NAB to revamp authentication, audit and pen testing

Pilots Open Data Center Alliance usage model.

National Australia Bank has agreed to be among the first global companies to pilot a standard that aims to federate identity management between the bank's in-house and externally hosted applications.

The proof of concept is part of NAB's steering committee contribution to the Open Data Center Alliance (ODCA), an initiative led by over 300 corporations including BMW, UBS and Deutche Bank.

The ODCA aims to drive cloud computing standards and overcome key roadblocks around cloud security and the portability of workloads, among others.

At an event at NAB's boardroom in Melbourne, the company announced it would be among a handful to pilot the ODCA's security assurance provider usage model [pdf].

As previously described in iTnews, this model audits and ranks external security providers as either platinum (military grade), gold (financial services grade), silver (enterprise grade) or bronze (standard grade) according to several criteria.

Cloud providers are audited, for example, on how they handle vulnerability management, network and firewall isolation, identity management, security incident and event monitoring, data retention and deletion, and several other attributes.

The bank's IT executives said the usage model will be used to negotiate terms around the monitoring and on-site auditing of external/cloud service providers.

It could define, for example, how penetration testing might be commissioned to test the security of a cloud service.

NAB will also apply this usage model to aid its selection of security standards when attempting to federate identities across internal IT services and those provided by external service providers over the public Internet.

Adam Bennett, chief information officer at NAB said the bank felt it was important to commit its technology staff to the standards project for a number of reasons.

"Whilst vendors have a legitimate view about how cloud computing develops, it is a very different view [to end users]," he explained.

"Cloud computing standards will provide economies of scale. The need will ultimately come to compare one cloud ecosystem to another on their relative merits. It's important for clarity on both the demand and supply side. It will be no one's benefit if one talks in metric and another in imperial."

Bennett said the banking sector was especially interested in security and regulatory standards, "by virtue of our industry", which is regulated by APRA.

"We absolutely recognise the legitimate concerns of our regulators as cloud computing develops," he said. "We recognise that the secure storage of customer data and personal information is very much on everyone's agenda. So we're keen to inject that into the shaping of these standards."

Other organisations in the ODCA effort will conduct proof of concept trials around other announced usage models: BMW, for example, will put into practice a usage model aimed at reducing carbon footprint.

Jason Waxman, general manager of Intel's data centre group and a technical advisor to the alliance said each organisation agreed upon signing up to share learnings from their pilots under a "reasonable and non discriminatory" IP license.

Waxman told iTnews he expected hardware and software vendors and cloud service providers would bend to the requirements NAB puts forward under the proof of concept trial - knowing that US$100 billion of IT spend from 300 other large corporations is likely to be at stake.

New tools

Vendors might also find some of the language from the ODCA's usage models creeping into tender documents under an initiative announced this week.

The ODCA has launched an online tool that allows customers to insert the necessary verbiage from any given usage model into the RFPs (requests for proposal) they take to the market. This will ensure the procurement of new IT goods and services meet ODCA standards.

The "Proposal Engine Assistant Tool" or PEAT allows an organisation to select the hardware, software or cloud service to be procured and be presented with the relevant clauses to include in their RFPs and contracts.

Denis Curran, head of strategy and innovation at NAB said standards will help reduce transaction costs when dealing with suppliers.

"When every transaction is unique, the cost of sale - be that the  legals and controls, gets higher," he explained. "If you can compress that work effort with a common language, everything gets easier."

NAB's Denis Curran will be a guest speaker at iTnews' Executive Summit at the Grand Hyatt in Melbourne on Monday March 19. Register now to guarantee your seat!