Network Security: An Arkansas Bank Protects Communications Inside-out

A couple of years ago, good security meant a good firewall at the periphery of your network. Today, given the wide range of threats that are coming at financial institutions, both internal and external, that is no longer enough.

Instead of installing security appliances at key locations, forward-looking banks are turning their entire networks into security systems.

One such firm is Arkansas-based ANB Financial. Founded in 1994 and growing to $650 million in just over a decade, ANB has always been aggressive with new technology, being an early adopter of imaging, Internet banking, mobile ATMs and VoIP. And to stay ahead of the security curve, the bank's rolling out biometric ID. The biometric identification, such as a fingerprint scan, will be used in conjunction with another security measure such as a passcode or a keychain-sized security dongle.

Biometric IDs are part of an enterprisewide security overhaul that includes revamping the communications network to safeguard more than just the network's perimeter. The bank has installed a system from Enterasys Networks, with the help of VeriSource, its technology consulting partner.

The system, called the Enterasys Secure Network, consists of switches and security routers, as well as a central management console. The bank can manage its entire network from a single location, monitor usage, and detect abnormal behavior. The system covers about 250 workstations, twelve locations and over 250 users in Arkansas and Utah.

The switches, which help dictate which systems people can get to, were installed about six months ago. Bank employees, for example, will have a well-defined set of behaviors based on the needs of their jobs. "We call it 'least privilege'," says Cris Carter, the bank's svp of electronic data processing. "They only have access to certain programs and, within those programs, to only those aspects that they need to do their job. And that access is reviewed each year and locked down."

Part of the strategy is to combat the threat of internal sabotage, a problem that's growing even faster than external attacks. "By locking down the security on the internal network, it would reduce the possibility of someone physically getting onto one of the computers that they shouldn't have access to," says Don Goff, COO for VeriSource.

The bank was using internal detection, but wanted to beef it up to meet an increasing threat. For example, the Enterasys system is capable of intelligent behavior, learning and responding to new problems on the fly. "It's getting better and better as it learns the intricacies of our system," says Carter.

The fact that the security functions are distributed across the network means that it can pick up complex and hard-to-detect threats, says Enterasys CTO John Roese. "Almost all of the complex threats are very difficult to deal with with one device, in one place, with one function."

Distributing security functionality also lets threats be detected more quickly, he adds. "There's a linkage between the ability to detect incredibly complex security events and respond where the event is actually occurring, rather than at an aggregation point." The system can also respond automatically according to pre-set security rules and policies. That allows the technology to respond immediately by, say, quarantining the site of a suspected virus outbreak before it spreads.

These benefits are enhanced by a simple and intuitive interface, adds Nat Bothwell, ANB's evp for marketing. "A single platform means that you can manage it efficiently with a limited number of staff," he says. "That's one of the advantages."

The security upgrade is the latest project between ANB and VeriSource, which have a relationship that dates to 1996. At one point, VeriSource was a subsidiary of the bank, but was spun off. It handled the construction and maintenance of the bank's Web site and runs a help desk for the bank's desktops. It also handles other programming projects that might come up.

"They know the business in and out and they're capable and can explain the situation to us and do a very good job," Carter says. "From our perspective, being able to partner with someone like VeriSource has been the number one thing that I would advise."

The bank keeps some technology projects in-house, including a data processing department and a front-end Web site developer. "But for a mid-sized bank, a relationship similar to what ANB has with VeriSource could be a win-win situation," Bothwell says. "It gives us redundancy and a constant flow of expertise that we would not be able to afford, especially in the early days. We've been able to do more with less as a result."

Enterasys is one of several vendors that are working to embed security into communications networks. According to security consultant Nick Lippis, president of Lippis Consulting, Enterasys faces competition in the space from Cisco Systems, Nortel and Juniper. 3Com also bought a security company earlier this year, Austin-based TippingPoint Technologies, and is now integrating its software into its switches.

"Enterasys got security before security got really popular. They've invested in security technology at multiple levels within their product - in their chip sets, in their modules, and also in their software. They have distributed security features throughout," Lippis says.

(c) 2005 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
