AlexKelleyIndustryProfile
From Information Systems at Pitt Business
Information security in commercial banking
- data encryption -
More and more people go for years without seeing a bank teller, because technology lets them pay bills online, deposit checks at the ATM, send money transfers over wired or wireless networks, and so on. This raises issues of personal and corporate information security.
Commercial banking
The United States commercial banking industry grew by 6.7% in 2006, to $502.9 billion. With all of this information stored electronically, the banking sector needs a reliable and secure infrastructure in place, which makes hardware and software vendors, IT consultants, Internet service providers and similar companies the key suppliers to this industry.
The leading companies in the banking industry are Citigroup Inc. ($21.5 billion in net income in 2006 and about 337,000 employees), Bank of America Corporation ($21.1 billion, 203,000 employees), JP Morgan Chase & Co. ($14.4 billion, 175,000 employees) and Wells Fargo & Company ($8.5 billion in net income in 2006).
Security issues
During the past few years, as more and more people and companies have used the Internet for activities that involve money, and given the rapid evolution of fraud schemes, the need for a secure environment on the banks' end has grown as well. National authorities in many countries have taken the initiative of establishing a set of minimum rules and regulations that banks must comply with. In the United States, the data security framework for financial institutions is provided by the Bank Secrecy Act, Gramm-Leach-Bliley, Sarbanes-Oxley, the USA PATRIOT Act and the FACT Act, among others.
The security provided by switches and routers is supplemented by a wide range of antivirus, antispyware, web filtering and e-mail/messaging security software. Other security components include firewall and virtual private network (VPN) software, software that controls user access to applications and data, and intrusion detection and vulnerability assessment software, which monitors networks and devices for malicious activity.
In the past couple of years, the trend has been for secure content management technologies to converge with threat management techniques, helping companies address a broader array of threats. The software-based Internet security segment as a whole generated $13.2 billion in revenues in 2006, and forecasts indicate almost twice that amount (over $23 billion) by 2011. Key players include Symantec Corp., with an 18% market share, followed by Cisco Systems (12%), McAfee Inc. (8%) and Trend Micro Inc. (5.5%). All of these companies are US-based except Trend Micro, which is headquartered in Japan.
Two additional areas of Internet security software are digital certificates (also known as electronic signatures), and authentication and encryption. The digital certificates market is shared primarily by two companies: VeriSign Inc. (over $1.5 billion in sales in 2006) and Entrust Inc. ($95 million in sales in 2006). In September 2006, EMC Corporation, the digital storage company, acquired RSA Security Inc. (the leader in authentication and encryption) for over $2.1 billion.
Data encryption: PKI
Broadly speaking, data encryption is a branch of computer security that deals with the secure transmission of documents, authorizations and other electronic communications. Companies that are active in the encryption field provide software and services, and sometimes hardware as well, mostly to other firms. In many cases, encryption products are components used in other applications. They appear, for instance, in Web browsers, e-mail and networking applications, and on Web sites that require a secure exchange of information.
As an economic enterprise, digital security software and services have a bad reputation for over-promising and under-delivering. In particular, public key infrastructure (PKI) systems, a widely used model of data encryption, have come under scrutiny.
In any PKI security system, certificates are a central component. Digital certificates, or digital IDs, are secure electronic documents that identify their owner as a valid user of the system. These credentials are used to authenticate users, grant access to a system and distribute encryption keys. In a typical configuration, the certificate is sent to the user as a digitally signed message. The digital signature adds a further cryptographic layer that ensures the document (here, the certificate) was not altered between the sender and the recipient: if the document has changed, the signature no longer verifies and the certificate is rejected as invalid. Once a certificate has been issued successfully, it enables the user to send and receive communications within the secure system. Specialists refer to this process as binding the certificate to the user.
PKI systems also involve certification authorities (CAs) and registration authorities (RAs), which are systems (often provided by third-party companies) that assign, validate, track and revoke certificates for both individuals and Web sites. Once a PKI system is launched, the certification and registration authorities, which can be one and the same, provide the service backbone that keeps it all running. RAs perform the initial certification: they determine who should be allowed on the system and assign unique certificates to those users. They also usually determine who should no longer be using the system, by revoking certificates. Meanwhile, CAs perform validation and authentication services on every transaction, making sure (using encrypted exchanges) that each user is who he claims to be and has permission to do what he is trying to do. CAs and RAs must be highly trusted, because the keys they hand out could compromise a system's integrity if they fell into the wrong hands.
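The two paragraphs above describe a certificate being issued, bound to a user, and checked on later transactions. The following Go program is an added example written for this page, not code from any of the companies it names: a toy authority that plays both the RA role (deciding who is admitted) and the CA role (signing the certificate), using only the Go standard library. The names "Example Bank Root CA" and "alice" are constructed placeholders. The relying party's check shows the property the text attributes to the signature: once a single byte of the signed certificate body is changed, verification against the root fails.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// toyCA plays both the RA role (deciding who gets a certificate) and the CA
// role (signing it). All names below are constructed placeholders.
type toyCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newCA generates the CA key pair and a self-signed root certificate, which
// relying parties install as their trust anchor.
func newCA() *toyCA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Bank Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &toyCA{key: key, cert: cert}
}

// issue binds a user's public key to a name: the CA signs a certificate that
// carries both, so anyone holding the root can later check that binding.
func (ca *toyCA) issue(serial int64, user string, pub *ecdsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
}

// verify is the relying party's check: parse the presented certificate and
// validate its signature chain against the trusted root.
func verify(der []byte, root *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// Demo issues a certificate to "alice", verifies it, then changes one byte of
// the signed subject and returns the verification error that results.
func Demo() (subject string, tamperErr error) {
	ca := newCA()
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	der, err := ca.issue(2, "alice", &userKey.PublicKey)
	check(err)
	subject, err = verify(der, ca.cert)
	check(err)
	tampered := append([]byte(nil), der...)
	tampered[bytes.Index(tampered, []byte("alice"))] = 'b' // "alice" -> "blice"
	_, tamperErr = verify(tampered, ca.cert)
	return subject, tamperErr
}

func main() {
	subject, tamperErr := Demo()
	fmt.Println("genuine certificate verified for:", subject)
	fmt.Println("tampered certificate rejected:", tamperErr)
}
```

The tampered copy still parses as a well-formed certificate; it is the CA's signature over the altered body that no longer checks out, which is exactly why a relying party must validate the chain rather than trust the name printed in the certificate. A production deployment would add what this toy omits: revocation checking (the RA's "who should no longer be using the system"), key storage for the CA private key in a hardware module, and auditing of every issuance.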
As with most newer technologies, PKI and digital certificates suffer from a shortage of standards on how exactly the infrastructure should work, which elements of a system are essential and which are only optional, and what protocols should be used to transmit information. From a legislative point of view, it can be argued that the law hardly even defines what constitutes an electronic signature. At least in theory, a fraudulent user could use someone's digital signature to authorize a transaction, and the rightful owner of the signature could deny responsibility. The law tends to remain silent on these issues, which suggests that individual businesses will have to decide for themselves what an electronic signature consists of.
By most measures, the industry is growing significantly and is expected to keep doing so for the next few years. For digital certificate issuing and management services, International Data Corporation (IDC) reports revenues of over $3.5 billion in 2006 across the entire digital certificate and PKI industry. One growing niche market, wireless PKI (WPKI), is expected to account for 40 percent of the total PKI industry by the end of 2007. Players in this market include VeriSign Inc. (a growing company, which purchased Network Solutions Inc. in 2000 and the German Jamba! in 2004), RSA Security Inc. (with integration and technology partnerships with more than 1,000 firms) and Entrust Technologies Inc. (originally part of Nortel Networks Corp.).
Other encryption methods and algorithms include IBE (Identity-Based Encryption, which is easier to manage for large organizations), federated identity management (developed by a consortium of 150 organizations, including banks), the RSA algorithm, AES (Advanced Encryption Standard), SSL (Secure Sockets Layer), S-HTTP (Secure Hypertext Transfer Protocol) and others.
