Key to the vault: Stock Yards Bank & Trust and Imprivata
Stock Yards Bank & Trust
A biometric solution helps Stock Yards Bank & Trust manage passwords and aids in compliance efforts, reports Greg Masters.
Stock Yards Bank & Trust has been doing business in the Louisville, Kentucky community for more than a century. Today, the bank boasts of $1.6 billion in assets, 28 branch offices and a large base of consumer, commercial banking and wealth management customers. Spreading beyond the greater Louisville area and into Cincinnati and Indianapolis, Stock Yards has recorded consecutive earnings increases for more than 20 years, ranking it as one of the best performing banks in the country.
Maintaining the confidentiality of customer records and the integrity of its information assets is the job of the company's IT staff consisting of 11 people. This staff is also tasked with ensuring the bank complies with the provisions of the Gramm-Leach-Bliley Act, and the federal regulations of the Sarbanes-Oxley Act.
“Those can be considerable challenges for an institution with dozens of locations, hundreds of employees and a host of software applications,” says Jim Condra, senior vice president and chief information officer, Stock Yards Bank & Trust.
Application passwords are often the first line of defense in meeting these challenges, and Stock Yards Bank was experiencing significant password management issues.
“The Bank's largest group of users is the retail branch employees, including about 110 tellers and 120 customer service representatives,” says Condra. The tellers had three to four application passwords to remember, and the CSRs had four to five -- all of them with different degrees of complexity and expiring at different times. In the operations area, some groups had as many as eight passwords to manage.
“People kept complaining, saying, 'There's no way I can remember all of these passwords.' And of course, many of them resorted to writing passwords down where they could be easily compromised,” Condra explains.
In addition, the Bank's audit department and information security officer were pressing to make the passwords stronger. Enforcement efforts included periodically running users' network passwords through password-cracking software and conducting random calls to test employee compliance. Meanwhile, the Bank's one-person IT help desk was receiving up to 30 calls per month specifically from users requesting password resets.
“After doing that for a couple of years and not having the results we wanted, the company started looking at biometrics to help solve the password issues,” says Condra. He felt biometrics would be the easiest solution to implement, because the Bank's computer users could authenticate their identities during logon simply by placing their fingertips on desktop scanners.
Condra's biggest concern was finding a solution that would support biometrics and work with the Bank's critical software applications. Stock Yards Bank & Trust's tellers and CSRs use a variety of client/server and mainframe applications, primarily from Information Technology (ITI), a subsidiary of Fiserv. The Bank also runs other Fiserv and Harland software solutions. The Stock Yards environment includes a Windows-based LAN and an IBM iSeries mainframe.
Condra's initial search for a solution was not particularly fruitful.
“We looked at two other vendors, but quite honestly, we didn't get very far with either one of them simply because of the cost,” he said. “And we had some real concerns because we do have a couple of terminal server applications and we struggled a bit to get them running.”
The Bank's network person spent about two weeks evaluating each of the products, and discovered there really wasn't good technical support from these other potential solutions.
After the unsuccessful round of testing initial solution choices, Condra approached his primary software vendor for recommendations. He called ITI and asked them if they'd done anything with biometrics yet. Call Imprivata, he was advised.
Imprivata's representatives introduced Condra to Imprivata OneSign. With OneSign, a single action of user authentication permits appropriate users to access all computers and applications they are authorized to use, thereby eliminating the need to remember and enter multiple passwords. OneSign makes it possible to establish and enforce strong password policies without putting an undue burden on users. Without having multiple passwords to manage, users can stop bogging down the IT help desk with password reset requests.
Condra and his 11-person IT team selected OneSign after doing a pilot test. The team tried its core ITI software for the mainframe with two test users and included the Fiserv loan application. The Bank was looking for applications that had the largest number of users, with the thinking being that if they couldn't get all the applications to work, they would at least be able to eliminate as many passwords as possible.
The pilot test proved very successful, and as a result, Condra bought and installed hundreds of fingerprint scanners for his tellers and CSRs. The team was pleased to discover that OneSign could also easily manage One Time Password (OTP) Tokens, which Stock Yards uses for remote user authentication.
“Stock Yards Bank & Trust is at the forefront among its peers for tackling these security and productivity priorities simultaneously through Imprivata's OneSign,” says Imprivata CTO David Ting.
“OneSign's ability to manage multiple forms of authentication significantly strengthens security and increases employee productivity by reducing the number of passwords required for application access.”
Specifically, the platform accomplishes this through:
- Supporting strong authentication, including ID tokens, smart cards, proximity cards and biometrics;
- Authenticating both local and remote access users as they log on to the Stock Yards Bank corporate network;
- Enhancing user accountability by recording all user and application events in an auditable log file;
- Supporting fast user authentication and logout on shared workstations to strengthen security in facilities where multiple users share one or more workstations;
- Providing single sign-on to all legacy, web and client/server applications, including ITI, Fiserv, Harland and more;
- Reducing costs and improving employee productivity by sharply reducing help desk and password reset calls.
The deployment of Imprivata's OneSign platform was very successful and enabled a smooth integration with core financial applications installed at Stock Yards Bank, says Condra.
Plus, Stock Yards Bank found the Imprivata OneSign platform to be very manageable and employees had an easy time learning how to use the technology.
Shortly after the deployment, Stock Yards tellers, CSRs and operations staff were trained to use the scanners, the applications were SSO-enabled, and OneSign was up and running. The deployment did not require any mass training exercise, because it wasn't necessary. The instructions for employees are incredibly easy to follow and intuitive, says Condra.
“It enforces secure and compliant employee access to networks and applications -- locally and remotely -- while supporting the tracking and reporting requirements of regulatory compliance,” adds Ting. “And it does all that without the need for custom scripting, modifications to existing directories, or changes to user workflows.”
Now that OneSign is simplifying password management and strengthening IT security at Stock Yards Bank & Trust, Condra is considering moving to OneSign Physical/Logical, a OneSign module that integrates organizations' physical security systems and identity management systems. OneSign Physical/Logical enables companies to utilize their existing badges, cards and door readers to better secure networks and PCs in sensitive workplace zones without any modification or disruption to existing physical and IT security infrastructure. This would enable Stock Yards Bank to take advantage of the information around when a person entered the building and apply this as a second authentication method when logging on to start work.
The response to OneSign from both users and the help desk has been uniformly positive, says Condra.
“The decision to implement Imprivata OneSign was based on strengthening security, not tracking financial gains. Since implementing the platform, Stock Yards Bank has significantly strengthened network and application security, while enabling employees to be more productive by reducing the multiple application passwords employees previously had to remember.”
“Today's economic realities mean that businesses are tasked with making hard decisions to stay competitive during this downturn,” Ting points out. “Businesses are faced with the reality of continued layoffs and cuts in IT budgets. As a result, IT projects need to be prioritized on this basis. First, does it strengthen our overall security structure? And second, does it make my existing employees more productive?”
On the productivity front, it's universally accepted that businesses will have to do more with less in 2009 – less staff in IT, less money to spend on projects and less time to wait for ROI from ongoing projects, says Ting.
“Because of these realities, consolidation of resources and enhanced productivity need to be a priority of any project, specifically around the reduction of extra time-consuming problems that can keep employees from accomplishing the task at hand.”
An unfortunate by-product of increasing productivity is that it can sometimes lead to a lessened focus on security. Given the number of vulnerabilities organizations face, and the record number of data breaches, security cannot be an afterthought, Ting says. Businesses need to identify their greatest areas of risk and make sure those gaps are closed.
As insider-related breaches grow, one of the biggest security threats facing all organizations is access to applications and information. Businesses need to know what employees are accessing, while providing the ability to track uses and audit usage.
Having confidence in who is getting on your system means believing more than just who someone is as a username and password – it means relying on strong authentication and using a comprehensive model of device-based authentication to prove a user's identity, Ting says.
“The dramatic reduction in the cost of fingerprint biometric scanners, card scanners and tokens allows for the corporate wide deployment of this new technology,” Ting says.