strong access control, preventing unauthorized application access

Page 23: SWIFT Web Access

Questions

Page 24: SWIFT Web Access

Thank you