The Virtual Bank Vault
Aug 1, 2006 12:00 PM, By Sandra Kay Miller
Walk into a bank and, chances are, you will see the standard vault, complete with massive steel door armed with thick, cylindrical pins. Unseen are the walls of steel-reinforced concrete surrounding the remaining sides and the infrared motion detectors. But they are there.
Today, bank vaults are used mainly for customer safe deposit boxes and storing teller money trays at the end of the day. The real assets, often billions of dollars worth, reside online in the company's data center. With a strict regulatory environment, financial institutions are taking few chances when it comes to protecting customer assets, whether they are in the data center or the vault.
The first step to creating a secure data center is location. One corporate security officer (CSO) for a Wall Street financial institution — who helped oversee the building of her organization's new live data center — stressed the importance of the right geographical location. “9/11 proved to us that locating our facility in a major metropolitan area was risky,” comments the CSO, who asked not to be identified. “Then Hurricanes Katrina and Rita demolished the Southeast. The west coast was out due to seismic concerns, and the Midwest was nixed because of tornados. It was difficult deciding on a location that would meet our initial geographical safety requirements.”
Other factors often taken into consideration are proximity to major highways, railroads, power plants and industrial facilities handling toxic chemicals that could warrant extended evacuations in the event of either a natural or man-made disaster.
“The physical security needs of a data center have not changed much over the years and relate primarily to availability — avoiding fires, getting crashed into from vehicles and natural disasters,” explains a chief information security officer (CISO), who works for a national insurance corporation. “There's a fair amount of hype in the post-9/11 physical security environment for data centers. The reality of the situation is the rate at which these types of events occur has not changed dramatically over the years in the United States.”
In the Data Center Physical Security Checklist published by the SANS Institute (www.sans.org), airports, prisons, stadiums and parade routes are also considered inappropriate neighbors for a data center.
Fires, floods and terrorist attacks aside, financial institutions are integrating advanced security features into the physical structure of their data centers. Similar to bank vaults, walls of the building itself can be more than a foot thick. SANS even recommends Kevlar lining for extra reinforcement.
And advertising should be left to the main offices and branches. Large lighted letters of the organization's name along with the words “Data Center” on the side of a building are unacceptable. “That's like painting a bull's eye on your organization,” says one CSO, who eventually sold the design team on making the data center as nondescript as possible with landscaping to shield perimeter fencing. Although keeping a low profile was a key checkpoint, always-manned guardhouses are located at each entryway through the fence. Inside any of the guarded entrances, digital surveillance cameras monitor all areas outside of the building. Video feeds can be monitored from both on-site and off-site locations. During non-business hours, infrared motion detectors for building entrances are enabled, and physical access is restricted to specific personnel.
Financial organizations are now tightly bound by regulatory compliance requiring extensive audit trails showing when resources have been accessed and by whom. Given the digital nature of data centers, a logbook sign-in at the gate and main building entrance no longer gives an accurate view of who is actually touching the resources in a data center.
“Every day, thousands of our customers conduct online transactions. They are reaching into our data center from all over the world,” the CSO says. To differentiate among customers, employees and outsiders, financial institutions are embracing new technologies for access control, which entail detailed logging capabilities. Increasingly, these technologies are integrating both physical and logical security.
Witnessing the trend has been Suneet Shah, chief technology officer and architect at Diamelle Technologies (www.diamelle.com), a New York-based company that provides IT services to financial institutions such as Morgan Stanley, Deutsche Bank and Salomon Smith Barney.
“The infrastructure we have built for logical security has translated into protecting physical resources as well,” Shah says. That means integrating access to applications as well as physical resources through the use of smart cards, tokens and network-based authentication.
Robert Ross, vice president of Network and Technical Services and CSO for Data Center Inc. (www.datacenterinc.com), a bank technology company headquartered in Hutchinson, Kan., also sees financial institutions moving toward higher-level security and access measures. He points to strong areas such as the linking of physical and logical access and increased surveillance.
Ross explains that financial data centers are increasingly linking a person's physical location to the resources that he or she can access. For instance, a person's card key that enables access to the facility is tied into the network security environment. This means if they have not accessed the building with their security card, they will not be able to log on to the system. “The physical and building security are going to be tied into the Microsoft Domain security or whatever security environment they are using in their network,” Ross predicts.
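The badge-before-logon rule Ross describes can be sketched as a fail-closed check. This is an added example, not code from the article or from any vendor named in it; the event format, user names and the 16-hour staleness limit are assumptions.

```python
from datetime import datetime, timedelta

# Constructed badge-reader events (timestamp, user, direction); not real data.
BADGE_EVENTS = [
    ("2006-07-31T08:00:00", "carol", "IN"),   # never badged out the day before
    ("2006-08-01T07:58:12", "alice", "IN"),
    ("2006-08-01T08:03:40", "bob", "IN"),
    ("2006-08-01T12:01:05", "bob", "OUT"),
]

# Assumed policy value: a badge-in older than this no longer proves presence.
MAX_PRESENCE = timedelta(hours=16)


def last_badge_event(user, at, events):
    """Return (time, direction) of the user's latest badge event at or before `at`."""
    latest = None
    for ts, who, direction in events:
        when = datetime.fromisoformat(ts)
        if who == user and when <= at and (latest is None or when > latest[0]):
            latest = (when, direction)
    return latest


def authorize_logon(user, at_iso, events=BADGE_EVENTS, max_presence=MAX_PRESENCE):
    """Decide an on-site logon; fail closed unless a fresh badge-in is on record."""
    at = datetime.fromisoformat(at_iso)
    latest = last_badge_event(user, at, events)
    if latest is None:
        return False, "no badge record"
    when, direction = latest
    if direction != "IN":
        return False, "badged out"
    if at - when > max_presence:
        return False, "badge-in is stale"
    return True, "on site"


if __name__ == "__main__":
    for user, at in [("alice", "2006-08-01T09:00:00"), ("bob", "2006-08-01T13:00:00"),
                     ("carol", "2006-08-01T09:00:00"), ("dave", "2006-08-01T09:00:00")]:
        print(user, at, authorize_logon(user, at))
```

Recording each denial together with its reason also feeds the access audit trail described earlier in the article.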
Although biometric devices such as fingerprint and eye scanners are becoming popular, Ross sees an increase in the use of smart cards and key-fobs. The Federal Reserve (www.federalreserve.gov) currently uses a USB access key as part of its authentication, allowing employees access to the Fedwire Funds Transfer System. The real-time gross settlement (RTGS) system enables participants to make final payments in central bank money.
Ross foresees this model extending into banking customers who are virtually reaching into the data center. “If you're an Internet banking customer and your bank issues you an Internet account, they are obligated to be able to offer you some level of multi-factor authentication other than login and password,” Ross says.
The second area Ross observes growing in data center security is the proliferation of network-attached surveillance cameras. In addition to allowing data centers to simply plug a camera into an available Ethernet jack, such a system also lets the image feeds be viewed and stored at a centralized location. Taking IP-based surveillance monitoring a step further, Ross shared how one financial organization integrated its camera feeds into desktop applications running in conjunction with banking applications.
IP-based data center monitoring equipment available today also includes HVAC controls, fire suppression equipment, water detection systems and power controls.
A CISO from an insurance company, who asked not to be identified, views technology differently. “I don't generally have a lot of interest in products because I think the real issue lies at the people and process level. The tools can be better or worse in terms of ROI, but it all boils down to a person making a decision and as long as that's true, that's the point of failure,” he says.
EDITOR'S NOTE: This article quotes anonymous sources because many of their institutions have written policies against publicly discussing corporate security practices.
© 2008 Penton Media Inc.







