Securing the Digital Perimeters
Given the current state of operational readiness, destroying a bank's buildings would be an act of senseless brutality, but it would pose little threat of serious, long-term disruption to the global financial network. A strong defense therefore also requires sound information security practices, with extensive countermeasures against cyber-attack and insider damage.
Red Siren (Pittsburgh) provides security consulting, outsourcing and professional education, and serves a broad range of financial institutions. "It is often the case that the security organization is in a pretty immature state," says Tim Welsh, senior director for U.S. consulting services at Red Siren. "There is wide variation in the extent to which best practices in information security are both understood and followed."
Information security doesn't stop at an organization's boundaries. "It's important, in our view, that organizations have some kind of security-related compliance that they impose on their supply-chain partners, vendors and so forth, so that they have assurance that partners are also following an established and recognized set of security best practices," Welsh says.
Mergers and acquisitions also expose new vulnerabilities. "It's incumbent on the security professionals in the financial institutions that are now some mix of acquired companies to have a uniform vulnerability management program across all of the managed entities," Welsh points out. "We would advocate very close attention to network documentation and network mapping as a first step in that acquired environment."
Employees also have to understand the severity of the information security threat, since the right credentials in the wrong hands could render tons of concrete barriers worthless. Stolen customer data, likewise, can be used to open bank accounts that in turn fund terrorist organizations.
Combating the insider threat may also call for new legislation. "There are a lot of sticks, but not necessarily a lot of carrots out there for companies to really go above and beyond, and to do all that they can to protect customer data," says Doug Camplejohn, vice president of products and marketing, Vontu (San Francisco), a security software firm that specializes in preventing insider theft.
For example, California's security breach law (SB 1386) requires businesses to notify affected consumers when their unencrypted personal information is breached. But that may have had unintended consequences. "If companies go above and beyond, and are employing technologies and audits, and a lot of things that would come together in what you'd consider best practices around protecting data, they're probably going to find more [breaches]," Camplejohn says. "People question whether they're better off burying their heads in the sand and not looking for problems because of the notification requirement."
"I would presume that's not what the California legislature had in mind," he adds. An alternative, Camplejohn suggests, would be an "official safe harbor" provision that sets minimum standards for guarding customer data and training employees to guard customer data.
In addition to protecting customer data, technology companies have been helping to lock down user identities and privileges within financial institutions. The problem is most acute at converged firms formed through mergers and acquisitions, which support multiple lines of business, each with its own applications and identity management systems.
One solution is to centralize security management and authentication using a service-oriented architecture (SOA). Instead of each application managing its own accounts, privileges and auditing, the security function for the entire enterprise is spun off into a separate, central Web service that applications call before acting on a request. That is what Digital Evolution (Santa Monica, Calif.) offers its big-bank clients.
"We look at the information from the requestor, who's saying, 'I would like to make a query to that system,' and we determine whether the system's authorized to make that request," says Eric Pulier, founder and chairman of Digital Evolution. "There's an entire layer of complexity that needs to be abstracted away from the endpoints."
The Digital Evolution solution works with corporate identity management systems, including LDAP directories, IBM Tivoli and Netegrity SiteMinder, and can also interface with homegrown security databases. Indeed, a single organization may contain several different identity databases as the result of mergers. "You need to be able to traverse between them," Pulier notes.
In order to standardize security-related communications between disparate systems, the OASIS consortium has been developing an XML-based standard called SAML, or Security Assertion Markup Language, in which one system asserts to another who a requester is and what it is permitted to do. "In the past, every single one of these systems did it their own way," Pulier says. "That creates enormous complexity to manage and maintain."
With SAML and the establishment of a security hub, application developers can focus on business logic rather than access logic. That can help drive simpler technology environments and thus drive cost savings in application development. "If they can actually talk standards, you're going to save an enormous amount of money," Pulier claims.
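As an added illustration of the hub-and-SAML pattern described above (example code written for this page, not Digital Evolution's product or any OASIS reference implementation): a toy security hub resolves a requester across several constructed identity stores standing in for the LDAP, SiteMinder and homegrown databases of a merged bank, applies one central policy, and issues a SAML 2.0 assertion carrying an AuthzDecisionStatement. The endpoint then validates the assertion's issuer, audience, validity window and decision before acting. The issuer URL, store names, groups and policy are assumptions. The example does not sign the assertion; a real deployment must verify the XML Signature (for instance with xmlsec or signxml) before trusting any field, or the hub's decision could be forged.

```python
"""Toy central security hub issuing SAML 2.0 authorization assertions,
plus the relying-party checks an endpoint performs on them. Added example;
all names, stores and policy below are constructed for illustration."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
HUB_ISSUER = "https://hub.example.bank/idp"  # assumed issuer name


def q(tag):
    """Clark-notation tag in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{tag}"


# Constructed stand-ins for the identity stores a merged bank might hold.
# Each maps a requester id to its groups; a real hub would query LDAP,
# SiteMinder or a homegrown database behind this same interface.
IDENTITY_STORES = {
    "ldap-legacy-bank-a": {"svc-ach-batch": {"ach-submitters"}},
    "siteminder-bank-b": {"svc-portal": {"portal-readers", "ach-viewers"}},
    "homegrown-cards": {"svc-cards": {"card-ops"}},
}

# One central policy: which groups may perform which action on which system.
POLICY = {
    ("ach-core", "submit"): {"ach-submitters"},
    ("ach-core", "query"): {"ach-submitters", "ach-viewers"},
}


def resolve_groups(requester):
    """Traverse every identity store and union the groups found for the requester."""
    groups = set()
    for store in IDENTITY_STORES.values():
        groups |= store.get(requester, set())
    return groups


def decide(requester, system, action):
    """Central decision: permit only if the requester holds an allowed group."""
    return bool(resolve_groups(requester) & POLICY.get((system, action), set()))


def _fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issue_assertion(requester, system, action, ttl=300):
    """Hub side: build a SAML 2.0 Assertion with an AuthzDecisionStatement.
    Unsigned here; production code must add an XML Signature (e.g. xmlsec)."""
    now = datetime.now(timezone.utc)
    decision = "Permit" if decide(requester, system, action) else "Deny"
    a = ET.Element(q("Assertion"), {"Version": "2.0",
                                    "ID": "_" + uuid.uuid4().hex,
                                    "IssueInstant": _fmt(now)})
    ET.SubElement(a, q("Issuer")).text = HUB_ISSUER
    subj = ET.SubElement(a, q("Subject"))
    ET.SubElement(subj, q("NameID")).text = requester
    cond = ET.SubElement(a, q("Conditions"), {
        "NotBefore": _fmt(now),
        "NotOnOrAfter": _fmt(now + timedelta(seconds=ttl))})
    aud = ET.SubElement(cond, q("AudienceRestriction"))
    ET.SubElement(aud, q("Audience")).text = system
    az = ET.SubElement(a, q("AuthzDecisionStatement"),
                       {"Resource": system, "Decision": decision})
    ET.SubElement(az, q("Action")).text = action
    return ET.tostring(a, encoding="unicode")


def relying_party_check(xml_text, my_system, action):
    """Endpoint side: accept the request only if every check on the assertion passes.
    (Signature verification would come first in a real deployment.)"""
    now = datetime.now(timezone.utc)
    a = ET.fromstring(xml_text)
    if a.tag != q("Assertion") or a.get("Version") != "2.0":
        return False
    if a.findtext(q("Issuer")) != HUB_ISSUER:       # only our hub may assert
        return False
    cond = a.find(q("Conditions"))
    if cond is None:
        return False
    if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        return False                                # stale or not yet valid
    if my_system not in [e.text for e in cond.iter(q("Audience"))]:
        return False                                # issued for another system
    for st in a.iter(q("AuthzDecisionStatement")):
        if st.get("Resource") == my_system and st.findtext(q("Action")) == action:
            return st.get("Decision") == "Permit"
    return False                                    # no decision for this action


if __name__ == "__main__":
    token = issue_assertion("svc-ach-batch", "ach-core", "submit")
    print(token)
    print("accepted:", relying_party_check(token, "ach-core", "submit"))
```

The endpoint applies the audience and validity-window checks itself rather than trusting the transport: an assertion replayed to a different system, or after it expires, is rejected even though it is well-formed and carries a Permit. Adding a new application means registering it as an audience and adding policy rows, with no account or privilege logic in the application itself, which is the cost saving the article describes.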