Taking control

With a growing number of channels through which banking transactions can take place, and the ever-increasing volume of data that goes with them, it has never been more imperative that we ensure the ongoing security of our information and systems. Trevor Dearing, Head of Financial Solutions, EMEA, Juniper, and Keith Girt, UK Country Manager, Beta Systems Software, go head-to-head on the real challenges facing financial institutions today and discuss some of the possible solutions.

FST. What are the challenges and risks that financial institutions face in securely managing access to their information or networks?
KG. The problem for financial institutions is that in this area it is very difficult for them to balance their books. On one side of the security ledger is the need to implement strict access control policies to meet the increasing demands of regulators and deal with the spiralling threat of computer crime, while, on the other side, the business itself demands timely, flexible access to applications and information for staff, business partners and customers.

As the IT infrastructure gets ever more complicated, the costs of achieving this balance can easily spiral out of control or, worse still, an imbalance resulting in uncontrolled access, can mean severe financial loss and damage to reputation.

Technology, while not itself the solution, is the enabler that, when implemented effectively to support people-oriented business and security process improvements, makes the solutions possible.

TD. Modern IP technology allows an incredible amount of flexibility to be built into the operation of a financial institution. It has become like electricity – wherever a user can gain access to a broadband service, either in an office or remotely, they can have the full range of services and applications. There are two main challenges that go along with this – performance and security. Many people believe that bandwidth alone can solve all performance issues; however, as most applications were not written to work outside of the main office, there is more to it than just bandwidth.

The main risk is that by making access to information easier you open yourself up to threats. These can take the shape of theft or denial of service. This can be theft of confidential information from inside the organisation or the theft of customer information externally, such as phishing.

FST. How does this impact on the cost and efficiency of an organisation’s day-to-day processes?
KG. It has been acknowledged for some time that the direct cost of managing digital identities is the biggest single staff-related cost in IT. Some of this is visible centrally because of the number of people employed as full-time Security Administrators, but much of it is generally less visible, because it is handled by network administrators or business staff as just a part of their work. In reality, user management requires at least one FTE for every 1000 users, a figure quoted several years ago by Gartner.

Another major direct cost burden results from the very high percentage of password related calls to the help desk. The more accounts a user has, the more passwords they need and, unless they write them down or use weak ones (unfortunately very common practices), the more times they forget them. Some studies have shown that this generates as much as 50 percent of the help desk workload.

Of course, the end users are also affected; the amount of productive time they lose waiting for passwords to be reset or for new access rights to be provided when their jobs change, is significant. As regulations such as SOX multiply, the attestation processes often involve very inefficient manual reporting procedures, themselves sometimes open to manipulation.

TD. Security is really about cost and pain – organisations implement security because not to do so would cost money. Equally, if they did not need the security then it would cost them nothing, so there is a balance that must be reached. Institutions should work on a cost versus saving model, a ratio that depends on an organisation’s attitude to risk. The impact on the efficiency of a company really depends on how structured the approach to security is. A piecemeal solution will be costly to manage and difficult for the users to understand. Security should be almost invisible to the user, regardless of where they are working from.

FST. How can those costs be reduced – what solutions are currently available to improve security while also addressing the issue of cost-effectiveness?
KG. Many European banks have implemented Beta’s IAM solutions and, as they have several years’ full production experience, the benefits in terms of cost savings, improved security, greatly simplified reporting for auditors and regulators, together with an enhanced user experience of security, are fully proven.

These solutions support automated provisioning, often driven by information feeds from HR and enhanced by powerful role-based access control (RBAC), in which Beta is the acknowledged leader. As well as this support for automation, our RBAC is itself a very effective tool for enhancing and enforcing access control policies, such as separation of duties.

For the end users, a new generation of enterprise single sign-on (eSSO) solutions now make the goal of ‘one log-on’ a practical and very cost-effective reality. We also provide this within our IAM suite and it will greatly enhance security while supporting compliance reporting, making it a real win-win solution. It supports any type of strong authentication for the primary log-on, then ensures the use of the strongest possible passwords for secondary authentication to each application, transparent to the user. In the past, eSSO solutions were expensive, insecure, complicated to deploy or did not scale – in some cases all four. Today these problems have gone.

TD. It is important to make sure you don’t choose a security solution based on data sheets. Many vendors will claim that they support all of the features required in a single box or in a piece of networking equipment that you may already own. While the attraction of using a router as a security device by just turning on the features may appear a cost-effective solution, if by doing that the device slows down to an unacceptable level this is a false saving.

The other false saving is to compromise your security by buying products from a non-expert. An anti-virus product from a networking vendor is never going to be as effective as one from an anti-virus manufacturer. Juniper Networks has implemented specialist functions on their products from companies like Kaspersky, SurfControl and Symantec to provide the best possible solutions.

FST. Are there other factors that should be considered – for example, ease of use, or flexibility in the long-term?
KG. Even though the cost-benefits are clear, investment in an effective IAM infrastructure will be significant, and it must be seen as a strategic initiative. Some aspects will directly touch the end users, while some are more related to administrative and management tasks. All address complex business processes and the organisation’s use of diverse technology, including mainframes, mid-range servers, networks, databases, directories and applications. None of these are static over time.

Therefore proper consideration must be given to future-proofing IAM. Some solutions are becoming increasingly focused on specific application platforms and may therefore over time not fully support total integration of a heterogeneous environment. No IAM project team can be certain what new platform or application may be introduced next year or later, so flexibility is certainly key to investment protection.

Proper consideration must also be given to how easy it will be to adapt the solution to existing business processes, rather than go through enforced process changes to fit the product.

As security is more about people and processes than technology, it should also be recognised that if the implementation makes the users’ lives more difficult, they will tend to find ways to circumvent it, so ease of use is vital.

TD. Any solution that is implemented must be easy to use from the aspect of the user and the manager. Most users are not able to understand the process of keeping their workstation in spec, so this should be automatic. Equally, security policy should be managed for the entire network and not just individual boxes. If you have a network of 500 sites, you do not want to configure each box individually should a policy change happen; you want to apply the change across the network with a single click.

FST. Can you give any examples of incidences where your solutions have had a proven impact in the financial services field?
KG. A good example of the benefits of the SAM Suite comes from one of the largest German banks, with over 40,000 users and the typical environment of mainframes, Windows, SAP, UNIX and multiple directories. The goal was to deliver enhanced security at significantly lower cost through a combination of automation, where possible, and distributed administration for residual tasks. The result is that 90 percent of all routine administration tasks are automated, with local branch administrators easily able to perform ad-hoc profile changes under strict policy control. The savings amount to millions of euros per year.

Another bank – which manages 100,000 users and 65 separate access control systems – achieved cost savings, illustrated by the fact that they only need one administrator for every 4200 users. The bank’s project manager stated that without SAM they would need 100 more administrators.

SAM’s Provisioning and Password Management components also enabled it to rapidly alter staff’s identity profiles to avoid accumulations of access rights and ensure immediate revocation for leavers.

TD. The ways in which financial institutions use Juniper products are wide and varied. Most financial institutions are loath to disclose how they have implemented their security policies. However, there are a number of customer case studies, for companies like Handelsbanken, ABSA and OMX, available on our public website www.juniper.net.

FST. Where do you see this going in the future – are any developments or improvements in the pipeline that you are particularly excited about?
KG. It’s true to say that the demands of the market for IAM solutions and the products themselves are evolving rapidly. Right now, regulatory compliance is the hot topic and key driver for many product enhancements. The good news for our established customers is that their original SAM deployments put them in good shape to respond to these issues at significantly lower costs than for many other organisations. Questions of ‘alligators and swamps’ did not arise.

I mentioned earlier the recent emergence of enterprise single sign-on as a counterpart to the well established web SSO and we expect a rapid take-up in the corporate sector over the next 12 months. Beyond that, the picture becomes even more exciting. Technologies such as Virtual Directories and standards such as SAML and SPML will become increasingly important parts of IAM solutions. Federated Identity Management, with all the challenges of the trust model, is beginning to gather momentum and will have as big an impact on inter-company information access as LDAP has done within the company.

Solution providers, systems integrators and large corporations have a very busy time ahead of them!

TD. Increasingly, aspects of security must converge with networking and application acceleration to create a network that is intelligent enough to understand the requirements of both the user and the application. Technologies like RFID and biometrics will allow a user to walk up to any device and gain access. Thin client technologies will remove the need to carry so much processing power with you. Probably the biggest impact will be created by SIP, which will completely change the way that we interact.

Keith Girt
Girt has been responsible for Beta Systems Software’s UK business operations since January 2004, before which he was Executive Vice President of Beta’s Washington-based North American operation.

Girt has over 25 years’ experience in the IT industry, the last 10 of which have been focused on security. He was responsible for establishing the SAM Identity Management solution within the UK and supported SAM business activities in several other European countries. During his time in the US, the revenue and customer base for SAM doubled.

Trevor Dearing
Juniper’s Head of Financial Solutions for EMEA has worked in the IT industry for 23 years in a variety of leading edge roles. Dearing’s early years were spent supporting the commodities trading systems in the City, followed by installing and supporting SNA networks for a number of global finance houses. The advent of the PC and LAN/WAN technology provided a change to the design and development of new networks. The last few years have been spent working on the convergence of voice and data with a number of tier 1 manufacturers. He is currently focused on the development and promotion of the thin branch.
