“The increasing complexity of the products and channel interaction with customers means financial institutions have to be more vigilant than ever, especially as they move into providing more and more electronic interfaces for customer interaction,” cautions Blake Hanna, a partner in the Toronto-based financial services group at Accenture Inc.
That’s the message he thinks financial services firms can’t hear too often as they face security and business continuity challenges on a number of fronts.
One front is their typically product-centric vision of their various accounts, which results in information systems aligning customers with products instead of one overall view of the customer. “The proliferation of products and customer interaction channels — telephone banking, Internet, walking into a branch, private banking with a personal representative, buying mutual funds over the phone — translates into things like ‘how many passwords do you have? What do you have account access to?’”
Customer interaction complexity necessitates complex tasks to make sure that each of those clients, products and channels of interaction is safe and secure, all the while giving customers the most convenient access to their information only, he adds.
Meanwhile, other threats include even curb-side recycling, which can expose information on accounts and balances.
The debit card fraud taking place is like cat burglar movie plots come to life, he says. “The banks never considered people would wipe PIN pads in advance of an ATM customer’s use and then figure what keys were used. People have been installing cameras over the PIN pads on automated teller machines and recording in real time using wireless transmission of that data for theft of identity. It is a huge area of loss for the banks. We’ve done surveys of Canadian financial services firms and it is a significant problem getting worse fast.”
He suggests that if the fraud continues unabated and unchecked, it may speed up what he otherwise sees as a three-to-five-year wait for smart cards to be deployed.
He says some financial institutions have looked at biometrics-based security but the cost is very high and the number of end-terminal devices and points of sale in retail makes it impractical. Instead, smart cards for debit cards could use the existing infrastructure of card readers and terminal devices.
“A lot of this comes under the broader heading of risk management,” he adds. “The challenge is that historically it has tended to be a product-by-product view of security. Now you need an envelope for security for all the products and all the interactions. That’s what a lot of financial institutions are focusing on now: how do I put that overlay in place when I didn’t really evolve from it?”
DBRS finds two hosts are better than one
Dominion Bond Rating Service (DBRS) knows it is prudent not to have all your eggs in one basket. The company has been that route before with a hosted data centre whose bad financial situation necessitated the fast removal of DBRS’ servers.
DBRS is a Toronto-based global rating agency providing credit markets with accurate, timely and prospective credit opinions. Based on the expanding needs of its global clients, DBRS provides financial ratings on commercial paper, bonds, long/short term debt, and preferred shares, as well as asset-backed securities. DBRS also offers industry analysis, ratings reports, and ratings indices for issuers throughout North America, Europe and Asia.
If a market development occurs, DBRS customers expect the company’s financial analysis as fast as possible, explains Mike Burns, managing director of systems. “Our business is providing information to customers. This information must be timely and accurate. If they can’t access this information, they’ll look elsewhere. So, it is vitally important to ensure that we’re always providing our services to our customers.”
DBRS now has two mirrored sites to ensure the world has access to its Web site without fail. “Being involved in financial markets, we know that companies often have financial difficulties so we don’t want to have all our eggs in one basket or everything with one vendor,” Burns explains. “We have to accept that these things happen and we have to plan for it.”
The company has outsourced its Internet infrastructure and related managed services to Q9 Networks Inc. since 2002, he says. About six months ago, DBRS also engaged Fusepoint Managed Services to provide fully-mirrored, high-availability disaster recovery services.
Burns counts on both Q9 and Fusepoint to provide redundancy every step of the way so even in the event of a disaster, “our public face will always be available.”
But that’s not all. Burns expects that within the next three months when both sites are fully clustered, DBRS will benefit from the flexibility of working with two sites. “You can keep both sites active or you can take one offline and use it for other reasons such as upgrading hardware, introducing new systems, rolling back changes if problems occur.”
Dunn hopes to benefit from a global load balancing service Fusepoint offers. “We’re using a clustered WebLogic environment [from BEA Systems, Inc.] for our Web services. This is new territory for us and we intend to have it transparent to the user as to what location they are actually accessing — Fusepoint or Q9. They will just access our site, then the load balancing that Fusepoint is offering will handle moving half the traffic over to one or the other site. We’re looking forward to using it and seeing how it works for us.”
He expects that capability will allow DBRS to expand into other geographic locations and handle the traffic in a more local manner. “If we head into Europe or Asia or wherever, we could get a local presence and faster access to our services,” he says.
Heartland wields two malware weapons
The increasing hassle of spam prompted Heartland Credit Union to double up its layers of defence against e-mail hazards. The credit union serving about 14,000 members in southern Manitoba uses both VirusScan Enterprise from McAfee Inc. and an MDaemon mail server from Alt-N Technologies in Arlington, Tex.
IT manager John Klassen says the McAfee product was the credit union’s original antivirus software and dates back to before his time at the company. Currently Enterprise Versions 7 or 8 are running on 80 workstations, depending on the computer. The software protects against virus attacks, prevents malware intrusion and serves as a firewall at the individual PC level.
The company began using MDaemon mail server about five years ago for added security. Klassen appreciates the mail server’s ease of use and that it can be completely standalone off the network. “We could do the same thing with our existing software without the MDaemon, but I like the fact of having it not on one of my major servers,” he says. “It can be on a separate workstation so that gives us extra security in that our outside [Internet] mail access is through a completely separate box. Should we get a virus attack, I can just shut down the one box and it doesn’t affect any other functionality.”
The MDaemon sits on a Windows 2000 server, but Klassen says it will run on most platforms, which is another advantage. “I can move it from station to station and as our hardware changes, I don’t have to worry about it.”
Heartland keeps MDaemon current, as it does the McAfee software, and has upgraded to the recently released MDaemon 8.0 version, which includes SpamAssassin 3 anti-spam software. Klassen gives the spam and virus filters top marks, saying they block more than 1,000 messages a day with only a half dozen false positives in the last few months.
A bounce-back system alerts senders when their email has been blocked and saves Heartland the time-consuming hassle of scanning junk e-mail. Although MDaemon and McAfee are compatible, he cautions that problems arise if you have them both scanning in the same folder. “We have the McAfee on the workstations and the MDaemon virus scan just runs on its own,” he adds.
VanCity gears up its data protection
“A monitor costs $400; a PC: $1500; a server: $20,000. Data? Priceless.” That take-off on a MasterCard TV commercial comes from Tony Fernandes, vice-president of IT operations for Inventure Solutions Inc., the information technology subsidiary of Vancouver City Savings Credit Union (VanCity). Protecting data has been the focus for Fernandes and his team for about a year since they began mirroring data to the company’s disaster recovery site about 100 miles away.
“We’re focusing on our key systems, prioritizing them and getting the hot copy of the data out there, one system at a time,” he explains. “As we add more systems, we’ll understand how much more bandwidth we’ll need between here and there. As we put each system up, make sure everything is working perfectly and it restores okay. We want to make sure it doesn’t create other ‘entertainment’ for us. It’s going to take a couple of years because there are a lot of systems.”
VanCity began using EMC CLARiiON CX700s for networked storage in 2003 in its two data centres. Recently, it took part in EMC’s beta MirrorView program and subsequently selected it for data mirroring the CLARiiON storage area networks (SANs) at the data centres.
“It integrates better with our environment,” Fernandes explains. “Being able to leverage the expertise of your staff has great wins. Once we did our test with the EMC product, the feedback from my staff was that it is just a small extension of the knowledge they had gained in managing the SANs that we have from EMC. That was a key driver and the fact that it performed and did everything that we needed it to do.”
Fernandes says he wanted an asynchronous solution for mirroring at staged intervals. “A synchronous solution means that your network has to be up and running all the time,” he explains. “If there are any problems with the network, then things start to back up and they can have an impact on your production environment.”
The current asynchronous setting mirrors the core banking system every half hour, recording all the changes and databases from the previous 30 minutes. “Our maximum exposure is a half hour of missing changes. That works best for our environment.” Inventure can also now mirror VanCity’s data in two directions “which helps set us up for evolving our disaster recovery site to being able to use it as a second data centre down the road,” Fernandes adds.
Eventually his team could add development servers [at the remote site], work out there and then mirror changes back to the main office for a synchronized copy of data at both sites.
But, how far is safe and how close is unsafe?
To confirm that the remote site about 160 km east of Vancouver is indeed far enough away, Inventure had a professor from the University of British Columbia study the risk of a disaster such as an earthquake befalling both locations at once. “The big one” is expected to happen several hundred miles off the coast of Vancouver Island, so it would be very unlikely the remote site would be affected.
The conclusion was that the greatest risk — an earthquake of substantial magnitude to happen dead centre between the sites — is a very, very remote possibility. “Based on that study, we’re satisfied that the distance and the location of the two data centres is appropriate,” Fernandes concludes.