
Sun 9 Nov 2008 04:00 AM


Banking on security

Commercial Bank of Dubai (CBD) follows stringent processes for its security investments to ensure that threats do not compromise the bank's network.


Being a bank in the Middle East is never easy. Not only does any financial institution have to juggle the various wants and needs of communities from different parts of the globe, but they also have to be constantly on the alert and protect themselves against the differing usage patterns of the same.

Following the recent spate of ATM frauds affecting banks across the UAE, most financial institutions have stepped up their security procedures. One bank that claims to be beating this trend consistently, simply because they have planned on security measures from the beginning, is the Commercial Bank of Dubai (CBD).


"We are a bank - a proper, local bank. We have 25 plus branches and around 1300 employees. And we have, you can say, a mixed Windows and Unix environment that supports all the critical systems and all the core banking systems for our bank," says Rinaldo Ribeiro, head of IT security at CBD.

"We have a central datacentre, from where we provide all the services to the branches and to the business. This is located in the headquarters in the office.

So in this primary datacentre we have centralised all the IT infrastructure and main servers, and services are being provided through our head office. For disaster recovery, we have a site in Sharjah, which is up and running.

We have also invested in several back-up solutions, including SAN systems, to ensure that our data remains secure," adds Ribeiro.

CBD prides itself on planning for, implementing and offering the highest levels of security to customers, and its employees.

"We handle everything related to security in a risk-based approach. We need to identify first what the top risks for the business are and we need to provide controls accordingly.

And this process will include looking for the best products, vendors and the best infrastructure in terms of the technology that we have available in the market.

When it comes to internet access for example, we have to provide all the services through the internet and these have to be done with the right kind of controls. We have to provide the best service to the right person while at the same time keeping all these services secure," points out Ribeiro.

He continues: "This is done as I said using a risk based approach where we see what is the risk of having these services and what kind of controls we should put in place to have that service up and running.

This is done across several areas. So we have risk management processes and we do have priority projects in terms of implementation of controls for the whole year. And this is basically how we do it."

The bank works on risk management as a continuous process. It has various processes and different technologies deployed just for this.

When any solution is found to be necessary, keeping business needs in mind, or when a new technology is implemented, the bank's security staff always check on controls that are necessary, and that should be present from the first day of the project.

What's more, they check that the relevant controls are being properly implemented. The security team also checks on technical standards and compliance with the same.

In this fashion, the bank has controls in place for the different technology streams in use within the organisation including servers, databases and so on.

The IT team, and the security team within it, bring strict procedures to the table when selecting the vendors to work with for various solutions.

"The benefits and the price of the solution are key factors. Another major factor is the local support and presence of the company or the group in the region. We look at similar cases and projects done, experience in the region and also how good their teams are.

We do not consider a company if it has few projects or no experience and no consultants in the region. We try to identify, whenever possible, the solutions that are being globally implemented, especially when it comes to newer solutions.

At the same time, we might find very good solutions but no local support, through partners or even through the vendor's office here. Again, this is a risk based thing.

I mean, we always question ourselves - do we really have to deploy that solution? Do we really need to select that partner or is it just another buzzword that everybody is talking about? Do we really need to implement that particular control or solution?" says Ribeiro.

Safe access

With all these processes to guide them, CBD has been at the forefront of security implementations for some time now. One example of this is the enterprise single sign-on solution that was implemented by long-term partner, Paramount Computer Systems in 2007.

"The main reason for the solution was to have more control over password and policy management, as well as access to core systems. The average pattern will be the normal user with five to ten different passwords to remember and use on a daily basis.

So there is a network password, with various policies attached to it, and core systems and package systems and other systems. Each and every system would be asking for a password and maybe a change of password every ten days. Each of them will have a different kind of password as well - eight or ten characters long - and so on," says Ribeiro.

"So the complexity of the access required for different systems would require a normal user to remember many passwords and remain compliant to different policies.

And this might possibly cause some problems when it comes to selection and recall of passwords, as well as access to other systems. So you might find people sharing their passwords, you might find people using the same passwords in many different systems and causing at the end of the day a problem for the security of the bank," he adds.

"With enterprise single sign-on, we try to provide one single set of credentials, with which users can have the right access to the system. Of course, these credentials should be very strong, because if you compromise this access, you will be compromising all the other access to all the other relevant systems.

So what we have done is basically implement single sign-on with one time passwords, in the form of time based tokens combined with fingerprint analysis. What we have today is a password-free environment where you don't need to know your password, you don't need to change your password, but the moment you provide your token or the moment you use your finger, you have access to your profile with all the access to the systems that you need," Ribeiro states.

All of this access is monitored and audited on a centralised base. Passwords are changed every day, or every week, depending on the kind of systems, but the users do not even need to know what password they have.

They only have to swipe their finger, or use the RSA token provided to them, to access the right systems. According to Ribeiro, this solution has brought about a major change in the way systems are accessed, and has also helped with troubleshooting and calls to the service desk, which have been reduced many-fold.
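As an added illustration, not code from CBD, Paramount or the article, the following shows how a time-based one-time password of the kind these tokens produce is generated and checked on the server side, following RFC 4226 and RFC 6238 with a one-step clock-drift window; the seed value is a constructed placeholder, and the check is constant-time so that a wrong guess does not leak how close it was:

```python
import hmac
import hashlib
import struct
import time

# Constructed demo seed (assumption: placeholder only). In a real deployment the
# per-user seed is the credential that unlocks every system behind the SSO
# profile, so it must live in a protected store and never in source code.
DEMO_SEED = b"constructed-demo-seed"
STEP_SECONDS = 30
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step` intervals
    elapsed since the Unix epoch, so token and server agree via their clocks."""
    return hotp(seed, unix_time // step)


def verify_totp(seed: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step or up to `window` steps on either
    side, tolerating small clock drift between token and server. The comparison
    is constant-time (hmac.compare_digest) to avoid timing side channels."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    print("current code:", code, "accepted:", verify_totp(DEMO_SEED, code, now))
```

A real verifier would additionally record the last accepted step per user and refuse any replay of a code from that step or earlier.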


"A software or an agent sits on the client-side, on every laptop and desktop. Users may have to do both fingerprint scanning, as well as use the token. But they will certainly need to have at least the token.

Depending on the access needed, we provide readers with desktops. Moreover, most laptops today come with finger scanning incorporated," says Ribeiro.

The bank is one of the first in the region to use enterprise single sign-on across its employee base, and continues to be a leading user of security solutions in the Middle East.

"Our major security implementations in 2008 include web application firewalls. This is basically for access to the internet from the web servers. The solution protects us from all the top twenty threats that could affect our web servers.

We also have load balance and some other features. We also deployed a network behaviour analysis solution. This is basically meant to identify and track each and every flow of data on the bank's network.

Based on some behaviour patterns, you can identify possible instances and variations in the information traffic. This is very good for internal monitoring and to see what is really flowing on the network," says Ribeiro.

The bank also implemented malware protection for e-mail through MessageLabs, which supplies the software and the managed service covering the entire e-mail malware protection stack, including antivirus and anti-spam.

"Another major implementation was the enterprise security management solution. This is basically about logs and log management, log monitoring, instance response and security management.

The solution allows us to concentrate all the logs from different sources, and attempt to correlate the logs in order to identify instances. It also gives us the right forces to respond to these instances. This was another major solution that was implemented," adds Ribeiro.

Setting levels

Ribeiro assures that the bank looks at all the possible issues that can appear to compromise its security, both physically and at the application layer, in order to ensure that nothing similar to the ATM frauds of recent times can affect CBD customers.

"We are also constantly working on increasing security awareness internally. We have sessions and focus on policies to make sure that users know what we are expecting from them.

This is actually the main activity that we do have on a regular basis. Data leakage is, first and foremost, about access controls - who is supposed to be having access to the data - and we have this area covered effectively," says Ribeiro.

"For example, the PIN number of any card, it is just not available. Even if you have access to the database, this information is not there.

Data leakage does happen, people can send out data, maybe some banks were compromised in the recent fraud and some people managed to get data from the bank, but not all the necessary information and data is readily available in any bank," he adds.

The six-member security team works with less than 5% of the IT budget to ensure that the bank remains on top of the many global security threats.

"The majority of the time, the budget is an annual thing. We do know what we should be having for the next year, but this is not 100% bullet proof. Over the year you might find a new control, a new project that you couldn't plan for.

In this case, we have to get special approval, and a special budget for that particular project. However, usually it is all planned and the budget approved," he explains.

"We will continue with our routine work. We will be concentrating more on the end-point protection and maybe data leakage or data loss prevention as well.

If you look back five years, the main area of concern has been the internet, the perimeter, the controls and this is more or less migrating to the data itself, where the data is, how it can be leaking and what kind of measures we should be putting in place. This is all the major areas of focus for the next year.

It will involve new controls in terms of protecting the data or information that we have at various places - across endpoints, or roaming devices that need VPN access. We will also work on different access forms for the sales team.

All these are challenges for IT security. Of course, threats are evolving and changing everyday. We must keep up to date," concludes Ribeiro.

All about CBD

In 1969, the Commercial Bank of Dubai (CBD) was started as a public shareholding company. An Emiri Decree issued by His Highness the late Sheikh Rashid Bin Sayeed Al Maktoum, the founder of modern Dubai, laid the cornerstone of CBD. It started out as a joint venture of Commerzbank, Chase Manhattan Bank and Commercial Bank of Kuwait.

By 1982, little more than a decade later, the bank had evolved into a national public shareholding company, a feat complemented by an exponential increase in its capital base and a mammoth restructuring of its operations. The feather in the cap came when the Government of Dubai became a key shareholder.

Over the decades, CBD has transformed itself into a progressive and modern banking institution. It is supported by a sturdy financial base and governed by a strong, stable management. In 2007, CBD reported a record net profit of AED 936 million and total assets of AED 30.4 billion.

Today, the bank is in a position to offer a range of retail and commercial banking products and services at par with any other bank in the industry, and a banking experience better than the best. With a network of 26 branches, it covers all of UAE.

In the future, CBD aspires to take on the financial services industry head on so as to be able to meet customer expectations of better interest rates, new services, easier access and improved technology.
