Banking on security

The Middle East banking and finance industry has never been under more pressure than it is now. NME looks at the measures organisations have put in place to protect their valued assets and what they plan to do over the next twelve months.

By Sean Robson. Published February 3, 2009

Amidst the financial crisis that has engulfed the region and the world in recent months the banking and finance industry (BFSI) finds itself under immense pressure. As organisations struggle to survive the crisis, IT budgets are bearing the brunt as they are drastically reduced.

However, IT security might weather the storm of budget cuts better than other areas. Following the series of high-profile attacks on many institutions in the recent past, IT managers have been working to keep their security on high alert.

As more data is made available and shared electronically between banks, customers and businesses, the cost of security will increase, both financially and in terms of human resources. The challenge has always been balancing security with accessibility and usability.

"We have seen a number of major attacks on banks in recent times and even towards the end of last year there was a real scare with the attacks on customer accounts. Security in banking has become one of those things that may not have been held to be very important four years back, but has of late become very important," says Paul Sherry, regional director at F5 Networks.

While budget cuts are sweeping across organisations, banks find themselves having to look at how to best upgrade and protect their internal and external data with limited scope for investment.

Putting up barriers

The security issues that BFSI organisations face are unique given that they deal not only with their own internal information, but interact daily with multiple customers. This complicates not only security investments, but also managing and maintaining them across physical as well as digital arenas.

Physical security cannot be underestimated when protecting a banking organisation's assets. In a typical financial institution, physical security at the customer level includes everything from cameras at ATMs to fingerprint scans when customers access online accounts.

Internally, as awareness increases of the growing incidence of attacks from within organisations, IT managers are forced to increase preventive measures from the desktop to the datacentre.

"The location of our datacentre is very secure, it's buried under ground and you can only gain access after passing by a security guard and then through the access doors. This is coupled with surveillance cameras within the room," says Mohammed Al Khatib, chief information officer at the Amman Stock Exchange.

Al Khatib also points out the fact that the datacentre is immune to bombs and missile attacks, while also being equipped with fire resistant doors and fire fighting equipment.

Srood Sherif, chief information officer at the National Bank of Abu Dhabi (NBAD), also believes in the necessity of establishing a wide swathe of controls. "The physical access is controlled through multiple layers, including amongst other things, physical card technology," he explains.

"In terms of physical security what you usually see is a form of access control that is typically done via picture tags, and for the datacentre a pin or password can also be used. This is for smaller datacentres; the bigger ones need to have even more stringent security safeguards," adds Dino Ganda, EMEA IT manager at a major international bank.

Biometrics, largely related to fingerprint and iris scans, have been gaining in popularity over the last few years, both at the client and datacentre levels. More recently, BFSI organisations have been considering these technologies even for customer-level access checks. However, many IT managers, like Sherif and Al Khatib, remain unconvinced of their viability, though interested in the possibilities of the solutions.

Sherif says, "If the solution can provide clear and tangible benefits we will definitely consider it. Having said that, we believe that iris technology is still not very practical and user friendly for banking applications. We always have our customers in the back of our minds when we select solutions to ensure that they are practical, simple and acceptable to our customers."

"We have been looking into identity access and, in my opinion, the products available on the market on a mass scale are still not good enough. Retinal scans still have to be stored somewhere and if you can provide that as a feed then you can steal somebody's retinal identity. Biometrics is in the end still a digital process and digital products can be hacked and stolen," warns Al Khatib.

Digital warfare

Even if physical security is handled with any success, IT managers will still be left to face the arguably more difficult prospect of defending their digital and network security.

According to Al Khatib, there are a number of different aspects to digital security that need to be considered.

"The first aspect is network security and we have two layers of firewalls by different manufacturers. I personally consider the trick of digital security to be in the design. If the design is very well thought out, so well that you would need an insider with prior knowledge to penetrate it, without which breaking the network would take too long or remain impossible, then your work is well done. Apart from the network we also have security on the databases we use, along with necessary security on the applications," Al Khatib says.

Sherif is hesitant to reveal much of what he has put in place but states that security is part of all systems and that NBAD believes in implementing and adopting most of the best practice standards in the industry.

3108 days ago
John Du Bois

I read with interest the approach to securing BFSI organisations but wish to point out that there was no mention of Enterprise WAN encryption, which is where many cybercriminals gain entry and then legitimately enter via the firewall. Most organisations still believe that Fibre Optic cable is safe and/or Dark Fibre and it's all a myth. Check out www.Senetas.com and see a video we did 3 years ago. This is not difficult. I would like to see an extension of Enterprise WAN hardware encryption that is accredited across FIPS and Common Criteria (EAL) to the highest level securing these networks. The cost of doing so is surprisingly low.
