Mobile Security Case Study
Bank Focuses on Secure File-Sharing
When a Massachusetts bank implemented a file sharing application for mobile devices, it chose to host it internally rather than outsource it to a cloud provider to improve security.
Banks must decide if they're "going to be a vendor management shop or an IT shop," says James Gordon, a vice president at Needham Bank, in an interview with Information Security Media Group (transcript below). "Is it technology we manage, or is it vendors we manage? The lines are being drawn along that framework, and I'm going to be on the technology side. I believe the vendors have not vested enough interest in my own security."
Ensuring secure file-sharing is a top priority for Needham Bank because its employees rely heavily on mobile devices to get their work done, Gordon explains.
The bank needed software that could allow it to integrate its iOS mobile devices with legacy file-sharing systems, such as Microsoft's SharePoint, as it ramped up content collaboration, he says.
"We learned it's more about managing content than managing the device," Gordon says. The bank chose a secure mobile content collaboration and file sharing application from Accellion, which it manages internally under the brand NB Exchange.
During this interview, Gordon discusses:
- Why companies need to ensure secure file-sharing when using mobile devices for work;
- Why 2014 will see an explosion of content collaboration activity over mobile devices, which will require specialized security measures; and
- Why banking institutions should be leery of outsourcing to the cloud.
Gordon, who serves as the bank's first vice president, joined Needham Bank in 2007. He focuses on implementing technology initiatives that positively impact lines of business, the customer experience and the bottom line. Previously, he served as network administrator of South Coastal Bank.
Mobile Device Challenges
TRACY KITTEN: Can you give our audience some background about the challenges that your institution faced where mobile device security and file sharing are concerned?
JAMES GORDON: Well, very early on we were an early adopter of the iOS platform, iPhones in 2008 and iPads in 2007. So we have been on the frontlines for the battlefield of deploying those devices, and utilizing them in different capacities. Certainly first was the low-hanging fruit of just e-mail. Currently, we're having more and more discussions about how to have more committee meetings over iPads, how to be taking notes over iPads, how we can use these for more than just an e-mail device. So, as that shift started to happen, we had to react in tandem and make sure we were able to satisfy those users. We have researched a number of different solutions to satisfy the file sharing requirements, collaboration requirements, and really I see the whole world going mobile in terms of collaboration.
SharePoint was a great tool for its time, but still people were relegated to their desks. Now with the advent of things like, well, what we use internally is Accellion, it really lets people free up their time and [meet] the requirements from a BYOD perspective. We really slowed down on managing the devices and have really picked up our game on managing the data and the content, which is where all the risks are. There is no risk inherently in the device, but depending on the data that is on the device, that introduces risk.
BYOD Policies
KITTEN: What types of policies does your institution have to address from a BYOD perspective?
GORDON: It really runs the gamut of brokering that deal with the end user of what they can do, what they can't do, what we can do as the bank, what we can't do. First and foremost are things like, who is responsible for the device? If it gets run over, if it gets broken, if somebody takes it to the gym, that's no longer our responsibility, and the end users know that. It used to be in past years the end users would break a device off-hours and then expect the IT department to replace that. Fast forward to now, we made it very clear that we're going to pay for the initial device type, but should something happen, accidents or damage unrelated to the bank, those are not our concerns anymore.
And some of the other policies that we've enacted have given the users a moment of pause if they didn't quite understand them. For example, we have a wireless network here at the bank, and that wireless network is protected with certain sites you can get to, certain sites you can't get to. We still want to be productive, and when these phones are on the bank's wireless network, we do that to augment their own data charges. They are not incurring a data charge per se while they are at the bank because they are on this wireless network, but there are certain things they can't get to.
A good example of that [is] I had a user that came to me and he wanted to look up last night's lottery and that was blocked due to gambling. I very easily explained to him that it's blocked due to gambling. But if you were to walk away from the bank, step out of the bank's doors for example, that wireless network is no longer present and you'll be able to get to that gambling site or be able to look up the lottery numbers very easily. It's just that during banking hours, when you are on the bank's network, using a bank's subsidized device, you're not going to be able to get to that content. But we're not going to restrict that content when you are off the premises, at home, doing whatever you want to do. That is up to you and what you want to pay for. So those are some examples of things we've looked at, and certainly managing the data in the devices without telling people what apps they can and can't have. But we say, "Here, if you do have a bank-owned app, here is how the bank-owned apps are going to function and here is how they are not going to function." That has been key to having a good adoption; letting people know exactly where the boundaries are and what we can and can't do.
Compliance Issues
KITTEN: What types of regulatory and/or compliance issues did you have to consider?
GORDON: The biggest thing is can we erase the user's phone? Can we, should we, will we, won't we? The net reality of that is, we probably can't erase the user's phone, nor do we want to erase the user's phone. Most importantly, we don't need to erase the user's iPhone anymore. We'll certainly have policies from a compliance standpoint, we call them lost or stolen policies, which are if the device is lost it will initiate erasing after "x" number of failed passcode attempts. That is not the IT department erasing the phone, but the end user has lost control of their device through some means, no longer remembers their password to get back into the phone, and thus something else happens to erase the phone. No longer when people terminate employment will they be erasing their phones or their iPads, but now we have the capability to essentially do what is a selective wipe. We remove the applications the bank has installed on those. They are bank-sponsored applications, and thus that separates any ties back to the banking systems and separates the data in essence. Those are the chief regulatory concerns that people have had. We've been through many audits and have had no problem. They pretty much understand why users don't want to carry around two phones anymore, so the need for BYOD is very clear. It is just determining where that separation is and who is responsible for what situation.
Mobile Content Collaboration
KITTEN: Now Needham opted for a secure enterprise solution. Can you explain a bit more about this solution?
GORDON: The solution is called Accellion. We actually renamed it and rebranded it ourselves ... to call it NB Exchange, Needham Bank Exchange. The solution does many things, actually, but one of the things it does, and one of the chief reasons I bought it, was it played very nicely on the iPhones and iPads, and had a very strong tie-in to our existing MDM partner, MobileIron. Essentially what happens is mobile content collaboration and file sharing. So users who have the app on their iPads or iPhones have essentially all the same file access that they would just as if they were sitting in front of the computer in the classical LAN/WAN scenario, except they are mobile and wireless; free to do what they want.
Where Accellion comes in is we're able to containerize that content and make sure there are policies and rules so that content can't be exfiltrated to other unknown third-party applications. When the content is in the iPhone or iPad, they can edit the content just as they would in Microsoft PowerPoint, Microsoft Excel or Microsoft Word. Accellion has applications that are fully compatible with that right down to the track changes features. So a user could still be accessing it in the mobile world, in the physical world, and it will behave very, very similarly.
Additionally, one of the things we found a lot of strength in is PDF annotations. We have a lot of committee meetings and need to actually share the same PDF, or sets of PDFs, that we're all going to take notes on and then destroy shortly after the meeting. But now we're able to do that electronically. Not only does it save some paper and time, but it really eliminates that last-minute rush to the copier where 30 people are all going to print out that same 30- or 40-page document. Now they can just grab it on their iPad, review it, and then when the meeting is done, they can just securely delete it. So there are some cost savings of the paper, but really the time efficiency of not having that last-minute copier scramble.
Legacy File System
KITTEN: So how did this solution that you chose address integration concerns with legacy file systems such as SharePoint?
GORDON: One of the reasons I chose it is it's a data-anywhere product. They have something they call workspaces, and that's their own proprietary sharing technology. It actually plugs right into SharePoint, and for anybody that has an existing SharePoint repository, it just reflects that right on to the iPad or iPhone, or [other type of mobile device, including Android]. So there is no extra work to do and it doesn't create more data silos. It actually, for us, eliminates a lot of the data silos and gives us a single pane of glass where users can, if the document is in SharePoint, pull it up. If the document was in a native Windows file share and they had access to it before, then in the mobile world and the Accellion world they will have access to it then as well. For us it's a single pane of glass where they can look at their documents, whether they are in SharePoint, on a file share or in a traditional Accellion workspace.
Hosting Locally
KITTEN: Were there any third-party risks that you had to address from a vendor management perspective?
GORDON: Well, for us, one of the things I'm very strong on and one of the things I am encouraging a lot of my peers to do is, instead of outsourcing the risks via a cloud provider, to build their own internal cloud. There are a lot of things that are going to be attractive to some banks, and they'll want to use and leverage these services that are basically a third-party cloud risk. For us, it was about finding a partner that [would enable us to] have software installed in-house, where we didn't have to ... look at the cloud computing guidelines because this is an on-premises solution. So that was huge for us, finding the solution that was feature-rich, allowed us to do all the things we wanted to do, gave us control of the data, and still made us responsible from a risk management standpoint without outsourcing it to a third-party IT provider like Dropbox. You can't outsource risk. I would rather have the data in-house and know exactly what's going on with it myself, so that was key.
In-House File Sharing
KITTEN: Did you consider any options for managing file sharing in-house?
GORDON: With the file sharing technology, there are not a ton of vendors that have been in the game as long as Accellion has. My prediction for 2014 and 2015 is an explosion of content collaboration. Everybody now has one of these [mobile] devices and they are [asking]: "We've done e-mail, now what? Now where does the rubber meet the road?" CIOs are going to be wise to look to content collaboration as the next logical alternative to say, "Well, OK, here we go. This is what we're going to do next."
Vendor Management vs. IT Shop
KITTEN: What final advice would you like to offer to other institutions?
GORDON: Pick your partners wisely. Make a decision early on if you're going to be a vendor management shop or if you're going to be an IT shop, because that is the decision that is going to loom for a lot of CIOs in the coming 18 to 24 months. Is it technology we manage, or is it vendors we manage? Because the lines are being drawn along that framework, and I'm going to be on the technology side. I believe the vendors have not vested enough interest in my own security, as we can see from some of these recent breaches, Target or any others. It's incumbent upon every CIO to manage their security risk and vendor risk. For me, I'm going to try to choose a solution first that puts the software in-house and then manage it from there.