3. IBM Secure Remote Desktop
[Figure: "Evolution" of secure private computer usage in the bank's environment. Stages shown: Gaming (weak security and control); eBanking (application-specific security); Corporate Use (remote desktop session using a RAM disk). Goal: one single computer dynamically adapting to security demands.]
4. IBM Secure Enterprise Desktop
Working Principle (Corporate Use)
[Figure: architecture diagram. The User interacts with a PC / Mac, which is treated as an insecure environment and runs a baseline Linux. The eZTIC is the secure environment and maintains all keys to the back-end (user, hard disk and TLS session keys); the user approves operations on it. The back-end (VM image server) runs the virtual desktop, a UBS Windows 7 desktop secured with SED, which the PC only shows.]
5. IBM Secure Remote Desktop
Main Characteristics (Corporate Use)
• Protect against "state of the art" attacks (esp. malware and man-in-the-middle)
• Do not rely on the PC or smart phone for input or output of critical data
• Do not interfere with existing protection technologies
  • VPNs, firewalls, virus scanners, etc.
• NO software is installed / modified / used on the PC or X86-based Apple (*)
• NO data (logs, credentials, ...) is written to the HDD; the HDD is not used
• For the duration of the session, the computer is 100% "owned" by SED
• UBS PersAuth (DTP) authentication
• Convenience through Single Sign-On
• User credentials are handled outside of the PC
• Form factor = UBS Access Key (**)
(*) must be USB-bootable and X86 architecture, such as a PC or X86-based Mac
(**) IBM Zone Trusted Information Channel Stick
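The characteristic "NO data is written to the HDD; the HDD is not used" is something a reviewer of such a USB-booted session will want to verify rather than take on trust. The following is an added example, not code from IBM or UBS: a POSIX shell check that reads a Linux mount table in /proc/mounts format and flags any writable filesystem mounted from a local block device. It assumes the boot medium's device name (the USB stick, which legitimately appears as a block device) is passed in so it can be excluded; the two mount tables at the bottom are constructed samples, not captures from a real SED session.

```shell
#!/bin/sh
# Added example, not IBM/UBS code: verify from inside a USB-booted session
# that no writable filesystem is mounted from a local block device, i.e.
# that the session lives in RAM (tmpfs) and leaves the HDD untouched.
# Assumptions: Linux /proc/mounts format; the boot medium's device name is
# passed as the second argument so the read-only USB stick is not flagged.

# check_disk_untouched MOUNTS_FILE [BOOT_DEV]
# Returns 0 if every local block-device mount is either the boot medium or
# read-only, 1 otherwise; offending mounts are printed.
check_disk_untouched() {
    mounts="${1:-/proc/mounts}"
    bootdev="${2:-}"
    bad=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in
            /dev/sd*|/dev/hd*|/dev/nvme*|/dev/mmcblk*|/dev/mapper/*|/dev/dm-*) ;;
            *) continue ;;   # tmpfs, proc, sysfs, ... are not local disks
        esac
        # skip the boot medium itself (e.g. /dev/sdb1 when BOOT_DEV=/dev/sdb)
        if [ -n "$bootdev" ]; then
            case "$dev" in "$bootdev"*) continue ;; esac
        fi
        # mount options are comma separated; "rw" means the disk is writable
        case ",$opts," in
            *,rw,*) echo "writable local disk: $dev on $mnt ($fstype, $opts)"; bad=1 ;;
        esac
    done < "$mounts"
    return "$bad"
}

# Constructed sample mount tables (not captured from a real SED session).
GOOD_MOUNTS=$(mktemp)
cat > "$GOOD_MOUNTS" <<'EOF'
rootfs / tmpfs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /mnt/boot iso9660 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF

BAD_MOUNTS=$(mktemp)
cat > "$BAD_MOUNTS" <<'EOF'
rootfs / tmpfs rw,relatime 0 0
/dev/sdb1 /mnt/boot iso9660 ro,relatime 0 0
/dev/sda2 /mnt/hdd ext4 rw,relatime 0 0
EOF

if check_disk_untouched "$GOOD_MOUNTS" /dev/sdb; then
    echo "sample 1: HDD untouched"
fi
if ! check_disk_untouched "$BAD_MOUNTS" /dev/sdb; then
    echo "sample 2: session touches the local disk"
fi
```

Run it inside the booted environment as `check_disk_untouched /proc/mounts /dev/sdX` with the stick's device name. The caveat: a mount-table check only catches filesystem-level writes; a process with raw access to /dev/sda (or swap enabled on a local partition) would still write to the disk, so a complete audit also confirms that no swap is active and that the session's kernel does not expose the HDD's block devices to unprivileged users.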
6. UBS use cases (Corporate Use; current cases and future cases)
Business Continuity Management
• Loss of workplaces (e.g. through natural disasters) or forced absence (e.g. pandemics) can be compensated by working from home
BYOD
• Give employees the freedom of "Bring Your Own Device"
• Reduce the number of UBS-owned equipment
Branch Format
• Potential changes in methods of working and opportunities for design
Offshoring/Outsourcing
• SED enables secure additional "locations"
IT Support
• IT Support has access to all systems and services
• No need to control/manage end-user devices
Work from Home
• Replacement for SCGLigt for SmartCard users
• Policy-driven access to corporate data, in real time, securely
Cross-Border Data Security
• Two virtual images can be set up and accessed depending on the jurisdiction you are logging in from
External Staff
• External staff (auditors, consultants, developers ...) can easily be provided with a temporary UBS-managed workplace
Secure Memory Stick Replacement
• SED can be extended to perform the functionality of the Secure USB Stick
Family Office UHNW
• SED enables secure additional "locations"
7. Proof of Concept
Phase 1 - Initial, IBM-based usability testing (Q4 2012):
• Real eZTICs (full-size smart card reader)
• Fully operational, full-size UBS PersAuth .NET card (or IBM-provided .NET card)
• Server hardware @ IBM
Permitted UBS to begin testing of
• eZTIC as a smart card reader
• access from different locations (e.g. regarding network connectivity)
• usability aspects with "benevolent" users (IT/support staff, etc.)
Phase 2 - UBS-based usability/PoC system (Q1 2013):
• Hardware and software @ UBS
• Bigger user community ("non-benevolent" as well)
Permitted UBS to
• Obtain real user feedback (no limitation on the user community)
• Continuously correct problems detected
• Define and implement production processes and customer support procedures
• Demonstrate use of the management interface (e.g. updating eZTICs on the fly and on a per-user/device basis)
SED Project - deployment as a replacement for SCGLigt (Q3 2013):
• Evaluation of the potential of eZTIC as a BCM solution (e.g. replacement of backup desks in Basel)
• Deployment of eZTIC to a broader user community in WM&SB
8. Proof of Concept Results
Good news first: it works! Restrictions:
• A hardware reboot is mandatory to fully control the hardware without the risk of already running malware
• Printing is disabled on purpose
• A cable connection or the wireless password is required
Known issues (test results from the PoC):
• A20 issue 'Failed to enable' -> driver issue of SED
• No dual-screen support -> might come later
• Citrix server overloaded -> limitation of the PoC infrastructure
• Performance issues reported -> under analysis; we will follow up
• Old hardware without USB boot option -> new hardware required
• One-time BIOS configuration not always easy -> user guide to be upgraded
9. Timeline SED Project
IBM Secure Enterprise Desktop (SED) introduction timeline as agreed with IBM:
Phase:      Setup      Assisted Operations   Regular Operations
Duration:   3 months   3 months              3 months
Milestones: MS1, MS2, MS3, MS4 (at the phase boundaries)