Compliance and Privacy News
Welcome to the Compliance and Privacy newsletter. This monthly newsletter will provide you with highlights of important and valuable information that comes our way during the month. Sponsored by VeriSign, both this newsletter and the website benefit from the remarkable insights that VeriSign's analysis of Internet traffic provides. That said, the majority of the content is from other, independent sources, thus giving you the best of both worlds.
We welcome feedback; if you have any comments, send them to me. In the meantime, enjoy!
Compliance and Privacy
Managing Strong Authentication
PKI - an infrastructure for business
Banks opting for Outsourced Managed Security Services
83% of the world's largest banks openly admit that their systems were threatened last year by external attackers, according to a 2004 Deloitte Security Study of CIOs and IT security officers representing the world's 100 largest banks. And not only is the number of attacks increasing, but so too is their intensity: 40 per cent of the banks affected reported that those attacks resulted in financial losses.
To combat today's professional and targeted attacks, banks are increasingly employing intelligent IT infrastructures. Yet security systems are often so complex that even large financial institutions find them challenging to cope with. A growing number of banks are therefore opting to outsource parts of their IT security to external service providers - a development confirmed by the Deloitte study. The trend among large, multinational financial institutions is evident: J. P. Morgan Chase, Bank of America and Deutsche Bank all opted last year to outsource parts of their IT or communication technology.
This shift in the financial sector reached a new dimension with Managed Security Services (MSS). MSS enable financial institutions and other companies to entrust their IT security to specialists - either completely or in part. The most frequently outsourced applications currently include Managed Firewall Services and Managed Intrusion Detection Services.
Yet some financial institutions still worry that outsourcing will leave them at the mercy of service providers. "We see our Managed Security Services as co-management not 'outsourcing' in the classical sense," said Souheil Badran, vice president, VeriSign EMEA. "Ultimately, our clients maintain complete control over their systems. We merely provide services that companies are not in a position to perform internally - for instance the early recognition of global attack patterns, and identification and implementation of suitable countermeasures." MSS providers have a very broad perspective of attacks on the internet because they manage systems for many different enterprises, enabling them to draw conclusions on the actual threat posed by an attack. For example, by outsourcing its firewall and intrusion detection services Merrill Lynch can now reliably make assessments and initiate the right countermeasures.
"A provider like VeriSign, which looks after many companies at once and has access to large volumes of data through its management of .com domains, has security-relevant information at its disposal like no other company. We now receive analyses of the incidents in relation to other events around the world and on the internet. This enables us to make far better decisions and to benefit from an early warning system," said David Bauer, who was then the chief information security officer at Merrill Lynch.
Smartcards - a new resource, courtesy of The Home Office
The UK Government has announced its intention to implement ID cards based around smartcard technology, despite claims that the costs could be in excess of £15Bn and the generally horrific track record of Government IT projects. As part of that project one of the largest ever biometric pilots was run earlier in the year, with the results being published in May. The study looked at fingerprint, face and iris scanning/recognition of over 10,000 volunteers.
Since then there has been a highly critical review of the costs of the project from the London School of Economics and many reviewers pointing out that ID cards would have made no difference to the outcome of the recent attacks in London.
For those interested in IT security, what is fascinating is the volume of information available on the Home Office website.
We've just launched a growing set of discussion groups for all the material covered by the website. They're brand new and need your contributions.
Key articles from the newsletters and from the site itself will be dropped into the groups for discussion. And you're welcome to add your own topics, too.
The idea of the groups is to share, informally, expertise between contributors. So feel free to ask a question, to give an answer, or simply to give an opinion.
European Banking Summit - Barcelona
7th Secure IT Forum - London
Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.