The Westpac Banking Corporation is creating what it calls a virtual enterprise resource directory to manage and automate access control while ensuring information is made available on a need-to-know basis.
“This is easy to say but hard to do,” according to Richard Johnson, head of architecture, research and cybercrime in Westpac’s information security group.
Speaking at Gartner’s IT Security Summit in Sydney last week, Johnson said a lot of money is being invested in access control.
He said the goal is automation by embedding controls and reducing manual input.
“We are working closely with business units to do this; we currently have a number of projects in place and have invested heavily in Tivoli Identity Manager for provisioning,” Johnson said.
“We are trying to get a single source of truth with our electronic HR system but the first challenge is federating all systems to get a single sign-on capability.
“Our current focus is moving to role-based access control as well as self service so users can reset their own passwords; the ultimate goal is an enterprise wide directory.”
Westpac has 27,312 staff and 1,063 branches, which is why Johnson claims IT security spending must be based on intelligent decisions.
Formerly an accountant, Johnson said his business background has been invaluable throughout his IT security career.
“I’m actually an economist but financial audits bored the crap out of me,” he said, adding that a secure system without functionality won’t make money.
Johnson said network boundaries used to be more clearly defined, but today the perimeter has moved on to remote access, wireless and the use of third-party providers.
“It has blurred the perimeter which requires a defence-in-depth approach; we’re talking about a very rich mix of access to your systems,” he said.
“This means thinking about system design and creating a range of architecture guidelines with zones of trust.
“We are organising our assets into zones of trust with different levels of access.”
In recognition of this new landscape, Westpac has made a serious investment in intrusion prevention systems (IPS), with Johnson claiming the bank has created the largest IPS shop in the southern hemisphere.
“An IPS understands threats in real time; it is an effective capability to have,” he added.
Out of its seven million customers, 2.9 million undertake their banking online, which is why Westpac continually bolsters the security of this channel.
“We have gone through a range of initiatives to maintain trust in this channel. This has ranged from reducing transaction limits to two-factor authentication for high-value transactions; all of the major banks in Australia are deploying this and looking at additional authentication controls,” Johnson said.
“But finding solutions that are user friendly is the toughest challenge because customers don’t want six dongles to do their banking.
“There is no single solution but a set of solutions; you want your strongest armour at the front of the tank.”
Moving forward, Johnson said there will be more wireless PKI and EMV cards.
His vision for banking in the future is the creation of a “trust centre utility”, which allows the entire industry to share authentication technology and infrastructure.
“This would mean better value for customers and allow greater collaboration between the industry,” he said.
Johnson is a big believer in collaboration, claiming it is at the centre of white-hat success when it comes to fighting virus writers, spammers and increasingly sophisticated phishing techniques.
“As an industry our counter-measure capability has really progressed by liaising with overseas law enforcement bodies and industry groups although our success isn’t publicised; a lot of the malware we see today could rival commercial code,” he said.
Johnson said every enterprise needs a senior executive to sponsor IT security and to champion its importance to all levels of the organisation.
In the last four years, he said, the role of security in critical decisions has increased significantly.
“It is important to take a risk-based approach to security to demonstrate value back into each line of business and build a credible governance and management framework to evaluate how you are tracking,” he said.
On the subject of spending, Cybertrust CTO Dr Peter Tippett told conference delegates that enterprises have had enough of buying products.
“Buy all our products to protect yourself, now buy more products to protect yourself. That is what we have heard for years,” Tippett exclaimed.
“We have all had enough of product. We haven’t even come close to tuning and getting the most out of what we have already purchased. There are many things you can do to reduce risk without buying technology; a lot more work could be done around processes.”