Banking and Financial Sector companies have come a long way from the conventional banking system to modern means of providing various services to the customers at their finger trips. Long days of wait for cheque clearances, long queues at tellers and the rate of which each transaction used to occur is long gone. Now you have Internet Banking System, Mobile Banking System, and Interactive Video Customer Services. Opening of bank accounts through tablets right from the customer’s home, online transactions through NEFT (National Electronic Fund Transfer), RTGS (Real Time Gross Settlement), IMPS (Immediate Payment Service), payment wallets and several such new features have modernized and simplified banking activities. Technology brings fantastic benefits.
However, the IT teams of these financial sector organizations who are into modernization face tremendous challenges. On the customer front, they need to ensure intuitive, colourful and easy to use customer interfaces that ensure their customers do not have to be computer savvy to use their applications. But on the back-end, it all ends-up with millions of lines of coding, software development and integration to multi-channel interfaces.
Not all off-the-shelf applications can be utilized in all banking environment. Bespoke development is required to meet the specific needs of the local regulations, target customer base and modes of interaction.
Secure coding practices are now incorporated as a first lesson in programming. Any ‘bug’ unintentional or intentional brings risk and exposure that may result in downtime, data loss and financial implications. Constantly evolving threats mean the development team can never conclude ‘Our product is ready to be launched’!
Scanning of source code, identifying vulnerabilities of the code and remediating the gaps are important factors of source code analysis. Prevention of application layer vulnerabilities and Web security breaches mean half-the-battle won.
Banks have realized the need to ensure highest security to the customer data and transactions while adopting the modern technologies. Security begins right from the first step of development of the software application. Therefore, Static Code analysis becomes the first step in Application Security. Similarly, once the application goes online, the behaviour of the application in various scenarios (the running state) need to be tested for any vulnerabilities as well. Together, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools are key in the Bank’s IT Security armoury. And both these tools should be tightly integrated throughout the Software Development Life Cycle (SDLC).
Here is a simple checklist: Are you launching custom developed web and mobile applications for your customers? Are you handling critical data? Are you fast enough to adopt SAST and DAST?
Happiest days of Networking? Desktop wired to a face plate, wired back to the switches and you must be physically present to access the local or corporate network resources. Then came the flexibility of laptops. You can carry it wherever you want. Presentation at a customer place, no issues. Design your presentation, off-you go, attach to the projector at the conference room and deliver a presentation. But back to the office network, you need that magic RJ-45 Ethernet cable to get hooked to the corporate network. One file server, and one print server, and somewhat advanced networks you used to have mail servers.
Then came the wireless networks. Laptops needed a PCMCIA card to make your connection wirelessly. Yet, some control with the network administrators. Introduction of built-in wireless devices, introduction of smart phones, tablets and umpteen other devices resulted in complete loss of control and administrators now with sophisticated designations as ‘Security Administrators’ started feeling the heat.
Network Admission or Access Control (NAC) is all about right people accessing right resources in compliance to the corporate security policies. No more and no less.
You want your employees to be connected 24×7? Mail clients on mobile, fancy mails tags such as ‘Sent from Outlook for Android or Sent from iPhone’? Now you are talking about what to control. How would you restrict an employee downloading a corporate email attachment to the phone and then sending it back to his or her personal email address?
Access to Corporate resources through mobile apps, Web based applications, Time and attendance, Sales and CRM from anywhere, anytime from any device, you are talking about a wide spectrum to monitor and control.
NAC is not the newest of technologies in the block. It has been there for at least two decades. Now why this renewed focus? Wireless infrastructure allowed employees, contractors and guests to access Corporate network. However, you want to restrict Guests to only access Internet and not the Intranet. You may want to allow contractors to Extranet, but not to access your internal file servers. Employees need to access certain resources, but only when they are in certain locations. Access to corporate applications from an Internet Café means a complete clean-up of session after your complete your work or risk of losing corporate data to outsiders. Organization’s decision to BYOD (Bring Your Own Device) may spell doom to CSOs and may mockingly become Bring Your Own Death (BYOD).
Protecting sensitive data, improved productivity, flexibility in BYOD, ease of deployment and ease of management are the factors a CSO to consider before deciding on a NAC solution.
Simple questions to ask yourselves before picking-up a NAC solution:
Can it provide complete visibility? Do I get detailed reporting for compliance? Can it offer context-aware policies based on user role, time, location and the kind of device he or she is accessing the corporate resource from? How much overhead it brings to the administration and management. Can the process of onboarding a user, enrolment and logging be completely automated to bring seamless experience to the users? How can I integrate with existing MDM (Mobile Device Management) solutions?
Now, we can call its NAC 2.0. A rejuvenated NAC. Or NAC reborn! Whatever you may choose to call, don’t knock-off NAC from your IT security budget. Not just yet!
My grandfather often used to recollect his father’s advice: Never buy lands beyond what your eyes can see! Obviously, beyond your direct vision of your lands, nobody knows who is utilizing them, and how. Drawing the analogy to the modern-day Network Managers, you can’t manage the network you can’t see.
Modern day networks are large and complex with disparate systems, security and monitoring tools. Often, these tools are purchased and deployed to address one immediate requirement with no deep-down thinking or long term thought process. Network managers are left with so many stove-pipe solutions and many places to look at when it comes to troubleshooting. Compliance to various security agencies and government requirements mean more and more security tools.
Put together can these tools are able to still leave them with a good night’s sleep is still a question. Network Visibility is becoming a key discussion point in all IT discussions. How much you know about your network and how well is the question!
From a legacy (is it too early to call it a legacy?) data center where rows of racks are stacked with switches, routers, VPN concentrators, firewalls, Intrusion Prevention Systems and log analysis appliances, to the newer data centers that have hundreds of virtualized components due to the advent of Software Defined Networking (SDN) and Network Functions Virtualization (NFV), getting the complete picture of what’s going where is still a puzzle.
Newer threats such as encrypted attacks, malware, ransomware and even the hardware related bugs that can be exploited by hackers only add to this complex picture of lack of visibility in your networks.
Of course, we have SIEMs, Log analysis and network monitoring tools. But they pose a challenge of media limitations (1G tools in a 10G network), domain or scope of these tools and constant need to upgrade and update them calling for a downtime, and therefore, time gaps in networks being protected.
When networks scale very fast, these security tools don’t. While data at rest is handled through encrypted storage solutions, data in motion remains vulnerable always.
Therefore, the resulting network in present shape, leaves several blind spots, inconsistent view of traffic, veiled encrypted traffic and constant contention for access to traffic.
The solution for these challenges is the Security Delivery Platform (SDP). Instead of looking at point solutions, it aims to provide visibility across the entire infrastructure. You have inline security tools (eg. Firewall) and non-inline tool (eg. SIEM) that needs access to the traffic through TAPS (Traffic Access Points). Limitation of limited TAPS need to be overcome to have better visibility.
Total visibility means not only seeing everything, but also not to miss something that’s very important too. With network traffic growing exponentially, challenges of sophisticated threat patterns and malware that comes in encrypted forms, directing right and meaningful traffic to the right security tools is the only way to have a greater control of your network.
Government agencies, financial sector companies, Healthcare, Media, ecommerce and even technology companies are turning to Secure Delivery Platform (SDP) to address the above challenges. Need to maintain total network visibility on-premises in your data centers and in Cloud means time has come to make way for SDP!