Implementing a Crypto Services Strategy at ABN AMRO Bank
Christiane Peters, IBM Tiago Teles, ABN AMRO Bank with inputs from Barbara Vieira, Jeroen van der Harst, and the ABN AMRO Crypto Services team
RWC 2020 Studies on encryption trends have shown that 45% of large organizations have implemented an enterprise-wide “encryption and key management strategy” in 2018 [1]. 45%
[1] Ponemon Institute. “2019 Global Encryption Trends Study”. https://www.ncipher.com/2019/global-encryption-trends-study. 2019. 2 Let’s see how ABN AMRO started this journey in
• Smart card CA for user authentication J 2016 • TLS certificate management is a mailbox L • Key management is a 3FA safe with good procedures K
• HSMs are kept up and running for payment systems (regulated) K
• Google and Microsoft announced SHA-1 Deprecation L
3 IBM Security / © 2019 IBM Corporation First Step: Definition Strategy in 2016
WHAT: Crypto Services Portfolio 2019 CS 2019 >> 1 2 Cryptographic Cryptographic Services Services Application Innovation
Key and Certificate Crypto Intelligence Management
Consulting, Data in Transit and Information and Data at Rest Knowledge Sharing
Application of Crypto Development of Solutions Crypto Solutions 6
4 Crypto Services Overview 2020 AAB Crypto
Key & Certificate Crypto Crypto Crypto Services Management Consulting Innovation
Certificate Key management HSM aaS management
Manual key ABN AMRO On-premise Review of Legacy Zero Knowledge management Internal CA HSM Crypto applications
Automated KMS on- prem, Crypto- Smartcard CA PETs Gateway, Transparent Data Enc
Public Cloud Public Cloud 1 Public Cloud 1 KMS MPC CA HSM
Managing Rogue Public Cloud 2 KMS Public Cloud 2 HSM certificates
Backup and Storage Digital Signing KMS Service
5 SHA-1 Deprecation
WHAT: Crypto Services Portfolio 2019 CS 2019 >> 1 2 Cryptographic Cryptographic Services Services Application Innovation
Key and Certificate Crypto Intelligence Management
Consulting, Data in Transit and Information and Data at Rest Knowledge Sharing
Application of Crypto Development of Solutions Crypto Solutions 6
6 SHA-1 deprecation
• Taskforce 1 to migrate external (client facing) certificates to secure certificates.
Ø TF1 ended in the first week of January 2016.
• Taskforce 2 to migrate internal certificates to secure certificates, or to propose other solutions to mitigate this risk. Ø TF2 ran from 2016 to 2017.
Snippet AAB Crypto strategy 2016
7 Weekly Stats on Task Force 2 SHA1 Migration 2017 Wave 2 2 3 4 5 6 7 8 9 10 11 12 13 14 15 01 01 01 01 02 02 02 02 03 03 03 03 04 04 ------
Week starting at Monday 09 16 23 30 06 13 20 27 06 13 20 27 03 10 CISO ET Productie Private Banking ET Productie Credits and mortgages ET Productie IT Services ET Productie Channels ET Productie Functions ET Productie Wave WAS MQ NETWORK Wintel W1 Wintel W2 Systems in scope 182 1573 497 57 189 Systems to be changed, in scope Match 64 n.a. n.a. 0 0 Verified migration Match 18 n.a. n.a. 0 0 Number of systems migrated Systems in research (SHA 1 ) 0 0 n.a. 0 0 Systems change started (project) 0 322 27 0 64 Status 2017 Systems remaining for change (project) 0 0 429 0 42 Systems finished (SHA 2) 112 1107 32 57 11 Systems in Backlog SHA 2 incompatible 6 144 9 0 11 Key Management – HSM as a Service
WHAT: Crypto Services Portfolio 2019 CS 2019 >> 1 2 Cryptographic Cryptographic Services Services Application Innovation
Key and Certificate Crypto Intelligence Management
Consulting, Data in Transit and Information and Data at Rest Knowledge Sharing
Application of Crypto Development of Solutions Crypto Solutions 6
IBM Security / © 2019 IBM Corporation 9 HSM as a Service landscape HSMs on-premises
All purpose MSEC Payments Infra CA HSM cluster HSM cluster HSM cluster HSM cluster
• Security Tooling • EMV Keys for online • Payments • ABN AMRO Internal CA • Security for applications banking • Generic Signing (e.g., MVL) • SWIFT • Digital Signing • Payment apps
Consolidate / move
• Core Banking Enterprise Key Management Service (KMS) • Databases
HSMs off-premises Deployment ongoing Deployment ongoing • Data at rest • Cloud data Public Cloud #1 encryption Public Cloud #2 services HSM (dedicated HSM)
HSM
Connected applications Crypto Consulting
WHAT: Crypto Services Portfolio 2019 CS 2019 >> 1 2 Cryptographic Cryptographic Services Services Application Innovation
Key and Certificate Crypto Intelligence Management
Consulting, Data in Transit and Information and Data at Rest Knowledge Sharing
Application of Crypto Development of Solutions Crypto Solutions 6
11 Quantum computing puts data at risk
Lessons learned from SHA-1 deprecation: do nothing will keep bank unprepared
Crypto migrations take time and are very costly. Crypto Agility: end-to-end view needed
The ease of crypto migrations can be viewed as follows:
Most Agile
Scripts
Applications The ability to migrate crypto implementations to new schemes is dependent on how today’s cryptography Operating Systems is deployed. Field Programmable Gate Array
Hardware
Least Agile
13 Crypto Innovation
WHAT: Crypto Services Portfolio 2019 CS 2019 >> 1 2 Cryptographic Cryptographic Services Services Application Innovation
Key and Certificate Crypto Intelligence Management
Consulting, Data in Transit and Information and Data at Rest Knowledge Sharing
Application of Crypto Development of Solutions Crypto Solutions 6
14 Research Collaborations ABN AMRO Fraud Control
Encrypted Domain • ABN AMRO Innovation Center works together with Crypto experts in CISO department.
• Collaborations with industrial and academic Rabobank Fraud researchers Control
• Success Story: Fraud Detection
• MPC to solve the problem to exchange ING Fraud insights with other banks Control • Implemented in practice
IBM Research & ABN AMRO : I. Molloy, S. Chari, U. Finkler, M. Wiggerman, C. Jonker, T. Habeck, Y. Park, F. Jordens, R. van Schaik: Graph Analytics for Real-Time Scoring of Cross-Channel Transactional Fraud. Financial Cryptography 2016.
TNO, ABN AMRO, RABOBANK, ING, CWI: A. Sangers, M. van Heesch, T. Attema, T. Veugen, M. Wiggerman, J. Veldsink, O. Bloemen, D. Worm: Secure Multiparty PageRank Algorithm for Collaborative Fraud Detection. Financial Cryptography 2019. 15 What’s next?
WHAT: Crypto Services Portfolio 2023 CS 2023 >>
IBM Security / © 2019 IBM Corporation 16 Challenges
• Crypto and Quantum Challenges • Crypto Agility • Crypto in DevSecOps • Crypto in / for Public Cloud • Secure Crypto Keys in times of Big Data Thank you
Christiane Peters Global Lead Crypto Services – IBM Security Services [email protected] @cbcrypto (twitter)
Tiago Teles InfoSec Evangelist – ABN AMRO Bank [email protected] @tiagomteles (twitter)
18