Carol Wheatcroft | The Asian Banker | 12APR2012
Traditionally financial institutions have placed the highest emphasis on avoiding data security breaches especially beyond the perimeter of the four walls of the bank. Known as the perimeter based approach, the stress has been to ensure that no matter how data is accessed – by mobile devices such as laptops, by customers accessing the bank by logging into accounts or, through the use of cloud computing technologies - data is transported in a secure fashion. In other words the security focus has been the transport of data from the perimeter to the destination by relying on encryption technologies such as Internet protocol security (IPsec). But this still leaves the data inside the organisation unencrypted and prone to breach.
A new data centric approach that addresses this issue is gaining some ground. Called the data-centric model, the focus is on encryption at the data level rather than on data transportation methodologies including when mobile devices such as laptops and smartphones are used. It ensures that any sensitive data is encrypted whether it is in transit or at rest within the walls of the bank. This approach means institutions need to identify and classify the types of data that they handle in terms of its sensitivity and the losses that could result if it is divulged. In return organisations no longer have to manage and detect data when it leaves the organisation as it is already secure.
This has significant implications. If financial institutions are able to manage encryption at the data level it makes delivering products to the increasing array of mobile devices less risky and the cost and time saving benefits of technology deployment through cloud computing much more appealing. Chief Security Officer’s current concerns about data breaches by customers and third parties with the subsequent reputational impacts are significantly reduced. The loss of encrypted data carries far fewer ramifications than the loss of un-encrypted data from a laptop, smartphone or data hacked from servers.
So why are more financial institutions not rushing to encrypt their data? The reasons are wide and varied and not least because of the time and effort required to locate, trawl, classify and encrypt the huge amounts of data held by financial institutions. Furthermore there is a perception that many encryption solutions are too difficult to use or that they require too much user involvement.
Are such concerns grounded in fact? Encryption solutions have become more user friendly as suppliers have understood and tried to address the concerns of the financial service industry. For example, Singapore-based Rune Information Security, based their R&D approach on the premise that people creating sensitive data should be empowered to protect it. The resulting product, Deadbolt, is made directly available to the creators and users of sensitive data. When asked why they think this is a better approach, Lance Gaines, president-CTO at Rune Information Security Corporation stated that “Rune’s thinking is that when someone creates sensitive data they should be a part of securing it; they should not just trust their IT departments to magically protect them. Deadbolt was developed with this approach in mind - if you can select it, Deadbolt secures it.”
This seems sensible but are there any parts of the banking world likely to see the need? After all large retail or commercial banks may justifiably continue to take the view that changing their data model to accommodate such tools is simply not cost effective given the enormity of the task. But could a data centric approach offer real benefits to private banking with its wealthy but smaller client base? At first glance this seems highly unlikely. It is within this arena that the issue of data security breaches is at its most acute; high net worth clients demand highly personalised services from discreet private banking institutions with untarnished reputations. Security breaches carry a very heavy reputational cost and changing the data model
carries many risks. But the argument cuts both ways; the data centric model offers better data security as institutions seek to adapt and manage their products and services within highly dynamic environments. The question is will new encryption technologies such as Rune’s speed up the adoption of data centric models?