Virginia Commerce Bank's network firewall is like a tug of war: the protected network is on one side, but a workforce increasingly reliant on mobility, remote access and use of personal technology for work is on the other.
"There's a lot of risk with remote access in general," says Sharon Moynihan, senior vice president of IT and process improvement for the $3 billion asset bank, which serves an area of Virginia near Washington, D.C. "Our sales force spends less time in the office than they do in the field, and we are exposed to risk for data loss. They need laptops or smartphones, and they are also using personal devices, which poses a risk."
Like a lot of banks, Virginia Commerce is allowing staff to use their own technology for limited work purposes because of added user comfort with their own devices and the expediency of providing more remote access to more workers faster.
"We can give them a bank-issued smartphone," Moynihan says. "But from a staff perspective, that's limiting. Someone may want a certain phone, or a certain type of laptop."
To respond to an increase in virtual private network (VPN) access and "bring your own device" (BYOD) mobile and PC technology, the bank is deploying a downloadable web shield that isolates the connection between the user's device and the bank from infections or vulnerabilities that may reside on the device and could expose data to theft or loss.
At the same time, the protective shield also governs which apps on the public cloud or behind the firewall a user can access. Beyond the user's access privileges, access is determined by what device he or she is using (e.g., a personal iPhone) and where the connection is being made (e.g., over a wireless network).
The downloadable software is provided by IronKey, a firm that provides enterprise-level data loss protection for internal and remote workstations.
IronKey has updated its Trusted Access enterprise service to accommodate BYOD and software as a service/cloud delivered technology by providing a virtualized workspace that isolates web access in a downloadable application with policy-enforced data protection, access controls and updates. It also includes a "trusted network" that secures the connection to Cisco virtual private networks with out-of-band authentication, content controls and integrated network security.
Moynihan says this allows a risk-based approach to access that lets the bank limit access based on the risk of the work session. "In the past I could only give users remote access to all of the applications that were in our office," she says. "Now we can pick and choose what they have access to remotely."
The downloadable security software will also save money for the bank by replacing the cost of securing the actual devices with the license fee. The bank had planned to purchase new endpoints and supporting network, management and security software and services. Such an investment would have cost the bank about $1,500 per device.