By Mark Hyland, UK Country Manager, Fortinet
Financial services firms are revamping their strategy for better control and visibility on their IT security posture, lower costs and greater ability to enhance business functions
Despite the rampant risk-taking that investment banks often make the headlines for, the financial services community at large is a conservative user of IT. This applies to its information security strategy as well.
Today, however, many drivers are pushing banks to rethink their traditional network security practices and thus, their loyalty to historical vendors. More than ever, they need to find ways to improve security coverage, performance and visibility while meeting regulatory demands and reducing costs.
There is no denying that the traditional IT security model in the financial sector has reached its limits in guaranteeing the right levels of customer privacy and protection of their sensitive data. Indeed, as mobile devices proliferate, new threats emerge due to the adoption of Web and cloud-based applications, and bandwidth demand expands, banks have added numerous stand-alone security solutions over time to fix new security holes. This approach has resulted in an archaic deployment model, which has become cumbersome and costly to manage and maintain. In addition, the absence of an integrated IT security strategy has reduced banks’ visibility of their global security posture, making their protection from internal and external threats less effective.
Fraud, identity theft, spam, phishing and a host of other malicious Internet threats are increasing and becoming more sophisticated by the day. And, with more of the financial business going online, it has become urgent for banks to overhaul their IT security strategy.
Keeping up with the datacenter performance demand
Financial firms heavily depend on real-time data communications and today’s environment of high-speed transactions cannot be compromised by network performance failure or latency. This has resulted in big investments being made into datacenter network upgrades, with demand for high-end 10G, 40G, and even 100G ports outstripping the rest of the network equipment.
In the IT security context, more banks are now replacing their legacy firewalls – both to meet the higher throughput requirements driven by the adoption of Web-based applications and new technologies, and to tackle the growing number and complexity of threats. In doing so, they must adopt technologies that have minimal impact on network latency by permitting rapid deep packet inspection and content analysis, and avoiding a multiple point products approach that adds to latency.
Technologies based on the same source code optimize security performance by minimizing packet processing and eliminating redundant traffic processing, while being capable of scanning data for multi-vector threats and thus enabling complete content protection. In parallel, hardware acceleration of the security inspection process helps deliver the necessary power to detect malicious content at multi-Gigabit speeds. Co-processing hardware working with other general processors and accelerated interface modules enables the fast processing of routine network security and the acceleration of security functions, including content processing, IPS, application control and flow anti-virus inspection.
Security solutions based on one single source code and hardware acceleration will help deliver the levels of security, performance and low-latency required by today’s financial environment.
Complying without adding complexity
According to Deloitte’s 2010 Financial Services Global Security Study, regulatory and legislative compliance is ranked by financial institutions as one of their top five security initiatives. Banks, however, are challenged by the need to limit the overall cost of implementing compliance, which has been alarmingly high so far.
Achieving compliance is quite complex. Let’s take the example of PCI-DSS: despite its seemingly narrow focus on cardholder data protection, the standard spans most IT disciplines and skills, including the network, database, web applications, file systems and encryption. Multiply the number of requirements posed to the bank’s IT infrastructure by the number of compliance and market regulation rules (such as PCI-DSS, SOX, Basel II/III and GLBA), and it’s clear that banks have no choice but to automate and consolidate. Adopting solutions that simplify and unify their security architecture across every point of the network, including branch offices, ATM systems, and mobile endpoints, is the only way banks can dramatically lower risk exposure while limiting complexity and costs.
Getting control over the network for security visibility
On top of external Internet threats, financial firms are feeling more vulnerable to the inappropriate use of network resources, which beyond clogging up bandwidth with non-productive data, exposes them to risk of prosecution and litigation, fraud and theft.
According to Deloitte’s study, only 34% of financial services organizations are “very confident” in their ability to thwart attacks that originate internally.
While investments should be put in educating employees on best practices around the use of Web-based applications, data leak prevention, mobile devices’ vulnerabilities and others, granular security policy definition and enforcement down to the user level is a must. Banks therefore need to adopt IT security solutions that enable application control – recognizing traffic by application source and user, not just by port – as well as control of the various endpoints connected to the network.
Banks must also remember that the security issue does not end at the perimeter of their head office network. Their challenge is to implement and manage a security infrastructure that extends to hundreds of branch offices that may span the globe. The consolidation of network security appliances, through the integration of key security functions, virtualization and centralized system management all play an important role in improving flexibility and gaining complete visibility and control over the network. They also help fulfill compliance obligations and the regular infrastructure audits banks are subject to.
When defining their new network security strategy, financial firms should consequently look closely at management and reporting for effective control of their security deployment, whether it includes a few or thousands of appliances and security agents. Centralized policy-based provisioning, configuration, and update management from perimeter to endpoint security should all be part of their requirement list. In addition, centralized logging, analysis and reporting solutions providing a single view of banks’ network security in real time should be adopted for complete visibility of their security posture.
The end of the silo’d approach
The legacy of the best-of-breed IT security strategy adopted by financial firms for years now consumes huge amounts of money, resources and management time and is increasingly less able to provide the security effectiveness needed by their organizations. In fact, disparate security devices and operating systems come with multiple maintenance and support contracts, multiple upgrade and replacement schedules, multiple licensing obligations, multiple training programs and management resources. All of these add to the cost and complexity of banks’ security infrastructure and can seriously impact uptime, availability and performance.
Many financial firms have by now realized that they need to move towards a new strategic IT security model based on convergence and greater alignment to business needs. Only by shifting from their traditional focus of simply securing IT assets to protecting and enhancing business functions, adapting to a dynamic user environment, and sustaining manageability, can the IT departments of financial services firms streamline their security deployments, and improve their organization’s operations and ROI.