Implement reliable, scalable digital certificate validation system for online, real-time instruction processing of high-value, high-volume transactions
Able to validate signatures for every single message passing through the system
Able to provide prompt and effective delivery of cash and securities without risk
Reduced risk of missed transactions with 100% uptime
Fully trained and self-sufficient security staff is able to manage solution in house
Able to handle high volume of transactions during peak times across all time zones
Recognized as a center-of-excellence for critical services that surpass all regulatory requirements
“OCSP, through Axway’s Validation Authority, enables us to offer a rock-solid base for the validation of the signatures for every single message that passes through the system.”
Trillions of Euros, Thousands of Customers
World-class certificate-based authentication required
Clearstream provides settlement and custody services to approximately 2,500 customers worldwide including major stock exchanges, banks and national treasuries in more than 110 countries. It is essentially a bank’s bank. Clearstream’s global network also extends across the stock market exchanges of 46 countries.
Clearstream is positioned as the leading European supplier of post-trading services. Clearstream, a wholly owned subsidiary of Deutsche Börse (the German Stock Exchange), ensures that cash and securities are promptly and effectively delivered between trading partners for the entire group. It also manages, safeguards, and administers the securities it holds on behalf of its customers.
In addition, over 300,000 domestic and internationally traded bonds, equities and investment funds are currently deposited with Clearstream. This equates to about €10 trillion in Clearstream’s custody at any one time.
Given the complexity, speed, quantity, and value of the assets involved, a fast, secure and trusted third-party service provider is absolutely essential for settling transactions. Clearstream meets this critical requirement by using Axway Validation Authority for Online Certificate Status Protocol (OCSP). More than 250,000 transactions are validated on a daily basis.
“About ten years ago, we made the strategic decision to move to online, internet-facing, real-time instruction processes based entirely on open standards. We required a very reliable and class-leading digital certificates validation system because, obviously, the certificates were going to be the foundation of our security mechanisms,” said Paul Rees, CISSP CEH, who is responsible for Public Key Infrastructure (PKI) Strategy at Clearstream Services. “OCSP, through Axway’s Validation Authority, enables us to offer a rock-solid base for the validation of the signatures for every single message that passes through the system.”
High-Volume, High-Value Transactions
Highly critical solution
The very nature of Clearstream’s business is online high-value transactions. Clearstream processes approximately 8.5 million transactions a month. There may be four to six individual certificate validations for every transaction, which adds up to 40-50 million validations per month. If any one of those single validations fail, Clearstream could be financially liable. With transactions exceeding millions of euros, and some even in the billions, the criticality of the Validation Authority solution cannot be overstated. The financial penalty for missing a large transaction could be devastating.
5,000 messages per minute
Clearstream seamlessly handles transaction volume peaks throughout the day globally for different time zones. As important deadlines come up throughout the day, such as closing of stock exchanges around the world, the Clearstream team is fully confident that it can handle thousands of transactions in any single minute.
This confidence is due to Clearstream’s stress test of each component of its security architecture, which proved that Axway Validation Authority can handle 5,000 validation messages per minute.
This means the system has been scaled, through stress-testing, to handle 500 million transactions per year.
“We use hardware acceleration for all of the signatures and we use very resilient hardware,” said Rees. “The testing is absolutely critical. Before any change of software, hardware, or code components, we stress test both the individual components and the end-to-end architecture. We invest huge amounts of time and effort in making sure we can maintain the volumes, and that availability is proven by the year-on-year performance of the Validation Authority application.”
“We have relied on the Validation Authority solution for close to ten years, and we have enjoyed levels of availability that have been unmatched by any other product. We really are zero outage. Unplanned downtime for this product is simply unheard of.”
99.99% Availability Worldwide, 24x7
Stable and secure
Stability and security are both absolutely critical to Clearstream. Axway Validation Authority is by far the most critical and time-sensitive component of the entire PKI architecture. 99.99% availability worldwide, 24x7 is required due to the nature of transactions.
Clearstream statistics show that the service ran at 99.99% uptime for five years. In some years there were no failovers whatsoever, with 100% uptime.
“We have relied on the Validation Authority solution for close to ten years, and we have enjoyed levels of availability that have been unmatched by any other product,” said Rees. “We really are zero outage. Unplanned downtime for this product is simply
Rees continued, “Making the decision to go with Validation Authority’s standard architecture has been a key enabler of managing the business online, and being recognized as a trustworthy application hosting vendor.” Clearstream also provides PKI services for other institutions and even other countries. Through the development of its own offering based on Axway Validation Authority, it has earned a reputation as a PKI hosting center, operating PKI and the Validation Authority solution for geopolitical PKIs and other companies. “We definitely have a reputation as a center of excellence for this type of architecture in view of the fact that we manage our own system, where the requirements and criticality are far in advance of what other non-financial institutions or banks may require.”
A Secure Process
Means satisfied customers
With Clearstream’s standards-based system and classic security model, customer organizations are the sole registration authority for the certificates. The customer can choose to have a four- or eight-eyes principal for validation and release of financial transactions. As a result, no individuals within Clearstream have any ability to generate a customer transaction or to access customer messages. “The PKI administration has no rights for key generation so we know that a signed message coming in from a customer has to be from that particular customer, and we have no ability to bypass the system,” said Rees.
The system goes way beyond any financial requirements from regulators, which means Validation Authority is truly a state-of-the-art implementation of PKI. With standardsbased PKI, Clearstream is able to describe the security of the solution in absolute detail to its customers. “I think a lot of bigger companies nowadays want to know what happens behind the scenes, and want to know what the security components consist of for their own regulatory compliance,” said Rees.
A lot of external auditing takes place, but not only auditing of IT operations in the traditional sense. Clearstream has paid a lot of money to have external, trusted auditors audit the design and the effectiveness of the security controls. “We have standards like ISO 9002 and SAS 70, among others, to make sure that the actual design of the approach and the underlying human elements of the approach are correct,” stated Rees.
Regarding customer satisfaction, Rees summarized Clearstream’s position on security as follows, “Customers are never unhappy unless something fails, so we rarely hear from them. It’s like anything else involving security — if it works, nobody notices.”
Valued Vendor Independence
Relying on standards
Clearstream enjoys trusted partner relationships with it vendors. However, with an open standards-based approach, Clearstream selects only vendors that stick to standards to ensure interoperability. This strategy helps Clearstream avoid any proprietary technology or vendors. As a result, Clearstream can “swap-out” a vendor without having to re-engineer or re-architect the solutions.
“Probably one of the only components that has gone through these past years without being affected is Validation Authority, where we still rely on it today the way we did ten years ago. It’s not that we don’t look around at other technologies. We do. We have tested other OSCP solutions from other vendors. It’s not as if we have this blind faith in Axway — it is a justified faith,” said Rees.
“We know that for every application that comes through the development pipeline, we don’t have to think about security, we don’t have to recruit any consultants, or any security staff. We have a tried and tested out-of-the box approach which is very cost-effective now that we have placed the entire company’s validation requirements onto this architectural backbone,” he said.
Clearstream works very closely with its vendors when testing and simulating a new application. “We ask a lot of questions when we are testing and when we are implementing, so that we don’t have any surprises when we go live.”
In addition, Clearstream has a large team of highly trained and certified internal experts so it does not have to rely on external service providers or consultants. This is key to the company strategy as it enables Clearstream to fully manage solutions internally, and to take full responsibility for service and approach.
External trusted auditors regularly audit the design and effectiveness of Clearstream security controls. The system is completely mastered internally, so in the event of an incident, risk is greatly reduced as qualified staff is in-house and instantly available.