Pennsylvania CU Finds Layered Approach Is Best Security Strategy

Register now

Atlantic Credit Union could soon be known as the Alcatraz of credit union information security.

"We're confident that our security configuration will be as secure as can be," said David Reis, vice president of IT at the $279-million CU. "Our layered approach provides us our best chance at achieving security, confidentiality, integrity and availability, or CIA."

The "layered" approach to network security is a concept piloted by Atlantic in cooperation with SecureWorks, an Atlanta-based Internet security service company.

"Think of it as that old arcade game, Pong, where there were different layers to break through," Reis explained. "Here, we're using three different products to verify the blocking action of each."

Cloaking Devices

As far as the technologies that support CIA, Atlantic is cloaked by two network-based intrusion prevention systems (NIPS), which were bolstered last month by a managed firewall, Reis said.

And there's third-party e-mail scanning for both content and viruses, all before messages are delivered to Atlantic's virus software-protected PCs and servers.

Topping off the configuration is the "crown jewel," of the security web-a managed, host-based intrusion prevention system (HIPS) installed in January, Reis said.

Whereas NIPS and firewalls are par for the course for most CUs, these perimeter levels of security can't handle attacks that originate inside the network. Internal attacks are often derived from encrypted traffic, unwitting business partners, dial-up Internet connections or roaming laptops.

HIPS augments Atlantic's firewalls, anti-virus software and NIPS by sitting on the mission-critical Internet banking server.

The "crown jewel" focuses on behavior, not attack activity, occurring between software applications and the server. In a nutshell, HIPS identifies illegitimate server requests, and thus can neutralize potential damage from worms such as NIMDA.

Examining Every Interaction

"The host-based product looks at each individual interaction between each user and the Internet banking server, every time," Reis said.

SecureWorks provides HIPS via Cisco's Okena StormWatch product and the firewall via Cisco's PIX.

Atlantic has used SecureWorks' iSensor product for NIPS since 2001.

Despite its layered front against hackers, Reis still worries about information security. "You're never at ease with security," he said.

Reis worries most about unwitting threats from independent contractors. "Increasingly, we're vulnerable from our business partners." For example, credit unions would bear the brunt of the responsibility for identity theft if member data were stolen from PCs belonging to business partners.

The 33,000-member CU has addressed the threat in part by installing another iSensor on its Virtual Private Network (VPN). "The second iSensor sees decrypted traffic behind the VPN," he said. "We can now validate our strategic business partners on the VPN."

All in all, Reis said that Atlantic enjoys "a comfort level now that we didn't used to have. We know a lot more than we used to. That's huge."

CUJ Resources

For more info:

* Atlantic CU at

* SecureWorks at

For reprint and licensing requests for this article, click here.