Features

December 2005

SPECIAL FOCUS: MSPs/INTEGRATORS

Bank outsources security to the cloud

Service provider option reduces costs, provides technology flexibility and covers compliance requirements.

Ken Emerson was concerned. As director of strategic planning and CIO of Boiling Springs Savings Bank in Rutherford, N.J., he needed to address a host of regulatory compliance issues, especially regarding the security of the bank’s sensitive data. A Level II Statement on Auditing Standard (SAS 70 Type II) review was required, for example, in order to be in compliance with regulations such as Sarbanes-Oxley and Gramm-Leach-Bliley.

An SAS 70 Type II is a specialized audit that verifies a company’s operational and internal controls over the processing of user transactions. Boiling Springs Savings Bank had the choice of engaging an independent firm to conduct a review, at the bank’s expense, or of doing business with a company that already had one in place. At the time, Emerson was working with an ISP that had security offerings but did not have an SAS review in place.

Boiling Springs, a $1.1-billion thrift with 14 locations in northeastern New Jersey and five people on its IT staff, also needed to engage an independent firm to conduct an annual penetration test of its networking environment. In addition, the bank wanted increased protection for its entire network infrastructure from the ever-growing occurrence of IT security threats and to minimize risk to its business.

Emerson decided to embrace a security-in-the-cloud approach, working with managed security services provider (MSSP) Perimeter Internetworking to meet these requirements.

“Security in the cloud makes a lot of sense for us,” says Emerson. “The security game is one of constant catch-up to stay ahead of the latest threat or compliance requirement, and outsourcing is a good solution to this. Our security-in-the-cloud provider has experts on staff that have to think like thieves and prepare for the worst.”

For Emerson, convincing the bank’s management and board that this was the best solution was not hard to do.

“We could show benefits clearly,” he comments. “We saved on full-time staff costs, security technology and network integration costs, and on the required penetration tests. We easily met the SAS and FDIC examination requirements, showing a positive ROI on this investment. Our board quickly bought in on the concept of having security in the cloud in place as an insurance policy.”

Emerson considered traditional MSSP solutions involving CPE monitoring as alternatives to the security-in-the-cloud approach. After evaluating them, he decided that their services became out of date too rapidly. He found that with these alternatives he would still have to provide the staff time to install and maintain the CPE and then weed out false positives. The provider also did not fulfill his requirement for an SAS 70 Type II review or meet any other compliance requirements.

“We selected Perimeter because they had been examined by the FDIC, had conducted their own SAS 70 Type II audit and because they did their own penetration tests,” Emerson says. “Because I use service bureaus, there was a concern that someone could get into my network. So we were looking for a more complete, overall network security solution.”

The bank connects to Perimeter for all of its inbound and outbound traffic. Perimeter filters the bank’s data traffic and returns clean bits in both directions. Using its Business Aware Infrastructure, Perimeter sets up policies and assesses risks based on the importance of various elements of the bank’s business, not the technologies used in its network.

The bank has centralized network configuration, with a dedicated frame relay connection to Perimeter from its headquarters. In a hub-and-spoke architecture, each branch also has a dedicated frame connection to Rutherford. The bank also opted to use Perimeter as its ISP and had Perimeter implement a secure VPN tunnel for it rather than a direct connection into the security infrastructure.

Boiling Springs implemented Perimeter’s intrusion-detection services, including network IDS, VPN remote access, secure Web hosting, spam filtering, hosted e-mail, IP masking and reporting features. Perimeter also provides the bank with multilayered Checkpoint firewalls and signature-based, anomaly-based and behavioral intrusion-detection and intrusion-prevention services to detect aberrant behavior and guard against professional hackers. This includes spam filtering and a third level of defense against spyware, Trojans, viruses and worms. In addition, the bank outsourced its e-mail, e-mail archiving and Web site to Perimeter, and is using Perimeter’s gateway e-mail defense and antivirus.

The bank uses Web content filtering to stay on top of employee utilization of the Internet. It receives real-time reports from Perimeter showing employee activity on the Internet.

“One of the benefits of using their IDS system is the ability to monitor the performance of our various data pipelines,” Emerson comments. “This enabled us to identify and exclude points of possible congestion impacting network performance.”

Access to this security utility infrastructure provides the bank with access to a broader range of security technologies. It can take advantage of a layered security defense because it does not have to standardize on a single technology.

Emerson estimates that the bank saved approximately $20,000 per year on Perimeter’s services compared to hiring an IT security expert and engaging independent firms to conduct the penetration tests.

“There is no way that any but the largest of banks or businesses could afford to build this type of world-class Fortune 500 infrastructure, plus three shifts worth of trained security experts,” he adds.

For more information from Perimeter Internetworking:
www.rsleads.com/512cn-256