Friday, February 10, 2012
Google  
Web voicendata.com
  RSS | Archive    
 Home > V&D PLUS > Bank Networks: Security is Business
  V&D PLUS
Bank Networks: Security is Business
And the only full-proof approach is that banks put a holistic security system to work
Ravi Shekhar Pandey
Monday, August 19, 2002

The advancements in communication technologies, more than anything else, have influenced the way banks conduct their business today. While globalization certainly has been the other major catalyst of change, in many ways globalization itself has been facilitated by communications technologies like the Internet. Moreover, if globalization, more specifically its by-products like deregulation and competition, has encouraged or forced banks to offer newer and better services, communication technologies have helped them offer those services more efficiently and to a larger number of people, sometimes across national boundaries.

The increasing use of communication technologies, however, has its side effects too—banks, which have always been exposed to various kinds of security threats, have become more vulnerable to threats from diverse and often unknown sources. And this vulnerability increases by the day as banks keep getting connected to new customers and partners through public networks like the Internet. In fact, in many ways the network itself becomes the business. It is in this context that network and information security becomes as critical as the network itself.

Tools That Can Make Bank Networks and Information secure

Public key infrastructure
Strong two-factor authentication
Integrity checking software 
File/disk level encryption
E-mail security
Web page access controls
Types of Attacks
Types of Attacks
Denial-of-service
Virus
Insider net abuse
Unauthorized access
Theft of proprietary information
Financial fraud
Sabotage
System penetration

Why Security Is Important
While Internet banking is still in its infancy in India, banks are surely getting networked to enhance operational efficiency and serve customers faster and better. This essentially means that they are building networks to run business-critical applications and interconnect branches throwing up several security challenges. Today, banks in India are predominantly using leased lines from BSNL and VSATs to connect their branches. Many banks use VPN and IPSec tunnels created on these networks. The private nature of most of the bank networks may make them less vulnerable than an Internet banking network. However, with more and more devices and channels (ranging from ATMs, teller systems in newly ‘wired’ branches, and e-mail systems to connections to online financial hubs) being connected to bank networks even these private networks could be at risk. As Michael Payne of Cisco Systems puts it, "Indian banks face some unique challenges, particularly in the explosion of locations and devices that are being connected to relatively new networks. The projected increase in the number of ATMs and connected or ‘wired’ branches will pose some challenges for the network and application administrators."

V. Mohan
head, IT Infrastructure Services 
NCR Corporation India
To improve security, we need a layered approach of security controls. The controls are presented step by step to manage and mitigate various threats. 

Adoption of Web technologies enabling organizations and customers to interact and transact with banks has increased the complexity of applications and networks. "Increased levels of outsourcing and greater demands being placed on application and network infrastructures now demand that banks take a more holistic and proactive view towards their information security policies and practices," urges Payne.

Banks need security, points out Vaidyanathan Iyer, national manager, security solutions, Computer Associates, to ensure that transactional integrity and protect the privacy of customers’ non-pubic information, to detect and check ATM/credit card frauds and money laundering, protect asset information and regulate access to internally sensitive data.

Where Are the Threats Coming From?
A bank network is vulnerable to both internal and external attacks. Some of the widely prevalent security threats in the financial sector are denial-of-service, virus, insider net abuse, unauthorized access, theft of proprietary information, financial fraud, sabotage, and system penetration. Apart from external agents, even employees of a bank carry out many of these threats. Some of these threats, if executed, could even mean complete loss of credibility and thus the competitive edge. Anurag Srivastava, chief technology officer, Wipro Infotech, observes that in today’s environment, a major threat that any networked bank could face would be from a denial-of-service perspective. "Most of the attacks that are targeted are causing denial-of-service, and thereby disruption of service," he says.

WAKE UP TO SECURITY THREATS
Network connectivity and security should be seen as one
A bank network is vulnerable to both internal and external attacks; rival banks can run down unsecured networks
The need to address those security concerns holistically has not been felt yet
Designing a network and information security policy is as important as deploying a network

"Banking systems with their volumes of data and opportunity for theft are a natural attraction to hackers. By installing direct transaction servers, online banks have in effect opened the door for customers and hackers to confidential internal networks," Suresh Srinivasan, GM, enterprise networking solutions, Ramco Systems, points out.

But Have Indian Banks Realized All This?
Network managers at most of the Indian banks are usually aware of the kind of security threats their networks could be facing. Many banks, mainly MNCs, private banks and some public sector banks, have gone in for security audits, defining security policies, and deployments of security tools. The RBI guidelines on security have also resulted in banks becoming stricter in evaluation of security techniques.

Michael Payne
Cisco Systems
As banks modernize applications, they need to test the security of systems individually and see how the systems interact within the bank as also externally. 

RBI guidelines have ensured that security spending would be a key focus area of the IT budgets of banks. A comprehensive security assessment and user acceptance test is a part of the security deployment procedure. This is reviewed on a periodic basis.

However, the need to address security concerns holistically has not been felt yet by a majority of the Indian banks. Most banks, barring the foreign ones, do not seem to care much about security.

Swapan Johri
busines head , (enterprise networks) HCL Comnet
Although Indian banks are slowly realizing the importance of security, but the fact remains that none has a  comprehensive security system in place,” 

There are many reasons cited for this. The most common excuse made is that the Indian banks, barring foreign banks operating in the country or a couple of private ones, have begun networking or going online only recently. As such, they should be given some time before they think about security. It appears they are either too engrossed in the process of building the network or too enamored by its pros that they have little time to think of the cons of not implementing adequate security. The current approach seems to be—let the networks be in place first, security can come later. While connectivity, the foundation on which any network runs, has been recognized as a critical component of the modern banking business, network and information security is yet to get that recognition. One reason for this may be the fact that connectivity and security are seen as two different things. At the most, at this point, many banks appear to believe that putting up tools like firewall and encryption would make their networks adequately secure. This is best reflected in the fact that most of the tenders put out by various banks inviting bids for building their networks talk only of firewalls or sometimes encryption.

Dr Anurag Srivastava 
CTO, Wipro Infotech
A common mistake that banks commit is that they treat security policy definition, implementation and compliance as three independent activities. 

Then there are others who are sure they do not really face any threat and therefore cannot justify putting up a security system that could be a costly affair. Among other things, this is also because of the fact that banks often do not have any clue when it comes to calculating RoI on security. "Even though Indian banks are slowly realizing the importance of security, the fact remains that not a single Indian bank has a comprehensive security system in place," claims Swapan Johri, HCL Comnet. As someone driving the security business of the leading network integrator, Johri often finds it difficult to convince banks why implementing an adequate security mechanism is as important as deploying and running a network. "Even the large private sector banks that have set up networks are not going into detail as far as security is concerned," Lt Col HS Bedi, MD, Tulip IT Services, the Delhi-based network integration company, observes.

N Rajendran
Assistant Professor, IDRBT
It would be premature to comment on network security in Indian banks as networking is beginning to happen only now. 

However, N Rajendran, an assistant professor with Institute for Development and Research in Banking Technology (IDRBT), is of the view that it would be premature to comment on the security of bank networks in India, given the fact that networking is happening only now. "Banks are designing policies and some have implemented them too," he says. IDBRT has been closely involved in helping Indian banks design and implement security systems.

What Banks Need To Do?
It is true that networking is just beginning to happen in Indian banks. As such, except for a few, most of the Indian banks are neither hooked on to a wide area network nor transacting business on the Internet. It is argued that all this makes them less vulnerable largely because of the fact that they are not connected to the outside world to be prone to hacker attacks or denial-of-service attacks. It would be pertinent here to emphasize that banks also face a major threat from internal sources. The ability to control users on the network is a key challenge and given the increasing technology-savvy employee base, exercising control over them and their activities is challenging. Growing computerization makes them more vulnerable to cyber warriors and data thieves. A 1997 presidential commission on the US defense identified insiders as ‘the most persistent security threat’ to banking and finance. Terrorists known as ‘sleepers’ could get jobs at banks, where they could embezzle or destroy data.

It is because of this that designing a network and information security policy is as important as deploying a network. It is immaterial whether that network is a LAN or a WAN, and whether it is connected to the Internet or not. Whatever the case, a bank needs to have a dynamic network and information security policy in place as the very foundation of its security system. A policy-based security implementation should go along with the deployment of network. Of course, the scale of security deployed would always depend on the size and nature of the network.

Once a policy is in place, it must be ensured that it is implemented. "Most of the banks miss a bigger picture when it comes to security. IT security is not just installing security gadgets but a process by itself. Any security outlook for an organization calls for three things—probing, protecting and policing," Ariya Parasamanesh of NCR emphasizes. Parasamanesh says that many of the banks already have a security policy developed by some vendors and themselves, but they do not have a methodology to ensure that these policy recommendations are implemented correctly and these policies are regularly monitored. "We have seen banks spending millions of rupees in identifying the probable vulnerabilities and develop a thorough security policy but fail to implement these policies," he says.

Vaidyanathan Iyer
National manager, (e-security Solutions) Computer Associates
Security is an ongoing exercise. One has to be always alert. Today’s solutions need not work tomorrow, as the sinister side is also innovative. 

CA’s Vaidyanathan Iyer makes an interesting observation. He observes that since the first computer networks were deployed, financial institutions have focused almost exclusively on protecting against technology threats, instead of helping to solve business issues. "However, security is much more than a network protection issue—it must help the institution to achieve its business goals of providing more online services to a growing number of customers and increasing secure transactions with other banks and organizations," he says. He points outs that the solution lies in an integrated approach that effectively manages security threats by addressing three key challenges—access management, identity management, and threat management.

What Vaidyanathan says cannot be possible unless the top management is involved in the implementation and management of security. The impetus for a security policy must come from the top. "Senior managers must make it clear that an essential part of the bank’s success will come through the proper and best use of information. They should stress that information needs to be properly managed and protected and that senior management will be actively involved in drawing up a security policy to do this," emphasizes Suresh Srinivasan of Ramco Systems.

Suresh Srinivasan
GM (enterprise networking solutions), Ramco Systems
Security mechanisms are not enough to secure e-com Web servers when used alone. In the new Internet model, OS security is prime. 

Management needs to make the policy reflect the ethics and philosophy of the company and to show staff that the board is committed to making it work. They also should make it clear that they expect everyone in the company to share this commitment. In many companies, the IT department does formulating and managing the security policy. This approach can create a number of problems. First, the IT department’s view of security may not necessarily reflect what senior management would want. And second, if IT staff has to implement and enforce the policy, it can put them in a very difficult position. Other staff may simply not recognize that they have the authority to dictate to them and may refuse to cooperate.

Security policies have a number of human, financial and legal consequences. Because of this, great care needs to be taken in formulating particular policies, in creating the standards that will actually carry out the policies, and in presenting that information to staff.

Cisco’s Payne stresses on the need for addressing security from a systems point of view rather than from a products point of view. "Many banks will have an attack, go purchase new products, and then suffer a new attack. The banks need to plan for security as a whole solution, not just a bunch of boxes," he says.

Most banks usually have three separate departments. The first is the networking team, which is usually in charge of the network hardware. They are told to make it fast and cheap. The next team is the applications team, which is in charge of the banking software. They are told to make it fast and simple. The last team is the security team, which is in charge of the firewalls, and other security devices. They are told if anyone breaks in, then they might lose their jobs. "Such approach does not work. You have three independent groups, all with conflicting goals and agendas working to deploy banking," Payne observes and suggests that the bank management should combine these teams to work together to provide a balanced solution.

Lt Col HS Bedi
Managing director, Tulip IT Services
Banks look at connectivity and security as separate aspects. It’s important that they are planned together.

NCR, which has decades of experience in design, implementation and consultancy of security for enterprise networks, states that effective security management practice can be characterized by the preservation of the standard information security services. These would include confidentiality (ensures that applications and data are accessible to only the users intended and authorized to have access), integrity (guarantees the accuracy of the data) availability (ensures that authorized users have access to applications and the data when required), authentication (guarantees that the application users are who they claim to be) and non-repudiation (proves that the originator of the data and user of the application did perform the transaction).

Implementing a comprehensive security system does not always mean costly investment in fancy tools and technologies. Many a time what could work is simply the proper management of existing resources from a security perspective. Investments in tools and technologies should be made depending on vulnerability assessment and the threat perception.

The key message that banks need to lap up is that they should first have a security policy in place, then implement it vigorously in detail and integrate that policy into their business goals. And to successfully achieve all this, the top management must be involved and business managers must be encouraged to realize the importance of security.

Ravi Shekhar Pandey

Page(s)   1  

Print Comment Email DiggDigg DeliciousDel.icio.us RedittReddit
LAN-Telephony: Hassle-free Communication
VOIP - Solutions: Go for Convergence
Case Study: A Tryst with Convergence
 

Subscribe to our Newsletter
Name:
Email Address:




 

Current Issue
Click here to book your copy now






Your Opinion Matters

Does cloud computing cast a cloud on the future of IT professionals?

Is your Accounts Payable Solution working for you? Think Again…

   CIOL Services
IT News | IT Jobs | IT Outsourcing | IT Shopping
 



  For Voice&Data Print Subscription
  [ Magazine Subscription ]  [ Contact Info ]  [ Media Kit ]
 
Other CyberMedia web sites
[Dataquest]  [PCQuest]  [CIOL]  [Living Digital]  [CMR India]
[DQ Channels]  [The DQweek]  [CyberMedia Events]
[CyberMedia Digital]  [Cyber Astro]  [CyberMedia India]
[Global Services]  [BioSpectrum]  [BioSpectrum Asia]  [DARE]
[Computer Shopper]   [College Buying Guide]   [Technology Review

CyberMedia India Ltd

 
  Copyright © CMIL. All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.
Usage of this web site is subject to terms and conditions.
Broken links? Problems with site? Send email to webmaster@ciol.com