ME Bank bakes security into core overhaul

Doles out role access to staff.

Members Equity Bank has identified security and identity access management as a "foundational piece" of its $57 million technology overhaul.

The bank is currently a year into the four-year transformation program, which aims to upgrade its core systems to be able to handle up to four times its current 250,000-strong member base.

It has begun rolling out a new core banking solution based on Temenos and webMethods, and recently finished rolling out several IBM role-based identity access tools to clamp down on unauthorised or unrevoked user access to applications.

Lachlan McGill, ME Bank's information security manager, said the IT team approached bank executives with security as one of three core pillars underpinning the core overhaul.

"We went to the board and said 'systems transformation, we know we've got to put it in otherwise we're not going to be here in five years' time'," he said.

"'If we want this transformation program to be a success, we need to put in the core foundational pieces - business process modelling, integration across the service bus and the other one was identity and access management.'"

ME Bank's core systems overhaul was approved alongside an IT security project that aimed to provide greater control over applications and systems access for internal staff, former employees and the bank's managed services provider.

Former employees were particularly worrisome for the bank, as they sometimes retained access to legacy applications after leaving the bank.

McGill said the information environment had become a security "nightmare" for both the IT team and staff who often had to remember more than 20 usernames and passwords for individual applications.

"Without fail when we were rolling out some of this, we'd go to people's workstations and we'd say 'log into this application for us' and they'd go to their top drawer, grab their diary or take their post-it note off the monitor and type in their username and password," he said.

The tools, rolled out earlier this year, provided the bank with enterprise single sign-on and self-service password resets for applications, significantly reducing the 25 to 40 percent of service desk calls from employees asking for password resets.

"The amount of good will we had coming back from the business just from the single fact of single sign-on and self-service password reset was incredible. They're really easy technologies to deploy, I'm amazed we didn't do it earlier, quite frankly," McGill said.

The bank rolled out single sign-on to its ActiveDirectory database as well as most Unix and Linux applications but decided against providing similar access to legacy applications.

McGill said assigning and maintaining role-based access for staff had since become a significant part of the IT team's day job, in addition to reworking the application after implementation to "get it to the way we actually wanted it to work".

However, he said the security functionality now allowed the bank to provision a workstation and email, along with some applications for new staff within a day, as opposed to the two weeks many often waited prior to the transformation program.

Technology transformation

ME Bank expects to roll out the business process management and service bus integration components of its $57 million transformation program this year.

McGill told iTnews that with business process management in particular, the bank would be able to take a personal loan application and "refer that onto the right people and right system".

"You'll be able to just automate that process from end-to-end," he said.

ME Bank joins a number of banks currently undergoing core overhauls with the aim of achieving real-time banking and seven-day payment clearance capabilities.

"When we looked at who we were going to use for our core banking product, we did speak to a numbers of institutions around their experiences with the different vendors," McGill said.

"We'll be relying on trusted service integrators to provide that insight or get that information from other organisations such as CommBank."