Who’s on the other end of your digital transaction? COMPUTER AND COMMUNICATION SYSTEMS SECURITY The Italian Way Forward Presented By Donato Cardarelli.


Who’s on the other end of your digital transaction?
COMPUTER AND COMMUNICATION SYSTEMS SECURITY
The Italian Way Forward
Presented by Donato Cardarelli, Identrus project director, Actalis
Bucharest, September 23rd

Agenda
- ACTALIS:
  - the company
  - products and services
  - ACTALIS and Identrus
- The Italian banks' approach to Identrus:
  - steps
  - goals
  - the GUII
  - the project
- European Directive and AIPA:
  - a case study: banks will join (CNIPA) AIPA and Identrus

December 2001: ACTALIS was founded by SIA (Società Interbancaria per l’Automazione) and SSB (Società per i Servizi Bancari).
March 2002: ACTALIS was enrolled in the Italian Public Register of Certification Authorities for digital signatures, assuming the role of Certification Authority acting on its own and on behalf of SIA and SSB.

January 2003: the SECETI Certification Authority branch joins ACTALIS for digital signature purposes, SECETI being one of the shareholders.
May 2003: the BNL Multiservizi Certification Authority and e-security branches merge into ACTALIS, which increases its capital and its shareholders.

The company mission
ACTALIS acts both as a PKI competence center and as an ICT security player in Italy and in foreign countries. Integrity, confidentiality, non-repudiation, secure transmission over networks and strong authentication are the key words of our knowledge.
Today ACTALIS is also a full-service provider for the design and deployment of digital signature systems (PKI - Public Key Infrastructure) and their integration with customer applications.
In this specific area, ACTALIS operates different Certification Authorities, following market requests:
- customer-tailored electronic signatures
- digital signatures under Italian law
- in full outsourcing for Identrus banks

Products and Services
- Certification services
- Digital Signature Products
- Consulting and Training

The ACTALIS approach to Identrus: “let banks focus on business”
ACTALIS started in 2001 to talk with banks about Identrus as follows:
- give banks a full understanding of the “trust framework” of Identrus (knowledge transfer)
- address specific issues on specific themes via working groups (business, legal, organisational, technical)
- identify all possible sharing solutions (cooperative project)
- provide outsourcing services (as Third Party Processor)


Initiatives of the Identrus Italian banks
The following Italian banks participate in Identrus in 2002:
- Banca di Roma (Capitalia Group) (*)
- Banca Intesa (*)
- Banca Lombarda
- Banca Monte dei Paschi di Siena (*)
- Banca Nazionale del Lavoro
- SanPaolo Imi (*)
- UniCredit

The steps of the Italian banks
- September-December: SSB Identrus feasibility study, eleven banks involved
- 28th February 2002: seven banks formally signed the participation agreement in Identrus (Candidate Participant Agreement)
- March 2002: four of these banks implemented measures to be operational during 2003 (project goals definition)
- December 2002: the phase of technical certification by Identrus LLC (interoperability and pre-production test) has been undertaken
- 2003: completion of the on-boarding and production process for the first Business Application

Feasibility study executive summary (Dec 2001)
- Identrus is the best solution for those seeking a PKI standard with global, international significance for corporate services
- Identrus is considered one of the major international initiatives for world-wide interoperability of financial services
- Identrus is designed and evolves in accordance with the needs shared by the banking industry
- The dissemination of Identrus among the major financial operators of the single European market creates the conditions for strong competition
- Identrus can also play a major role in the domestic security of on-line services

The main working areas
- Organisation
- Rules
- Technologies
- Business
- Auditing
The Italian banks have a clear and common understanding that the main areas of work are strictly related to the rules that Identrus identifies and manages in order to guarantee interoperability.

Project goals
- To define and develop a first Business Application which effectively exploits the services offered by Identrus
- To manage the on-boarding process (the phase necessary to obtain Identrus certification with the bank in ‘live’ mode) in a regime of interbank co-operation, to maximise the sharing of policies and project documentation
- The realization of an Identrus-compliant PKI technological environment, shared among several banks and customised for domestic needs (co-existence/interoperability with the AIPA framework)
- Identification of ACTALIS as solution provider

GUII (Gruppo Utenti Identrus Italia - Identrus Italy Users Group)
GUII has the following objectives:
- to promote adoption of the Identrus standard;
- to co-ordinate all the activities based on Identrus-related themes in a domestic environment, harmonizing with international themes;
- to put in place specific workgroups focusing on themes of common interest and to verify areas of co-operation, if applicable, in the framework of business applications;
- to identify criteria and methods of representing and co-ordinating communications activities, both in relation to Identrus and in relation to the market

GUII relationships (diagram)
Founder members: Banca di Roma, Banca Intesa, Banca Lombarda, Banca MPS, BNL, Sanpaolo Imi, UniCredito
New participants: …...
Other entities shown around GUII: ABI (Italian Bankers’ Association), Bank of Italy, SWIFT, ASSOCERTIFICATORI, CIPA, ………, IEWG, EBA

The Italian project
The project output includes:
- the definition and realisation of the complete infrastructure for issuing and validating certificates, including test, production and disaster recovery environments;
- the realisation of the signing and validation software for customers (ISIL-ISPI DSMS);
- the definition of the deliverables for the Identrus on-boarding;
- the definition of the OBS (organisational breakdown structure) in which 4 banks and Actalis work together

The Italian project (...)
The project output includes:
- the definition of, and compliance with, the approval process for all deliverables;
- the relationship with Identrus;
- professional services for technical, operational and legal aspects;
- integration tests of the infrastructure with SWIFT TRUSTACT;
- the accreditation process with AIPA;
- the outsourcing of CA and VA services

Project Structure (organisation chart)
Levels shown: Decision-making levels; Operational levels
Elements shown: Steering Committee; Project Committee; Policies and Procedures; Testing and Inspection; Bank-Side Components; Service Components; Peripheral Components; Architecture; Dealings with Identrus; Legal Aspects; Communications Plan; Service Agreements; Business Sub-committee; Technical/Org. Workgroup; Legal Workgroup; Business Pilot Definition

Up-to-date time schedule (timeline figure)
Months shown: July, August, September, October, November
Milestones shown: Key ceremony; Certificates issuing; SWEEP; Delivery CCAG legal opinion; Infrastructure delivery; Identrus RAP


European directive and AIPA
The Italian banks:
- will leverage the investments;
- will offer their customers certificates that can be used in different areas;
- will provide a legal opinion compliant with Italian law;
- will be Certification Authorities under Italian law (AIPA);
- will issue “qualified certificates”, which are the highest level of certificate in the Italian environment. A qualified certificate will be legally binding and is the only certificate accepted by the Public Administration in Italy

Use of the Identrus certificate
The certificate issued by Italian banks to their customers will be used in accordance with:
- Identrus, as a closed circuit (made by banks for banks);
- Italian law, as it gives legal proof to documents signed with an “accredited digital signature”;
- the European directive, which represents the link between the two
….. TYPE 5 ! QES and SSCD (qualified electronic signature and secure device)

Lessons learned
The key factors are Business, Methodology, Joint Forces.
- Business is the driver from which every customer starts; in the Identrus project banks went forward because they were aware of it
- Methodology is the easy approach that allows large organisations to focus and to gain intra-customer and inter-customer communication
- Joint Forces make it possible to gain a common understanding and to achieve results (significantly reducing costs and identifying solutions easily)