>
Business Continuity & Disaster
Recovery for Wide Area
Networks in Financial Services
>
Concerned over the security of backup data replication connections
supporting your business continuity and disaster recovery plans?
>
Worried about protecting data confidentiality and integrity?
>
Confused by complex government and industry regulations?
Are you:
>
>
>
Protect data replication WAN connections
>
Fulfill government and industry data security regulations
>
Use encryption as a business and compliance advantage
Learn how to:
4
Financial services organizations have become dependent on the uninterrupted operation of complex electronic information systems to conduct day-to-day operations. To maintain a resilient system and guarantee business continuity, constant data replication between primary and backup sites is commonly employed. These interconnected infrastructures carry and store vast amounts of sensitive data. While the process of replication and exchange provides increased redundancy, it also places data at greater risk of compromise.
This paper addresses concerns expressed by chief information officers (CIOs), network architects, and corporate auditors in the financial services industry about how to protect increasingly distributed data replication networks supporting their business continuity and disaster recovery plans. The paper examines the vulnerabilities and threats affecting these systems and highlights effective ways to protect networks and connections. Given the potential for dramatic and even catastrophic effects, especially in financial services, business continuity and disaster recovery is a critical aspect of doing business in today’s technology-dependent environment. The paper focuses on the importance of a secure data replication process to guarantee uninterrupted operation and to fulfill government and industry requirements for data protection. Specific technologies for high-speed and low-latency encryption are examined as a solution of choice to help secure data replication processes.
As a leading provider of network encryption solutions, Thales is uniquely positioned to help enterprises protect the security of critical data exchanged between primary and secondary sites. Thales’ Datacryptor® family provides high-speed encryption with
minimum latency using robust certified algorithms, ensuring the confidentiality and integrity of critical information without impacting operations. Datacryptor SONET/SDH and Ethernet Layer 2 encryptors protect backup data connections to support business continuity and disaster recovery plans.
Executive summary
>
Executive summary
...4>
Introduction
...6>
Vulnerabilities and threats
... 7>
Protecting networks and connections
... 8>
Regulations and their impact
...10>
In conclusion
...14>
About Thales
...15>
References
...15Contents
6
Business continuity and disaster recovery are contingency planning processes designed to ensure minimal disruption in the event of natural disasters, accidents, or attacks. Business continuity plans seek to reduce the effect of external disturbances on a business’ processes, allowing uninterrupted operations. Disaster recovery plans are designed to restore business operations as quickly as possible after an interruption. Today’s mission-critical information systems use built-in redundancy and parallel processing to manage ever-increasing amounts of data. As a result, data replication is needed to maintain the high-availability service levels that customers now demand. However, in the course of moving and storing data, these processes also increase the risks of data exposure and compromise.
Measures used to achieve business continuity and disaster recovery can be categorized as either preventive or reactive. Preventive measures focus on before-the-fact initiatives to ensure uninterrupted service by adding redundancy to the business process. They aim to identify and eliminate single points of failure that can bring operations to a halt. Backup and data replication systems discussed in this paper fall into this category. Reactive measures, on the other hand, focus on the development of detailed and orderly after-the-fact procedures that dictate the management and execution of events under a crisis situation. Disaster recovery requires accounting of known crisis conditions and their associated possible worst-case outcomes. To achieve this, it develops if-then scenarios, and from these baselines, builds predetermined responses to minimize decision-making and establish organized transition roadmaps back to normal operation. Effective disaster recovery provides a step-by-step approach to managing a crisis through prioritization, leading to resumption of high priority services, recovery, and full restoration of capabilities.
Introduction
CIOs, network architects, and corporate auditors in the financial services industry must meet customer demand for dependable, always available access to their accounts. High levels of security and privacy must also be maintained to fulfill consumer expectations as well as a growing number of government and industry data security regulations.
In the context of business continuity and disaster recovery, vulnerabilities are inherent weaknesses in the operational systems that can result in service disruptions. A threat, on the other hand, is the likelihood that an adverse natural or human-made incident may actually materialize. Conventional threats to enterprise operations include natural disasters such as storms, earthquakes, and floods that can damage facilities and cut power and telecommunications infrastructures. Human-made threats include hacking and sabotage of physical and virtual resources required for business. A critical component of business continuity and disaster recovery planning is the ability to restore data resources and redirect connectivity at a moment’s notice to maintain operations. While business continuity and disaster recovery plans address a multitude of threats and vulnerabilities, we will focus our attention on vulnerabilities and threats affecting critical data in today’s more distributed wide area network (WAN) environment. An example illustrating the operational elements of a financial services organization and the components associated with the data security aspects of a typical business continuity and disaster recovery plan are shown in Figure 1.
Figure 1. Schematic representation of typical operational elements of a financial services organization and WAN data security components of associated business continuity and disaster recovery plans.
Vulnerabilities and threats
>
>
Business continuity plans and disaster recovery procedures
Redundant connections provide improved resiliency. Ecrypted and signed data secures confidentiality and integrity.
Threat
Threat
Threat Electronic network Financial institution’s primary operations
Stock/Bons; Mortgages/Loans Deposits/Withdrawals
Security requirements for data in the WAN
> Availability: Prtection of factilities and data processing > Confidentiality: Encrypted data transmission/storage > Integrity: Single data transmission/storage
Credit/Debit Point of sale ATM Home banking Mobile banking
Financial institution’s remote services
Branch offices Data center/Backup site
Business continuity plans and disaster recovery procedures
8
Since data resources are the foundation of the financial services system, any unauthorized disclosure or corruption of the data directly impacts the reliability and availability of services. As a result, protecting the confidentiality and integrity of sensitive data is a critical priority. Confidentiality is the ability to keep sensitive data private and prevent its disclosure to an unauthorized entity. Integrity refers to the ability to prevent unauthorized alteration of data during processing, transmission, and storage. As highlighted in Figure 1, redundancy is the key protection principle required to mitigate the risks of business disruption and guarantee uninterrupted availability of services. Continued operation of financial services depends on the extensive use of network connections and the transfer and replication of critical data resources to build system resiliency. Because these connections are commonly carried over WANs shared by multiple users and applications, the level of exposure of sensitive data is increasing. To protect the confidentiality and integrity of critical data resources, encryption has emerged as a preferred protection mechanism.
Hardware-based, point-to-point network encryption provides an effective and straightforward way to secure data connections. CIOs looking to maintain separation of security management and network administration will find that stand-alone dedicated network encryptors will help enforce this vital security principle. While cryptography often carries the implication of slowing down operations by adding unnecessary overheads, high-speed Layer 2 encryption provides unprecedented speed and convenience. Operating at the data layer of the Open System Interconnect model for data transport, encryption at this layer has the unique advantage of introducing only insignificant latencies and overheads. This allows Layer 2 encryptors to ensure maximum operational efficiencies, protecting the confidentiality and integrity of data connections transparently, often going unnoticed by users.
Because they operate independently of the telecommunications protocols used, Layer 2 encryptors can be easily deployed into existing networked infrastructures, requiring no additional reconfiguration. This characteristic, often referred to as “bump in the wire” operation, makes them attractive to network architects looking to secure the existing topology in a cost-effective manner, with minimal or no disruption. Automatic key management, a feature often found in commercial encryption offerings, provides the means to mechanically generate and distribute cryptographic key material with little or no additional time requirements.
Secure management and auditing capabilities are often provided by vendors of these solutions, affording further control of the data in transit. Because data replication connections commonly use shared high-speed telecommunications infrastructures offered by third-party service providers, these capabilities help ensure the complete protection of the information resources needed to support a sound business continuity and disaster recovery plan.
Protecting networks and connections
Business continuity and disaster recovery are now subject to a growing range of government and industry regulations. As data confidentiality and integrity have become critical factors in ongoing business operations, encryption has emerged as one of the most effective ways for an organization not only to protect and control data resources, but also comply with regulations.
Given the capabilities that encryption of data in transit over WANs affords, this vital security mechanism has become an implied regulation. Properly deployed stand-alone encryption solutions provide the means to secure WAN connections in a cost-effective manner that does not impact operations and facilitates compliance with government and industry regulations. Financial services organizations deploying high-speed stand-alone encryption solutions to secure data across WANs stand to gain a business and compliance advantage.
10
Corporate governance has taken on increased significance in recent years, partly as a result of numerous incidents in which questionable business practices have made global headlines. A more regulated environment has emerged, requiring organizations to enact strict control measures and provide auditable records to external examiners. Compliance with this new set of regulations is a key concern for security practitioners designing and implementing business continuity planning and disaster recovery initiatives.
Many of the regulations have come about as a result of evolving environmental factors, with the ultimate aim of protecting consumers. The increased dependence on network information systems and the rapid growth of electronic eavesdropping, identity theft, and fraud have all contributed to this push for greater regulation. Nowhere has this been more apparent than in the financial services market. For the purpose of this discussion, we will concentrate on identifying issues specific to securing network connections as they relate to data replication and their effects on compliance. A small selection of regional regulatory entities and their associated directives are shown in Table 1.
>Prudential Standard
Requires deposit-taking institutions to implement business contingency management practices.
>Personal Information Protection and Electronic Documents Act (PIPEDA)
Establishes security principles for protection of personal data disclosed in the course of commercial activities.
>European Commission Data Protection Directives 95/46, 02/58, and 06/24
Requires companies processing information containing individual private data to protect the confidentiality.
>Basel Committee on Banking Supervision
Requires accurate maintenance of historical transactions and continuous availability of distributed financial systems.
>Personal Information Protection Law
Applies to any company with offices in Japan and requires confidentiality of customer data.
>Financial Instruments and Exchange Law
Commonly referred to as JSOX, the Japanese equivalent to Sarbanes-Oxley.
Requires regular auditing of the business continuity life cycle as part of internal controls within public companies.
Regulations and their impact
>
>
© DiskArt™ 1988 © DiskArt™ 1988 Australia Canada European Union Japan>Data Protection Act (DPA)
Requires confidentiality of personal information.
>British Standards Institute (BS 25999) Business Continuity Management
Addresses complete business continuity life cycle including data replication transit and storage security.
>Civil Contingencies Bill
Mandates government agencies to implement business continuity practices. Additional requirements introduced in 2005 are expected to expand to business community, particularly segments considered to be part of national critical infrastructure such as banking and financial services.
>Federal Financial Institution Examination Council (FFIEC)
Requires member financial institutions to guarantee continuous uninterrupted services.
>Sarbanes-Oxley (SOX)
Section 404 requires regular auditing of the business continuity and disaster recovery plans across enterprise.
>National Institute of Standards and Technology (NIST)
Requires contingency and continuity plans and management and promulgates cryptographic robustness standards.
>Securities and Exchange Commission Title 17 Code of Federal Regulations 240
Require continuity of service and transaction histories on all electronic securities exchanges.
>Gramm-Leach-Bliley Financial Modernization Act (GLBA)
Requires customer data be kept confidential even in the event of disaster.
>Committee of Sponsoring Organizations (COSO)
Requires data center operational controls in order to ensure data security.
>Payment Card Industry Data Security Standard (PCI DSS)
Requires the security of sensitive credit/debit card data in transit and storage.
>International Standards Organization / International Electrotechnical Commission (ISO 17799/IEC 27002)
Requires testing, maintaining, and reassessing business continuity plans.
>Information Systems Audit and Control Association (ISACA)
Control Objectives for Information Technology (COBIT) promulgates best practices.
United Kingdom
United States
12
Because the financial sector is considered to be part of a nation’s critical infrastructure, global regulations protecting the resiliency of this market have more than doubled in the last ten years. Some of the more prominent government regulations and standards include Sarbanes-Oxley (SOX) in the United States, the Basel Capital Accord in the European Union, BS 25999 business continuity management and the Civil Contingencies Bill in the United Kingdom, and the Australian Prudential Standard for business continuity, among others.
Increasing international acceptance of the information technology governance guidelines developed by the Information Systems Audit and Control Association (ISACA) and its Control Objectives for Information Technology (COBIT) best practices are also making these a de facto set of regulations. ISACA audits are beginning to carry the weight of generally accepted compliance and control measures. Business continuity and disaster recovery planning are a key component of these assessments. Under the Federal Financial Institutions Examination Council (FFIEC), member financial institutions in the United States at both the federal and state level must be able to guarantee continuous uninterrupted services. The council reviews operational procedures including business continuity and disaster recovery plans as part of its examination procedures, and places responsibility for compliance at the senior management level of these institutions. In order to comply with high-availability service requirements, comprehensive data replication mechanisms must be part of business continuity and disaster recovery planning.
In the commercial environment, the Payment Card Industry Data Security Standard (PCI DSS) developed by the credit card industry requires financial services organizations and merchants conducting credit and debit card transactions anywhere in the world to comply with the requirements. PCI DSS is enforced by the individual credit card companies holding relationships with banks, financial services companies, and merchants. While PCI DSS does not directly deal with business continuity and disaster recovery planning, the components associated with the data security aspects are prominently addressed. A Visa bulletin on the requirements of the PCI DSS standard specifically addresses the security of sensitive data in transit and storage*. (*Visa CISP Bulletin, Clarifications to PCI Requirements 3.4 and 10.2 - 10.3, July 2006). In addition to the physical plant and human resources on which financial service organizations depend, virtual resources including data and telecommunications are equally crucial to business operations. Safekeeping the confidentiality and integrity of critical data assets is vital to ensuring availability of services.
Encryption offers a reliable and easily implementable way to secure data resources. It enables financial services organizations not only to establish more robust business continuity and disaster recovery measures, but also to address the underlying requirements of many regulations. As a data layer process, Layer 2 encryption affords an uncomplicated mechanism for protecting sensitive information assets no matter the communication protocols used across the WAN infrastructure. Operating independently of these network protocols, Layer 2 encryption can be applied to protect the confidentiality and integrity of sensitive data while allowing operations to
continue at maximum performance. In today’s highly redundant telecommunications environment, encryption at Layer 2 can provide the necessary protection needed to secure this more vulnerable infrastructure. Common security issues addressed by many of the regulations we have discussed can be fulfilled by employing Layer 2 encryption across WAN connections. Table 2 highlights how Layer 2 encryption meets some of these security mandates.
Table 2. Common security challenges and how Layer 2 encryption meets them.
Common security challenges How Layer 2 encryption meets them
addressed by regulations
Protecting confidentiality and integrity Encryption renders sensitive data of personal and private data unreadable to unauthorized parties Accurate maintenance of historical Encryption prevents data from being files and transactions altered by unauthorized parties Guaranteed uninterrupted service Layer 2 encryption does not impact
operational performance, enabling data replication/exchange without additional overheads or latencies
14
Safekeeping the confidentiality and integrity of critical information assets is vital to ensuring the availability and resiliency of financial services. CIOs, network architects, and corporate auditors need to ensure the protection of backup connections used for data replication systems.
Having briefly examined how to assess the risks and vulnerabilities of typical business continuity and disaster recovery WAN connections, and analyzed how to secure backup data replication mechanisms, we have seen how encryption techniques can be used not only to protect the critical data resources, but also to fulfill security regulations. As a proven effective mechanism to control the exposure of sensitive data, encryption has become an implied regulatory requirement.
As a premier developer and supplier of cryptographic network security technologies, Thales is uniquely positioned to help financial services organizations protect the security of critical data exchanged between primary and secondary sites with innovative and cost-effective solutions that ensure the confidentiality and integrity of critical information assets. Thales offers robust certified data encryption solutions designed to protect high-bandwidth data connections typically used for data replication. Yielding maximum performance and reduced operational impact, these solutions provide the means to protect data confidentiality and integrity and to comply with government and industry security regulations. Easy to install and integrate into existing architecture, Thales’ bump-in-the-wire encryption platforms protect the confidentiality and integrity of data exchanged between data centers as part of the data replication mechanisms supporting business continuity and disaster recovery initiatives.
In conclusion
Thales is a leading international electronics and systems group serving the aerospace and space, defense, and security markets worldwide. The group’s civil and military businesses develop in parallel to serve a single objective: the security of people, property, and nations. The group employs over 68,000 people in 50 countries and generated revenues of €12.7 billion in 2008. Operating in three main markets covering e-security, card payment, and network security, Thales’ Information Systems Security activities address the business, government, and finance industries’ needs for cryptographic security products and solutions. Over half of the world’s banks, together with the majority of the busiest exchanges, currently use Thales technology.
About Thales
>
>
References
>Agility Recovery Solutions, 2009 Disaster Recovery and Business Continuity Survey, Spring 2009.
>Forrester Research, Inc., Role Profile: the Chief Information Security Officer, by Emily Van Metre
and Eric G. Brown, April 2009.
>IRM Research White Paper, PCI DSS Appendix B: Compensating Controls, by Michael Owen,
April 2007.
>Seventh Annual Conference on Business Continuity and Disaster Recovery in the Financial
>
>
>
© Thales • September 2009 • MGD0784
Americas
THALES e-SECURITY, INC. 2200 North Commerce Parkway Suite 200 Weston Florida 33326. USA T: +1 888 744 4976 or +1 954 888 6200 F: +1 954 888 6211 E: [email protected] Asia Pacific
THALES TRANSPORT & SECURITY (HONG KONG) LTD.
Units 2205-06 22/F Vicwood Plaza 199 Des Voeux Road Central Hong Kong, PRC
T: +852 2815 8633 F: +852 2815 8141
Europe, Middle East, Africa
THALES e-SECURITY LTD. Meadow View House Long Crendon Aylesbury Buckinghamshire HP18 9EQ. UK T: +44 (0)1844 201800 F: +44 (0)1844 208550 E: [email protected] DISCLAIMER
Thales reserves the right at any time, without notice and at its sole discretion to revise, update, enhance, modify, change or discontinue the information provided herein.
THALES MAKES NO REPRESENTATION OR WARRANTY AS TO THE ADEQUACY OR COMPLETENESS OF THE INFORMATION PROVIDED HEREUNDER.