Banking on security

Commercial Bank of Dubai (CBD) follows stringent processes for its security investments to ensure that threats do not compromise the bank's network.

By Sathya Mithra Ashok, published November 8, 2008


Being a bank in the Middle East is never easy. A financial institution there must not only juggle the varied wants and needs of communities from different parts of the globe, but also stay constantly alert and protect itself against the differing usage patterns those communities bring.

Following the recent spate of ATM frauds affecting banks across the UAE, most financial institutions have stepped up their security procedures. One bank that claims to have stayed consistently ahead of this trend, simply because it planned its security measures from the beginning, is the Commercial Bank of Dubai (CBD).


"We are a bank - a proper, local bank. We have 25 plus branches and around 1300 employees. And we have, you can say, a mixed Windows and Unix environment that supports all the critical systems and all the core banking systems for our bank," says Rinaldo Ribeiro, head of IT security at CBD.

"We have a central datacentre, from where we provide all the services to the branches and to the business. This is located in the headquarters in the office.

So in this primary datacentre we have centralised all the IT infrastructure and main servers, and services are being provided through our head office. For disaster recovery, we have a site in Sharjah, which is up and running.

We have also invested in several back-up solutions, including SAN systems, to ensure that our data remains secure," adds Ribeiro.

CBD prides itself on planning for, implementing and offering the highest levels of security to customers, and its employees.

"We handle everything related to security in a risk-based approach. We need to identify first what the top risks for the business are and we need to provide controls accordingly.

And this process will include looking for the best products, vendors and the best infrastructure in terms of the technology that we have available in the market.

When it comes to internet access for example, we have to provide all the services through the internet and these have to be done with the right kind of controls. We have to provide the best service to the right person while at the same time keeping all these services secure," points out Ribeiro.

He continues: "This is done, as I said, using a risk-based approach where we see what is the risk of having these services and what kind of controls we should put in place to have that service up and running.

This is done across several areas. So we have risk management processes and we do have priority projects in terms of implementation of controls for the whole year. And this is basically how we do it."

The bank works on risk management as a continuous process. It has various processes and different technologies deployed just for this.

Whenever a solution is judged necessary for the business, or a new technology is introduced, the bank's security staff identify the controls that are required and that should be in place from the first day of the project.

What's more, they check that those controls are being properly implemented. The security team also defines technical standards and checks compliance with them.

In this fashion, the bank has controls in place for the different technology streams in use within the organisation including servers, databases and so on.

The IT team, and the security team within it, bring strict procedures to the table when selecting the vendors to work with for various solutions.

"The benefits and the price of the solution are key factors. Another major factor is the local support and presence of the company or the group in the region. We look at similar cases and projects done, experience in the region and also how good their teams are.

We do not consider a company if it has few projects or no experience and no consultants in the region. We try to identify, whenever possible, the solutions that are being globally implemented, especially when it comes to newer solutions.

At the same time, we might find very good solutions but no local support, through partners or even through the vendor's office here. Again, this is a risk-based thing.

I mean, we always question ourselves - do we really have to deploy that solution? Do we really need to select that partner or is it just another buzzword that everybody is talking about? Do we really need to implement that particular control or solution?" says Ribeiro.

Safe access

With all these processes to guide them, CBD has been at the forefront of security implementations for some time now. One example of this is the enterprise single sign-on solution that was implemented by long-term partner Paramount Computer Systems in 2007.

"The main reason for the solution was to have more control over password and policy management, as well as access to core systems. The average pattern will be the normal user with five to ten different passwords to remember and use on a daily basis.

So there is a network password, with various policies attached to it, and core systems and package systems and other systems. Each and every system would be asking for a password and maybe a change of password every ten days. Each of them will have a different kind of password as well - eight or ten characters long - and so on," says Ribeiro.

"So the complexity of the access required for different systems would require a normal user to remember many passwords and remain compliant to different policies.

And this might possibly cause some problems when it comes to selection and recall of passwords, as well as access to other systems. So you might find people sharing their passwords, you might find people using the same passwords in many different systems and causing at the end of the day a problem for the security of the bank," he adds.

"With enterprise single sign-on, we try to provide one single set of credentials, with which users can have the right access to the system. Of course, these credentials should be very strong, because if you compromise this access, you will be compromising all the other access to all the other relevant systems.

So what we have done is basically implement single sign-on with one time passwords, in the form of time based tokens combined with fingerprint analysis.
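The passage above explains why the single set of credentials behind SSO must be strong, and that CBD chose time-based one-time passwords for it. The following is an added example, not code from CBD or Paramount Computer Systems, showing how a server verifies such a time-based token (RFC 6238 TOTP on top of RFC 4226 HOTP) and why a captured code cannot be reused. The secret, the 30-second step and the one-step drift window are assumed values.

```python
"""Time-based one-time passwords (RFC 6238) with replay protection.

Added example (not the bank's or the vendor's code). Standard library only.
"""
import hashlib
import hmac
import struct

TIME_STEP = 30      # seconds per TOTP step (assumed value)
DIGITS = 6
WINDOW = 1          # accept +/- one step of clock drift (assumed value)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Server-side check: correct code within the drift window, each code usable once."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, window: int = WINDOW):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1   # highest time-step counter already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue            # that step was already used: a replayed OTP is rejected
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed; real tokens are seeded with random bytes
    verifier = TotpVerifier(secret)
    t = 1_700_000_000
    code = totp(secret, t)
    print(code, verifier.verify(code, t), verifier.verify(code, t + 5))   # second use fails
```

The replay check is what makes the token "one time": a code observed over the shoulder or in a log is worthless once its time step has been consumed, which is not true of the reusable passwords the SSO project replaced.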
