With hackers and criminals doing their utmost to infiltrate financial institutions, and compliance regulations becoming ever more stringent, FST looks at the business of data storage.
Banks have a mind-boggling amount of data swishing around their systems – much of it belonging to customers. Reliable and secure storage of that data is, of course, paramount. For financial institutions, archive, backup and recovery have become big business. Compliance regulations, including Basel II and anti-money laundering (AML) legislation, have added to the tide of data that the banks must store, while the proliferation of online banking has hardly made the job any easier.
As well as this, criminal gangs and even rogue employees are going after customer information like never before, intensifying the chance of data falling into the wrong hands. Despite reassurances from the banks, Jim Reavis, Executive Director of the Information Systems Security Association (ISSA) suggests that they could do more when it comes to holding data securely. “Banks generally have put a lot of effort into information protection, although you could certainly argue that several initiatives have not been very effective. They could always do more to protect customer data, but an inhibitor has been an inability to quantify the amount of customer protection that arises from any given security initiative.”
Reavis argues that the banks could approach data storage as diligently as other parts of the business. “Financial institutions are very good at using risk analytics to identify the costs and benefits of financial products as well as being able to quite accurately determine the interest rate that must be used when lending money to a customer with a given credit score. They need to use this considerable risk management expertise to build better metrics for their information security programs.”
Comply or die
As well as security threats, compliance regulations have had a major impact on storage. Indeed Basel II, which introduces new requirements with regard to measuring credit and operational risk for European banks, asks them to retain historical data for up to five years, and have it readily available for inspection - to ensure banks retain sufficient capital to cover their risk. In the US, accounting compliance regulations surrounding Sarbanes-Oxley have hit the banks’ balance sheets hard, not to mention the costs associated with adhering to AML legislation.
Matthias Werner is Director of the Board at the Storage Network Industry Association (SNIA) Europe. He suggests that sheer volume of data is a major challenge for the banks. “Every single transaction creates data and financial institutions, in most cases, have to keep that data for a long time – years or even decades. Secondly, customers have come to expect account statements from months or years ago to be easily retrieved by the banks, so more data has to be kept online.
“Another great challenge is the compromise which has to be made between maximum protection and application performance. Banks and insurance companies would prefer to keep datacenters hundreds of miles apart in order to gain maximum protection for regional disasters. For physical reasons this is not possible in most cases, so they often choose so-called three-site concepts where two adjacent sites are kept in synch while a third site runs asynch a couple of seconds or minutes behind. Of course this is not cheap but it's one of the best options.”
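The three-site arrangement Werner describes is easier to reason about with a small model. The Go program below is an added example written for this article, not code from SNIA or any vendor: it keeps a primary and an adjacent mirror in lock-step (every commit pays the round trip to the mirror before the application is acknowledged) and lets a distant third site replay the log asynchronously, up to a configurable lag behind. The `Failover` function then shows what each failure costs: losing one of the adjacent pair loses nothing, while losing both at once (the regional disaster the third site exists for) loses exactly the writes the remote has not yet replayed. The site names, timings and transaction IDs are all constructed for the simulation.

```go
package main

import (
	"fmt"
	"time"
)

// write is one acknowledged transaction and the simulated time it was committed.
type write struct {
	ID string
	At time.Duration
}

// site is one datacenter's copy of the transaction log.
type site struct {
	Name string
	Log  []write
}

// threeSite models two adjacent sites kept in synchronous lock-step plus a
// distant site that replays the log asynchronously, up to AsyncLag behind.
type threeSite struct {
	Primary, Mirror, Remote *site
	SyncRTT  time.Duration // round trip to the mirror, paid on every commit
	AsyncLag time.Duration // maximum staleness tolerated at the remote site
	Clock    time.Duration // simulated wall clock
}

func newThreeSite(syncRTT, asyncLag time.Duration) *threeSite {
	return &threeSite{
		Primary:  &site{Name: "primary"},
		Mirror:   &site{Name: "mirror"},
		Remote:   &site{Name: "remote"},
		SyncRTT:  syncRTT,
		AsyncLag: asyncLag,
	}
}

// Commit records a write arriving `elapsed` after the previous event. Primary
// and mirror both hold it before the application is acknowledged, so the
// observed commit latency is the synchronous round trip.
func (t *threeSite) Commit(id string, elapsed time.Duration) time.Duration {
	t.Clock += elapsed
	w := write{ID: id, At: t.Clock}
	t.Primary.Log = append(t.Primary.Log, w)
	t.Mirror.Log = append(t.Mirror.Log, w)
	t.catchUp()
	return t.SyncRTT
}

// Advance moves the clock through a quiet period so the remote site can drain.
func (t *threeSite) Advance(d time.Duration) {
	t.Clock += d
	t.catchUp()
}

// catchUp replays, in order, every write that is at least AsyncLag old. The
// remote log is always a prefix of the primary log, so its length is the
// replay position.
func (t *threeSite) catchUp() {
	for _, w := range t.Primary.Log[len(t.Remote.Log):] {
		if t.Clock-w.At < t.AsyncLag {
			break
		}
		t.Remote.Log = append(t.Remote.Log, w)
	}
}

// Failover reports which site takes over if the named sites are lost at once
// and how many acknowledged writes it is missing (the recovery point loss).
func (t *threeSite) Failover(lost ...string) (survivor string, lostWrites int) {
	down := map[string]bool{}
	for _, n := range lost {
		down[n] = true
	}
	for _, s := range []*site{t.Primary, t.Mirror, t.Remote} {
		if !down[s.Name] {
			return s.Name, len(t.Primary.Log) - len(s.Log)
		}
	}
	return "", len(t.Primary.Log)
}

func main() {
	// Constructed scenario: 2 ms round trip between the adjacent sites, a
	// remote site allowed to run 30 s behind, one transaction every 10 s.
	t := newThreeSite(2*time.Millisecond, 30*time.Second)
	for i := 1; i <= 5; i++ {
		lat := t.Commit(fmt.Sprintf("txn-%d", i), 10*time.Second)
		fmt.Printf("txn-%d committed, application waited %v\n", i, lat)
	}
	s, n := t.Failover("primary")
	fmt.Printf("lose primary: %s takes over, %d writes lost\n", s, n)
	s, n = t.Failover("primary", "mirror")
	fmt.Printf("lose primary+mirror: %s takes over, %d writes lost\n", s, n)
	t.Advance(time.Minute)
	s, n = t.Failover("primary", "mirror")
	fmt.Printf("after a quiet minute: %s takes over, %d writes lost\n", s, n)
}
```

The two knobs are the trade-off Werner names: `SyncRTT` is what every transaction pays for zero-loss protection against a single-site failure, and `AsyncLag` bounds how much acknowledged data a regional disaster can cost. Running the scenario shows three of five writes unreplayed at the moment of a regional loss and none once the backlog has drained.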
Any information built or derived from corporate data is becoming an increasingly important factor when competing for customers – storing data about customer behaviour, purchases and preferences allows companies to use applications like CRM to gain a competitive advantage. “In the financial sector, this is even more crucial because it is not just information about customers that needs to be stored as customer assets are also handled using IT,” Werner explains. “Unlike 50 years ago, your bank account today only exists in the digital realm, while most people no longer keep and update their cheque books. This fact forces financial institutions to add even more levels of redundancy and security to protect client assets, and storage technologies provide the means and methods to do so. Add compliance and regulatory requirements with a global 24/7 economy and you get an idea about why banks and other financial companies today cannot afford to lose a single second’s worth of data.”
Another reason for ensuring adequate storage of information is in case of emergency. Banks need to archive it, protect it and back it up in case disaster recovery is ever required. In fact, adequate continuity planning has come to the fore in recent years following the 9/11 attacks. In Lower Manhattan 30 percent (28.7 million square feet) of floor space was damaged or destroyed. The institutions needed to get the operations back up and running with the minimum disruption and archived data fully intact.
Cracks in the defence
Today, many of the major European banks have outsourced operations to places like India, especially in IT and customer service. The banks make huge savings with the cheap labour but the risk to data increases, as has been highlighted by a worrying spate of security breaches. In 2005 four US Citibank customers were given a shock when US$350,000 was stolen from their accounts by staff working in an Indian call centre. Also, an undercover journalist working for a British newspaper claimed he bought personal details of 1000 UK bank customers for UK£4.25 each from a Delhi-based IT worker. And in June a Bangalore employee was arrested in connection with UK£233,000 stolen from bank accounts belonging to HSBC customers. The banks say these are isolated incidents, but the truth is these security breaches do very little for customer confidence.
Reavis says some banks lose control over parts of the business through outsourcing, leaving rogue employees to get their hands on confidential data. “Many bank security officers have expressed to me concerns that they lost the battle against outsourcing a critical function. They made many very good arguments, but could not get past the cost issues. To me the issue is not India or any other outsourcing hotspots, the problem lies with the company doing the outsourcing, in that they forget that they need to manage the outsourcing arrangement, develop robust contracts and service level agreements. I think the problems can be just as severe when outsourcing across the street, although global outsourcing problems make much better press.”
Werner stresses that the threat of security breaches forces some banks to restrict which parts of the business are outsourced. “This (outsourcing) is in fact a very valid concern and in some cases, banks are forced to restrict outsourcing activities to within country borders. In other cases, they may outsource management of IT and storage systems to low-cost regions, while keeping the storage systems hosting the data in-country. For the same reasons there’s an increasing focus on encrypting data at rest, and data in transit in some cases, to make sure that data, if it should fall into the wrong hands, is useless.”
Occasionally, potential security breaches can be laid firmly at the door of the banks themselves. In September Chase Card Services dumped tapes containing customer account details in a landfill site. Around 2.6 million customers were affected by the bungle. Also late last year several UK high street banks were accused of putting account details in bin bags for the refuse collectors to remove. These isolated incidents grab headlines, but more importantly they highlight the need to properly dispose of bank paperwork and virtual data.
Despite this, Reavis suggests that hacking is still perhaps the primary concern for the institutions. He also argues that not enough data is protected through encryption. “The concern I have is that we don’t move quickly enough to counteract threats brought on by new hacking techniques that are able to subvert traditional information defences. One basic concern I have is that banks don’t do enough encrypting of data.
“All mobile computers, all backup tapes and many other system areas need to be encrypted. When data is actually being used by an application, it is more difficult to keep it encrypted, but any time a file is not being used, it should be safely stored in an ‘encrypted container’.” He adds: “Another big concern I have is that many of the security flaws we are seeing today are occurring in the web server application logic. Many e-banking sites of financial institutions have web application problems that could be exploited by criminals, they just haven’t been discovered yet.”
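Both Werner’s point about encrypting data at rest so that it is useless if it falls into the wrong hands, and Reavis’s call for files that are not in use to sit in an “encrypted container”, come down to the same building block: authenticated encryption with a key that lives somewhere other than the tape or laptop. The Go program below is an added example written for this article, not code from ISSA, SNIA or any bank; the container layout (a `FSTC` magic tag, version byte, clear-text file name, nonce, then AES-GCM ciphertext and tag) is constructed here for illustration, and the 256-bit key is assumed to come from a key-management system rather than being stored beside the container. The clear-text header is bound into the authentication tag as associated data, so a container that has been renamed, downgraded, truncated or had a byte of ciphertext flipped fails to open, and a backup tape or lost laptop holding only the container yields nothing without the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout (not a real product format):
//   magic(4) | version(1) | nameLen(2, big-endian) | name | nonce(12) | ciphertext+tag
const (
	magic   = "FSTC"
	version = byte(1)
)

// newKey stands in for a key fetched from a key-management system; the key
// must never be written next to the container it protects.
func newKey() []byte {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

// buildHeader serialises the clear-text metadata that will be authenticated.
func buildHeader(name string) ([]byte, error) {
	if len(name) > 0xFFFF {
		return nil, errors.New("file name too long")
	}
	var n [2]byte
	binary.BigEndian.PutUint16(n[:], uint16(len(name)))
	h := make([]byte, 0, 7+len(name))
	h = append(h, magic...)
	h = append(h, version)
	h = append(h, n[:]...)
	h = append(h, name...)
	return h, nil
}

// parseHeader validates the fixed fields and splits header from payload.
func parseHeader(c []byte) (header []byte, name string, rest []byte, err error) {
	if len(c) < 7 || string(c[:4]) != magic || c[4] != version {
		return nil, "", nil, errors.New("not a supported container")
	}
	n := int(binary.BigEndian.Uint16(c[5:7]))
	if len(c) < 7+n {
		return nil, "", nil, errors.New("container truncated")
	}
	return c[:7+n], string(c[7 : 7+n]), c[7+n:], nil
}

// seal encrypts plaintext into a container; the header is passed as associated
// data so it is authenticated even though it is stored in the clear.
func seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	header, err := buildHeader(name)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per container
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, header...), nonce...)
	return aead.Seal(out, nonce, plaintext, header), nil
}

// open authenticates and decrypts a container, returning the stored name and
// plaintext. Any modification of header or ciphertext is reported as an error.
func open(key, c []byte) (string, []byte, error) {
	header, name, rest, err := parseHeader(c)
	if err != nil {
		return "", nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", nil, err
	}
	if len(rest) < aead.NonceSize()+aead.Overhead() {
		return "", nil, errors.New("container truncated")
	}
	nonce, ct := rest[:aead.NonceSize()], rest[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, header)
	if err != nil {
		return "", nil, errors.New("container failed authentication")
	}
	return name, pt, nil
}

func main() {
	key := newKey() // constructed: in practice fetched from a KMS
	c, err := seal(key, "statement.pdf", []byte("constructed statement contents"))
	if err != nil {
		panic(err)
	}
	name, pt, err := open(key, c)
	fmt.Printf("opened %q: %q (err=%v)\n", name, pt, err)
	c[len(c)-1] ^= 1 // flip one ciphertext byte, as a corrupted tape would
	_, _, err = open(key, c)
	fmt.Println("after tampering:", err)
}
```

The design choice worth noting is that the file name sits in the header in the clear but is still covered by the tag: an attacker holding the tape can read names, which may itself be a leak worth encrypting in some settings, but cannot swap one customer’s container for another’s without detection.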