We recently talked about the growing demand for managed services for banks and credit unions in Part 1 of our blog – Managed Services for Banks & Credit Unions: Patch Management.
In this posting, we will discuss the different types of security challenges that financial institutions face today and the many security services options available to them. Parts 3 and 4 of this series will examine hosted applications and backup & disaster recovery solutions.
It may not make sense for every bank or credit union to control the entire managed services package. However, the ability to pick and choose a combination of services that fit their own unique needs allows them to have flexible and efficient operations.
Part 2: Security Services
As part of a full managed services offering, it is common to include security services, which may be in the form of “managed security” or a combination of intrusion detection and firewall configuration. There is no one-size-fits-all solution. Let’s take a look at a few examples below where we have helped our customers find successful security solutions, each unique to their particular needs, size and circumstances:
Case 1 – Small Three-branch Community Bank in a Rural Area
Being a very small institution, they do not have a lot of options for anything, and certainly cannot afford to spend a lot of money. Their telecom provider offers managed security services as part of the contract that includes the Multiprotocol Label Switching (MPLS) circuits. In this configuration, all traffic flows through the carrier, including Internet traffic, so that is a viable solution for this bank. The carrier manages the firewall and provides full service security monitoring at a very low price. The bank has very limited ability to configure the firewall and must submit a request to the carrier for any changes. The firewall strips out any detected malware, so it also serves as an additional protection to the antivirus software.
The difficulty the bank has is in managing the flow of Internet traffic. The carrier does not provide bandwidth throttling and so users that have been watching Netflix tend to slow down the network. While bandwidth monitoring is not strictly a security service, it is needed in cases where the bank chooses to let the carrier provide the managed security function.
Case 2 – Large Regional Community Bank with Multiple Locations
This large bank with multiple locations in a wide area also chose to use the telecom carrier for managed security services since they also provide the MPLS network services and the price was attractive. The setup was much the same, except that in this case it was more complex because there are multiple firewalls. Also, there are multiple paths to the Internet (primary and backup circuits), and the need to manage the bandwidth called for a solution. The bank decided that WebSense was the choice for that function, but there are other similar products.
Case 3 – A Ten-branch Urban Bank
This large bank chose to go with Dell SecureWorks because of their concerns for solid security management, and they did not want to abdicate that responsibility to their telecom carrier. The network configuration also did not lend itself to a carrier-based solution very well. Dell SecureWorks provides an appliance that sits between the router and firewall to watch all traffic. If a concern is detected, Dell SecureWorks’ Network Operations Center (NOC) will alert you that an anomaly occurred, but otherwise they handle all lockdowns without you having to do anything. Previously, the bank used an IDS/IPS (Intrusion Detection and Intrusion Prevention) appliance, but found that it was just too much work to keep it up to date and to review the reports frequently enough to satisfy themselves and the examiners that they were really paying attention.
Case 4 – Small One-branch Bank
This bank focused on email security and secure file sharing. Like most banks that run Exchange server in-house, it selected Zix. But as the bank considered moving to SilverSky for hosted email, they decided to opt for SilverSky’s security services as well – a simple decision. But this did not resolve the question of security for file sharing – the bank ultimately chose a secure file sharing system for the bank’s board of directors’ board portal that was useful as a general file sharing tool.
Case 5 – Large Community Bank
The bank felt that their security was locked down very well: they had experienced no problems and had gotten good remarks from the IT auditors. However, their website became a victim of a distributed denial of service (DDoS) attack that shut down the site for the better part of a day. Partnering with ATS for website management, including a DDoS prevention tool, the bank was able to avoid future attacks of this kind. Read more about three effective techniques to prevent DDoS targeting financial institutions.
In the course of conducting a penetration test for this same bank, we discovered that the bank’s website was vulnerable in ways that had previously gone undetected by their scan service. Since the scan service was simply scanning the IP addresses provided to them and generating an automated report to the bank, the bank was unaware of vulnerabilities that depend on knowing a combination of information about the bank’s sites. While exploitation was unlikely, the vulnerability exposed the bank to a determined hacker armed with too much information about the network and the hosting center.
- A comprehensive managed security service should include the use of a combination of vendors and tools, not just one thing. The pieces start with a good patch management program, which we discussed previously. To the extent you want to manage things yourself, you will need a solid firewall with a configuration that is checked and rechecked at every entry point into the network, plus a log analyzer system with intelligent filters to watch for patterns. For those who prefer to outsource this function, an outside vendor like SecureWorks can give good value and peace of mind.
- Email security and all other methods for moving data in and out of the bank must be examined, and good tools put in place (and kept up to date). Then the access rights and network access for users must follow an effective policy that is reviewed and validated by the Certified Chief Information Security Officer (CISO).
- All new hires and terminations must be done in accordance with a sound policy and process for giving and taking away access rights, including the core, all network access, email rights, VPN access, and of course mobile devices. The ability to wipe mobile devices is absolutely critical, but fortunately, products like AirWatch and MaaS360 help tremendously.
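One way to verify the last point, as an added example that is not part of the original post: compare HR's termination list against account exports from each system the list names (core, network, email, VPN, mobile device management). The export format, usernames and dates are constructed for illustration.

```python
from datetime import date

# Systems named in the list above; "mdm" stands for mobile device management.
SYSTEMS = ("core", "network", "email", "vpn", "mdm")

def find_orphaned_access(terminations, exports, as_of):
    """Return (user, system, days_since_termination) for every account that is
    still enabled after the user's HR termination date.

    terminations: {lowercase username: termination date}      (assumed format)
    exports:      {system: {username: enabled?}} per-system account export
    """
    findings = []
    for system in SYSTEMS:
        accounts = exports.get(system)
        if accounts is None:
            # No export means access in that system cannot be verified at all.
            findings.append(("*", system, None))
            continue
        for raw_user, enabled in accounts.items():
            user = raw_user.strip().lower()  # systems differ in username case
            term = terminations.get(user)
            if enabled and term is not None and term <= as_of:
                findings.append((user, system, (as_of - term).days))
    return sorted(findings, key=lambda f: (f[0], f[1]))

# Constructed sample data: two terminated employees, one current employee.
TERMINATIONS = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 3, 10)}
EXPORTS = {
    "core":    {"jdoe": False, "asmith": False, "bking": True},
    "network": {"JDoe": False, "asmith": True},
    "email":   {"jdoe": True, "asmith": False},
    "vpn":     {"jdoe": False, "asmith": False},
    # The "mdm" export is deliberately missing to show the unverified case.
}

if __name__ == "__main__":
    for user, system, days in find_orphaned_access(
            TERMINATIONS, EXPORTS, as_of=date(2024, 3, 15)):
        if days is None:
            print(f"[UNVERIFIED] no account export received for {system}")
        else:
            print(f"[ORPHANED] {user} still enabled in {system}, "
                  f"{days} days after termination")
```
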
It is easy to hire a company that provides all these services as part of your compliance solution, but the danger in following an all-in-one solution is that you abdicate control, and perhaps get lulled into a false sense of safety. You can assume that they are doing everything for you, but you still have to verify. And in most of the all-in-one compliance offerings, there are gaps between how your network is configured and how their services are set up. The phrase we often hear is “we don’t know what we don’t know.” If that is how you feel, start with a network assessment and security review to see where the gaps are.
Stay tuned for Part 3 in this Managed Services series: Hosted Applications.