A boutique bank in B.C. is looking to differentiate itself by providing identity management over a wireless network to its 300 employees and 14,000 members.
North Shore Credit Union is rolling out HP ProCurve Control Access technology, using the same wireless local area network for all users, from employees to contractors to members. Security protocols dynamically adjust based on user, location and time of day, allowing for control over each network connection.
The challenge with wireless is that someone could walk into a branch with a laptop or wireless device, plug into the network and start capturing packets and recovering passwords. “That’s one of the primary reasons why we want to have this identity management solution in place, so we don’t really care if our junior techs inadvertently left a connection intact,” said Peter Chau, infrastructure architect with North Shore Credit Union. “It’s protected in the back-end.”
The credit union, which has 12 branches from Vancouver to Whistler, is rolling out a new model of branches designed to enhance the member experience, and was looking to be more proactive in its approach to security. “The days of walking into a traditional branch are no longer part of our vision,” he said. “Our [new] branches don’t have telewickets. It’s all open platform.” In January, North Shore rolled out the first secured wireless offering at one of its new branches; next, it will roll the offering out to its other branches as well as head office.
North Shore selected the HP ProCurve Wireless Network Access Control Server 745wl as its primary point of security for wireless. Making sure that was extensible for IT staff was critical, said Darren Hamilton, partner business manager for ProCurve Networking with HP Canada. “Some people will grow into wireless and it’s not part of their functionality requirements now,” he said. But in this case, North Shore wanted to roll out wireless access, so it was a matter of deploying it securely.
The end goal is to enable the network to identify a client or guest – from what operating system they’re using to whether or not their firewall is enabled. If they aren’t compliant, access is restricted. “You can get that granular level of security and control, and that begins with an intelligent edge,” said Hamilton.
The service is available to employees, consultants and partners, as well as its membership. A guest user might only have access to the Internet, while an employee might have access to the same resources as on a wired connection. Access is based on user name and password (employees already have a physical access badge), while tokens would be part of the solution for remote access. “The token would come into play when you’re actually outside our perimeter,” said Chau.
The technology is based on industry standards, so it gives North Shore the option of bringing in third-party security appliances without having to worry about interoperability (HP introduced the ProCurve Alliance in April, which certifies third-party products on its technology).
The system is centrally managed and ties into North Shore’s Active Directory structure, so there are no separate databases to maintain. The credit union currently has about 14 IT staff, so the idea is to do more with less. North Shore pays an annual fee to HP for patches, updates and enhancements.
The next step will be to quarantine non-compliant devices. “It’s taking the control back for IT and ensuring any end-node that connects to our services complies with our security policies,” said Chau. “That’s the nirvana.”
One area where we’re seeing a big uptake in these types of technologies is in banking, said James Quin, senior research analyst with Info-Tech Research Group. Traditional enhanced authentication is about the user providing a clear demonstration of who they are to the enterprise they’re authenticating to. In the U.S., banks are now required to provide some form of enhanced authentication to defeat phishing, which means that banks must provide enhanced authentication of who they are to the user community. “It’s an atypical use of the technology but it is one that is garnering a lot of sales,” he said.
Most access control systems can be integrated with existing directory structures, so an IT manager can easily add new users. But network resource allocation should always be constrained to the role of the individual, he said. The biggest challenge, however, is putting a dollar figure on security.
“You can never say that a security solution is going to save a business money because you can’t prove that it is the thing that prevented an attack that didn’t happen,” said Quin. “So all you can do with security is look at industry trends of what breaches cost.”
For North Shore, it comes down to being more competitive. In Western Canada, the banking industry is extremely competitive, said Chau, and on any given four-block radius you’ll find three or four banks as well as a couple of credit unions. North Shore’s new branches not only fulfil security requirements, he said, but they’ll give the credit union an edge over competitors. The plan is to have identity management fully implemented next year.
