It is a big dilemma – how to provide employees with the ability to connect remotely to your network while maintaining security. For Raymond James Financial (RJF), there was a twist.
"We have financial advisors who are essentially contracted to us. We don't own their hardware or their office. They're not employees," says Gene Fredriksen, vice-president of information security at the financial services firm. "So we're in a situation where we want to give them maximum connectivity for the best customer service. We're also then very concerned about what they do for security at their end."
In the past, RJF provided training and tools to its financial advisors, but relied on them to secure their environments. Internet worms and viruses can circumvent the best intentions, though, and malware can disable a personal firewall or virus protection while leaving the firewall and anti-virus icons in the system tray, says Fredriksen. So RJF is beginning a project to further protect its network by ensuring end users' machines are free of malicious code.
"The next step in order to protect the RJF information assets is to do what we and a lot of people in the industry are calling 'check on connect.' It's that realtime check so when you connect to us, we're going to look at your machine to see if it's running Trojans, keystroke loggers, and those kind of things," says Fredriksen. RJF is boosting protection by using behavior-based Confidence Online software from WholeSecurity and an SSL VPN solution from Neoteris.
Confidence Online's detection engine has hundreds of modules to examine processes on a PC to identify types of behavior consistent with Trojans, worms, and other remote controls such as file manager capabilities and keystroke logging. Confidence Online inputs suspicious behavior into an algebraic scoring algorithm that identifies if processes are malicious threats.
The software scans a system for malicious code before allowing it to connect to the network, says Scott Olson, senior vice-president of marketing at Whole Security: "We look at the active processes on the machine and the behaviors those processes are exhibiting. We look to see if they're capturing keystrokes, opening up remote ports to send information out, or capturing screenshots."
At RJF, employees working remotely connect to the network via the SSL VPN, but before they do, their systems are scanned by Confidence Online. If a threat is detected, the user is directed to the company's helpdesk.
"There are a lot of avenues for potential infection that we need to make sure we take appropriate control steps to stop," says Fredriksen. The speed of internet threats requires enterprises to deploy this kind of real-time protection. Viruses and worms are outpacing the ability of vendors to release protective pattern files and updates, he states.
Confidence Online is part of a solution that blends technologies from several vendors to protect RJF and its clients. "When I talk to our financial advisors, probably the number one concern they have from a security standpoint is identity theft. It's critical that the personal identification of their clients is protected," he explains.
While RJF must adhere to federal privacy regulations such as Gramm-Leach-Bliley, retaining customer trust is its driving goal. "We trade in trust and the only thing that keeps you a RJF client is that you trust RJF," says Fredriksen. "One part of that trust is that you trust us to keep your private information private. We take that very seriously."
RJF is deploying Confidence Online Enterprise Edition, but has initiatives for WholeSecurity's new Confidence Online Portal Edition. It uses the same technology as the Enterprise Edition, but is geared for the customer PCs of online businesses. Customers can download the protection from the company via an ActiveX control, says Olson.
RJF is testing the Portal Edition on an intranet employee resource site. "Although it doesn't contain customer information, it's a good proving ground for the Portal Edition," says Fredriksen, adding that the company has tested the product extensively with good results.
The firm is looking at ways to use the technology in its customer-facing applications, such as its investor website.
"When you're talking about working with customers, you need to be careful," cautions Fredriksen. "It can't be a raw security initiative, so we're going to be working with those groups [development and customer support] on how to define the best way to roll this out."
The only problem RJF faced in deploying the Enterprise Edition was creating the appropriate training for employees and contractors so they could all understand the purpose of the technology and how it works, he says.
"It's just user awareness. There's no technical education that has to take place," he says. "More than anything, it's just making sure the users understand why we're doing this, that it's not just another 'big brother' kind of control that's being implemented."
Like many security systems, it's difficult to pinpoint the ROI the solution brings to RJF. "Usually, you are projecting against the impact of a potential service outage," says Fredriksen. "The only thing I can tell you is when we do a threat or risk analysis, we're seeing that the potential for an outage coming from a virus or something similar continues to rise... We've gone well beyond the days of these [malware agents] just trying to clog email servers. These things are incredibly sophisticated – they take multiple vectors of attack and we're making sure we can respond quickly."