Financial Institution: First Tech Credit Union
Problem: Two credit unions — First Tech and Addison Avenue — were merging and needed to secure info.
Solution: The credit unions agreed on one data loss protection system for the combined entity.
First Tech Credit Union and Addison Avenue Federal Credit Union had a problem. They were about to engage in what would be the largest interstate credit union merger in U.S. history. Executives knew guarding against data leakage was a vital requirement to ensure smooth execution of the deal, to meet compliance demands and to maintain what they viewed as optimal security postures. But the two credit unions had different systems aimed at protecting sensitive documents and electronic communications.
Before the March 2010 merger announcement, during deal discussions, Addison, of Palo Alto, Calif., had secured any messages related to the transaction with the firm's data loss protection solution from Websense. As the merger progressed, it became obvious that a single data protection solution for the combined company would be in everyone's best interest. At the very least it would reduce complexity.
Information and security groups from each credit union jointly analyzed the functionality, usability and capabilities of their data security and secure Web gateway content filtering systems. Addison's Websense software came out on top.
"We felt that the Websense product was more robust and manageable," says Phil Romero, senior security architect at the now-merged institution, called First Tech Federal Credit Union, which has assets of $4.9 billion and 326,000 members.
Data loss protection solutions aim to prevent confidential data from being transmitted to unauthorized counterparties, whether through email, Web postings, file transfer, Internet-based chat or instant messaging. The tools typically work by identifying sensitive data through content analyses that involve keyword searching. Such documents can be "fingerprinted" or "watermarked," in which files are analyzed, then marked confidential, usually by keyword or contextual database queries with hash marks (sets of letters or numbers) that identify documents as sensitive. Secure Web gateway solutions are site blockers that filter out high-risk external Web content considered either malicious or inappropriate to the workplace. Most vendors focus solutions on one of the two disciplines, although some offer tools that seek both to protect from data leaks and block websites.
Romero would not say what systems First Tech, of Beaverton, Ore., used. Press releases say First Tech used a data loss protection solution from Code Green Networks, known for offering integration with Blue Coat's Web-filtering tools. Code Green did not return requests for comment. Blue Coat did not comment.
After the March 2010 merger announcement, Addison deployed Websense's data loss protection tool, the Data Security Suite, from April through November to secure 50,000 merger-related emails through AES encryption. The messages sent between Addison, First Tech and West Monroe Partners, the Chicago consulting firm advising the credit unions, were all password-protected. Addison had used DSS and Websense's Web security gateway since 2007. "Before there was public knowledge, there was internal senior management knowledge of the merger activity," Romero explained. "So we configured our system to ensure every one of those messages sent to anyone at FirstTechCU.com went through secure transport." Websense's data loss protection also protected file transfers as the merger progressed.
Romero says executives decided in the third quarter of 2010 that the combined entity would adopt Websense's data loss protection software and its Web security gateway. Since January, these tools have been offered through what Websense calls Triton, which the San Diego vendor describes as a content security solution with Web, data and email security. Those features have since April been manageable with a single login. First Tech FCU uses Websense's data loss protection and secure Web gateway tools with Triton's unified security module.
Vendors of products for data loss protection and secure Web gateway that made both Gartner's most recent Magic Quadrant lists include McAfee, Symantec, Trend Micro and Websense. A thorough list of top DLP-focused vendors, according to August research from the Gartner Magic Quadrant authors Eric Ouellet and Rob McMillan, includes CA Technologies, Code Green Networks, Fidelis Security Systems, GTB Technologies, Palisade Systems, McAfee, EMC's RSA, Safend, Symantec, Trend Micro, Trustwave, Verdasys and Websense. Ouellet and McMillan estimate the average enterprise DLP deal at $350,000 to $800,000. Gartner's Lawrence Orans and Peter Firstbrook published a list of top secure Web gateways in May. Those said to have either at least basic data loss protection capabilities or partnerships were Actiance, Barracuda, Blue Coat, Cisco, Clearswift, M86, McAfee, Optenet, Safenet, Sangfor, Sophos, Symantec, Trend Micro, Websense and Zscaler.
