ISDC 2013_Referat_Roland Rueegg_ubs
  1. IS Directors Conference – August 2013. A novel solution for secure access to UBS corporate data. Roland Rüegg, Director, Project Manager, UBS AG.
  2. Public. August 2013. Roland Rüegg. A novel solution for secure access to UBS corporate data. ISDC 2013.
  3. IBM Secure Remote Desktop – "Evolution" of secure private computer usage in the bank's environment:
     • Gaming: weak security and control
     • eBanking: application-specific security
     • Corporate use: remote desktop session using a RAM disk
     One single computer dynamically adapting to security demands.
  4. IBM Secure Enterprise Desktop – working principle (corporate use):
     • User PC / Mac (insecure environment): Baseline Linux; shows the UBS Windows 7 desktop secured with SED, which the user interacts with.
     • eZTIC: the secure environment; maintains all keys to the back-end (user, hard disk and TLS session keys); the user approves operations on it.
     • Back-end (VM image server): running the virtual desktop.
  5. IBM Secure Remote Desktop – main characteristics (corporate use):
     • Protect against "state of the art" attacks (esp. malware and man-in-the-middle)
     • Do not rely on the PC or smart phone for input or output of critical data
     • NO software is installed / modified / used on the PC or X86-based Apple (*)
     • NO data (logs, credentials, ...) is written to the HDD; the HDD is not used
     • For the duration of the session, the computer is 100% "owned" by SED
     • UBS PersAuth (DTP) authentication
     • Convenience through single sign-on
     • User credentials handled outside of the PC
     • Form factor = UBS Access Key (**)
     • Do not interfere with existing protection technologies (VPNs, firewalls, virus scanners, etc.)
     (*) must be USB-bootable and X86 architecture, such as a PC or X86-based Mac
     (**) IBM Zone Trusted Information Channel stick
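The slide claims that nothing is written to the local HDD and that the session runs from a RAM disk. The following is an added example, not code from the slides or from the SED product: an auditor-side check that reads /proc/mounts-style and /proc/swaps-style text and flags any local block device mounted read-write, or any disk swap, either of which would contradict a RAM-only session. Sample inputs are constructed, and the device-name patterns are assumptions about a typical Linux live boot.

```python
"""Verify that a live (RAM-only) session leaves the local disk untouched.

Added example for the 'HDD is not used' claim: a writable local block
device or an active disk swap means session data can reach the disk.
"""
import re

# In-memory or kernel pseudo-filesystems: never backed by the local disk.
MEMORY_FS = {"rootfs", "tmpfs", "ramfs", "overlay", "proc", "sysfs",
             "devtmpfs", "devpts", "cgroup", "cgroup2", "securityfs"}

# Device names denoting a local block device (internal disk or USB stick).
BLOCK_DEV = re.compile(r"^/dev/(sd[a-z]+|nvme\d+n\d+|vd[a-z]+|mmcblk\d+|dm-\d+|mapper/)")


def audit_mounts(mounts_text):
    """Return (rw_disks, ro_disks): block-device mountpoints split by writability."""
    rw_disks, ro_disks = [], []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mnt, fstype, opts = parts[0], parts[1], parts[2], parts[3].split(",")
        if fstype in MEMORY_FS or not BLOCK_DEV.match(dev):
            continue  # RAM-backed or virtual: does not touch a disk
        (rw_disks if "rw" in opts else ro_disks).append(mnt)
    return rw_disks, ro_disks


def audit_swaps(swaps_text):
    """Return swap devices from /proc/swaps-style text (header line skipped)."""
    return [line.split()[0] for line in swaps_text.splitlines()[1:] if line.strip()]


def session_is_ram_only(mounts_text, swaps_text):
    """True only if no block device is writable and no swap is active."""
    rw_disks, _ = audit_mounts(mounts_text)
    return not rw_disks and not audit_swaps(swaps_text)


# Constructed samples (not captured from a real SED session).
COMPLIANT_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sdb1 /cdrom iso9660 ro,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/cdrom,upperdir=/cow/upper 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
LEAKY_MOUNTS = COMPLIANT_MOUNTS + "/dev/sda2 /mnt/data ext4 rw,relatime 0 0\n"
NO_SWAP = "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
DISK_SWAP = NO_SWAP + "/dev/sda3\tpartition\t8388604\t0\t-2\n"
```

The boot stick itself (here /dev/sdb1, read-only) is reported separately so it can be allow-listed; an overlay whose upper directory sits on a disk would show up as that disk being mounted read-write.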
  6. UBS use cases (corporate use; grouped on the slide into current cases and future cases):
     • Business Continuity Management: loss of workplaces (e.g. through natural disasters) or forced absence (e.g. pandemics) can be compensated by working from home
     • BYOD: give employees the freedom of "Bring Your Own Device"; reduce the number of UBS-owned equipment
     • Branch Format: potential changes in methods of working and opportunities for design
     • Offshoring/Outsourcing: SED enables secure additional "locations"
     • IT Support: IT support has access to all systems and services; no need to control/manage end-user devices
     • Work from Home: replacement for SCGLigt for SmartCard users; policy-driven access to corporate data, in real time, securely
     • Cross-Border Data Security: two virtual images can be set up and accessed depending on the jurisdiction you are logging in from
     • External Staff: external staff (auditors, consultants, developers ...) can easily be provided with a temporary UBS-managed workplace
     • Secure Memory Stick Replacement: SED can be extended to perform the functionality of the Secure USB Stick
     • Family Office UHNW: SED enables secure additional "locations"
  7. Proof of Concept
     Phase 1 (PoC Phase 1, Q4 2012) – initial, IBM-based usability testing:
     • Real eZTICs (full-size smart card reader)
     • Fully operational, full-size UBS PersAuth .NET card (or IBM-provided .NET card)
     • Server hardware @ IBM
     Permitted UBS to begin testing of:
     • eZTIC as a smart card reader
     • access from different locations (e.g. regarding network connectivity)
     • usability aspects with "benevolent" users (IT/support staff, etc.)
     Phase 2 (PoC Phase 2, Q1 2013) – UBS-based usability/PoC system:
     • Hard- and software @ UBS
     • Bigger user community ("non-benevolent" as well)
     Permitted UBS to:
     • Obtain real user feedback (no limitation on user community)
     • Continuously correct problems detected
     • Define & implement production processes and customer support procedures
     • Demonstrate use of the management interface (e.g., updating eZTICs on the fly and on a per-user/device basis)
     SED Project (Q3 2013) – deployment as a replacement for SCGLigt:
     • Evaluation of the potential of eZTIC as a BCM solution (e.g. replacement of backup desks in Basel)
     • Deployment of eZTIC to a broader user community in WM&SB
  8. Proof of Concept Results (test results from the PoC)
     Good news first: it works!
     Restrictions:
     • HW reboot mandatory to fully control the HW without the risk of already-running malware
     • Printing is disabled on purpose
     • Cable connection or wireless password is required
     Known issues:
     • A20 issue 'Failed to enable' -> driver issue of SED
     • No dual-screen support -> might come later
     • Citrix server overloaded -> limitation of the PoC infrastructure
     • Performance issues reported -> under analysis; we will follow up
     • Old HW without USB boot option -> new HW required
     • One-time BIOS configuration not always easy -> user guide to be upgraded
  9. Timeline SED Project – IBM Secure Enterprise Desktop (SED) introduction timeline as agreed with IBM:
     Phase                  Duration    Milestone
     Setup                  3 months    MS1
     Assisted Operations    3 months    MS2
     Assisted Operations    3 months    MS3
     Regular Operations                 MS4
  10. Q&A
  11. Contact Details: UBS AG, Roland Rüegg, Postfach, 8098 Zürich, SWITZERLAND. Email: External tel.: +41 44-236 73 29. Mobile: +41 79 285 39 62.