Network Security: Breaking Down the Firewall—on Purpose

John Meakin just might be the face of the future for banking network security. If that’s so, don’t look to the industrious software cocoons of Silicon Valley and New York for answers. Look to a bustling port southeast of Beijing.

It’s here where Standard Chartered Bank, a London-based firm with $120 billion in assets, recently put the final touches on its most important venture of the last year: the Tianjin data hub and call center. This is ground zero for the firm’s new renminbi operations in the People’s Republic. Meakin, the firm’s group head of information security, and his team oversaw the technology requirements for the call center and signed off on the entire build, which connected the new local Chinese operation to the firm’s existing Hong Kong centers.

Meakin, a former physicist, is an outspoken advocate for tearing down walls, for the de-perimeterization of network security. This is the notion that contemporary large-scale enterprises—increasingly amorphous, de-centralized structures with outsourced operations, ad-hoc employees and armies of consultants—can no longer contain their entire data networks behind secured barriers. The firewalls have too many holes and the network borders are too blurry. Security must be moved to the data level, to the packet level—and networks thrown open to the wide world.

Putting aside the firewalls at a time when hacking has grown into a professional, well-funded enterprise is a radical notion, and it’s been a subject of fierce debate in data security circles in recent years. Now it’s coming into the mainstream. In Meakin the banking industry has a sharp, motivated researcher on the front lines to show whether the ideas really work.

Last year Standard Chartered became one of the first banks ever to gain a charter to incorporate as a local business in mainland China. This means being one of the first foreign institutions allowed to set up retail banking operations on a local level, trading in local currency. It also meant creating data security in the middle of the world’s largest malware factory. “That part is business as usual...with a few hairy bits,” says the affable Meakin, over the phone from London. Meakin’s firm is the model for the far-flung, inherently decentralized, cross-border bank: it’s a very old retail firm based in London, but does most of its business in Asia. Its data centers are in London, Hong Kong, Kuala Lumpur, Singapore and Chennai, India; it faces geographical and socio-economic obstacles in its business from one side of the world to the other.

“The traditional model is saying the data only goes on my network because I know my network is secure, wherever it is. We can’t afford that any more,” Meakin says. “Equally, there’s the approach that says the data can go all sorts of places, but only because I’ve been there first and checked the place out—that is saying data can only exist on bank laptops that the banks build themselves. The real shift is taking the pains to protect the data on the data level. Then wherever the data goes, whether it’s on your network or going to a laptop that’s been transported to an out-of-the-way place and goes down a VPN tunnel—you can guarantee the data is always secure if you’ve really done the job at the data level.”

This is very much a work in progress—it remains to be seen what “security at the data level” actually looks like. And though the rallying cry is around pulling down firewalls they’re not quite gone yet. “It’s about having thinner firewalls,” he says.

The firm turns to QualysGuard for network mapping, for vulnerability scanning and reporting, and for scanning the configuration of workstations. There is monitoring software at the endpoint. The concept is to move away from prevention toward detection. But he’s confident enough already in the bank’s security at the data level to take some actions. In the China build-out last year that meant putting thinner security shells around the network connections, more quickly and at lower cost. “If you take the traditional approach, you’d be forced to put artificial constraints on the way the data center would use e-mail to liaise with the core business units,” he says. “The way forward is technologies which allow us to assign a value to the information each time the information is accessed and used. If you are a member of staff who’s accessing some data out of an application, and you’re about to e-mail it along or use internal instant-messaging capability to share that data, that staff member needs to be prompted if that information is of value. Once prompted, you want the ability to apply a security wrapper to that information so they can be sure it remains secure, from workstation to destination.”
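The wrapper Meakin describes, reduced to code as an added example. This is not Standard Chartered’s own system; the label fields, the AES-256-GCM construction, the in-memory key and the sample message are all assumptions made here. The point it shows is that the value assigned to the information at the moment of use is bound into an authenticated envelope: a relay on any network, the bank’s own or a telco’s, can read the label but cannot downgrade it or alter the content without the destination noticing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Label is the value assigned to the information at the moment of use.
// It rides with the data in the clear so relays can act on it, but it is
// bound into the authentication tag, so it cannot be changed in transit.
type Label struct {
	Classification string `json:"classification"` // public, internal, confidential (assumed scheme)
	Owner          string `json:"owner"`
	Recipient      string `json:"recipient"`
}

// Envelope is the wrapped object. Nothing about the path it takes
// (corporate LAN, partner network, public Internet) changes what protects it.
type Envelope struct {
	Label      Label  `json:"label"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// NeedsWrapper is the prompt-and-decide step: only public data may leave
// a workstation unwrapped.
func NeedsWrapper(l Label) bool {
	return l.Classification != "public"
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap seals plaintext under AES-256-GCM with the label as associated data.
func Wrap(key []byte, l Label, plaintext []byte) (*Envelope, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ad, err := json.Marshal(l) // deterministic: struct field order is fixed
	if err != nil {
		return nil, err
	}
	return &Envelope{Label: l, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, ad)}, nil
}

// Unwrap verifies label and content together; a change to either fails.
func Unwrap(key []byte, env *Envelope) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	ad, err := json.Marshal(env.Label)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, ad)
	if err != nil {
		return nil, errors.New("envelope rejected: label or content altered, or wrong key")
	}
	return pt, nil
}

func main() {
	// Constructed demo key. A real deployment would obtain a per-recipient
	// key from a key service, which this example does not model.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	label := Label{Classification: "confidential", Owner: "treasury-ops", Recipient: "tianjin-hub"}
	env, err := Wrap(key, label, []byte("settlement batch 17: 4 instructions")) // constructed message
	if err != nil {
		panic(err)
	}
	// Transport is just bytes; e-mail, IM or a partner's network all look the same.
	onTheWire, _ := json.Marshal(env)
	var received Envelope
	if err := json.Unmarshal(onTheWire, &received); err != nil {
		panic(err)
	}
	pt, err := Unwrap(key, &received)
	fmt.Printf("intact: %q (err=%v)\n", pt, err)
	// A relay that relabels the object as public is caught at the destination.
	received.Label.Classification = "public"
	_, err = Unwrap(key, &received)
	fmt.Println("after relabel:", err)
}
```

Running it prints the intact message first and then the rejection of the relabelled copy. What the example leaves out is key distribution: the destination can only open the envelope if it already holds the right key, and getting that key to the right party is the part of data-level protection this snippet does not solve.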

China has confronted Standard Chartered with challenges of speed and scale of growth, forcing the firm to use technology that is light and easy to deploy. But it’s a global issue. “The way business is done today means we can’t rely on a security model that says ‘it’s secure because it runs on my stuff,’” he says. “Why shouldn’t we use the Internet between our branches in China, for branch-to-branch and branch-to-head office communication? We need to guarantee reliability. But the security model we’re implementing would allow us to go off our own network—to remove our network if necessary.”

Another way to look at it is in the firm’s business ventures. Standard Chartered is working with mass retailers and telecommunications providers, in Indonesia for a start, where the bank enables remote financial services by using someone else’s network. “In essence, we’re saying value-bearing transactions which are on the bank are being carried off our network, passed through aggregating systems that are not ours, and being settled by virtue of having a high-level interconnection between our network and the telco,” Meakin says.

Meakin also points to some of his corporate fellow travelers, on the board of the Jericho Forum, a think tank and evangelizer for de-perimeterization. British Petroleum has taken some 18,000 of its 85,000 laptops from its local area networks and allowed them to connect directly to the Internet.

Paul Simmonds, a Jericho board member and chief information security officer of a FTSE 100 manufacturing firm, says the evolution of large enterprises demands changes in security thinking—you can’t put a big wall around something that no longer has borders. “The sheer number of third parties, consultants, external people—everyone from Accenture wanting to connect with your network, to auditors, to the person who manages a particular server—you name it. It’s an everyday thing, and it all requires connectivity,” Simmonds says. “It is a necessity for successful business operations.”

What does the end result look like? In Simmonds’ ideal world, it’s 400 sites on a corporate network, and 20 of them are primary sites—running SAP, Hyperion, or banking apps. Those primary sites live on a private network, paid for in order to guarantee traffic—the rest are on DSL lines. Professional ones, but DSL just the same, residing on Internet addresses. The corporate sites are exposed to the Internet, sitting behind thin firewalls that really only protect uptime, fending off vandals and script kiddies. “I’m going to allow any corporate-authenticated traffic free will, in and out of this Internet connection.” Still, this is only a concept. Simmonds hasn’t gone quite this far at his home base.

Dave Aitel, who’s chief technology officer at New York-based, attack-focused data security company Immunity, Inc. (a former NSA scientist, he also publishes the well-known DailyDave list), says it’s far too early to declare that the firewall has fallen. “The perimeter model is going to stay because it’s cheap and easy,” Aitel says. Also, it’s easier to cleanse network traffic if it all goes through a choke point. “Complete de-perimeterization is going to be a pipe dream,” he says. “Open networks would mean providing the Internet at your employee’s desk, running through that instead of your Intranet. I...don’t know what that means.”

Dan Geer, VP and chief scientist at security firm Verdasys and a longtime technology gadfly, isn’t quite sure about open networks but he does figure the perimeter is gone. Four years ago he penned “The Shrinking Perimeter: Making the Case for Data-Level Risk Management,” and he says when considering what an open network might look like, look not to what Meakin and Jericho are up to, but to the nation’s big universities.

“We don’t have a firewall,” Arlene Yetnikoff, director of information security at DePaul University and an IT security instructor at Chicago University, says cheerily. Actually, there are firewalls, just not where you’d expect them. “We don’t really have a perimeter. We have an Internet demarcation, a place where our last-owned piece of equipment stops and the ISP begins, but that’s not a meaningful place to put a heavy control.” Inside the demarcation are 26,000 students, 4,000 employees and guests of the university. The students all bring laptops or desktops from all over; they all get accounts on the portal to see grades, enroll for classes, pay for tuition. “We don’t own all the equipment that’s on our network. I don’t believe corporations own all the equipment on their network. They just have a harder time accepting this,” she says.
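If the demarcation is not the place for a heavy control, it is still the one place where everything an unowned machine sends to the Internet can be seen. The extrusion detection Yetnikoff describes in the next paragraph, as an added example rather than DePaul’s own tooling: the flow-record format, the 10.0.0.0/8 internal range, the thresholds and the sample records are all constructed here. It reads edge flow records, ignores inbound scanning (which she says she can do nothing about), and names the internal hosts that fan out to many external addresses or sweep ports on one, the machines she would shut off.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Flow is one edge record in an assumed export format, constructed for this
// example: "<RFC3339 time> <src ip> <dst ip> <dst port> <proto> <bytes>".
type Flow struct {
	Src, Dst string
	Port     int
	Proto    string
}

func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return Flow{}, fmt.Errorf("malformed flow record: %q", line)
	}
	port, err := strconv.Atoi(f[3])
	if err != nil {
		return Flow{}, err
	}
	return Flow{Src: f[1], Dst: f[2], Port: port, Proto: f[4]}, nil
}

type Verdict struct {
	Host   string
	Reason string
}

// Thresholds are assumed values; tune them to the site's normal fan-out.
type Thresholds struct {
	MaxDistinctHosts int
	MaxDistinctPorts int
}

// Extrude looks only at internal -> external traffic and flags internal
// sources whose behaviour looks like scanning or worm propagation.
func Extrude(lines []string, internal *net.IPNet, th Thresholds) ([]Verdict, error) {
	hosts := map[string]map[string]bool{} // src -> distinct external dst addresses
	ports := map[string]map[int]bool{}    // src -> distinct dst ports
	for _, ln := range lines {
		fl, err := ParseFlow(ln)
		if err != nil {
			return nil, err
		}
		src, dst := net.ParseIP(fl.Src), net.ParseIP(fl.Dst)
		if src == nil || dst == nil {
			return nil, fmt.Errorf("bad address in %q", ln)
		}
		// Inbound scans and internal-to-internal traffic are not the edge's problem here.
		if !internal.Contains(src) || internal.Contains(dst) {
			continue
		}
		if hosts[fl.Src] == nil {
			hosts[fl.Src] = map[string]bool{}
			ports[fl.Src] = map[int]bool{}
		}
		hosts[fl.Src][fl.Dst] = true
		ports[fl.Src][fl.Port] = true
	}
	var out []Verdict
	for h, d := range hosts {
		switch {
		case len(d) >= th.MaxDistinctHosts:
			out = append(out, Verdict{h, fmt.Sprintf("fan-out to %d external hosts", len(d))})
		case len(ports[h]) >= th.MaxDistinctPorts:
			out = append(out, Verdict{h, fmt.Sprintf("port sweep, %d distinct ports", len(ports[h]))})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Host < out[j].Host })
	return out, nil
}

// SampleFlows builds constructed records: one normal client, one SMB-probing
// host, one port sweeper, and an inbound scan that must be ignored.
func SampleFlows() []string {
	var s []string
	for i := 0; i < 6; i++ {
		s = append(s, fmt.Sprintf("2008-03-04T10:00:%02dZ 10.0.10.15 203.0.113.%d 443 tcp 4096", i, 1+i%2))
	}
	for i := 1; i <= 40; i++ {
		s = append(s, fmt.Sprintf("2008-03-04T10:01:%02dZ 10.0.22.7 203.0.113.%d 445 tcp 60", i%60, i))
	}
	for p := 20; p < 45; p++ {
		s = append(s, fmt.Sprintf("2008-03-04T10:02:%02dZ 10.0.5.9 198.51.100.8 %d tcp 44", p%60, p))
	}
	for i := 0; i < 30; i++ {
		s = append(s, fmt.Sprintf("2008-03-04T10:03:%02dZ 198.51.100.200 10.0.%d.1 22 tcp 40", i%60, i))
	}
	return s
}

func main() {
	_, internal, _ := net.ParseCIDR("10.0.0.0/8")
	verdicts, err := Extrude(SampleFlows(), internal, Thresholds{MaxDistinctHosts: 20, MaxDistinctPorts: 15})
	if err != nil {
		panic(err)
	}
	for _, v := range verdicts {
		fmt.Printf("quarantine %s: %s\n", v.Host, v.Reason)
	}
}
```

The output names two hosts to quarantine and says nothing about the external scanner or the ordinary web client. The rules are deliberately about behaviour, not identity: the control works the same whether the offending machine is a university-owned desktop or a student’s laptop, which is the whole point of a network that does not own its endpoints.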

Yetnikoff was a long-time IT and risk management expert at Arthur Andersen. Her concept is to put firewalls around production data centers and, at the place where DePaul stops and the Internet starts, to do extrusion detection, looking for misbehaving machines inside the demarcation. “I can’t even tell you how often our doors get rattled by people scanning us. There’s nothing I can do about the outside. But the inside, I can do something. I can immediately shut them off.”

(c) 2008 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com