SANTA ROSA, Calif. (3/16/12)--The mass migration toward using mobile devices such as tablets and smartphones to access corporate data, social networking and cloud computing is setting off alarms for security and risk management, and information technology (IT) executives concerned about security. One credit union is among the early adopters of a holistic approach to keeping data secure.
As smartphones and tablets become the new security "battleground," Redwood CU, a nearly $2 billion asset credit union based in Santa Rosa, Calif., is addressing the situation by incorporating end-to-end, or layered, defense so that all key elements of its IT infrastructure are protected against a variety of threats, reports Baseline, a publication for the IT industry (March 13).
For this credit union, a multilayered defense works. "We have been fortunate to not have had any loss or issues as a result of an attack," Tony Hildesheim, senior vice president of IT at Redwood, told Baseline.
Redwood's first layer consists of dual firewalls with multiple DMZs or perimeter networks that segment traffic, coupled with virtual LANs on switches and a segmented internet provider (IP) network, said the publication.
Its second layer includes a set of intrusion detection systems (IDS)and intrusion prevention systems (IPS) that watch all inbound, outbound and cross-network traffic, said Baseline. Redwood also employs an e-mail scanning and spam filtering tool to further reduce threats, as well as a virus protection on all its PCs and servers.
Redwood has aggressive policies on the network, with network restrictions to almost all files and directories on an "as needed" basis. For even more protection, it has a set of controls that includes network monitoring as well as regular checks and audits.
There's more: Its security framework includes central software management; patch management; encrypted hard drives; Internet access monitoring and limitations; and segmented, monitored and controlled network storage.
As a result it has stopped attacks such as Trojans and viruses, usually at the IDS/IPS device, before they attack a PC or other device, said Hildesheim. The credit union tries not to draw attention and, determined not to be an easy target, it aggressively deals with phishing and other attacks.
Redwood also provides security training for employees. It practices standard password rotation or employees, tests for social engineering, and performs penetration and controls testing. Redwood also educates members with awareness campaigns to help them protect their privacy.
Hildesheim noted the credit union sees about 40 attacks each month but all are averted, largely due to e-mail scanning tools and the local scanning and IDS/IPS that augment the firewall. It also experiences roughly 100 "suspicious hits" and about 20 "validated" hits a month, all averted by firewalls, patching and security procedures.
Redwood has suffered no financial or member losses because of an intrusion or attack on its systems, said Wade Painter, the credit union's chief financial officer.