SEP 1, 2006 1:00am ET

Cover Story

Roving Trouble
The use of handheld devices in financial services increased by 80 percent over the past two years. The freedom to work remotely can increase employee productivity, but there's a downside: Securing email access to corporate server-based accounts and providing remote access to corporate networks and Web-based email is harder than ever.

Workers are more mobile than ever before, and they must be in today's 24/7 business environment. Whether it's from a laptop, cell phone or PDA, and whether that employee is sitting at home, in a car, at a client's, or in Starbucks, the need for these employees to access the corporate network and the Internet grows every year. Wireless connectivity has fast moved from a novelty to a must-have tool for conducting business.

But a growing worry among financial services executives is the security of these devices. To what extent are they vulnerable to hackers, theft, viruses, Trojans or insider abuse, and how can a firm manage their security? Their concerns are well grounded.

Alan Paller, director of research at the SANS Institute, a computer-security organization, says "most organizations secure it by not allowing people to use it - or they accept the risk. Not a lot of people have figured it out yet." The two best ways to break into a bank are both wireless-related, he says: either sneak into a building and plug a mobile device into a port, or sit in the bank's parking lot and get in through the wireless network. "Hundreds of thousands of credit-card numbers were stolen this way," he says, though he could not disclose the name of the institution.

According to a survey conducted by FierceWireless-Bluefire Wireless Security this year, more than 80 percent of financial services respondents said their organization's use of handheld devices had increased over the past two years. Meanwhile, 87 percent said they were concerned about the security of email access to corporate server-based accounts and of remote access to corporate networks, and 85 percent said that access to Web-based email had become a significant security concern.

As to specific wireless security concerns, more than 60 percent said their top-ranked worries are viruses or attacks on the corporate network, and the security of data during transmission over wireless or cellular networks. Loss or theft of wireless devices ranked a distant third, with about 50 percent of financial services executives indicating a concern, despite the recent high-profile cases of lost laptops with sensitive customer data.

"A year ago, the chief security concerns revolved around the potential loss or theft of smart phones and wireless devices, but the results of the [survey] clearly paint a very different ... story," says Mark Komisky, CEO of Bluefire Security. "As enterprises increasingly are using wireless devices to create and transmit new data and to access the most sensitive information sitting on their corporate servers, the risks are much greater."

Analysts agree that the mobile device security challenge is a formidable one, and that many institutions have a long way to go. Bob Egan, director of emerging technologies at TowerGroup, says that "in general, the industry is backward from where it needs to go. Throughout the financial services industry, executives are stepping back into the future, acting as if mobile device access is an extension to their existing remote access policies (e.g. working from a home office PC). But smart phones and PDAs offer significant new variables on a number of fronts," given their ubiquity, storage capacity and ability to tap the Web.

"It's a bit of a scary world," says Bill Clark, a research vp at Gartner. "There's not much you have to do to take a PDA or smart phone for personal use and sync it up with a network. There are tens of millions of unprotected mobile devices out there."

Brian Mitchell, VP of technology controls for the investment bank at JPMorgan, says that mobile devices pose two broad challenges. The first is that, by nature, the enterprise does not have physical control of the devices as with PCs, making it a challenge to check and update configurations and software. "In the field, anything can happen, through loss, theft or the employee making changes," he says.

The second challenge, Mitchell says, is the employee's relationship with the device. Even if the bank owns the device, employees tend to take a more personal ownership of their phone, PDA or laptop than their office PC, "and so they may choose to do things with the device that they wouldn't do with a desktop PC, such as downloading software [which can harbor viruses or malware]. Since it's not always connected to the network, our control over it is limited."

Given this, it's probably not surprising that about half of banks "have been hesitant to implement wireless support, given their conservative nature," says Jacob Jegher, a senior analyst with Celent.

Take for instance Julie McLacken, IT security officer at First American Bank/Alabama National, who says simply, "we haven't opened up that can of worms." And Kirk Drake, VP of technology at NIH Federal Credit Union, says that the bank permits wireless access on-site to the Internet, but it does not allow wireless access to the corporate network. "I don't think the risk/reward is anything we'll want to mess with anytime soon," he says. "Wireless devices on the network just invite more regulatory scrutiny around security." Both FIs use PortAuthority to monitor wireline data-leak prevention.

But barring mobile access is untenable in the long term, says Jegher, who opines that "in a couple of years, banks won't have a choice; that'll be the trend over the next five years. You'll need a wireless policy in place. Eventually mobile-device security will catch up with you and you'll have to integrate it. It'll become part of your life." Komisky says a bank client with 250,000 employees has recently gone through this evolution, at first wanting to prevent any wireless access to the network. Now, however, it is opening its corporate email to wireless devices.

However, Drake's concern about drawing unwanted regulatory scrutiny is well taken. Richard Gibbons, a former SEC/NYSE regulator now with QUMAS, a compliance-solution vendor, says the SEC is clearly watching wireless communications in the financial services industry intently, on guard that institutions do not permit the kind of loose information and disinformation that would have a deleterious impact on the integrity of the industry and the welfare of investors.

Adds Gibbons, "It's a daunting task and a big issue for financial institutions," particularly in material misstatements and omissions of facts when dealing with retail customers. "You can't be with employees all the time, so you have to train them and hope they do the right thing all the time," he says.

The task is complicated by the SEC disinclination to get too specific when it comes to framing misbehavior and solutions. "Regulators do tend to be less than forthcoming. We used to have a saying, 'The more you endorse, the less you can enforce.' But it behooves you to have rigorous policies and procedures in place, since regulators will cite control weaknesses with the same vehemence as actual violations."

In other words the security around mobile devices is not just a competitive issue - i.e., not wanting to lose data to competitors, malicious insiders or hackers; it's also a compliance issue, since mobile devices constitute a communication between financial institutions and their partners and customers. Despite the significance of the problem, analysts also say it's not surprising that many IT groups are just getting around to addressing it. "With all the compliance issues and investment IT has made in having a customer view, they haven't really approached the problem of the laptop, except to say, 'I'm going to encrypt it,'" says Egan.

So what are some of the possible solutions? And what's wrong with simply encrypting data on laptops? As Adrian Lane, CTO of IPLocks, a database security vendor, puts it: "The number of ways for information to leave an organization is mind-boggling; there's almost no way to combat it. But the data has no value if it can't be accessed."

There's no question that encryption can be a good way to protect data, but it can make it very difficult for authorized users to use the data quickly and efficiently. The main problem, analysts say, is that encryption relies on the user having a keycard at the ready, which can be lost, and encryption can make it awkward and time consuming to access discrete pieces of data in a very large database. For instance, a mobile worker in a bank's investment arm might just need three or four data points on a particular company to execute a trade in a hurry. The need to download and decrypt a large database would slow down the process and could result in lost business.

Banks that are committed to mobile access for their workers are turning to virtual private networks that encrypt the whole session. While there are split and non-split VPNs, most banks, including JPMorgan, choose non-split VPNs to prevent an open channel between the corporate network and the wider Internet. What's more, VPNs can scan the device for trouble each time it hooks to the VPN, in case the employee has downloaded malware from the Internet. "The moment someone connects to the VPN we can scan for spyware," says Mitchell. "We can automatically do a push to the devices, and disable the VPN if we need to. Our VPN does not allow general connectivity to the Internet when connected to the corporate network [i.e. no split tunnel configuration]. So even if someone is connected from a public WiFi, the connection is protected through host based firewalls and the VPN tunnel."
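The split versus non-split distinction Mitchell describes is visible in a laptop's routing table: in a full (non-split) tunnel every destination outside the VPN's own subnet is reached through the tunnel interface, while in a split tunnel only the corporate subnets go through it and general Internet traffic leaves via the local network. The following is an added example, not code from the article or from any vendor it names; it parses `ip route`-style output (constructed sample tables, with the tunnel interface assumed to be `tun0`) and classifies the configuration. It also handles the `0.0.0.0/1` plus `128.0.0.0/1` pair that some VPN clients push instead of replacing the default route.

```python
import ipaddress
import re

# Constructed sample routing tables (not captured from any real system).
# Split tunnel: only the corporate 10.20.0.0/16 range goes through tun0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.7
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# Full tunnel: the two /1 routes override the DHCP default route for all
# destinations; the /32 host route to the VPN server itself stays on wlan0.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.7
203.0.113.5 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# No VPN at all: only the local network.
NO_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Return a list of (network, interface) pairs from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, m.group("dev")))
    return routes


def longest_match_dev(routes, ip):
    """Interface the kernel would pick for `ip`: the most specific matching prefix."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def tunnel_mode(text, vpn_dev="tun0"):
    """Classify a routing table as 'full', 'split' or 'none' with respect to vpn_dev.

    Probe addresses are constructed; one sits below 128.0.0.0 and one above so
    that a pair of /1 routes is treated the same as a replaced default route.
    """
    routes = parse_routes(text)
    if not any(dev == vpn_dev for _, dev in routes):
        return "none"
    probes = ["100.64.0.1", "203.0.113.9"]
    via_vpn = [longest_match_dev(routes, p) == vpn_dev for p in probes]
    return "full" if all(via_vpn) else "split"


if __name__ == "__main__":
    for name, table in [("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES), ("none", NO_TUNNEL_ROUTES)]:
        print(f"{name:5s} sample -> {tunnel_mode(table)}")
```

Run against a live machine, the same check would be fed the output of `ip route` (or the equivalent on another OS); a posture agent can refuse to release the corporate tunnel until `tunnel_mode` returns `"full"`.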

With all these measures (hard disk encryption, host-based firewalls, spyware and virus detection and protection, no split-tunnel VPNs), "we have done everything to reduce and all but eliminate the risk of inappropriate data disclosure," he says. "But nothing is 100 percent. The key thing would be to have better security out of the box, so we don't always have to issue patches. That would be nirvana."

As important as encryption and VPNs are, analysts argue that many financial institutions still need a new mindset on mobile security. According to Egan, financial institutions have three main challenges: realizing that old policies and technologies on remote access to the network are not sufficient for mobile devices; understanding that the mobility of data (data in motion versus data at rest) means the perimeter is no longer the device, but the data itself; and putting procedures in place that inspect and protect institutional data.

Institutions should be thinking less about locks and keys and more about information mobility when devising these procedures, Egan says. "Bigger and better locks seem to energize bigger and better lock pickers." Instead, he says, institutions should be thinking in terms of: Where is the data, who should have it, and for how long? For example, a bank might grant access to certain customer accounts for a specific amount of time. Or it might have procedures that respond when a teller, who usually accesses five or six accounts a day, suddenly accesses 100.
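Egan's teller example is a per-user baseline check: count the distinct accounts each user touches per day, and alert when a day is far out of line with that user's own history. The code below is an added example and is not from the article or from any vendor mentioned in it. The audit-log format and the thresholds (five times the user's median daily count, with an absolute floor of 20 accounts) are assumptions, and the log lines are constructed to mirror the scenario in the text: one teller who views five or six accounts a day and then 100.

```python
import re
import statistics
from collections import defaultdict
from datetime import date, timedelta


def build_sample_log():
    """Constructed audit log (not real data).

    teller17 views 5 or 6 distinct accounts per day for a week, then 100 on the
    eighth day; teller22 views 6 every day as a control.
    """
    lines = []
    start = date(2006, 8, 21)
    for d in range(7):
        day = start + timedelta(days=d)
        for i in range(5 + d % 2):
            lines.append(f"{day} 09:{i:02d}:00 user=teller17 action=account_view acct=ACCT-{1000 + d * 10 + i}")
    day = start + timedelta(days=7)
    for i in range(100):
        lines.append(f"{day} 10:{i % 60:02d}:00 user=teller17 action=account_view acct=ACCT-{5000 + i}")
    for d in range(8):
        day = start + timedelta(days=d)
        for i in range(6):
            lines.append(f"{day} 11:{i:02d}:00 user=teller22 action=account_view acct=ACCT-{7000 + d * 10 + i}")
    return lines


# Assumed log format: "<date> <time> user=<id> action=account_view acct=<id>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ user=(?P<user>\S+) action=account_view acct=(?P<acct>\S+)"
)


def daily_distinct_accounts(lines):
    """Map user -> {day -> number of distinct accounts viewed that day}."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[(m.group("user"), m.group("day"))].add(m.group("acct"))
    per_user = defaultdict(dict)
    for (user, day), accts in seen.items():
        per_user[user][day] = len(accts)
    return per_user


def find_anomalies(per_user, ratio=5.0, min_count=20, min_history=3):
    """Return (user, day, count, baseline) for days whose distinct-account count
    exceeds ratio x the median of that user's earlier days and the absolute floor.

    Using the median rather than the mean keeps one earlier spike from
    inflating the baseline; min_history avoids alerting on brand-new users.
    """
    alerts = []
    for user, counts in per_user.items():
        days = sorted(counts)
        for i, day in enumerate(days):
            history = [counts[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline = statistics.median(history)
            if counts[day] >= min_count and counts[day] > ratio * baseline:
                alerts.append((user, day, counts[day], baseline))
    return alerts


if __name__ == "__main__":
    for user, day, count, baseline in find_anomalies(daily_distinct_accounts(build_sample_log())):
        print(f"ALERT {user} on {day}: {count} distinct accounts (median so far {baseline})")
```

The same structure carries over to the time-boxed access Egan also mentions: the baseline becomes the set of accounts a user was granted for a window, and any view outside that set or after the window's end is the alert condition.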

The problem with such holistic mobile device security solutions espoused by Egan and others is they require a clear view of all employees and their mobile devices, as well as where the network can be accessed. Most institutions simply do not have that level of organization. Analysts say that a safeguard as basic as turning off unused USB ports so that they are not surreptitiously accessed is beyond the capabilities of most organizations.

It's these rogue access points, and the fact that companies are not aware of all of them and cannot detect them, that is the big problem, says Johannes Ullrich, CTO for the Internet Storm Center, which is affiliated with SANS. Besides turning off unused USB ports and network jacks where possible, another strategy is installing wireless sniffers to see if someone is infiltrating the network. The trouble with this technology, particularly in high-density office buildings, is distinguishing between different companies' networks.

Even if a financial institution goes as far as to choose a mobile-security software solution and mandate that it be present on a mobile device to dock with a laptop or touch the corporate network, there are so many different kinds of mobile devices that it's difficult to track which employee has what; yet to create a foolproof system a company would need to account for each device. "The biggest challenge for banks is each system (a laptop, Blackberry, etc.) is different," says Murray Mazer, co-founder of Lumigent, a database security vendor.

Adding yet another challenge for even the best organized financial institutions is the sheer volume of mobile access to track and change as people change jobs, not to mention the cost. Lumigent, which says it works with three of the country's five top commercial banks, says that one of those banks manages 30,000 account changes per year at an average cost of $200 to $300 to reset each account. That's $6 million to $9 million per year. "Some of our clients say they are six months behind," says Mazer. It's no wonder, he says, that "managing user access for transitional users is one of the top IT weaknesses that people are being written up for by auditors and regulators."

(c) 2006 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com