
Each of us who has opened a bank account or applied for a loan knows first-hand how much private information banks require from their customers: addresses, PAN numbers, credit-card numbers, driver's license details, email IDs, phone numbers, salary slips and loads of other financial data. While some of this is required for carrying out transactions, the rest is mandated by law, regulatory bodies and compliance norms.
Enter the banking of the new millennium, where the information in a bank's computer can be more valuable than the cash in their vaults. With the exponential increase in internet services provided by banks the quantity of such stored information is massive.
Here come the modern-day data thieves. Banks and financial institutions become their potential one-stop shops for large-scale data theft. The Anti-Phishing Working Group, which tracks Internet fraud, found that scammers target financial services more than any other industry. In December 2007, 89.3 percent of all identity-theft attacks targeted the financial industry, including banks, credit unions and credit-card associations.
So nothing is being done?
While regulatory and compliance norms have been the main drivers for bringing focus onto the concern of data security, much more needs to be done from the legal perspective. Data theft is not theft in the eyes of the law. Kaviraj says, “it is reiterated that our laws need to be updated expeditiously, with a view to ensure maximum protection to 'Data', which is critical, for retaining the credibility of the Indian I.T. industry.”
However, banks have taken initial steps to address it. Multiple initiatives have been adopted, combining processes and technology. Within the bank, most resort to rigorous access control policies and control the distribution of information using approaches like data leakage prevention (DLP). But with the new-age mantra of outsourcing, sensitive data is no longer resident within the bank; it often has to be shared outside the organization for outsourced data processing. Data transfer is often through secured messaging and is encrypted too. In fact, some go a step further and control the network of the vendor. But all these are partial solutions, and at unreasonable cost.
Where is the real problem?
Conceptually, most of the initiatives adopted currently enable controlling access to information. For example, in retail banking much of the personal information of customers is stored digitally and access is provided to those who are authorized. But the authorized user is often the culprit, knowingly and sometimes unknowingly too. Also, while outsourcing, the last mile of the data's journey is often open to vulnerabilities. After the secured data transfer has occurred, most of the time the data is manually uploaded into an application for processing. Once the processing is completed, there is no control on the usage of the raw data, and it continues to be accessible to the vendor organization.
What needs to be done?
While strong regulations and new norms are coming into play, financial institutions themselves need to change their approach to data security. The stress on sharing information within and outside of the enterprise is increasing. So are the methods of sharing it. It is going to become more and more difficult to monitor all entry and exit points through which information is disseminated. A fundamental shift from context-based or perimeter security to a more information-centric security mindset is necessary. Information Rights Management (IRM) approaches are built on this principle. Using IRM, granular security control can be made to travel with the information wherever it goes, instead of securing just the environment in which the information is used. Also, this control is dynamic and can be aligned to changing business relationships. A document shared with a vendor earlier can be made inaccessible remotely if the vendor moves out of the approved vendor list (AVL). Outsourced data can be made inaccessible through inbuilt expiry. The benefit in all this is that the owner organization retains the control to allow or disallow specific usages of the information, in spite of freely sharing it. And this is how the information economy of tomorrow needs to be managed and governed.
To see how such information security management can be achieved today, read about FileSecure and InfoSource.
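The IRM behaviour described above (usage rights travelling with the document, remote revocation when a vendor leaves the AVL, and inbuilt expiry) can be illustrated with a small envelope format. The code below is an added example written for this page; it is not FileSecure, InfoSource or any other product's code. It assumes a hypothetical owner-side key service (`OwnerKeyService`) and a vendor-side viewer (`open_document`), and it uses an HMAC-SHA256 counter-mode keystream purely so that the example runs on the Python standard library; a real product would use a vetted authenticated cipher such as AES-GCM. The sample customer record is constructed.

```python
import hashlib
import hmac
import json
import os

# Added illustration (hypothetical, not a product's code): a document envelope whose
# usage policy is attached to the ciphertext and authenticated by the owner, while the
# content key is released only after the owner's service re-checks policy, expiry and
# its revocation list. This is what lets control "travel with the information".


def _keystream_xor(key: bytes, doc_id: str, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    Stands in for AES-GCM so the example needs no third-party library."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, f"{doc_id}:{counter}".encode(), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class OwnerKeyService:
    """Runs inside the owning bank. Holds each document's content key and the set of
    principals (e.g. vendors dropped from the approved vendor list) whose access was withdrawn."""

    def __init__(self) -> None:
        self._signing_key = os.urandom(32)  # authenticates the policy stuck to each document
        self._doc_keys: dict[str, bytes] = {}  # doc_id -> content key, never leaves unchecked
        self._revoked: set[str] = set()  # principals revoked remotely after sharing

    def _policy_tag(self, policy: dict) -> str:
        policy_bytes = json.dumps(policy, sort_keys=True).encode()
        return hmac.new(self._signing_key, policy_bytes, hashlib.sha256).hexdigest()

    def protect(self, doc_id: str, plaintext: bytes, grants: dict, expires_at: int) -> dict:
        """Wrap plaintext with a policy: who may perform which operation, and until when."""
        key = os.urandom(32)
        self._doc_keys[doc_id] = key
        policy = {"doc_id": doc_id, "grants": grants, "expires_at": expires_at}
        return {
            "policy": policy,
            "policy_tag": self._policy_tag(policy),
            "ciphertext": _keystream_xor(key, doc_id, plaintext).hex(),
        }

    def revoke(self, principal: str) -> None:
        """Remote revocation: copies already shared become unreadable for this principal."""
        self._revoked.add(principal)

    def release_key(self, envelope: dict, principal: str, operation: str, now: int) -> bytes:
        """Release the content key only if the attached policy is intact and still permits the use."""
        if not hmac.compare_digest(self._policy_tag(envelope["policy"]), envelope["policy_tag"]):
            raise PermissionError("policy tampered")
        policy = envelope["policy"]
        if now >= policy["expires_at"]:
            raise PermissionError("document expired")
        if principal in self._revoked:
            raise PermissionError(f"{principal} revoked")
        if operation not in policy["grants"].get(principal, []):
            raise PermissionError(f"{operation} not granted to {principal}")
        return self._doc_keys[policy["doc_id"]]


def open_document(service: OwnerKeyService, envelope: dict, principal: str, operation: str, now: int):
    """Vendor-side viewer: returns (plaintext, "ok"), or (None, reason) when the policy refuses."""
    try:
        key = service.release_key(envelope, principal, operation, now)
    except PermissionError as exc:
        return None, str(exc)
    doc_id = envelope["policy"]["doc_id"]
    return _keystream_xor(key, doc_id, bytes.fromhex(envelope["ciphertext"])), "ok"


def demo() -> dict:
    """Walk through the lifecycle of one outsourced record; times are constructed epoch-style integers."""
    svc = OwnerKeyService()
    record = b"cust=4711;pan=XXXXX0000;salary_slip=2007-12"  # constructed sample, no real data
    env = svc.protect("loan-batch-0042", record, grants={"vendor-a": ["view"]}, expires_at=2000)
    results = {}
    results["view_in_window"] = open_document(svc, env, "vendor-a", "view", now=1500)
    results["print_not_granted"] = open_document(svc, env, "vendor-a", "print", now=1500)
    results["after_expiry"] = open_document(svc, env, "vendor-a", "view", now=2500)
    tampered = {**env, "policy": {**env["policy"], "expires_at": 999999}}  # vendor edits the policy
    results["tampered_policy"] = open_document(svc, tampered, "vendor-a", "view", now=2500)
    svc.revoke("vendor-a")  # vendor removed from the AVL after the file was shared
    results["after_revocation"] = open_document(svc, env, "vendor-a", "view", now=1500)
    return results


if __name__ == "__main__":
    for name, (data, status) in demo().items():
        print(f"{name:18s} -> {status}" + (f" ({data.decode()})" if data else ""))
```

The design choice worth noticing is that the policy and the ciphertext can be copied anywhere, but they are useless without the key, and the key is released only by the owner's service, which consults the current state of the business relationship at the moment of use. That is what makes revocation and expiry enforceable after the data has left the bank, which neither encrypted transfer nor the vendor's own access controls can do.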
2 comments:
Many banks use the services of IT outsourcing companies, but not all customers feel secure that their personal information is kept confidential. Outsourcing employees need to be trained to make sure that all personal information and transactions are kept between the customer and the company.
Agree completely here .. but people / process and technology have to go hand in hand ..