04:30 PM
Jonathan Gossels, President, SystemExperts Dick Mackey VP, Consulting, SystemExperts
Jonathan Gossels, President, SystemExperts Dick Mackey VP, Consulting, SystemExperts
Connect Directly

System Experts: Security Management Goes Front Stage in 2007

Regulation and privacy-conscious consumers up the security ante for banks.

Perhaps nowhere in the banking technology space is change occurring more rapidly than in the area of information security. Several overarching trends will shape the landscape in 2007.

Identity and Access Management

Identity and access management (IAM) is becoming increasingly important, particularly within the banking industry because of regulatory compliance requirements. Sarbanes-Oxley has led many organizations to deploy IAM to allow better accountability and control over their financial systems. They also have looked to these solutions to centralize management and reporting, and provide more-consistent access control to systems and applications across the enterprise.

Security Comes Out of the Shadows

No longer are product managers of online banking services concerned that raising security as an issue will dampen acceptance of the electronic channel. An increasingly security-aware user community, highly publicized incidents of disclosure of personal information and regulatory pressure have combined to catalyze a fundamental change -- users are comforted by well-integrated security measures.

Standards-Based Security Assessments

Today, many organizations are interested in demonstrating due diligence in the security realm. Instead of one-time exhaustive testing, they embrace ongoing, periodic independent assessments and audits that are standards-based.

FFIEC Guidance

Though the deadline for substantial compliance was Dec. 31, 2006, the banking industry will continue to deal with the ripples of the FFIEC's guidance throughout 2007. Fortunately, the FFIEC's guidance allows each bank to ground its authentication decisions within its own overall information security framework and allows the selection of authentication methods to vary with relevant business risk. The guidance also addresses the importance of customer security awareness -- many banks still have a long way to go in rolling out customer security awareness programs.

Stricter Management of Service Providers

FFIEC regulations and other security guidelines spell out the need for understanding and taking responsibility for the security practices of service providers with access to customer data. Banks must have a program in place to assess the risk of compromise of the information provided to their service providers, evaluate the adequacy of their security practices and monitor their performance.

Tech to Watch: SOA

The promise of reduced development costs and faster time to market through code reuse makes deployment of service- oriented architecture (SOA) technology inevitable in the banking industry. Securing SOA environments is going to be a long-term challenge, and it is important to create a governance structure up front. There are big issues that need to be resolved, including data confidentiality when data is communicated among services and stored within a service, how services authenticate one another, and whether it is important to track various services' changes to transactions as they flow through a system that has no defined beginning or end.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.