When Chow began considering how to manage and archive data securely, he tapped Redwood City, Calif.-based Decru, a provider of networked data storage security solutions. By adding Decru DataFort T-Series storage security appliances, BECU can encrypt customer data that is written to tape. This ensures that member information is protected against theft or unauthorized access, regardless of where the tapes are stored, Chow notes.
"Rather than compromise data, BECU is taking measures to protect its customers," says Kevin Brown, vice president of marketing for Decru. Decru also supports BECU's shared file improvement project initiative. The system, which resides at BECU's corporate data center, detects how users create files and access and use data.
By linking information life cycle management software with a visual storage resource management solution and Decru's storage encryption, BECU can manage data throughout its life cycle, "from the time the data is useful to the point that it needs to be archived or destroyed," Chow says.
On the Alert
Data protection is not reserved for historical information. In fact, banks are demanding software that records, reports and analyzes ongoing security behaviors at the branch and corporate level. Called network monitoring software, these applications monitor network devices and user behavior and alert executives to potential problems.
"The ability to report and analyze trends, capture baseline behavior, identify concerning behavior and demonstrate corrective action is essential to maintaining system integrity," says Randy Lahti, managing director for Southlake, Texas-based Optin Security Corp., a provider of on-site and remote network perimeter security solutions. "Similarly, these actions are essential to keeping management, regulatory and consumer confidence strong."
A key to information security management is to create a system that consolidates status and behavioral information within a central location. "The software acts as a centralized platform that audits operations," says Matt Stevens, CTO, Network Intelligence, a Westwood, Mass.-based provider of security event management solutions. "The application taps into a bank's infrastructure and enables a company to understand where its security holes are on a holistic level."
Network Intelligence's solution captures information from operations performed across a bank's mainframe or operating system and all applications that run on these platforms. "The software provides an efficient method for security teams to analyze event records," contends Stevens. "By automating the auditing process, the IT team is free to tackle other issues."
M&T stays abreast of potential problems enterprisewide with the help of netForensics, an Edison, N.J.-based firm that provides security information management systems. "We utilize their security event-monitoring platform to correlate and normalize security events from a variety of disparate systems," the bank's Speare explains.
Unlike M&T, Castle Rock's limited resources made it difficult to tackle the project internally. Instead, Castle Rock Bank turned to Optin Security to manage its network.
Despite the plethora of available security solutions, the industry's journey toward information protection has only begun. "Banks are investing in the appropriate technology, but what is still lacking is awareness," says Edward Schwartz, netForensics' senior architect.
M&T is taking steps to improve awareness among its employees, according to Speare. "The weakest link is people," he says. "That said, our training efforts are much more aggressive than in the past." Using its corporate intranet, M&T requires its entire employee base to complete security awareness training on an annual basis. Further, awareness tips and alerts are provided to employees periodically.
"Banks need to merge their policies, education and technology, then use data to recognize when there is a potential critical problem and take action in a timely manner," netForensics' Schwartz adds. "That is the Holy Grail."