Implementing a Crypto Services Strategy at ABN AMRO Bank

Christiane Peters, IBM Tiago Teles, ABN AMRO Bank with inputs from Barbara Vieira, Jeroen van der Harst, and the ABN AMRO Crypto Services team

RWC 2020 Studies on encryption trends have shown that 45% of large organizations have implemented an enterprise-wide “encryption and key management strategy” in 2018 [1]. 45%

[1] Ponemon Institute. “2019 Global Encryption Trends Study”. https://www.ncipher.com/2019/global-encryption-trends-study. 2019. 2 Let’s see how ABN AMRO started this journey in

• Smart card CA for user authentication J 2016 • TLS certificate management is a mailbox L • Key management is a 3FA safe with good procedures K

• HSMs are kept up and running for payment systems (regulated) K

• Google and Microsoft announced SHA-1 Deprecation L

3 IBM Security / © 2019 IBM Corporation First Step: Definition Strategy in 2016

WHAT: Crypto Services Portfolio 2019 CS 2019 >> 1 2 Cryptographic Cryptographic Services Services Application Innovation

Key and Certificate Crypto Intelligence Management

Consulting, Data in Transit and Information and Data at Rest Knowledge Sharing

Application of Crypto Development of Solutions Crypto Solutions 6

4 Crypto Services Overview 2020 AAB Crypto

Key & Certificate Crypto Crypto Crypto Services Management Consulting Innovation

Certificate Key management HSM aaS management

Manual key ABN AMRO On-premise Review of Legacy Zero Knowledge management Internal CA HSM Crypto applications

Automated KMS on- prem, Crypto- Smartcard CA PETs Gateway, Transparent Data Enc

Public Cloud Public Cloud 1 Public Cloud 1 KMS MPC CA HSM

Managing Rogue Public Cloud 2 KMS Public Cloud 2 HSM certificates

Backup and Storage Digital Signing KMS Service

5 SHA-1 Deprecation

WHAT: Crypto Services Portfolio 2019 CS 2019 >> 1 2 Cryptographic Cryptographic Services Services Application Innovation

Key and Certificate Crypto Intelligence Management

Consulting, Data in Transit and Information and Data at Rest Knowledge Sharing

Application of Crypto Development of Solutions Crypto Solutions 6

6 SHA-1 deprecation

• Taskforce 1 to migrate external (client facing) certificates to secure certificates.

Ø TF1 ended in the first week of January 2016.

• Taskforce 2 to migrate internal certificates to secure certificates, or to propose other solutions to mitigate this risk. Ø TF2 ran from 2016 to 2017.

Snippet AAB Crypto strategy 2016

7 Weekly Stats on Task Force 2 SHA1 Migration 2017 Wave 2 2 3 4 5 6 7 8 9 10 11 12 13 14 15 01 01 01 01 02 02 02 02 03 03 03 03 04 04 ------

Week starting at Monday 09 16 23 30 06 13 20 27 06 13 20 27 03 10 CISO ET Productie Private Banking ET Productie Credits and mortgages ET Productie IT Services ET Productie Channels ET Productie Functions ET Productie Wave WAS MQ NETWORK Wintel W1 Wintel W2 Systems in scope 182 1573 497 57 189 Systems to be changed, in scope Match 64 n.a. n.a. 0 0 Verified migration Match 18 n.a. n.a. 0 0 Number of systems migrated Systems in research (SHA 1 ) 0 0 n.a. 0 0 Systems change started (project) 0 322 27 0 64 Status 2017 Systems remaining for change (project) 0 0 429 0 42 Systems finished (SHA 2) 112 1107 32 57 11 Systems in Backlog SHA 2 incompatible 6 144 9 0 11 Key Management – HSM as a Service

WHAT: Crypto Services Portfolio 2019 CS 2019 >> 1 2 Cryptographic Cryptographic Services Services Application Innovation

Key and Certificate Crypto Intelligence Management

Consulting, Data in Transit and Information and Data at Rest Knowledge Sharing

Application of Crypto Development of Solutions Crypto Solutions 6

IBM Security / © 2019 IBM Corporation 9 HSM as a Service landscape HSMs on-premises

All purpose MSEC Payments Infra CA HSM cluster HSM cluster HSM cluster HSM cluster

• Security Tooling • EMV Keys for online • Payments • ABN AMRO Internal CA • Security for applications banking • Generic Signing (e.g., MVL) • SWIFT • Digital Signing • Payment apps

Consolidate / move

• Core Banking Enterprise Key Management Service (KMS) • Databases

HSMs off-premises Deployment ongoing Deployment ongoing • Data at rest • Cloud data Public Cloud #1 encryption Public Cloud #2 services HSM (dedicated HSM)

HSM

Connected applications Crypto Consulting

WHAT: Crypto Services Portfolio 2019 CS 2019 >> 1 2 Cryptographic Cryptographic Services Services Application Innovation

Key and Certificate Crypto Intelligence Management

Consulting, Data in Transit and Information and Data at Rest Knowledge Sharing

Application of Crypto Development of Solutions Crypto Solutions 6

11 Quantum computing puts data at risk

Lessons learned from SHA-1 deprecation: do nothing will keep bank unprepared

Crypto migrations take time and are very costly. Crypto Agility: end-to-end view needed

The ease of crypto migrations can be viewed as follows:

Most Agile

Scripts

Applications The ability to migrate crypto implementations to new schemes is dependent on how today’s cryptography Operating Systems is deployed. Field Programmable Gate Array

Hardware

Least Agile

13 Crypto Innovation

WHAT: Crypto Services Portfolio 2019 CS 2019 >> 1 2 Cryptographic Cryptographic Services Services Application Innovation

Key and Certificate Crypto Intelligence Management

Consulting, Data in Transit and Information and Data at Rest Knowledge Sharing

Application of Crypto Development of Solutions Crypto Solutions 6

14 Research Collaborations ABN AMRO Fraud Control

Encrypted Domain • ABN AMRO Innovation Center works together with Crypto experts in CISO department.

• Collaborations with industrial and academic Rabobank Fraud researchers Control

• Success Story: Fraud Detection

• MPC to solve the problem to exchange ING Fraud insights with other banks Control • Implemented in practice

IBM Research & ABN AMRO : I. Molloy, S. Chari, U. Finkler, M. Wiggerman, C. Jonker, T. Habeck, Y. Park, F. Jordens, R. van Schaik: Graph Analytics for Real-Time Scoring of Cross-Channel Transactional Fraud. Financial Cryptography 2016.

TNO, ABN AMRO, RABOBANK, ING, CWI: A. Sangers, M. van Heesch, T. Attema, T. Veugen, M. Wiggerman, J. Veldsink, O. Bloemen, D. Worm: Secure Multiparty PageRank Algorithm for Collaborative Fraud Detection. Financial Cryptography 2019. 15 What’s next?

WHAT: Crypto Services Portfolio 2023 CS 2023 >>

IBM Security / © 2019 IBM Corporation 16 Challenges

• Crypto and Quantum Challenges • Crypto Agility • Crypto in DevSecOps • Crypto in / for Public Cloud • Secure Crypto Keys in times of Big Data Thank you

Christiane Peters Global Lead Crypto Services – IBM Security Services [email protected] @cbcrypto (twitter)

Tiago Teles InfoSec Evangelist – ABN AMRO Bank [email protected] @tiagomteles (twitter)

18