Industry Insights: 2011's Banking, Security Challenges
In a look ahead to banking and security challenges in 2011, Tumulak discusses:
- Top security threats to banking institutions;
- Challenges and opportunities in tokenization, cloud computing and key management;
- How to prepare today for 2011's greatest risks.
Tumulak joined SafeNet in April of 2008 as part of the Ingrian acquisition, and is now SafeNet's vice president of product management. In his role at SafeNet, he drives product direction for enterprise data protection, working closely with the engineering and sales organizations.
During his seven-year tenure at Ingrian, Tumulak most recently held the position of vice president of product management and engineering. Prior to Ingrian, he held several leadership positions at E-Stamp, where he was responsible for the company's electronic postage products. He managed security and payment related activities, and worked closely with the USPS to launch certified product nationally. He was also part of the engineering team in the server division at Netscape Communications.
TOM FIELD: What are the top security issues for banking institutions looking toward 2011? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking about banking and security in 2011. We are talking with Derek Tumulak, Vice-President of Product Management with SafeNet. Derek, thanks so much for joining me today.
DEREK TUMULAK: Thank you for having me today, Tom.
FIELD: Just to get us started, Derek, why don't you tell us a little bit about yourself, your background, and of course your role with SafeNet.
TUMULAK: Sure, I'm the Vice-President of Product Management for SafeNet's data encryption products. I have been working in information security for more than 12 years with a large focus on financial institutions, payments and retail. I work closely with engineering teams on implementing encryption and key management solutions, but I've also been working closely with the customers and partners on helping them achieve compliance and implementing security best practices.
SafeNet -- just a little bit about the company -- we are a global leader in information security. We protect identities, transactions, data and communications, and so we secure online financial transactions, payment information, intellectual property, networking communications, pretty much any sensitive information asset throughout its life cycle.
FIELD: So, Derek, data protection is the big issue today. When you think about financial institutions and data protection, what do you see is the biggest trend impacting these institutions?
TUMULAK: I think two large trends are happening today. One is man-in-the-browser and the other is data protection, really, from a data-centric protection. So, let me talk a little bit about man-in-the-browser. Essentially, it's a type of malware and is one of the largest growing threats to online banking services. Essentially, an end user's web browser is infected and the pages and the transaction content itself can be modified completely unknown to that end user. So, obviously that financial transaction can be modified, and it's obviously a very significant threat today to the financial services community. Financial institutions can actually counter some of these attacks by utilizing transaction verification, and that can be in the form of some kind of out of band transaction. So, picking up a phone and validating that a transaction has occurred properly. There are several other techniques as well, but I would say that is definitely one of the top of mind issues that the financial community is seeing today.
The other area, data protection and, again from a data-centric perspective, the way I view it is really the challenge of realizing complete control over all the information assets that exist within a financial institution. Now that may sound like a very large goal, but when you think about it: If you're holding information assets, whether it's credit card numbers, account numbers, customer information, it could be employee information, but when you're holding this information, there's really a responsibility to ensure that the information can't flow freely outside of the financial institution or into the hands of hackers, ultimately. So what I've seen is several banks are really taking a position on how to obtain that control and take a more serious look at where they are storing information and what they are doing to provide the necessary controls. Some of it is being driven by compliance, so PCI compliance is a pretty big area, but also by risk mitigation and security best practices.
FIELD: Well, Derek, that is a great overview of some of the trends, and as we look at the calendar today we're just over halfway through 2010. Broadly, what do you believe that financial institutions need to be doing today to prepare for 2011?
TUMULAK: So, looking at man-in-the-browser, really looking at what can be done to implement transaction verification, and along with that looking at stronger multifactor authentication solutions, so going beyond user name and password. Whether that's using an external device like a token that you plug into your computer, or if it's using your mobile handset as a means of authentication -- really implementing stronger security measures in the areas of transaction verification as well as authentication.
Then on the data protection front, as I mentioned earlier, is really gaining control of those information assets. Now, a moment ago I was describing that kind of high-level view of taking control of your data, but the important thing to understand is that the data lives everywhere. It could be in your databases ... could be on your file servers, then obviously end up on your laptops, but it can move out through email on to your removable media, so thumb drives. And of course it can leave the enterprise, so it can go up into managed services. Obviously, I think everybody around today has webmail accounts such as Google, Hotmail, and Yahoo. So all of these represent areas that information can move, and it's really up to the financial institutions to gain the necessary controls so that they can assure that the information doesn't move in an uncontrolled manner to some of these other locations.
Then at the last point, really looking at disaster recovery and business continuity, because you know implementing security measures is one thing, but you also have to be able to ensure that if there is a failure you can properly restore your systems. So I would say all of that is where financial institutions need to be looking toward as they move into 2011.
FIELD: Now I want to talk to you about some specific challenges now, or in some cases really opportunities. The first one is one you touched upon a few minutes ago, tokenization. What is important for financial institutions to know about tokenization?
TUMULAK: The way I view it is a new tool or approach to information protection or data protection. The basic idea around tokenization is rather than storing a credit card number as an example, because I think credit cards are really one of the drivers around tokenization -- particularly in the payment industry. But rather than storing a credit card number for example in a server database, what I do is I store a token. And what that token is: It looks like a credit card number, but it's not actually the true credit card number. So what that means is if I'm going through some kind of audit like a PCI audit, if I'm not storing the actual credit card number in that database, I no longer need to go through PCI compliance on that database server, which is very nice for many of our customers that we speak to. What happens is the actual credit card number is stored in another location, typically centralized, and the appropriate controls are put in place over in that database. So encryption, access control is put in place, and so the basic idea is if you have five or ten different systems that are storing credit card numbers or any other type of sensitive information, you can move that sensitive information away from those systems and move it into what we would call a -- some people call it a data vault, maybe a tokenization manager. But really consolidating all of those sensitive information assets in one place and applying the proper controls there. Obviously, it reduces audit scope and gives customers more flexibility in terms of how they deploy their applications. So let me give you an example. One thing that a customer can benefit from is if there is an application that is really just taking this credit card number and passing it along, it doesn't really care if it is a token or not. So you know that application is taken out of PCI scope, and no changes need to be made there. 
Now, the only thing I will say is that tokenization is not necessarily the silver bullet in all instances, but it is certainly a tool that can provide a lot of value to many of our financial customers.
FIELD: Another topic for you Derek, and it is one you hear come up an awful lot these days when you are talking with security leaders, cloud computing. What's important for financial institutions to understand?
TUMULAK: Absolutely. So, cloud computing or managed services -- whatever the term is nowadays -- obviously is a very large topic. This year at the RSA Conference in San Francisco, cloud was everywhere. So whether you're talking about software as a service, platform as a service or infrastructure as a service, a lot of it comes down to trust. So when you get into these managed services, the whole notion that comes into play is, "How do I know that I can trust this service provider that is giving me the service?" So if I'm a financial institution and let's say I want to store some of my information, like my backups for example, up into cloud storage, I'm really just using you know this service provider for storage capabilities. On the other hand, I might have something that is a little more advanced ... and think about it; the real challenge is that they're holding your financial institution's sensitive information assets. And how can you trust or ensure that the data that they're managing isn't necessarily compromised? Another thing that I've seen as well is when you go across country boundaries ... obviously, different countries have different regulation in terms of how data is managed, and so that definitely comes into play. If you're an organization based in the US or in Canada or some other country, you have to think about the legislation and the laws for each of those local governments.
So, a lot of implications when it comes down to cloud computing. I think the basic concept, coming back to the data protection topic that I spoke to a moment ago, is if you are really able to take a data-centric approach to locking down your data. So if you actually protect the data itself, and you make that the boundary, then your data can really flow anywhere. So out to another country, up in the clouds somewhere, because you don't necessarily know what a cloud provider is doing. You know they may store their information in some other geographic location. Obviously, you can have SLAs that you put in place, but really if you can take control of the data yourself, that puts you really in the best position when it comes to cloud computing.
FIELD: One last topic for you is one that I don't hear banking and security leaders talking a lot about, so I will be eager to hear your perspective. That is key management.
TUMULAK: Sure, so when I spoke a moment ago around data-centric protection or locking down your data or gaining control, one of the key elements or the key capabilities that comes into play there is really the concept of encryption. So if you encrypt your data and you move it up into the cloud or send it off into the ether somewhere, the basic idea is that you can't decrypt that unless you have the necessary key to unlock that information. So this is where key management comes into play. So this actually ties in very nicely to the previous topic, cloud computing, but key management has really evolved in the sense that historically people have had keys relating to identities. All right, so I'm a particular user whether I have a certificate, but now in the last, I would say five to 10 years, we've really seen key management evolve, and I'm starting to see it explode around data at rest protection. So, I've got storage systems, I've got files, I've got information in databases, and how do I manage all of the keys that are used to lock down and protect that information?
Obviously, we see each of the different systems, whether they're for identities, or if they are for databases or laptops, they obviously rely on some form of key management. And where I'm seeing the key management evolve is really toward an enterprise key manager. So, we're seeing certain standards evolve. So we're seeing a lot of action there and a lot of success actually in its early stages. There is also the IEEE 1619.3 standard, which is taking a little bit longer to get going, but we're seeing those standards are really going to help the industry move forward, so that financial institutions and other organizations can really better manage all of their keys centrally from one location.
But going back to your main point around banking, I started to see -- and I've traveled a fair amount internationally in the last couple of months -- and banks are starting to ask that question around key management. And it really comes down to the fact that they're trying to figure out how to lock down their data, and they completely realize that if they want to be able to properly secure their data through encryption, they also need a better approach to how they do key management.
FIELD: Derek, just one last question for you. We've talked about a lot of topics, and you've given us some great information. If you could boil it down to a single piece of advice, how would you counsel banking security leaders to best prepare for the challenges in 2011?
TUMULAK: I think going back to that concept or philosophy around taking a data-centric approach, so that you've got control of your data at all times. Part of the way that I look at it is it's really looking at the information lifecycle, so not really thinking about locking down the perimeter or locking down a storage system or locking down a network, but really thinking of the boundary as the data itself. So, from the point when I create data, if I create a Word document or an Excel spreadsheet that might have sensitive information, all the way through the point where I destroy the data, really ensuring that you have full knowledge and control and being able to report on who is accessing that sensitive information. That philosophy is where financial institutions need to be thinking as they go forward. You can't always predict what the next biggest hack will be in the financial community, but to the point earlier, if you're protecting the data, at least you'll have very fine-grained control over that information. There are a lot of disruptive technologies -- we talked about cloud computing, and a lot is happening in the mobile space right now if you look at, obviously, the new version of the iPhone, Android, Windows Phone 7 coming out later this year. With all of these new disruptive technologies, you never know what is going to happen next; actually locking down the data is really one of the best ways of solving a lot of problems that we are seeing today.
Then to add to it, I would really recommend thinking strategically in terms of this data-centric or data protection approach, really, so that your short-term, tactical decisions are at least influenced by your longer term goals. So if you're looking at implementing technology, you're thinking that longer term you really want to take that data-centric view that we've been talking about through this discussion.
FIELD: Derek, very good. I appreciate your time and your insights today. Thank you so much.
TUMULAK: Thank you, Tom.
FIELD: We've been talking about data protection and banking and security for 2011. We've been talking with Derek Tumulak, Vice-President of Product Management with SafeNet. For Information Security Media Group, I'm Tom Field. Thank you very much.
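The tokenization approach Tumulak describes in the interview (a centralised vault holds the real card numbers, every other system handles a look-alike token, and only the vault needs the strong controls) can be shown in a few dozen lines. The block below is an added illustration written for this page; it is not SafeNet's code and is not part of the interview. The vault key, the application names, the role allowed to detokenize and the test card number are constructed for the demo, and the in-memory dictionaries stand in for the vault's encrypted database.

```python
# Added example, not from the interview or from SafeNet: a minimal tokenization
# vault. Card numbers (PANs) exist only inside the vault; downstream systems
# store and pass along a token of the same shape. Keys, caller names and the
# sample PAN are constructed for the demo; real deployments keep the key in a
# key manager/HSM and encrypt the vault's storage.
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check: accept only plausible PANs, and reject any generated token
    that would itself pass as a valid card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The single place where real PANs live; everything else sees tokens."""

    def __init__(self, vault_key: bytes, allowed_detokenizers: set):
        self._key = vault_key                 # constructed demo key
        self._allowed = allowed_detokenizers  # callers permitted to see a real PAN
        self._by_token = {}                   # token -> PAN
        self._by_pan_index = {}               # HMAC(PAN) -> token, so one PAN maps to one token
        self.audit = []                       # (caller, action, token) for reporting

    def _index(self, pan: str) -> str:
        # Keyed index: lets us find an existing token without a second plaintext copy.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Same length as the PAN, last four digits kept for receipts/display,
        # random middle: nothing in the token derives from the real number.
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            if token != pan and token not in self._by_token and not luhn_valid(token):
                return token

    def tokenize(self, caller: str, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        idx = self._index(pan)
        token = self._by_pan_index.get(idx)
        if token is None:
            token = self._new_token(pan)
            self._by_token[token] = pan
            self._by_pan_index[idx] = token
        self.audit.append((caller, "tokenize", token))
        return token

    def detokenize(self, caller: str, token: str) -> str:
        # Access control lives here, at the one system that holds real data.
        if caller not in self._allowed:
            self.audit.append((caller, "detokenize-denied", token))
            raise PermissionError(f"{caller} may not detokenize")
        self.audit.append((caller, "detokenize", token))
        return self._by_token[token]


def demo() -> dict:
    """Walk through the interview's scenario: checkout tokenizes, a pass-through
    app stores only the token, reporting is denied, settlement may detokenize."""
    vault = TokenVault(secrets.token_bytes(32), {"settlement-gateway"})
    pan = "4111111111111111"  # constructed test number
    token = vault.tokenize("checkout-app", pan)
    order_record = {"order": 1001, "card": token}  # out of PCI scope: no PAN here
    try:
        vault.detokenize("reporting-app", token)
        denied = False
    except PermissionError:
        denied = True
    recovered = vault.detokenize("settlement-gateway", token)
    return {"token": token, "order": order_record, "denied": denied,
            "same_token": vault.tokenize("checkout-app", pan) == token,
            "recovered": recovered == pan, "audit_entries": len(vault.audit)}


if __name__ == "__main__":
    print(demo())
```

The two design points worth noting are that the token carries no information about the PAN beyond the last four digits (it is random, not encrypted, so there is nothing to brute-force from the token alone) and that the authorization decision and the audit trail sit in the vault rather than in each calling application, which is what lets the pass-through systems drop out of audit scope.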