Outer Defenses
In May, a Department of Veterans Affairs data analyst brought home a laptop containing identifying information for millions of veterans -- the device subsequently was stolen from his home. In July, Old Mutual Capital, a distributor of mutual funds, reported that a company laptop housing clients' names, addresses, account numbers and Social Security numbers had been stolen. And in March, Fidelity Investments said a laptop containing information for almost 200,000 Hewlett-Packard employees (Fidelity manages HP retirement plans) was stolen.
Stories like these are becoming all too common, leaving clients with a deep sense of foreboding and insecurity regarding financial institutions' stewardship of personal data. The Privacy Rights Clearinghouse reports that nearly 90 million data records of U.S. residents have been exposed due to security breaches since February 2005. But Wall Street is by no means sitting idly while incident after high-profile incident flashes across the front pages. In fact, according to many industry observers, the degree to which firms safeguard personal client data now is a differentiating factor among their offerings. Sooner or later, pension funds and other large corporate entities looking for money managers will add a question about remote hardware security to their vetting processes, most experts agree.
Jonathan Gossels, president of Sudbury, Mass.-based SystemExperts, says firms are just starting to catch up with a rapidly evolving mobile workforce. In the past, he relates, only a few employees needed access to client information on the road; now, almost all employees require remote access at one time or another. "Even though the reality has changed, the conventional wisdom around mobile technology hasn't changed at all," Gossels laments.
Shoring Up the Laptop
At San Diego-based money manager Nicholas Applegate -- a buy-side firm that manages assets for institutional investors, including corporate and government retirement plans -- SVP and CTO Steve Rapp is working hard to ensure the firm's remote hardware is as secure as possible. First, when an employee is issued a laptop, the organization reviews the acceptable-use policy and stresses the importance of the company data stored on the device. Further, every laptop issued has a hard-disk-lock password that must be entered each time the machine is turned on. "The first thing you see is the need to enter that password, which will unlock the hard drive," says Rapp of Nicholas Applegate's IBM laptops. One caveat: a drive-lock password of this kind stops the drive from answering until it is unlocked, but by itself it does not encrypt the data on the platters, so it is a weaker control than the full-disk encryption described below.
At JPMorgan Chase, Brian Mitchell, technology controls officer, says security on laptops is pretty straightforward. "Every one of our laptops has been built with hard-disk-encryption software," he notes. The machines also are set up with personal firewalls and reach company information through a virtual private network (VPN) in a no-split-tunnel configuration: while the VPN is up, all of the laptop's traffic goes through the tunnel, which, according to Mitchell, ensures that a remote worker hooked into the VPN and the Internet at the same time cannot become a bridge that puts the company's network in jeopardy. Mitchell notes that JPMorgan Chase does not support 802.11b wireless networking, as the company finds existing security controls around the protocol to be lacking.
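What "no split tunnel" means on the endpoint is visible in the routing table. The following is an added example, not code from the article or from JPMorgan Chase: it parses routing tables in the format of Linux `ip route show` and reports which probe destinations would leave the laptop through the physical interface instead of the tunnel. The interface names (`tun0`, `wlan0`), the VPN server address 198.51.100.5 and both sample tables are constructed for illustration.

```python
"""Detect split tunnelling from a routing table.

Added example, not from the article: given the text of `ip route show`
(Linux), decide whether traffic to the Internet leaves through the VPN
tunnel interface or bypasses it. Interface names, addresses and the
sample tables below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    dev: str
    metric: int


def parse_ip_route(text: str) -> list:
    """Parse lines in the `ip route show` format into Route objects."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else "?"
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append(Route(ipaddress.ip_network(dest, strict=False), dev, metric))
    return routes


def lookup(routes: list, ip: str):
    """Longest-prefix match; among equal prefixes the lower metric wins."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.dest]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dest.prefixlen, -r.metric))


def leaking_destinations(routes: list, vpn_dev: str, vpn_server: str, probes) -> list:
    """Probe addresses whose egress interface is not the tunnel.

    The host route to the VPN server itself must go out the physical NIC,
    because the tunnel's own packets ride on it, so it is not a leak.
    """
    leaks = []
    for ip in probes:
        if ip == vpn_server:
            continue
        r = lookup(routes, ip)
        if r is None or r.dev != vpn_dev:
            leaks.append(ip)
    return leaks


# Constructed: a split-tunnel client. Only the corporate 10/8 goes via tun0;
# the physical default route still carries everything else.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 scope link
192.168.1.0/24 dev wlan0 scope link metric 600
"""

# Constructed: what an OpenVPN client installs after the server pushes
# `redirect-gateway def1`: two /1 routes that out-rank the physical default
# route without deleting it, plus a host route so tunnel packets still reach
# the server.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 metric 600
10.8.0.0/24 dev tun0 scope link
192.168.1.0/24 dev wlan0 scope link metric 600
198.51.100.5 via 192.168.1.1 dev wlan0
"""

PROBES = ("8.8.8.8", "203.0.113.7", "10.1.2.3")

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        routes = parse_ip_route(table)
        print(name, "leaks:", leaking_destinations(routes, "tun0", "198.51.100.5", PROBES))
```

The same test works on Windows output from `route print` once the parser is adjusted to its columns. Note that even the full-tunnel table keeps the local 192.168.1.0/24 subnet reachable over `wlan0`; a client that enforces "VPN or Internet, never both" in the strict sense Mitchell describes also has to block that local segment, usually with the personal firewall mentioned above.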
Still, Mitchell is confident that the firm has sound measures in place to prevent unauthorized access to its network. When it comes to an unattended or stolen laptop, Mitchell notes that after 10 idle minutes, a screen saver comes on that requires a password to unlock the machine.
Additionally, the minute the laptop loses power, the password is required to restart it. "That will get you to the operating system login and then, if you want to do a remote connection into our VPN, you have to sign on to the operating system and VPN client, authenticating with two-factor authentication," he says.
At Nicholas Applegate, remote access to the network also requires two-factor authentication; the company uses Bedford, Mass.-based RSA Security's SecurID technology. "If you want access to an application or a data store, then you have to prove to us in two ways that you are who you say you are," Rapp asserts. E-mail is the one exception: it is reached through OWA (Outlook Web Access, the browser front end to Microsoft Exchange) and requires only a single factor.
PDAs & Smart Phones
But laptops no longer are the only devices used for remote access. All JPMorgan Chase BlackBerrys (from Waterloo, Ontario-based Research in Motion), for example, are password-protected. But don't get the password wrong too many times, the firm's Mitchell warns, because that will result in all contents on the device being obliterated. Further, the company's BlackBerry devices are being upgraded, he adds, to include encryption. And JPMorgan supports smart phones with software that, again, provides password protection.
The Palm (Sunnyvale, Calif.) Treo smart phones in use at Nicholas Applegate are fitted with several levels of protection, according to Rapp. The first is the phone itself, which is password-protected. Additionally, the firm requires that all smart phones have "remote wipe" capability -- essentially the ability to send a signal to a lost or stolen device that will delete any information. With Treos, the remote kill is accomplished by GoodLink software from Santa Clara, Calif.-based Good Technology. For BlackBerry devices, the remote-kill function is handled by the BlackBerry service provider.
"The minute we detect the device has been turned on through its wireless antenna, a command is issued to wipe out all the data on that device," Rapp says. "We won't allow smart phones to be used that don't have that capacity."
Still, Rapp admits there is one weak link in smart phone security -- the ability of a thief to disable the antenna before a remote wipe instruction has been sent. "So that is one little wrinkle in the remote-wipe process," Rapp concedes. "If you talk to people who say it's perfect and has no vulnerabilities, that's not really the case."
Just how serious is the vulnerability created by that wrinkle? Not very, Rapp says. Even if such steps are taken, he notes, the thief will come up against the device's password protection. Further, Rapp explains, the effort/reward scenario offered by such a theft is minimal. "If someone wants to go to all that trouble and expense to get my contacts ... on my smart phone, well, that's quite a lot of trouble," he says.
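The three protections discussed above (a wipe after too many wrong passwords, a remote wipe sent over the air, and the gap that opens when a thief disables the antenna first) fit in one small model. The following is an added example written for this page, not code from the article and not the protocol of RIM, Good Technology or any carrier: a minimal server that queues a wipe, a device that polls for it only when its radio is on, and two device-side policies that fire with no network at all. The second of those, an offline deadline after which the device wipes itself, is the usual answer to the antenna wrinkle Rapp describes and goes beyond what the firms quoted here say they deploy. The device id, the timing constants and the stored data are constructed.

```python
"""Remote wipe, modelled end to end, with the device-side fallbacks.

Added example, not from the article and not any vendor's protocol. A tiny
server queues a wipe; the device polls for it when it has a radio; two
local policies (failed-unlock limit, offline deadline) fire without any
network at all. Device id, timings and stored data are constructed.
"""
import hashlib
import hmac
import os


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class WipeServer:
    """Server side: a wipe is a flag the device collects on its next check-in."""

    def __init__(self):
        self.pending = set()

    def issue_wipe(self, device_id: str) -> None:
        self.pending.add(device_id)

    def poll(self, device_id: str) -> str:
        if device_id in self.pending:
            self.pending.discard(device_id)
            return "WIPE"
        return "OK"


class Device:
    """Device side: lock password, stored data, and the wipe policies."""

    def __init__(self, device_id: str, password: str, server: WipeServer, *,
                 now: int, max_failed: int = 10, max_offline: int = 2 * 24 * 3600):
        self.device_id = device_id
        self.server = server
        self.salt = os.urandom(16)
        self.pw_hash = _derive(password, self.salt)
        self.data = {"contacts": ["(constructed)"], "mail": ["(constructed)"]}
        self.radio_on = True
        self.failed = 0
        self.last_contact = now
        self.max_failed = max_failed
        self.max_offline = max_offline
        self.wiped_reason = None

    def _wipe(self, reason: str) -> None:
        if self.wiped_reason is None:          # first trigger wins; data goes once
            self.data.clear()
            self.wiped_reason = reason

    def unlock(self, attempt: str) -> bool:
        """Lock-screen prompt; too many misses wipes locally, as on the BlackBerrys above."""
        if self.wiped_reason is not None:
            return False
        if hmac.compare_digest(_derive(attempt, self.salt), self.pw_hash):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.max_failed:
            self._wipe("too many failed unlocks")
        return False

    def check_in(self, now: int) -> bool:
        """Poll the server. With the antenna disabled there is simply no contact."""
        if not self.radio_on:
            return False
        self.last_contact = now
        if self.server.poll(self.device_id) == "WIPE":
            self._wipe("remote wipe command")
        return True

    def tick(self, now: int) -> None:
        """Local clock check; the one policy that does not need the radio."""
        if now - self.last_contact > self.max_offline:
            self._wipe("offline deadline exceeded")


def scenario(radio_on: bool, brute_force: bool = False) -> str:
    """Phone reported stolen at t=0; return the reason the data ended up wiped."""
    server = WipeServer()
    dev = Device("treo-0042", "correct horse", server, now=0)
    dev.radio_on = radio_on                 # thief disables the antenna (or not)
    server.issue_wipe(dev.device_id)        # help desk queues the wipe
    if brute_force:
        for guess in range(20):             # thief guesses at the lock screen
            dev.unlock(f"{guess:04d}")
    for t in range(3600, 3 * 24 * 3600, 3600):   # device's hourly loop for 3 days
        dev.check_in(t)
        dev.tick(t)
        if dev.wiped_reason is not None:
            break
    return dev.wiped_reason


if __name__ == "__main__":
    print("radio on        :", scenario(radio_on=True))
    print("antenna disabled:", scenario(radio_on=False))
    print("disabled + brute:", scenario(radio_on=False, brute_force=True))
```

With the radio on, the wipe lands at the first check-in. With the antenna disabled the server's command never arrives, which is exactly Rapp's wrinkle; what still protects the data is the lock-screen limit and the offline deadline, both of which run from the device's own clock and counter. The deadline has to be chosen against normal use (a weekend in a basement should not wipe an honest user's phone), which is why it is days rather than hours here.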
Remote Access, Not Remote Data Storage
Todd Christy, CTO of Waltham, Mass.-based Pyxis Mobile, a provider of wireless applications to the investment industry, says that firms can stay out of trouble by limiting the volume of data they allow on remote devices. Instead of keeping information on the actual device, he recommends leveraging the wireless network. "Through wireless technology, you are putting very small amounts of data on the devices that is only available in real time," Christy says. So a limit on the amount of data that can be stored on the actual device, combined with remote-kill or wipe technology, is important, Christy explains.
But whether a firm is trying to secure its laptops, smart phones or BlackBerrys is not the issue, contends SystemExperts VP Brad Johnson. "Companies that are doing this well aren't making a big distinction between different types of devices," he says, because what were once considered minor remote devices can now hold massive amounts of information. Instead of focusing on the hardware in question, Johnson says, policies and security controls should be driven by the use and nature of the information with which the device is dealing.
With an eye on the future, Nicholas Applegate's Rapp says he's fond of Palm's new Treo 700w running Windows Mobile 5 because it offers the remote-wipe function. The architecture for those devices, he relates, is simpler. "So at some point we are going to mothball the GoodLink architecture," which will save the company money, Rapp says.
Among other projects being examined is adoption of an application from Pyxis Mobile that helps with customer relationship management and access to CRM data. The Pyxis product was piloted at Nicholas Applegate, "But I guess the timing was not right or the interest level not sufficient to want to take the plunge" at the time, Rapp says.
The firm also has been looking at a tool from Santa Cruz-based Onset Technology, which has partnered with Nicholas Applegate's CRM vendor, LexisNexis. "So we're looking at those technologies to extend what people are able to access from a smart phone or PDA in a mobile format," he says.
At JPMorgan Chase, Mitchell says the firm recently implemented malicious code scanning to further prevent compromised remote devices from infecting the network. The software -- from Austin, Texas-based WholeSecurity (which recently was acquired by Cupertino, Calif.-based Symantec) -- works to identify keystroke loggers and other malicious code. If such code is detected, the software drops the connection.
When it comes to selecting software, Mitchell warns that the "best" solution may not always be the right one for a particular firm. "I may have the best bit of software that ever secured a laptop, to the point where it's trusted 100 percent of the time," he says. "But deploying that out to 70,000 laptops and keeping it functional and operational from a support perspective is a challenge." Doing so, he explains, depends on the scalability of the application and having the core infrastructure needed to support vast global workforces.
Future security work at JPMorgan Chase, Mitchell says, will revolve around improving the firm's ability to do more-frequent updates to its remote workstations. For example, today employees must log on to the network by authenticating, then their machines are checked for the latest antivirus software. In the future, he says, remote machines will be scanned and updated with the proper antivirus software before authentication can even be attempted.
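The two pieces of the connection flow described in this section, a scan of the remote machine whose failure drops or holds the connection before any credentials are examined, and a second authentication factor after the password, can be shown together. The following is an added example written for this page, not JPMorgan Chase's, WholeSecurity's or RSA's software: a gateway decision function that evaluates a constructed endpoint posture report first and only then checks a password and a time-based one-time code. The second factor is TOTP (RFC 6238), used here as a stand-in for a hardware token; the user record, the "known bad" process hash and the endpoint reports are all constructed and are not real indicators.

```python
"""VPN gateway gate: endpoint posture first, then two-factor login.

Added example, not any firm's or vendor's software. Posture failures drop or
quarantine the connection before credentials are examined; a second factor
(TOTP, RFC 6238) is checked after the password. The user store, the "known
bad" hash and the endpoint reports are constructed for illustration.
"""
import hashlib
import hmac
import struct

MAX_SIGNATURE_AGE = 3 * 24 * 3600   # antivirus definitions older than this fail posture

# Constructed: the hash of a made-up sample, not a real malware indicator.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed keylogger sample").hexdigest()}

# Constructed user store: salted PBKDF2 password hash plus a raw TOTP key.
_SALT = b"example-salt"
USERS = {
    "analyst": {
        "pw": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    }
}


def posture_failures(report: dict, now: int) -> list:
    """Everything wrong with the endpoint, evaluated before authentication."""
    failures = []
    if not report.get("disk_encrypted"):
        failures.append("disk not encrypted")
    if not report.get("firewall_on"):
        failures.append("personal firewall off")
    if now - report.get("av_signature_ts", 0) > MAX_SIGNATURE_AGE:
        failures.append("antivirus signatures stale")
    bad = [p["name"] for p in report.get("processes", []) if p["sha256"] in KNOWN_BAD_SHA256]
    if bad:
        failures.append("malicious code: " + ", ".join(bad))
    return failures


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for the step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def vpn_connect(user: str, password: str, code: str, report: dict, now: int):
    """Return (decision, reasons). Order matters: posture before credentials."""
    failures = posture_failures(report, now)
    if any(f.startswith("malicious code") for f in failures):
        return "drop", failures            # tear the session down; nothing else is evaluated
    if failures:
        return "quarantine", failures      # remediation network only; no login prompt yet
    acct = USERS.get(user)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if acct is None or not hmac.compare_digest(pw_hash, acct["pw"]):
        return "deny", ["password rejected"]
    if not hmac.compare_digest(code, totp(acct["totp_secret"], now)):
        return "deny", ["second factor rejected"]
    return "allow", []


# Constructed endpoint reports.
NOW = 1_700_000_000
CLEAN = {"disk_encrypted": True, "firewall_on": True, "av_signature_ts": NOW - 3600, "processes": []}
INFECTED = dict(CLEAN, processes=[{"name": "svch0st.exe", "sha256": next(iter(KNOWN_BAD_SHA256))}])
STALE = dict(CLEAN, av_signature_ts=NOW - 10 * 24 * 3600)

if __name__ == "__main__":
    good_code = totp(USERS["analyst"]["totp_secret"], NOW)
    print("clean   :", vpn_connect("analyst", "correct horse", good_code, CLEAN, NOW))
    print("stale AV:", vpn_connect("analyst", "correct horse", good_code, STALE, NOW))
    print("infected:", vpn_connect("analyst", "correct horse", good_code, INFECTED, NOW))
```

The "quarantine" branch is the pre-authentication update step Mitchell describes as future work: a machine with stale signatures is parked on a remediation network and updated before it is even offered the login prompt. A production verifier would also accept the TOTP codes for the adjacent time steps to absorb clock drift, which this example omits for clarity.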
A Balancing Act
Firms also are faced with ensuring security while not making authentication so onerous that employees throw their hands up in frustration. Nicholas Applegate's Rapp notes that executives at his firm pushed back when asked to create passwords with a high degree of complexity. "When we tried to put in what is called password complexity, ... some of our important and highly placed people felt it was too onerous, and so we went back and refreshed it."
Vance Bjorn, CTO with Digital Persona (Redwood City, Calif.), a provider of fingerprint-based identity solutions, says excessively complicated password requirements only will result in employees writing them on Post-It notes next to their computers. "You can always put in place a policy that says your password has to be 23 characters long with uppercase and lowercase letters, but then people will just work to circumvent the process and that won't do anyone any good," he says. Biometric solutions, such as fingerprint sensors, he says, require very little on the part of the user, and thus are more likely to be embraced.
Initially, remote workers at JPMorgan found the authentication too intrusive, Mitchell admits. "But people have become aware of why we do it. I don't think it's too onerous," he says. "They see it as a necessary evil."
But it may not seem evil forever, Mitchell explains, as advances in software look to give IT control while reducing the security burden felt by employees. Examples of such developments, he says, include Web sign-ons and giving people access to their desktops at home in the same manner they would have access in the office.
According to Nicholas Applegate's Rapp, the best advice is: "Don't get your laptop stolen." Users, he says, have to understand the importance of the information they are carrying around on their laptops and smart phones, and treat those machines with the corresponding level of care. Technology, Rapp adds, is only one essential element in the fight to protect data. But with an increasingly mobile workforce, "Human behavior is always the bottom line of these things," he asserts.
The most important things, SystemExperts' Gossels says, are awareness and education. "The best policies and technologies are useless if they are being undermined by inappropriate action," he says. Remote security, in particular, depends on employees being aware that they have an obligation to keep secure the confidential information they are carrying around, Gossels stresses.
Pyxis Mobile's Christy says the right policies can go a long way to supporting IT security solutions. "The basic policies you impose on your staff are almost equally important as any kind of technological barriers you put into place," he says.
While some short-sighted firms might see remote hardware security as lacking a return on investment, most are wise enough to see that not spending can result in far greater financial damage to their institutions. But the question firms must continually struggle with is: How much is enough? Does it make sense to spend until every eventuality, no matter how remote the possibility, is 100 percent mitigated? When is a firm safe enough? "The mantra at Nicholas Applegate," Rapp says, "is we are going to spend enough to attain what we think is the right level of security for our data."
Over at JPMorgan Chase, Mitchell suggests, spending on remote hardware security isn't all about ROI, because you can't put a price on the firm's reputation. "We're doing what we have to do to protect data, especially customer data, because customers expect us to protect it," he says.