Driving Innovation in Security Technology Through ... - FST Media

More documents

Recommendations

Info

Driving Innovation in Security Technology Through Emerging Channels“Like most thingsthat are developed,you hope securityis considered atthe beginning butsecurity professionalsare use to that notbeing the case.”– Ken Brandt, ANZ“I think traditionally themove to mobile wasseen as a retail move.That’s no longer thecase. Now corporatecustomers are tellingus very, very loudly thatthey are mobile.”– Diane Shehata, NAB2and approve trade transactions through a mobiledevice. We have a huge diversity of cultures in ourmarket that makes we need to understand andcater to, for example supporting Islamic banking inseveral of key markets, such as Malaysia and UAE.Vic Mankotia, CA Technologies: When I talkto banks and institutions and people getting intomobile banking, there’s a lot of discussion aboutapplications. Ken Brandt, where is ANZ BankingGroup (ANZ) going, or where is the industry going,in your opinion? Are you thinking of security whenyou build these applications or do you think aboutit afterwards?Ken Brandt, ANZ: The last question is a broaderquestion and it’s fair to say, like most things thatare developed, you hope security is considered atthe beginning but security professionals are usedto that not being the case. Depending on who isthe developer and how it’s being developed andhow the product is being planned, you might bein there at the beginning – and that’s changing forthe good – but I think we’re still in catch-up mode.ANZ is much more security conscious now, in partbecause of all the news in the media about differentattacks on the bank. It has certainly captured theattention of the ANZ board of directors. It’s notthe best reason for increasing awareness but it hasincreased awareness.Diane Shehata, NAB: I am very concerned aboutthe business side. I think traditionally the move tomobile was seen as a retail move. That’s no longerthe case. Now corporate customers are telling usvery, very loudly that they are mobile. I’m hearing itfrom those of our customers that are internationalor are generally on the road. They want to bemobile. So in the business-type channels we expectpayments to be securely authorised.There’s a whole range of security that we buildinto the channels on top of all the other type ofsecurity that we have at the back-end to detectwhether or not this particular transaction is inline with this customer’s normal behaviour. Butwhat the customer sees is the security that’s builtinto the channel, which is around segregation ofduties, and how that is captured in a mobile device.Certainly we see this as the growing market for us.Vic Mankotia, CA Technologies: Thedifference is that branches are operational 9 to 5 –maybe weekends for certain banks. Mobile bankingis 24/7. That’s a different challenge. What I don’t seein the Australian market is a lot of authentication.How do you see regulation playing in this space?Chris Smith, NAB: Australia was among the firstever to experience hacking. In 2003, there was aphishing attack on the Commonwealth Bank ofAustralia (CBA). So the notoriety of being the firstto be impacted by this underground activity meanswe’ve had more experience than everybody else.Initially putting in SMS security to authenticatewas a market-leading move to secure transactions– or at least to drive awareness. We’re probablynot going to be No 1 on the hit list anymore but Ithink there are signs of innovation here: ANZ’s GoMoney, CBA’s movement in Commbank Kaching,and some of the work we’re doing is really movingthe power of choice to consumers. With that we’llhave no choice but to look at the next phase ofauthentication. Actually I am quite optimistic wedo lead in many parts of the world in terms ofauthentication.Vic Mankotia, CA Technologies: Risk-basedor transaction-based?Chris Smith, NAB: We hope it’s risk-based, butit’s probably transaction-focused. A lot of thirdparty applications are probably being built withoutthe awareness or rigour of some kind of securityframework.Vic Mankotia, CA Technologies: That’s a verycontentious issue. Let’s take Square, for example.I was at a conference last week in San Francisco.I jumped into a cab and the driver took my creditcard and swiped it on his iPhone and I got an email15 minutes later saying, “Here is your receipt.”He’s charged my credit card, there is a Googlemap connect link which tells you where I travelledfrom and I can file that under expenses. There areapplications being built around mobile platformsby third parties, consolidators or people who wantto capitalise on the opportunity. The risk doesnot lie with the bank or the carrier or the devicemanufacturer, or the software company helping itout. It’s the third party that I’m worried about. It’sthe authentication, the identity, the access control,the content aware either in access management. Allfour of these have to work together.I’m going to board a flight today. My passport,my identity, is not going to be enough. I have to goand get an access or boarding pass, I’ve got to goto immigration and get it authenticated. I’ve gotextra in my bags, scan my contents and then I go tothe gate, so all four have to work together and veryfew companies offer that. Dave, from a BankWestperspective, what do you see?Dave Williams, Bankwest: Everything goesthrough the same security gateway, but I think ifyou look at [Google’s] Android and [Apple’s] iOS,they are completely different in terms of security.In the Apple sphere, the authentication you need togo through to be able to publish gives you a certainlevel of protection and a level of traceability. Youcan go back to where the app came from and who
Driving Innovation in Security Technology Through Emerging Channelspublished it and what’s behind it. In Android,it’s almost a free-for-all. We really need to seesomething happening in the Android space tomake security much better because it’s already thepredominant operating system. That’s a real riskfor us. It means that in the Android space we’remore likely to move back into browser technologydeployed on the Android platform so the app doesnothing more than lodge the browser. The securityis in the browser itself.Vic Mankotia, CA Technologies: That’s a verydifferent approach. What I’m frequently hearing inthe industry relates to wrapping that applicationaround identity. That is, put any out there, wrapit around identity or compliance, access control,authentication, and then most applications will getthe right information from the right person to addaccess.Dave Williams, Bankwest: Which in Apple isgreat, but with Android we are much more scepticalthat it can’t be apped in any kind of way.Vic Mankotia, CA Technologies: Tim, whatabout wealth management: are you really lookingat this platform or is it a ‘good to have’?Tim Richardson, MLC: All consumers wouldwant it if it was readily available but you need toask, what are the priorities in terms of our slate ofwork? What can you expose without affecting theclients or leaving them vulnerable? In terms ofbanks, there’s a huge appetite for iPads out thereand most of the executives want them, but we needto do it in a manner that meets the requirementsof the security road map. It’s about having aco-ordinated strategy that approaches this in acontrolled manner. I think it is top of everybody’smind but when it comes to funding it still has tobe weighed up against other initiatives, which isalways the challenge every business faces.Vic Mankotia, CA Technologies: When Ilook at frequent flyer miles with Qantas, I’m notconcerned so much about security. It’s a number.If someone knows my miles, I don’t really care. Butif I’m moving $1000 or $10,000 to someone else’saccount, I’m concerned about the transaction.Naresh, can you talk about Standard Chartered’sBreeze and how it got to where it is?Naresh Vyas, Standard Chartered: For us,security was important in terms of building themobile apps and mobile capabilities. We ensuredsecurity is on par with what we offer on an onlinechannel. For example, we let customers decidewhat limits they want to have on various channels– $100 might be the maximum, $10,000, $50,000.The other thing we’ve done on the mobile is allowcustomers to transfer money to people they alreadyhave as a beneficiary or as a payee. If you need to setup a new beneficiary you need a lot of information,such as bank routing codes, so we do not supportthis via mobile.Vic Mankotia, CA Technologies: Richard,what do you see as the biggest security risk onthe mobile platform and what are you looking atin an ideal world to protect that experience on themobile platform?Richard Farrell, ANZ: You want to make surethat transactions are secured end-to-end; that yourcustomer information is secured. You also wantto ensure that your personal and authenticationdetails are protected. In an ideal world you wouldhave a controlled sandbox around it and say forexample you are using jail-broken iPhone, you stillwant a high level of control and security around it.The goMoney mobile application has been hugelysuccessfully for ANZ accounting for 36 per cent ofall online logins by ANZ customers and doubledigit growth month-on-month. But this level ofgrowth can be a double-edged sword. On one sideit is growing your business but on the other side,you potentially have half a million users using anapplication that will most likely be the target ofmalware and attacks in the future. On top of that,if you are looking at putting it on multiple devices –such as Android, iPhone devices and tablet devices,your attacks surface has just significantly grown.Due to the fast pace of mobile development, someapproaches are moving from a waterfall to agilebased methodology challenging your traditionalSDL (Secure Development Lifecycle) approaches.Berin Lautenbach, GE Capital: Five years agowe were doing all this stuff on a PC and a PC is a lotless secure than a mobile phone in general terms.At least with a mobile phone you know people havegot it on them all the time; they know if they’velost it. So there’s actually a whole load of securitymechanisms. Bill, you were speaking about iOS, agreat platform to build this stuff on. Does it meanit’s not compromised? No, it can be compromised.There’s things that can go wrong with it. But as afundamental platform to build on, it’s far betterthan Windows. So your question about DLP (DataLoss Prevention): some of the things that I’mseeing at the moment that are really nice on themobile phones, you can do on iOS. It’s harder onAndroid because the segregation side isn’t as good.A client goes on iOS – it’s your email client, yourcalendar, it’s everything. It’s clunky. But this stuff isalways clunky when it starts. And now I’ve got onecentral point of control on your device, but with mydata on it I can control what data you’ve got. I cansee where that data is going. I actually have morecontrol.“You need to ask, whatare the priorities interms of our slate ofwork? What can youexpose without affectingthe clients or leavingthem vulnerable?”– Tim Richardson, MLC“Five years ago wewere doing all this stuffon a PC and a PC isa lot less secure thana mobile phone ingeneral terms.”– Berin Lautenbach,GE Capital3
Page 1: Driving Innovation in Security Tech
Page 5 and 6: Driving Innovation in Security Tech
Page 7: Driving Innovation in Security Tech

Driving Innovation in Security Technology Through ... - FST Media

Create successful ePaper yourself

Delete template?

Save as template?