Fintech, July 31 2005

Plugs for information leaks

The banking sector often needs to exchange confidential information as part of its routine business, which opens it up to potential fraud. Kris Sangani reports on security measures to prevent such disasters.

In June, more than 40 million Visa and Mastercard accounts were exposed to potential fraud when a security breach occurred at a third-party processor of payment card transactions. The breach, at the Tucson office of CardSystems Solutions, was the latest in a slew of reports of customer account information being leaked or stolen by a variety of ‘transport’ methods. Not only are these methods numerous, they are quick: with the cheap, high-capacity storage now commonplace, a large bank’s customer account database can be copied onto a portable device in minutes rather than days.

In all kinds of organisations, including banks, USB mass storage devices have replaced the floppy disk, which carried little more than a megabyte of information. Flash drives, iPods and other MP3 players can store anything from 16 megabytes to 60 gigabytes (for hard drive-based iPods), and they plug into any workstation with a USB port.

Additionally, your most valued employees will probably be carrying your most valuable information on their personal digital assistants (PDAs), such as Blackberries. Laptops are left unattended in bars or forgotten in the back of a taxi, allowing confidential information to fall into the wrong hands. The proliferation of wireless technology such as Wi-Fi and Bluetooth means that an attacker need only be within radio range (a few feet for Bluetooth, considerably further for Wi-Fi) to reach the folders of a laptop whose file sharing or wireless connection has been left unprotected.

Finally, let us not forget how easily information leaks through e-mail. Despite the horror stories and the advice not to put confidential information in e-mail or in unprotected Word documents, people still do it.

Security conscious

Banks are constantly exchanging sensitive information with one another. Because two completely separate organisations can often have completely incompatible security policies and systems, portability of both the format and the security policy is being seriously looked at and applied within banks, says Jay Heiser, a security analyst at Gartner.

“When information was based on paper records, there was a limit to how much an individual could copy by hand. That changed with the introduction of the Xerox machine. Today, banks are facing a greater threat,” he says.

So where are the cracks through which so much information can leak? According to Todd McLees, VP of international business at security and compression technology vendor PKWare, it is the volume processing of information that leads to the large breaches.

“The end-of-day processing that takes place, whether internally between the branch office and the head office or between banks, often happens in a batch and a variety of transports are used,” says Mr McLees.

The reality of business today is that corporate boundaries in the financial services sector are difficult to define, as most banks outsource a great deal of the day-to-day work they formerly did in-house. Besides call centres, this can include various back-office functions, so it is usual for confidential information to travel beyond the corporate perimeter. Control is therefore not only difficult to implement; even ownership of a document can be difficult to ascertain.

Banks generally have very stringent security controls on their networks. However, in the modern banking environment, where information has to travel beyond the corporate firewall, the network perimeter alone is clearly not enough, and another approach must be considered.

The answer appears to come from the music industry, which has embraced digital rights management by building it into the music files themselves. Enterprise rights management, as the corporate equivalent has been dubbed, builds fine-grained security policy into the actual document, so that the protection travels with the file rather than stopping at the firewall. This has the potential to mitigate the harm if information ends up in the wrong hands.

Importance of portability

The most important aspect of any document is that it has to be portable as banks deal with other banks, and the security policy has to be transportable with the document. It also has to be operable in vastly different corporate environments.

This is where the main document production vendors, such as Microsoft (with its Office products) and Adobe (via the Acrobat application) may benefit in this burgeoning market.

Most banks use Microsoft Office to produce documents, but a bank may decide that information should not be archived or transported in that format because it can be manipulated. This is why many banks prefer to transport and archive documents as Portable Document Format (PDF), which is becoming the standard format for archiving documents.

Microsoft Office and PDF – which is comprehensively supported and promoted by Adobe with its Acrobat Software – are the most common document formats within enterprises and banks are not bucking this trend. This is why Adobe and Microsoft are transforming themselves into serious contenders in the document security business.

Two years ago, Microsoft released a security technology that gives businesses more control over who can access documents and information stored on their computers: its Rights Management Services (RMS) package.

The focus of RMS is to secure data stored on corporate portals and intranets, and documents transmitted over the internet between companies. It has the potential to give banks tight control over the permissions that apply to their business documents and customer records. A protected document is encrypted when it is published; to open it, a user must obtain a use licence from the RMS server, which checks the user’s identity against the rights the author assigned before it releases the key. Essentially, Microsoft is putting the protection into the document itself.

Equally, Adobe is playing on the strengths of PDF: its platform independence, its portability and the fact that it preserves the integrity of the information very well. Adobe has added enterprise rights management features to PDF distillation (the process of converting a document to the PDF format).

Just like Microsoft, Adobe has beefed up the encryption capabilities of the document itself. Policies can be defined centrally to limit or time-out user access, prevent copying and pasting, and deny access to non-approved recipients.

However, if you want the advantages of both applications, you might want to look at a small Massachusetts company called Liquid Machines. Its product, Document Control 5.0, allows customers to use existing Microsoft Office 2000 and Office XP applications to view and modify RMS-protected documents created in Office 2003.

All these systems depend to a great extent on proprietary security implementations. However, as Pieter Kasseilman, senior research engineer at managed security services provider Cybertrust, points out, there are open standards that can be used to add security policies to documents, including Word and PDF documents.

“Most policy-based security systems, such as Microsoft’s and Adobe’s, use some type of PKI (public key infrastructure) which is invisible to the user,” says Mr Kasseilman, who believes banks should be wary about being locked into a particular vendor’s solution.
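The licence flow the article describes (a document sealed when it is published, a use licence that a server issues only after checking the recipient against the policy carried in the document, and a PKI doing the key handling out of the user’s sight) reduces to a small amount of code. The following is an added example in Go using only the standard library; it is not Microsoft’s, Adobe’s or PKWare’s code or file format. The Protected layout, the JSON policy, the bank-b.example identity and the one-line statement are all constructed for the example, and the licence server is assumed to have authenticated the user through the bank’s identity system before IssueLicence is called.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"slices"
	"time"
)

// Policy travels inside the document and is bound to the ciphertext as AES-GCM
// additional data, so nobody can loosen it without making the content key useless.
type Policy struct {
	Recipients []string  `json:"recipients"`
	Expires    time.Time `json:"expires"`
}

// Protected is the document with the protection built in (layout is this example's
// own, not a vendor's). WrappedKey is the content key under the licence server's RSA key.
type Protected struct {
	PolicyJSON, Nonce, Ciphertext, WrappedKey []byte
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 bytes; only a bug reaches the panic
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Protect runs at the publishing bank.
func Protect(plain []byte, pol Policy, server *rsa.PublicKey) (*Protected, error) {
	polJSON, err := json.Marshal(pol)
	if err != nil {
		return nil, err
	}
	kn := make([]byte, 32+12) // fresh AES-256 content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	key, nonce := kn[:32], kn[32:]
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, key, nil)
	if err != nil {
		return nil, err
	}
	ct := newGCM(key).Seal(nil, nonce, plain, polJSON)
	return &Protected{PolicyJSON: polJSON, Nonce: nonce, Ciphertext: ct, WrappedKey: wk}, nil
}

// IssueLicence runs at the licence server and returns the content key re-wrapped to
// the recipient's own RSA key. user is assumed to have been authenticated already.
func IssueLicence(doc *Protected, user string, userPub *rsa.PublicKey, now time.Time, server *rsa.PrivateKey) ([]byte, error) {
	var pol Policy
	if err := json.Unmarshal(doc.PolicyJSON, &pol); err != nil {
		return nil, err
	}
	if now.After(pol.Expires) {
		return nil, fmt.Errorf("access timed out at %s", pol.Expires.Format(time.RFC3339))
	}
	if !slices.Contains(pol.Recipients, user) {
		return nil, fmt.Errorf("%s is not an approved recipient", user)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server, doc.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, key, nil)
}

// Open runs on the recipient's workstation; GCM rejects a document whose policy is
// no longer the one the publisher sealed it under.
func Open(doc *Protected, licence []byte, userPriv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, userPriv, licence, nil)
	if err != nil {
		return nil, err
	}
	return newGCM(key).Open(nil, doc.Nonce, doc.Ciphertext, doc.PolicyJSON)
}

func main() {
	server, _ := rsa.GenerateKey(rand.Reader, 2048)
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample: one statement line for one partner-bank user until the end of August 2005.
	pol := Policy{Recipients: []string{"alice@bank-b.example"}, Expires: time.Date(2005, 8, 31, 0, 0, 0, 0, time.UTC)}
	doc, _ := Protect([]byte("ACCT 0001 closing balance 1,250.00"), pol, &server.PublicKey)
	now := time.Date(2005, 8, 1, 0, 0, 0, 0, time.UTC)
	licence, err := IssueLicence(doc, "alice@bank-b.example", &alice.PublicKey, now, server)
	if err != nil {
		panic(err)
	}
	plain, err := Open(doc, licence, alice)
	fmt.Printf("alice reads %q (err=%v)\n", plain, err)
}
```

Two properties are worth noticing. The policy is sealed in as GCM additional data, so a recipient who edits the recipient list or the expiry inside the file can talk a fooled server into issuing a licence and still not open the document. And what the server enforces is access: whether a viewer honours a no-copy or no-print right once the plaintext is on screen is client-side enforcement, not cryptography, so the protection of every one of these systems is only as strong as the software at the recipient’s end.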

Simpler approach?

All these systems rely on centrally managed, if not entirely centrally defined, security policies for the documents’ workflow. Since most banks already have (or are about to implement) internal identity management systems on their own networks, it could be argued that they simply need to secure the data while it is being transported outside the firewall. Perhaps a simpler approach would be desirable.

PKWare is the originator of the widely adopted ZIP format. The company recently extended the ZIP file format to include strong encryption, and incorporated its security technology in its entire product range. Last year it launched a server-based product so that the security policies can be handled centrally. The main advantage of SecureZIP is that virtually any document can be compressed into an encrypted file and ‘unzipped’ at the other end using a free SecureZIP reader. The recipient can then open the document in the application that created it.

Recipient’s responsibility

However, the onus is on the recipient to keep the file in its SecureZIP container. Once the contents have been extracted and stored elsewhere, the protection no longer travels with them: the plaintext copy is only as safe as the disk, laptop or mailbox it now sits in. That is the trade-off of the simpler approach. It secures the transport, but unlike rights management it has nothing to say about what happens after decryption.

Enterprise rights management technology is still evolving. As with any new technology, it will take a few years for a clear methodology for protecting documents to emerge within the banking community.

The result is likely to balance the user’s desire for fast access to content with the financial services industry’s need to satisfy tougher compliance, privacy and confidentiality standards.

The banking industry leads other sectors in what some might think of as a paranoid approach to information security. The number and size of security breaches in the past year within the sector, however, has demonstrated that this is a wise attitude to have.

CASE STUDY: NATIONAL AUSTRALIA GROUP EUROPE

National Australia Group Europe (NAGE) decided in 2003 to replace its mainframe system with a customer relationship management system integrated by Siebel. The project also involved the implementation of the Adobe Intelligent Document Platform.

Besides supporting bank branches, the solution had to support more than 400 mobile users. NAG’s European operation also wanted the solution to include the ability to carry out central processing in case it became a requirement in the future. And finally, the bank’s employees needed to be able to create documents in both on-line and off-line environments.

These capabilities were required so that staff could work with customers on the customers’ premises as well as connected directly to the corporate network, and still have a complete end-to-end solution in either case.

The bank wanted to make document creation as easy as possible for staff using the system as it would be used to create and print mortgage applications, which would be immediately presented to the customers to sign.

Darren Gage, senior analyst programmer at NAGE, says: “Customers expect to go into the bank for a product, apply, and get a decision on the process there and then. Now we can do that. This means our customers are happier and we can close more deals faster.”

It took six weeks to implement the infrastructure and the training elements of the print solution. Secure communications were then enabled with the Siebel server. The system had to comply with the European Data Protection Directive and the UK Financial Services Authority’s regulations, which require banks to keep copies of all customer correspondence securely. At the same time as printing takes place, the Siebel/Adobe-based system writes the material to disk and onto the server to archive the information.

NAGE worked with Mark Williams, Adobe’s financial services practice manager. He firmly believes that many more banks will want to distribute secure PDF documents – not just in an interbank environment, but also to their customers.

“The issue of identity theft and fraud using stolen or illegally obtained statements and bills is growing,” says Mr Williams. He suggests many customers will come to prefer receiving invoices and statements in a secure format that they can store offline on their own PC.
