NSCU protects its 24/7 access

Aware that a concern about security and privacy is the key deterrent to people buying online or doing online banking, Ron Cann is deliberately doing more than he sees is necessary to protect the online presence of North Shore Credit Union (NSCU).

As senior manager of eCommerce and Direct Service, Cann is in charge of the Vancouver-based credit union’s direct channels. As well as ATMs, automated telephone banking and indirectly the call centre, the largest component of his area of responsibility is the Web site and Internet banking.

NSCU’s customer data is kept in a secure facility with Credit Union Central in B.C. served by Vancouver-based Datawest Solutions Inc., protected by what Cann reports are “multiple, multiple layers of security.” Even so, he admits that the recently stolen hard drive at the ISM facility in Winnipeg struck terror in his heart as it would with any person who manages customer data in any way, shape or form.

“It definitely was one of those things where you kind of take a little bit of a gulp and go, ‘ok, are we vulnerable?'” he says. “We’ve done the due diligence and we do the audits and all sorts of things regularly. I think it shows and hopefully motivates other IT professionals to make sure they’re doing the due diligence.

“For people like myself who are trying to convince our customers that doing business with us online is safe and secure, every time something like that happens, you sort of go two steps back. We need to make sure that incidents such as that don’t happen.”

For more than a year, NSCU has been leasing a server from Fusepoint Managed Services Inc. who hosts part of NSCU’s Web site at their facilities. NSCU moved from another provider who “couldn’t really provide the service that an organization such as us requires both from a customer service perspective and a security perspective,” Cann explains. “We were looking for two things: really great security to meet your needs and great customer service because as an outsource, these people are essentially a part of your organization.”

Cann checked out several vendors. He was most impressed with Fusepoint’s security precautions, which included having a person in their network operations centre, monitoring 24/7 for a breach or oddity of some sort. “At a lot of other firms, someone will get paged and they’ll drive down to the [operations centre] and two hours later there’s finally someone looking at the issue. But with Fusepoint, they’ve got somebody there all the time.”

His detailed tour of Fusepoint’s facility convinced him that regarding security, “they knew exactly what they were doing and they were meeting our requirements. We basically wanted to have an isolated solution with our Web site hosted on its own server, in its own area where no one else could get to it either virtually or physically. And that’s what they were able to provide for us.”

It was also a case of matching needs with cost.

“We went to other vendors who were more deluxe, but were way more expensive,” he recalls. “Comparing them to people like Telus, we felt that Fusepoint was offering an equal, if not better, solution for a lot less money.”

Cann reports that Fusepoint seemed financially stable so saw the company not having “a huge portfolio of customers” as an opportunity to get a lot of attention rather than a concern. “That has definitely proven true,” he says. “We have dealt with them a lot, but it’s more just with the management of our site as we’re evolving it and changing it and adding features. With Fusepoint, we have never been down in the year and four months that we’ve been with them.”

That’s gold to Cann.

“I believe that as a financial institution, if we are making a promise to our customers and potential customers that we are available through the Internet, we are a 24/7 operation and being down at all is unacceptable, although it’s impossible because sometimes you have to do maintenance. If we ever have to take the site down, it’s usually done between 1 a.m. and 2 a.m. and it’s maybe done for 15 minutes – maximum an hour. But I’m uncomfortable even with that. And, I’m uncomfortable if we do that more than once a month.”

Cann notes that although their 40,000 members joined while living locally in North Vancouver, many still access the NSCU site even after they have moved all around the world. “When I look at my traffic, there is not a time in the day where the traffic goes zero. I’ve actually got a guy who lives in a lighthouse that accesses our Web site via his cell phone. So, we’ve got diverse users all over the world and we’ve got to make sure that this service is up because they may be very busy people and may only have an hour a month to pay bills or whatever. If we’re not up during that hour, it’s a major inconvenience for them.”

He views their public Web site hosting at Fusepoint as going beyond what is essential. “You never know who’s motivated to embarrass your company or whatever. Because Fusepoint is only hosting our public site, not the actual part where you do your online banking, our biggest risk on that side is someone breaking in to our Web site and doing some sort of virtual graffiti. That totally shakes the confidence of your customers and it would take years to recover from the negative effects of something like that. That’s what I’m trying to avoid. It’s really a public trust thing that I’m trying to build and I’m not letting anything get in the way of building that trust.”

NSCU chose a high availability solution with a backup server in the Fusepoint data centre and a process and procedure for failing over onto the secondary site. With offices and data centres in Toronto and Vancouver, Fusepoint provides services that are redundant across two data centres, offering security, availability and expertise that is not cost effective to exist within every financial institution, explains Robert Offley, Fusepoint president and CEO.

Founded in 1999, Offley claims Fusepoint has ‘five nines’ infrastructure, experienced people up to speed and the process to “co-source” or outsource high availability solutions for business continuity.

“We have a number of products which are in place to try to eliminate the disaster in the first place and to provide resilience through the whole infrastructure,” he says. He helps clients determine how much – if any – downtime each of their applications can bear in the event of a disaster.

“It all hinges around the time you have to bring the application back up and online,” he explains. For less critical applications where one to three down days are acceptable, Fusepoint offers what Offley calls “quick ship services.” There seem to be variations on this, including the client shipping their computer systems to the Fusepoint facilities to replicate the environment that was there before. Fusepoint would then bring in the backup tape from vault storage and replicate a financial institution’s environment within a certain period of time, typically within two days. Or, Fusepoint could provided dedicated hot desks, matching at Fusepoint the systems at the customer so the customer could bring in their backup tapes and restore the application within a specified amount of time. The company will also put remote trailers with hot desks into customer’s premises.

“It’s not just about having the infrastructure, but also having the people and process in place,” Offley adds. “Look at the recent Slammer worm that brought down a number of the large financial institutions. All our customers didn’t have to worry about that because we have a team who is focused on intrusion detection. It’s a full-time job to keep up with these threats that accompany this environment. We employ a whole team to do that. It doesn’t make sense for a company to go out and get their own dedicated team when they can buy it from us on a utility basis. We can provide at a lower cost a more secure environment than Fusepoint clients can.”

Offley estimates that for a single server doing Web transactions, to provide the high availability of a fully redundant server at another site with the bandwidth is probably three to four times more expensive, but he argues that the impact of downtime more than pays for itself. It comes down to matching the cost to how critical the application is. In some cases, five minutes of downtime could have paid for the solution, he claims.

“I think sometimes in Canada people feel safer but it’s not necessarily the case,” Offley adds. “Ice storms. Floods. Fire. Weather. Who knows what else can happen? It is a case where the probability can be low but the impact very high.”