Secure Image Transport: 'Buy, Don't Build'
"Secure Transport is provided as a central source of audit logs and also provides the visibility to the actual transfers themselves, where we can see the details of every transfer and then also be able to demonstrate our compliance with the government regulations and protect against any potential legal liability," Welsh says. "Secure Transport also enables us to more easily create a repeatable process that helps establish new exchanges with existing partners or modify our existing exchanges, or bring on an entire new trading partner."
In this interview with BECU, Welsh, the credit union's vice president of technology, and Dave Bennett, chief technology officer of Axway, the third party that provided the credit union's solution, discuss:
- Advantages of off-the-shelf solutions and technology;
- How an image-exchange platform can be used to manage and transport everything from ATM check images to Web-server logs;
- Improved business efficiency and increased transaction transparency.
Welsh is the vice president of technology services for BECU. Welsh is responsible for IT operations, IT enterprise applications, IT networks, and security and IT application development. He also is a member of BECU's project review board, information protection team and enterprise architecture board. Welsh joined BECU in 1997 and has held various positions in IT since that time.
Bennett is the chief technology officer of Axway and is a member of the company's board.
A Case for Secure Image Exchange
TRACY KITTEN: The emergence of new banking channels and the ever-increasing use of image exchange between and among merchants and consumers has emphasized the need for financial institutions to ensure the security of all monetary exchanges. One credit union in Washington opted for an off the shelf Secure Transport solution as a way to ensure strong layers of security as well as to lighten the strain on its IT department. Kyle Welsh, the vice president of technology for Boeing Employees Credit Union, which is based in Tukwila, Wash., talks about his institution's decision to sign with a third-party for secure image transport.
Kyle, BECU recently invested in a secure financial exchange platform, which it's using to exchange images, called Secure Transport. What images or files is BECU transferring or moving over the Secure Transport platform?
KYLE WELSH: Each day, we transfer actually over 2,000 files to over 50 business partners, usually with an average volume of around 2 gigabytes. Once all of our check images from our ATMs are consolidated in-house, we actually use Secure Transport to transfer those to our item-processing partner. We also use Secure Transport to exchange settlement files with our Visa card and debit card providers, and we also transfer our public Web server logs to an internal repository, where we perform security analysis and data-mining analysis on them.
KITTEN: And when you say "security analysis," can you explain what that means?
WELSH: All of our public Web servers are behind firewalls, so they are accessible over the Internet and we actually have a solution, internally, that looks for suspicious activity from different foreign countries, if we see a lot of activity from a specific IP address range; you know, things that actually raise suspicion with us internally that we then, in turn, go and look at a little deeper, to make sure there isn't some event that is occurring.
Defining 'Secure Transport'
KITTEN: Now when we talk about file transfer, what are the encryption requirements, and does BECU merely transport the files or is it using Secure Transport to safely store the data as well?
WELSH: Well, we use Secure Transport to actually get all of the files off of the endpoints, but we don't store them on Secure Transport; and when we are transmitting, we use all of the industry standard encryption methods.
KITTEN: Kyle, what are some of the benefits that are realized by BECU members, and how does this make BECU a more attractive institution to members?
WELSH: Well, honestly, a lot of what Secure Transport does for us the members probably aren't necessarily going to see; but we have essentially automated all of our business-partner file transfers, which, in turn, allows us to run any batch jobs that are associated with these files as soon as we get them; or, at the very least, run them at the beginning of the pertinent processing window. So, essentially, we are keeping member accounts up to date and as accurate as possible. The majority of our transactions are real-time, but what we have done with Secure Transport is even make batch processing as near real-time as possible, as well.
Securing Images: Working in the Cloud
KITTEN: Security requirements for financial institutions continue to evolve and it is vital for businesses to have a defense that will fend off risks and data breaches. What role does secure image exchange play in the fight against some of these data breaches, to protect the data and to prevent breaches?
WELSH: With Secure Transport, we know where every file is, when we should expect a file or files from a partner and when our files need to go out to partners. We also get a positive acknowledgement of every transmission. Of course, there are thousands of files that we move each day, and now we can actually account for each and every one.
KITTEN: Kyle, the Secure Transport platform is provided by a company called Axway, which is based in Phoenix, and they provide managed services, cloud computing and software as a service. I guess one of the selling points for BECU was the ability to have full transaction transparency, in real-time, as these files are exchanged and these images are transmitted. How has that real-time transparency helped the institution to mitigate fraud and security breaches?
WELSH: We now have complete visibility through a single pane of glass, with all of our file transfers, with all of our business partners; before, it was rather hit and miss. All of our file transfers before were done in a fairly unique way, and now we actually have that single, consolidated approach; so it really just makes the entire process a lot more efficient.
Outsourcing and the Cloud: Working With Third Parties
KITTEN: Now, I would like to introduce Dave Bennett, who is the chief technology officer at Axway. Dave, could you please tell the audience how the Secure Transport platform works, i.e., is it hosted or in the cloud? And I understand that BECU is actually hosting it in-house; but can you talk about when Secure Transport is actually managed by Axway, what the difference is there?
DAVE BENNETT: Yes, it depends on the operation of the actual customer, the segment and their own risk-management issues that they want to deal with -- where they want to host it. But it is truly designed to be deployed on-premises, virtualized on an appliance, if you want an appliance, or in the cloud; so you have many options. In the cloud, you can do it from a public context, through our services, or you can do virtual private clouds.
KITTEN: How can financial institutions ensure that these transactions and files are secure? What kind of qualifications or information does Axway provide to them to ensure that these things are secured?
BENNETT: One of the unique things about Secure Transport is we support a lot of different models within the technology, from standards-based knowledge, like Kyle talked about -- patterns from channel security to message-level security with full PKI, full validation. In fact, if you look at some of the history of a lot of the secure-standard-messaging protocols on the market, they were authored or co-authored by Axway. So we will support all of the PKI infrastructures, from non-repudiation of origin to non-repudiation of receipt and all of the different levels of strength, all the way up to compliance for the government regulatory environment.
Securely Storing Images
KITTEN: Now, this system only relates to the actual transfer of data; but what about that data that must be stored, once it has been transported or received? How is that information secured or protected?
BENNETT: Well, this will vary by customer, and I think Kyle alluded a little bit to that. There are opportunities where people might store this and have a security-encryption tool on that product. They might store it as a large object using a secure database. We also have the capability to secure it at-rest using encryption technologies, so there are many different options for a customer to choose from. Most of the time at rest, these kinds of transactions like Kyle was talking about have to be secure all of the time.
KITTEN: How many financial institutions are using the Secure Transport system, and what trends do you see in the way of institutions moving to more of these types of solutions, such as taking them out-of-house or into the cloud? What trends are you seeing?
BENNETT: We have a little over 300 customers today on Secure Transport in the financial-services industry. We have over 1,100 customers, in total. We have the top seven out of eight banks using this technology. I think the unique thing about Secure Transport, and the reason why we are seeing more and more banks and financial institutions leveraging this technology, is the broad kind of support for different patterns. Kyle talked about a pattern of B-to-B, where he was working with his providers, moving transaction between them and him; also internal integration -- we are seeing a lot of that. We are seeing more and more ad hoc, where people want to move big files securely and support things like PCI compliance. The other critical aspect of it, why these banks are adopting these technologies, is one of the points that Kyle hit on around visibility. Having complete start-to-finish visibility and being able to probe the systems that are also creating the files and delivering those files is a very unique feature that gives them the audit and risk-management capabilities to monitor these transactions. They can even go farther and do content classification and specialized routing based on this visibility.
Complying with Security Mandates: A Liability Shift?
KITTEN: Kyle, one of the advantages of using an off-the-shelf platform, such as Secure Transport, is that it ensures BECU complies with government regulations. Now, if a breach occurs or a question of liability comes up, how is BECU protected?
WELSH: Well, Secure Transport is provided as a central source of audit logs and also provides the visibility to the actual transfers themselves, where we can see the details of every transfer and then also be able to demonstrate our compliance with the government regulations and protect against any potential legal liability. Secure Transport also enables us to more easily create a repeatable process that helps establish new exchanges with existing partners or modify our existing exchanges, or bring on an entire new trading partner, and, of course, gives us the ability to terminate all of those exchanges or partners, as well.
KITTEN: From a security perspective, what are the top three considerations a financial institution should take into account before signing with a third party for a platform that manages file and image exchanges?
WELSH: My first consideration isn't necessarily a security consideration, but one of our primary considerations with any solution is that we prefer our third-party vendors be true partners. Things aren't always going to go the way you want them to, but if you have a true partner relationship, you can work through those issues with a positive outcome for both parties. Secondly, my team really enjoys the total visibility of all file transfers and the trading partners. BECU IT has taken an approach of enterprise monitoring -- monitoring the business and not just monitoring the technical components. Secure Transport allows us visibility into a big part of our business that was previously very hard to see, and even harder to monitor. And third would be the ease of administration and flexibility of the solution. All trading partners are slightly different; many file sources are unique, as well. So, having a solution that can be easily implemented, operated and supported is always an attribute we look for in our "buy don't build model" here at BECU.