
With seven banks and more than 300 branches across New England, People's United boasts $21 billion in annual assets. It recently acquired a new bank, bringing employee numbers to around 5000, and the bank has plans for future growth, says Kyrytschenko. With that many employees, the bank needed a way to grant each employee access only to the data they need to get their job done.
When a user opens or otherwise touches a file, the application makes a record of it. With those records in hand, IT can review all the files an employee opened or created, as well as see from which IP address they accessed the data; an access from a home address, for instance, may raise a red flag. IT can also search any number of an organisation's file servers when reviewing data.
“This provides very rich forensic detail that would come into play if you had to demonstrate unwarranted activity or over-activity by a user,” says Varonis' Konstantas. People's Bank began assigning file rights and collecting file-view data in March.
“Right now we're identifying forensics and cleaning up some of our access. Where there's been global access, we're scaling that back,” Kyrytschenko says. “And where there's been over permission, we're getting the visibility we need to understand the impact of any changes we make before we make them.”
The solution also ensures permissions to data are revoked when employees change position or quit the bank. Permission revocation is an oft-overlooked aspect of security clearance, Konstantas says.
The audit at People's United pointed out the need for the employee-permission solution. But while Leuenberger of Credit Suisse champions continued security assessment, sometimes those assessments determine that things are fine just as they are, he says.
For instance, Credit Suisse constantly monitors the process by which its customers access their own data. For more than a decade, the Swiss corporate customers of Credit Suisse have used security tokens, in addition to passwords, to authenticate themselves for online account access. The physical tokens work in conjunction with a password or personal identification number to provide a reliable level of user authentication, Leuenberger says.
The token hardware generates a fresh authentication code at fixed intervals, so a code is only valid for a short window. Credit Suisse uses RSA's SecurID authentication mechanism.
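As an added illustration, not code from the article or from RSA (the SecurID generator itself is proprietary), the server-side check for a time-stepped token combined with a PIN, using the public RFC 6238 TOTP construction as a stand-in. Assumed for the example: a 60-second step, six-digit codes, a one-step drift window, and a constructed seed, PIN and clock value.

```python
import hashlib
import hmac
import struct

# Assumed parameters for this illustration: RFC 6238 TOTP (a public stand-in for
# SecurID's proprietary generator), 60-second time step, six-digit codes.
STEP_SECONDS = 60
DIGITS = 6
# Constructed demo values: token seed shared with the server, user PIN, fixed clock.
DEMO_SEED = b"constructed-demo-seed-not-real"
DEMO_PIN = "2468"
DEMO_NOW = 1_700_000_000

def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Code the token shows during the time step containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class TokenVerifier:
    """Server side: PIN plus token code, tolerating one step of clock drift
    either way, and never accepting a step at or before the last one used."""
    def __init__(self, seed: bytes, pin: str, step: int = STEP_SECONDS):
        self.seed, self.pin, self.step = seed, pin, step
        self.last_accepted_step = -1

    def verify(self, pin: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(pin, self.pin):  # constant-time compare
            return False
        current = now // self.step
        for candidate in (current - 1, current, current + 1):
            if candidate <= self.last_accepted_step:
                continue  # replay of a step already consumed
            expected = token_code(self.seed, candidate * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False

if __name__ == "__main__":
    verifier = TokenVerifier(DEMO_SEED, DEMO_PIN)
    code = token_code(DEMO_SEED, DEMO_NOW)
    print("first use accepted:", verifier.verify(DEMO_PIN, code, DEMO_NOW))
    print("replay accepted:", verifier.verify(DEMO_PIN, code, DEMO_NOW + 5))
```

The drift window is what lets a code typed just after the token rolled over still work, and the strictly increasing step record is what stops the same code being replayed within that window.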
But the financial institution had assumed the tokens, threatened by the continuously evolving capabilities of potential hackers, would have to be replaced in the future. It recently decided to conduct a security assessment of the tokens. The bank assessed how vulnerable the token-protected sites were to attack and asked customers how secure they felt about the multilayer protection the bank offered.
The security assessment found that the tokens could offer a sufficient degree of security for the next several years. It also found that customers were comfortable with the tokens, finding them simple to use and portable. They also were likely to resist solutions perceived as being less convenient, flexible or safe, Leuenberger says.