Bank outsources security to the cloud: service provider option reduces costs, provides technology flexibility and covers compliance requirements.
Ken Emerson was concerned. As director of strategic planning and CIO of Boiling Springs
An SAS 70 Type II is a specialized audit that verifies a company's operational and internal controls over the processing of user transactions. Boiling Springs Savings Bank had the choice of engaging an independent firm to conduct a review, at the bank's expense, or of doing business with a company that already had one in place. At the time, Emerson was working with an ISP that had security offerings but did not have an SAS review in place.
Boiling Springs, a $1.1-billion thrift with 14 locations in northeastern New Jersey and the people on its IT staff, also needed to engage an independent firm to conduct an annual penetration test of its networking environment. In addition, the bank wanted increased protection for its entire network infrastructure from the ever-growing occurrence of IT security threats and to minimize risk to its business.
Emerson decided to embrace a security-in-the-cloud approach, working with managed security services provider (MSSP) Perimeter Internetworking to meet these requirements.
"Security in the cloud makes a lot of sense for us," says Emerson. "The security game is one of constant catch-up to stay ahead of the latest threat or compliance requirement, and outsourcing is a good solution to this. Our security-in-the-cloud provider has experts on staff that have to think like thieves and prepare for the worst."
For Emerson, convincing the bank's management and board that this was the best solution was not hard to do.
"We could show benefits clearly," he comments. "We saved on full-time staff costs, security technology and network integration costs, and on the required penetration tests. We easily met the SAS and FDIC examination requirements, showing a positive ROI on this investment. Our board quickly bought in on the concept of having security in the cloud in place as an insurance policy."
Emerson considered traditional MSSP solutions involving CPE (customer premises equipment) monitoring as alternatives to the security-in-the-cloud approach.
After evaluating them, he decided that their services became out of date too rapidly. He found that with these alternatives he would still have to provide the staff time to install and maintain the CPE and then weed out false positives. The provider also did not fulfill his requirement for an SAS 70 Type II review or meet any other compliance requirements.
"We selected Perimeter because they had been examined by the FDIC, had conducted their own SAS 70 Type II audit and because they did their own penetration tests," Emerson says. "Because I use service bureaus, there was a concern that someone could get into my network. So we were looking for a more complete, overall network security solution."
The bank connects to Perimeter for all of its inbound and outbound traffic. Perimeter filters the bank's data traffic and returns clean bits in both directions. Using its Business Aware Infrastructure, Perimeter sets up policies and assesses risks based on the importance of various elements of the bank's business, not the technologies used in its network.
The bank has centralized network configuration, with a dedicated frame relay connection to Perimeter from its headquarters. In a hub-and-spoke architecture, each branch also has a dedicated frame connection to Rutherford. The bank also opted to use Perimeter as its ISP and had Perimeter implement a secure VPN tunnel for it rather than a direct connection into the security infrastructure.
Boiling Springs implemented Perimeter's intrusion-detection services, including network IDS, VPN remote access, secure Web hosting, spam filtering, hosted e-mail, IP masking and reporting features. Perimeter also provides the bank with multilayered Check Point firewalls and signature-based, anomaly-based and behavioral intrusion-detection and intrusion-prevention services to detect aberrant behavior and guard against professional hackers. This includes spam filtering, and a third level of defense for spyware, Trojans, viruses and worms. In addition, the bank outsourced its e-mail, e-mail archiving and Web site to Perimeter, and is using Perimeter's gateway e-mail defense and antivirus.
The bank uses Web content filtering to stay on top of employee utilization of the Internet. It receives real-time reports from Perimeter showing employee activity on the Internet.
"One of the benefits of using their IDS system is the ability to monitor the performance of our various data pipelines," Emerson comments. "This enabled us to identify and exclude points of possible congestion impacting network performance."
Access to this security utility infrastructure provides the bank with access to a broader range of security technologies. It can take advantage of a layered security defense because it does not have to standardize on a single technology.
Emerson estimates that the bank saved approximately $20,000 per year on Perimeter's services compared to hiring an IT security expert and engaging independent firms to conduct the penetration tests.
"There is no way that any but the largest of banks or businesses could afford to build this type of world-class Fortune 500 infrastructure, plus three shifts worth of trained security experts," he adds.
For more information from Perimeter Internetworking: www.rsleads.com/512cn-256
RELATED ARTICLE: How to work with an MSSP.
Managing the growing list of security threats facing organizations today can be difficult, time consuming and expensive. Unwanted spam, computer viruses, spyware or sophisticated phishing scams all have the potential to seriously impact business continuity and compromise an organization's intellectual property. Additionally, organizations need to be more sensitive to how data is transmitted, to ensure compliance with industry regulation and privacy law.
Today, managed security service providers (MSSPs) are available to help implement hosted solutions-to identify and stop threatening or uncontrolled content. Traditionally, MSSPs deliver a range of network-based services and applications. Often viewed as a "hosted solution" or a type of outsourcing, focus areas can range from secure messaging solutions (spam, viruses and content control) to intrusion detection and firewall services. The one characteristic these services have in common is that they are performed outside the customer's network.
Among the possible benefits of using an MSSP are:
* flexibility and scalability;
* no effect on bandwidth, security or business continuity, since e-mail traffic is routed through the MSSP, where it is filtered of malicious content;
* little is required of the customer during the installation process, as these services are designed to leverage a customer's existing technology environment;
* customers do not need to worry about additional bandwidth costs, scalability challenges or business continuity;
* updates, upgrades and maintenance are all centrally managed by the MSSP.
With increased regulation, such as HIPAA or Sarbanes-Oxley, organizations also are turning to MSSPs for content-control services, designed to monitor inbound and outbound e-mail for confidential, offensive or sensitive data. This also protects organizations and their employees from being bombarded by inappropriate content (pornography) or from sending sensitive data by accident.
With content-control services, administrators set policies and rules to search for certain keywords and attachments as they pass through e-mail. Additionally, administrators can set policies to manage the attachment characteristics and monitor what documents are sent and received via e-mail. Inappropriate images can also be managed through a content-control service.
In most cases, administrators should have the opportunity to work with the MSSP to customize and tune the service. This ensures the solution is in line with business and technology goals, as well as company policy.
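The keyword-and-attachment policies described above, expressed as a small outbound-mail check. This is an added example using only the Python standard library, not MessageLabs or Perimeter code; the policy values and the sample message are constructed for illustration.

```python
from email import message_from_string

# Hypothetical policy values, as an administrator might configure them
POLICY = {"keywords": ("confidential", "account number", "ssn"),
          "blocked_extensions": (".exe", ".scr", ".js")}

def inspect_message(raw, policy=POLICY):
    """Return the list of policy violations found in an RFC 822 message string."""
    msg = message_from_string(raw)
    violations = []
    texts = [msg["Subject"] or ""]  # the subject is scanned like body text
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; walk() visits its children next
        filename = part.get_filename()
        if filename:
            if filename.lower().endswith(policy["blocked_extensions"]):
                violations.append(f"blocked attachment type: {filename}")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            texts.append(body.decode("utf-8", "replace"))
    for kw in policy["keywords"]:
        if any(kw in t.lower() for t in texts):
            violations.append(f"keyword match: {kw}")
    return violations

def decide(raw, policy=POLICY):
    """Map violations to an action: block, quarantine for review, or deliver."""
    violations = inspect_message(raw, policy)
    if any(v.startswith("blocked attachment") for v in violations):
        return "block", violations
    return ("quarantine" if violations else "deliver"), violations

# Constructed outbound message used to exercise the policy
SAMPLE = """From: teller@bank.example
Subject: Customer list
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Attached is the CONFIDENTIAL customer list with account numbers.
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="tool.exe"

not really an executable
--B--
"""
```

A quarantine outcome is what the tuning step in the text is for: the administrator reviews held messages and adjusts keywords so that routine mail is not held.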
Buyers that choose to adopt the managed services approach should expect to sign a service level agreement (SLA), a contract that details the performance criteria the MSSP will meet during the time period of the agreement. It also includes details on the customer's rights in the event a service fails. A buyer should have its legal counsel review the SLA before signing.
The cost of a hosted solution varies based on the type of service that is being provided. In most cases, the cost is based on a variation of time and the number of people using the service.
Buyers should consult third-party resources, including industry analysts who are experts in their respective market areas. Lastly, before making a final decision, request to speak with a customer reference of comparable size in a related industry for first-hand insight into their experience.
For more information from MessageLabs: www.rsleads.com/512cn-261
This article was provided by Mark Sunner, chief technology officer at MessageLabs, New York.