Data exchange can be a sensitive issue at the best of times and this is especially true when the banking sector is involved. So when the British Bankers' Association (BBA) tightened up communications with its members, it had to be certain that the right security was in place.
More than 300 banks belong to the BBA, all of them operating in the UK. For years, its communication system had been based on traditional methods: phones, faxes, couriers and mail. Unfortunately, this system was neither fast nor efficient and, most important, was not secure.
As security is paramount in the banking sector, the BBA created a more secure environment for its information distribution. It chose to adopt a public key infrastructure (PKI). This option offered the twin benefits of authentication and encryption, so if potentially sensitive documents were intercepted or lost, they would remain secure.
"Security was the main problem with the previous system," says Giuliano Gasparini, the BBA's Web editor. "We wanted to control the exchange of information. We wanted centralised control.
"We thought that PKI was the right solution for us," he adds. "Now we have the capability to control all the traffic of information with our members."
Maintaining security when dealing with sensitive information such as draft documents is crucial, says Gasparini. Because the BBA is a trade association, it has to communicate with parliament and other regulatory bodies. "It is important to reassure our members that everything in the consultation process is secure," he says.
An additional benefit is that PKI uses online communication, which is faster and more efficient than phones and faxes.
But the BBA realised early on that although it wanted the benefits that PKI offers, the association was not interested in the day-to-day running of it. "We are not an Internet company: we are a trade association," says Gasparini. "We don't want to specialise in PKI implementations and we don't have the resources to manage a PKI system, so we decided to outsource."
The BBA chose InterClear because it felt it would work well with the association's rules and regulations, with InterClear looking after the technical side. These areas were more important to the association than the state of the firm's software.
The outsourcing option also left the BBA free to focus on educating its members about PKI. Essentially, the association had embraced PKI in the hope that its members would follow suit.
"Before, there weren't a great many projects out there based on PKI," says Gasparini. "We considered it important to demonstrate it to our member banks, to show them the possible uses and benefits. They wouldn't employ PKI just for the sake of it."
He stresses that the education process goes far beyond making sure that members' IT staff are up to speed. Employees in human resources and legal departments - in fact everyone who uses PKI - must be aware of the nature of the digital certificates, how they work and the level of liability they take on by becoming involved in the scheme.
According to Gasparini, the problem is that the extent to which member banks are PKI-savvy varies enormously, as does the technical ability of staff. He is quick to point out that this technology is still relatively new and the majority of people who work in the BBA's banks are not technical people.
Not all members have greeted the developments with open arms. One member bank complained about the legal issues surrounding the digital certificates. And another voiced concerns about some obligations between itself and the issuer.
However, Gasparini says the majority of the feedback from members that have become involved in the scheme has been good. And there has been a great deal of interest from members regarding the possibilities and functionality of PKI. But he admits the uptake so far has been quite slow. "It is a long process," he says. "We've provided some guidelines, but ultimately the decision is with our member banks."
Gasparini believes that the adoption of PKI by BBA members has also been held back by technical and legal issues. "With digital certificates, there are rights and obligations and this covers a whole new legal area for a lot of our members."
Digital certificates have to be applied for online, but some members do not have widespread Internet access, so they need technical support as well. And the decision process can take a long time.
According to Gasparini, the best response has been from the small and medium-sized banks, which are "more ready to jump on the PKI bandwagon". With the bigger banks, there are more technical and legal problems and the decision process is longer and slower.
Gasparini stresses that the PKI system has been implemented and developed for the end-users (its members) and not the BBA. He describes the structure of the PKI system at the association as a triangular relationship between the association, end-users and the digital certificate issuer, InterClear.
So far, about 47 of the BBA's members have applied for digital certificates and approximately 100 digital certificates are being used at the moment.
"Our target is to take on board 100-150 banks by the end of the year," Gasparini says. "This would involve 500 digital certificates."
So it appears that, having made the initial decision to lead by example, the BBA is finally succeeding in passing on the lessons it has learnt and getting its members on board the PKI bandwagon.
How public key infrastructure works
- PKI allows users to exchange data securely and privately through the use of a public and private key pair, created by a certificate authority.
- The certificate authority also creates a digital certificate, which identifies an individual or organisation and includes the public key.
- Whereas the public key is widely available to people, the private key is kept secret and only known and used by the person or company that requested it. It is used to decrypt messages that have been encrypted by someone else with the corresponding public key.
- To send an encrypted message to someone, you "lock it" using his or her freely available public key. The recipient then decrypts or "opens" it with the corresponding private key.
- The private key can also be used to encrypt a digital certificate to authenticate yourself to a second party. The recipient then uses the corresponding public key to decrypt it.
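The steps in this list, run end to end with the OpenSSL command line as an added example that is not part of the original article or of the BBA/InterClear system. It assumes the member generates its own key pair and sends the issuer a certificate request, and it shows the authentication step as a digital signature, which is how OpenSSL exposes the private-key operation; the issuer name, member name and document text are constructed.

```sh
#!/bin/sh
# Added illustration: issuer, member names and the document text are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

setup_pki() {
  # Issuer: stand-in certificate authority with a self-signed root certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Issuer CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
  # Member (assumption: it generates its own key pair and sends the issuer a request).
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example Member Bank/CN=Policy Desk" \
    -keyout member.key -out member.csr 2>/dev/null
  # Issuer binds the member's identity to its public key by signing a certificate.
  openssl x509 -req -in member.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out member.pem 2>/dev/null
  openssl x509 -in member.pem -pubkey -noout > member.pub
  printf 'DRAFT consultation response (constructed sample)\n' > draft.txt
}

# Anyone relying on the certificate first checks that the issuer really signed it.
cert_is_trusted() { openssl verify -CAfile ca.pem member.pem >/dev/null 2>&1; }

# Confidentiality: lock with the member's public key, open with its private key.
# RSA-OAEP only fits short inputs; real document exchange wraps a symmetric key.
seal()   { openssl pkeyutl -encrypt -pubin -inkey member.pub \
             -pkeyopt rsa_padding_mode:oaep -in draft.txt -out draft.enc; }
unseal() { openssl pkeyutl -decrypt -inkey member.key \
             -pkeyopt rsa_padding_mode:oaep -in draft.enc; }

# Authentication: the private key signs, the certificate's public key verifies.
sign_doc()   { openssl dgst -sha256 -sign member.key -out draft.sig draft.txt; }
verify_doc() { openssl dgst -sha256 -verify member.pub -signature draft.sig "$1" \
                 >/dev/null 2>&1; }

setup_pki; seal; sign_doc
{ cat draft.txt; echo 'edited in transit'; } > tampered.txt
cert_is_trusted && echo "certificate chains to issuer"
echo "decrypted: $(unseal)"
verify_doc draft.txt && echo "signature valid on original"
verify_doc tampered.txt || echo "signature rejected on altered copy"
```

The altered copy fails verification because the signature covers a SHA-256 digest of the exact bytes that were signed.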