Alcatel 8550 User Manual

Alcatel-Lucent OmniAccess 8550 Web Services Gateway
Secure and auditable web services for financial institutions
Multiple systems in the financial industry — loan and mortgage applications, risk reporting, offline batch processing, Internet banking, enterprise resource planning (ERP), and customer relationship management (CRM) — operate together to process billions of daily transactions. Technology is imperative to keep the financial engines running. However, when using a variety of solutions, it is difficult to integrate enterprise class authentication, authorization and auditing into a group of disparate IT systems and still maintain information security, corporate governance and regulatory compliance.
The leading technology to facilitate interoperability between disparate business systems is to use a common element through which all services can operate. Service-oriented architecture (SOA) is widely used in the financial industry as a flexible modular framework designed to enable interoperability as a service over a network (Internet, intranet, extranet). The greatest strengths of SOA environments are providing business agility and IT system re-use through flexibility and openness.
However, like a double-edged sword, this is also a SOA’s greatest weakness, because by default an SOA has minimal authentication and authorization mechanisms and lacks functions critical to financial institutions such as consolidated auditing and policy enforcement capabilities. The sensitive nature of the information routinely handled by financial institutions demands enterprise-wide role-based authentication of users, run-time authorization of transactions, and consolidated audit trails to create a historical record for corporate governance and to demonstrate regulatory compliance.
The true burden of all financial institutions is to have the ability to easily and accurately prove that each transaction is completed according to regulatory and corporate governance standards.
2 Alcatel-Lucent | 8550 Web Services Gateway
“… any [SOA] system is inherently insecure the moment you open it up to the outside world….”
Butler Group
[Figure 1 diagram: Batch Processing, Internet Banking, Mortgage Application, eSales Portal, Sales Force, CRM Systems, ERP Systems and Financial Systems spread across a Primary Datacenter, a Remote Datacenter and a DMZ, each segment fronted by an OA8550 WSG]
OMNIACCESS 8550 WEB SERVICES GATEWAY
The Alcatel-Lucent® OmniAccess™ 8550 Web Services Gateway (WSG), deployed as in Figure 1, provides reliable enterprise-wide, user-centric, stateful policy enforcement with consolidated audit trails for web-enabled services, data, applications and business processes. Once deployed, the OmniAccess 8550 WSG provides a secure, application-independent infrastructure for sharing web services between financial institutions and their partners, regardless of whether the services are local or external (outside the firewall). The benefits gained are corporate-wide security risk management capabilities, end-to-end enterprise-class data and identity security (encryption, digital signing and single identity), and stateful (multi-transaction) run-time policy enforcement with consolidated audit trails to demonstrate compliance.
Figure 1. Example OmniAccess 8550 Web Services Gateway Deployment
SINGLE IDENTITY AND STATEFUL POLICY ENFORCEMENT
[Figure 2 diagram: threats from business partners, threats from employees, threats from outsourcers, threats from contractors]
Threats to sensitive information come from multiple sources. Internal threats come from employees and external threats from partners, outsourcers, contractors and the Internet. The OmniAccess 8550 WSG uses data encryption coupled with stateful policy enforcement and active auditing to ensure that transactions are secure and stored data is safe from misuse.
Figure 2. Sources of threats to information security
The OmniAccess 8550 WSG allows single identity and identity mapping from the internal and external authentication systems of trusted partners. By integrating with these authentication systems, the OmniAccess 8550 WSG shares digital credentials, enabling a trust relationship between partners. Very importantly, each partner can employ its own authentication system, maintain its own identity store and set access policies independently.
After validating a user’s credential, the OmniAccess 8550 WSG uses a combination of user-aware authorization and policy enforcement for information access control. Authorization is based on the credentials of the user: the OmniAccess 8550 WSG controls which users can access and/or change data based on each user’s level of access. Stateful (multi-transactional) policy enforcement allows policy to be enforced on each transaction based on the context in which it is requested.
During the transaction, the OmniAccess 8550 WSG enforces published policies in a stateful manner at run time. For instance, a password reset request might be normal, but not if it is followed by a large transfer of funds. The OmniAccess 8550 WSG would be able to see the password change and deny fund transfers after a password change without additional authentication, or could trigger an alert followed by a phone call to the customer. With user-centric stateful run-time policy enforcement, the OmniAccess 8550 WSG can effectively secure the integrity and confidentiality of information end-to-end for each transaction, as well as dictate how the transaction information is accessed and modified.
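The password-reset-then-transfer rule described above, as an added illustration that is not the OmniAccess 8550 WSG’s own policy language or code: a small stateful policy point keeps per-user context across transactions and denies a large transfer that follows a password reset until step-up authentication has occurred. The threshold, time window, event names and decision labels are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

LARGE_TRANSFER = 10_000.0      # assumed threshold for a "large" transfer
RESET_WINDOW_SECS = 24 * 3600  # assumed window in which a reset taints transfers


@dataclass
class UserState:
    last_reset: float | None = None  # timestamp of the most recent password reset
    reauthenticated: bool = False    # step-up authentication done since that reset


@dataclass
class StatefulPolicy:
    users: dict = field(default_factory=dict)  # per-user context across transactions
    audit: list = field(default_factory=list)  # consolidated audit trail of decisions

    def evaluate(self, event: dict) -> str:
        """Return ALLOW, ALERT or DENY for one transaction, given the user's history."""
        st = self.users.setdefault(event["user"], UserState())
        kind, ts = event["type"], event["ts"]
        decision = "ALLOW"
        if kind == "password_reset":
            st.last_reset, st.reauthenticated = ts, False
        elif kind == "step_up_auth":
            st.reauthenticated = True
        elif kind == "fund_transfer":
            tainted = (st.last_reset is not None
                       and ts - st.last_reset < RESET_WINDOW_SECS
                       and not st.reauthenticated)
            if tainted:  # deny large transfers, let small ones through with an alert
                decision = "DENY" if event["amount"] >= LARGE_TRANSFER else "ALERT"
        self.audit.append((ts, event["user"], kind, decision))
        return decision


def run_sample() -> list[str]:
    """Constructed events: alice resets her password, then tries to move money."""
    events = [
        {"ts": 0, "user": "alice", "type": "password_reset"},
        {"ts": 300, "user": "alice", "type": "fund_transfer", "amount": 25_000.0},
        {"ts": 400, "user": "alice", "type": "fund_transfer", "amount": 50.0},
        {"ts": 500, "user": "alice", "type": "step_up_auth"},
        {"ts": 600, "user": "alice", "type": "fund_transfer", "amount": 25_000.0},
        {"ts": 700, "user": "bob", "type": "fund_transfer", "amount": 25_000.0},
    ]
    policy = StatefulPolicy()
    return [policy.evaluate(e) for e in events]
```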
REGULATORY COMPLIANCE
[Figure 3 diagram: 1. Rebate request submitted; 2. Credit calculated and submitted for approval; 3. Approval granted; 4. Credit issued to employee. Components: Rebate application, LDAP, Payroll, HR DB, Historical Rebates, OA8550. Messages: Rebate request, Rebate approval, Payment issued]
Regulatory compliance is one of the most difficult and time-consuming hurdles for financial institutions. The OmniAccess 8550 WSG takes over the management of higher functions such as policy enforcement and auditing by inserting itself into the XML message flow. The OmniAccess 8550 WSG can therefore monitor each transaction from end-to-end and can automatically perform auditing functions to document that session data integrity was maintained and application data was properly secured after the transaction was completed.
For instance, a bank creates a rebate program of $100 for employees who sign up for a new credit account. There are several steps for the rebate program: the rebate request, rebate amount calculation, manager approval and payroll disbursal. The first three steps are handled by a web service linked to the system that handles new credit accounts and the final step is handled by the payroll system. All validation of user credentials and policy enforcement is handled by the OmniAccess 8550 WSG. Policies are in place to ensure duplicate accounts are not created and that an alert is sent if an employee earns more than $500 from the rebate program in a month. A transaction occurs as shown in Figure 3.
Figure 3. Validation process example
1. A representative authenticates to the credit system and signs up a new account. The rebate request is validated by checking that the representative is an actual current employee and has the authority to add the account.
2. The employee request is compared with the new customer database to validate that the customer is real and not a duplicate. In addition, the system validates the rebate amount at $100.
3. The rebate request is sent to the representative’s manager for approval. The manager checks that the account is set up correctly and validates that the account meets the rebate requirements.
4. The payroll department checks that the rebate amounts are correct and the maximum rebate is not exceeded before disbursing the check.
At each step, the OmniAccess 8550 WSG is authenticating, authorizing and auditing the transactions according to existing policies. After completion, any transaction can easily be proven valid by accessing historical data from the OmniAccess 8550 WSG.
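The four-step rebate workflow and its policies (current-employee check, duplicate-customer check, $100 amount, alert above $500 per employee per month), as an added illustration that is not the product’s own code: a policy point in the message flow authenticates, authorizes and audits each step. Only the two dollar amounts come from the page; the step names, roles, message fields and decision labels are assumptions.

```python
from collections import defaultdict

REBATE_AMOUNT = 100.0      # rebate per new credit account (value from the page)
MONTHLY_ALERT_CAP = 500.0  # alert above this per employee per month (value from the page)
STEP_ROLES = {"request": "representative", "calculate": "credit_system",
              "approve": "manager", "disburse": "payroll"}  # role per step (assumed names)

class RebatePolicy:
    def __init__(self):
        self.seen_customers = set()              # duplicate-account detection
        self.monthly_total = defaultdict(float)  # (employee, month) -> rebates paid
        self.audit = []                          # historical record of every decision

    def check(self, msg: dict) -> str:
        step, actor = msg["step"], msg["actor"]
        if not actor.get("current_employee"):            # authenticate: a real, current employee
            decision = "DENY_NOT_EMPLOYEE"
        elif actor.get("role") != STEP_ROLES.get(step):  # authorize: right role for this step
            decision = "DENY_ROLE"
        elif step == "request" and msg["customer"] in self.seen_customers:
            decision = "DENY_DUPLICATE"
        elif step == "calculate" and msg["amount"] != REBATE_AMOUNT:
            decision = "DENY_AMOUNT"
        elif step == "disburse":                         # payroll: enforce the monthly cap
            key = (msg["employee"], msg["month"])
            self.monthly_total[key] += msg["amount"]
            decision = "ALLOW_ALERT" if self.monthly_total[key] > MONTHLY_ALERT_CAP else "ALLOW"
        else:
            decision = "ALLOW"
        if step == "request" and decision == "ALLOW":
            self.seen_customers.add(msg["customer"])
        self.audit.append((step, actor.get("id"), decision))  # audit every step, allowed or not
        return decision

def run_sample() -> list:
    """Constructed messages: six rebates for one representative in a month, then two bad requests."""
    rep = {"id": "rep1", "role": "representative", "current_employee": True}
    actors = {"calculate": {"id": "credit", "role": "credit_system", "current_employee": True},
              "approve": {"id": "mgr1", "role": "manager", "current_employee": True},
              "disburse": {"id": "pay1", "role": "payroll", "current_employee": True}}
    policy, out = RebatePolicy(), []
    for n in range(6):
        out.append(policy.check({"step": "request", "actor": rep, "customer": f"cust{n}"}))
        out.append(policy.check({"step": "calculate", "actor": actors["calculate"], "amount": 100.0}))
        out.append(policy.check({"step": "approve", "actor": actors["approve"]}))
        out.append(policy.check({"step": "disburse", "actor": actors["disburse"],
                                 "employee": "rep1", "month": "2008-06", "amount": 100.0}))
    out.append(policy.check({"step": "request", "actor": rep, "customer": "cust0"}))  # duplicate
    out.append(policy.check({"step": "approve", "actor": rep}))                      # wrong role
    return out
```

The fifth disbursal brings the representative to exactly $500 and passes; the sixth exceeds the cap and is paid with an alert, while the duplicate request and the representative’s attempt to self-approve are denied.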
EXTENSION OF NETWORK SERVICES TO PARTNERS
[Figure 4 diagram: Primary Datacenter with Security and Alerting, Web Servers, Application Servers, an Identity Directory and an OA8550 WSG in the DMZ, connected over the WAN to Partner 1, Partner 2 and a Remote Datacenter; each site has WS Network Elements and the Remote Datacenter has its own OA8550 WSG in a DMZ]
The financial world is a synergy of large, medium and small companies working together to create a portfolio of products using a variety of applications. Therefore, it is important for financial institutions to be able to easily connect with a variety of business partners, contractors and outsourcers. However, connecting various businesses creates a problem tracking all the activity of each transaction through multiple business systems and networks. Since the OmniAccess 8550 WSG is the common element, it can track all transaction activity in accordance with Statement on Auditing Standards (SAS) No. 70 (SAS 70) practices and consolidate the activity into a single tracking report.
“When IT functions are outsourced … the ultimate responsibility for achieving control objectives rests with the client”
American Institute of CPAs
Figure 4. Example OmniAccess 8550 Web Services Gateway Deployment
The OmniAccess 8550 allows easy integration with external partners through identity interoperability, enabling cross-validation between partners and the extension of virtual services.
Coordinating authentication systems has several benefits. First, by interfacing with existing authentication systems, the OmniAccess 8550 reduces the overall complexity of the system, creates flexible security that allows partners to be added or removed without major infrastructure changes, and allows partners to individually maintain their own corporate governance. Second, it allows users to travel between sites and still have access to network services. And finally, a single point of control for partner access reduces the total cost of ownership (TCO) of the system.
For partners that do not have their own authentication system, such as an independent contractor, the OmniAccess 8550 WSG can extend virtual services, which provide properly authenticated access while limiting the exposure to security threats.
DATA INTEGRITY AND CONFIDENTIALITY
The OmniAccess 8550 WSG secures data in real time through dedicated hardware engines for encryption and digital signing. Each transaction can be secured using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and data is secured by encryption. Whether application data is in transit or stored, it is secured with state-of-the-art encryption technology. However, while sensitive data is secured from misuse, it remains available when and where it is needed (internally or externally).
CONCLUSION
The OmniAccess 8550 WSG is a corporate-wide solution designed to secure multiple services over a reliable and secure SOA backbone. By inserting itself into the XML message transaction flow, the OmniAccess 8550 WSG creates a single point for run-time policy enforcement, thus assuring regulatory compliance, and provides a single point for consolidated audit trails. The OmniAccess 8550 WSG means that web-service based business process integration doesn’t have to mean an increase in risk; with the OmniAccess 8550 WSG, financial institutions deploying web services reduce their exposure to both external and internal information misuse while easing the IT demands of corporate governance and regulatory compliance.
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. © 2008 Alcatel-Lucent. All rights reserved. 032108-00 Rev A 6/08
www.alcatel-lucent.com