A Flat Network or a Secure Network? Why Not Both.

By Bob Olson, Mark Feverston, and Stephen McCarney, Unisys Corp.

Thanks to continued advances in the emerging space of software-defined security, banks no longer have to choose a cost-effective flat network at the expense of security.

For the first time last year, the Office of the Comptroller of the Currency singled out cybercrime as a top bank risk. This year regulators went further, specifically targeting potential network intrusions. Our own research conducted with the Ponemon Institute found that nearly 70% of critical infrastructure organizations surveyed have reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months.

Cybercriminals are increasingly turning to bank networks – to data in motion – to tap into lucrative troves of information as it moves within the bank (between branches and data centers, among employees) and outside the bank (to and from vendors, the Federal Reserve, customers, correspondent banks, traders, regulators, and more).

It’s hard to overstate the sensitivity of that data. Personnel records, sometimes including payroll and medical information are passed about. Finance sends and receives sensitive messages with Wall Street, and Compliance does the same with regulators.

Moreover, it’s not just intruders who pose security risks. The number of people with legitimate access to bank networks has exploded thanks to employees who self-serve via the bank network, customers who use the bank’s online offerings, and the growing use of mobile banking.

“We worry about hackers, certainly, but I have nightmares, too, about an innocent bank employee logging on to file an expense report on his tablet from a fast-food place and encountering data that should be segregated. Accidental exposures are bad for reputations and good for hackers,” a bank security official said.

For the most part, up until now many banks seeking greater network agility and cost efficiency have had to do so at the expense of security.

In recent years, several banks have responded to cost pressures by flattening their previously layered and complex networks. This has reduced the configuration complexity and number of devices that must be managed and lowered the cost of maintaining their networks. It has accelerated their ability to make changes (no small advantage in today’s competitive marketplace) and reduced latency by streamlining traffic between source and destination.

But the trade-off has been a broad attack surface and visibility of information that otherwise legitimate users have no right to see. These flat networks typically fail to segregate information, so attackers can see all the endpoints for the data in motion and potentially access every system involved. If they have the skill and enough time to execute their attacks, they can do a lot of damage.

Other banks have resisted the pressure to flatten their networks by opting for layered networks in the hopes of gaining better protection. However, cybercriminals are not only getting better and faster at their trade, but layered networks present a different kind of vulnerability: unintended consequences.

Those complex, often disjointed networks are challenging for the banks themselves. They make what could be a straightforward change performed by network administration – say, a product upgrade, or a new bank online feature – a time-consuming, exacting, and laborious effort involving multiple teams. The more layered and complex the network, the greater the possibility that a step will be missed and a connection will be vulnerable to intrusion.

“You know there’s something wrong with your network set-up when you realize your most valuable players are those who document your changes,” a bank network executive said. “When you’ve got essential processes that you can’t automate, you are vulnerable to costly mistakes.”

So how can banks achieve the best of both worlds? How can they flatten the network without exposing a broad surface to intruders, or segment the network without creating a costly, complex monster?

The key lies in exchanging physical segmentation for logical segmentation. Software-defined security makes it possible to partition a network using logic. Instead of physical, infrastructure barriers like virtual LANs, routers, and firewalls, users who get behind the firewall encounter virtual barriers. No matter how flat the network, they are prevented from traversing the network by logical barriers that confine them, through pre-defined “communities of interest” segmented by cryptographic keys.

Those cryptographic keys separate users into groups and allow access to only those corridors and doors where the user’s work and purpose entitle them.  Tellers don’t see finance information. HR doesn’t see CRM data. Hackers don’t see payment messages.

Not only is the user prevented from going elsewhere, but elsewhere is not even visible. Other places on the network are cloaked from view. This makes it possible for network administrators to make access fast and easy; there is no need for draconian log-in measures if off-limits areas are not even presented.

Mr. Olson is Vice President, Global Financial Services, Mr. Feverston is Vice President, Data Protection Solutions, and Mr. McCarney is Director, Global Security and Cloud Portfolio for Blue Bell, Penn.-based Unisys Corp. They can be reached at robert.olson@unisys.com, mark.feverston@unisys.com, and stephen.mccarney@unisys.com.