Compliance By Computer

The governance, risk and compliance monster has two heads: identification and execution. Beset by security and regulatory burdens, financial institutions want to make these two heads one by mapping fast-changing risk and compliance mandates to their information technology networks so that updates securing the integrity of systems and workstations can happen more rapidly and more reliably.

However, the innovation that accomplishes this is just starting to come out of the lab.

"Closely linking GRC with the automated updates to endpoints is still very new for the tech industry," says Chris McClean, a senior analyst at Forrester Research.

There have long been systems that help banks identify legal and security exposures in databases and networks. But much of the work required to update computers and other workstations to accommodate these changes, such as deployment of new software, patches or upgrades, has been done separately from the identification of risk or compliance changes. In some cases it is still done manually.

"There are a set of GRC companies that have very good capabilities for managing compliance and risk problems," McClean says. "But it takes a lot of integration work to push those controls out automatically."

Most experts say automating GRC end to end (from server to endpoint) is probably the only way to manage security, compliance and other risks facing financial institutions, particularly larger money-center banks. Executing on that concept, however, is difficult.

"It's hard to get data across business lines, even product lines within the same kind of business," says Nancy Atkinson, a senior analyst at Aite. You need an architecture that can link internal bank systems with external vendor solutions, she says. "It's then possible to get pretty granular."

Here is a summary of emerging GRC technology from companies that target the financial industry. In most cases the technology is designed to detect security threats and changes in compliance and reporting mandates, and allow these changes to be integrated with the bank's IT network or at least to be accessible by chief risk officers. "It makes risk management much less about blocking and tackling. Blocking and tackling are very important to GRC, but the banking industry leaders are now looking at the right way to bring their security providers together so they can see on a continuous basis the risk to their enterprise," says Michael Versace, a research director at IDC Financial Insights.

Juniper: John Moore, a director in Juniper's financial services division, says server virtualization and mobile banking have added new complexities to GRC.

While server virtualization can reap many benefits in terms of use and energy management, the act of provisioning server space makes security and compliance more difficult. That's because the server space running a particular activity can change depending on the bank's larger IT capacity needs, which makes securing individual servers or ensuring their compliance with Sarbanes-Oxley and other regulations a moving target.

"When you move virtual machines around, the way in which people secure data centers has to change," Moore says. "Firms have put firewalls around check-clearing applications, or around wire transfers. But with virtualization those applications are no longer in a specific server but are in a virtual environment."

Juniper's GRC products include vGW, a gateway that secures traffic between virtual machines. It's a hypervisor-based virtual firewall that protects virtual machine traffic within virtualized data centers and clouds. Another product, Pulse, is installed on mobile phones and laptops. Pulse is an endpoint software platform that provides secure socket layer virtual private network (SSL VPN) connectivity, network-access security and application acceleration through a single interface. "As the user logs into the system, either at home or in a public network, different security policies are automatically applied in concert with the bank's policies," Moore says. Pulse is delivered as a SaaS-hosted (software as a service) offering. It is designed not only to lower costs, but also to enable banks and service providers to address the "bring your own device" trend of employees using their own gadgets.

The firm also offers Mobile Security Suite for smartphones, tablets and other mobile devices running a range of mobile operating systems. It protects these systems, such as Apple iOS, Google Android, Research In Motion's BlackBerry, Microsoft Windows Mobile and Nokia Symbian, from viruses, malware, loss or theft.

Juniper's recent financial client wins include Standard Chartered Bank. The bank, which would not make an executive available for an interview, is using Juniper's Virtual Chassis fabric technology, which enables up to 10 interconnected EX4200 switches. These network-access switches have duplexed uplinks to Juniper Networks EX8208 core network switches, which form a 10-gigabit Ethernet mesh that includes the bank's data center switches. The deployment is enabling Standard Chartered to employ a uniform, centrally managed GRC framework that is designed to reduce complexity and cost for managing and executing upgrades across the bank's network.

Enterasys: In a written statement provided to BTN, Enterasys said its network approach to compliance maps GRC to the IT infrastructure and network security, with the goal of protecting sensitive data from unauthorized access or modification and ensuring that the data is available to authorized users when needed.

The company recently introduced Enterasys OneFabric, a unified network fabric purpose-built to deliver business applications. OneFabric Security provides visibility, enforcement, threat detection and automated responses across wired, wireless, physical and virtual servers, and the converged environment of data, voice and video. OneFabric consists of products such as Enterasys SIEM, Enterasys NAC, OneFabric Control Center (network management), and Enterasys Intrusion Prevention System (IPS). The last has two components: Host Intrusion Detection (HIDS) and Enterasys Distributed IPS. Distributed IPS is designed to cut attacks short and prevent them: it identifies a threat or security event, pinpoints the physical source of the event, and mitigates the threat automatically according to the bank's policy.

Enterasys recently increased the granularity of its network-access controls to include location (switch, port, SSID or wireless network), time of day, the user's authenticated role (RBAC), authentication method, device type and OS type. The technology is also designed to provide these services for staff-owned devices (the "Bring Your Own Device," or BYOD, trend). Enterasys' NAC can automatically scan for device/OS types (iPhone, iPad, BlackBerry, Android, Windows 7, for instance) on the bank's network, and it enables the IT department to give privately owned devices different network access than managed corporate devices.

McAfee: McAfee offers a range of risk and security compliance products. These include solutions for application control, change reconciliation, configuration control, database activity monitoring, and vulnerability assessment delivered as SaaS.

"A great deal of the response" to the flagging of a security or compliance risk can be automated, says Dave Anderson, a senior director and solutions manager for McAfee. It's possible for CROs and other executives to use dashboard technology to digitize the GRC process. "Now with the push of a button, the exec can open an executive dashboard that tells them where they are at a point in time in terms of what controls are put in place and what needs to be done," he says.

Symantec: Symantec's Control Compliance Suite has been updated to include security content automation protocol (SCAP) support; consolidated dashboard views across security and compliance; a centralized evidence collection and management system; and an integration with data loss prevention designed to help banks know where their most critical data resides, so they can ensure that the IT assets holding it comply with security and regulatory protocols. The suite also enables banks to detect vulnerabilities in Web applications, databases, servers and other network devices and prioritizes them for remediation.

ForeScout: ForeScout provides automated security control solutions to financial institutions and government organizations. In September it rolled out an integration with HP ArcSight that connects the ForeScout NAC platform to the HP ArcSight ESM product so that customers can react faster to security threats and compliance mandates. ForeScout and ArcSight cooperated to connect their products using the HP ArcSight CEF (common event format) Connector, Model Import Connector and rules-based response. All this is an attempt to make the connection between a threat or compliance mandate and the execution of updates to end users faster and more seamless. The combined product includes a single administrative console, network-access control, endpoint security intelligence, automated remediation and mitigation, and mobile security.

Scott Gordon, vice president of marketing for ForeScout, said that for managed devices, such as an employee's notebook, there are often instances where client security software is not up to date, misconfigured, disabled or not present. Additional risks include zero-day attacks and blended attacks.

ForeScout provides real-time information about the compliance status of endpoint devices (whether they are patched and antivirus is running, and whether the device is a smartphone), whether systems are configured properly, and the users on the network (whether a user is known or unknown). Following predefined institutional rules, ForeScout can identify and automatically fix endpoint security issues without disrupting the user, such as activating a disabled client, changing the settings of a personal firewall or moving an infected system to a quarantine VLAN.
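The posture checks and rule-driven remediation described for ForeScout, plus the CEF hand-off to a SIEM such as ArcSight mentioned earlier, as an added illustration that is not ForeScout's or ArcSight's code. Endpoint field names, rule thresholds, the "ExampleNAC" vendor string and the VLAN name are assumptions; only the CEF line layout (header fields separated by `|`, then `key=value` extensions) follows the published format.

```python
from dataclasses import dataclass

# Constructed posture record, modelled on the checks the article lists
# (patched? AV running? device type? user known?). Field names are assumptions.
@dataclass
class Endpoint:
    host: str
    ip: str
    device_type: str        # e.g. "laptop" or "smartphone"
    user_known: bool
    patched: bool
    av_running: bool
    infected: bool = False

QUARANTINE_VLAN = "vlan-quarantine"   # placeholder name, not a real bank setting

def assess(ep):
    """Return (CEF severity 0-10, remediation actions) for one endpoint.
    The rules mirror the article's examples: re-activate a disabled AV
    client, move an infected system to a VLAN, keep unknown users out."""
    actions, severity = [], 0
    if ep.infected:
        actions.append(f"move {ep.host} to {QUARANTINE_VLAN}")
        severity = max(severity, 9)
    if not ep.user_known:
        actions.append(f"restrict {ep.host} to guest access")
        severity = max(severity, 7)
    if not ep.av_running and ep.device_type != "smartphone":
        actions.append(f"activate AV client on {ep.host}")
        severity = max(severity, 5)
    if not ep.patched:
        actions.append(f"schedule patch deployment for {ep.host}")
        severity = max(severity, 4)
    return severity, actions

def _esc_header(s):          # CEF header fields escape backslash and pipe
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(s):             # CEF extension values escape backslash and equals
    return s.replace("\\", "\\\\").replace("=", "\\=")

def to_cef(ep, severity, actions):
    """Serialise a failed assessment as one CEF line; None when compliant."""
    if not actions:
        return None
    header = "|".join(_esc_header(f) for f in
                      ["CEF:0", "ExampleNAC", "Posture", "1.0", "posture-fail",
                       "Endpoint posture violation", str(severity)])
    ext = {"dvchost": ep.host, "src": ep.ip, "msg": "; ".join(actions),
           "cs1Label": "deviceType", "cs1": ep.device_type}
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
```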

"When you talk about the size and scale, and the [big-bank] mergers and acquisitions that have been done over the years, the complexity and scope of GRC is so vast," says Trevor Gee, a principal at Deloitte Consulting. "Keeping those networks connected involves managing hundreds of thousands of endpoints, whether it's circuits or devices."

As difficult as that is, Gee says automating the location, anticipation and response is crucial. "The problem with GRC has been banks putting a control process in place with very little automation," and manual assessment of compliance and security risk, followed by response, isn't fast enough, he says. "Just when you thought the network monitoring was taken care of, we read regularly about banks still getting hacked."
