Wachovia Automates Security Policies

Wachovia's Corporate Investment Bank Technology Division, which oversees institutional investing, has grown fast and furious -- it went from less than $500 million in revenue in 2001 to a whopping $6.7 billion in fiscal 2006. But the fallout with its dramatic growth was increased complexity and decreased productivity in its IT systems, as well as in applying security policies to its users.

“We needed an easy way to write software so our applications would let a senior trader authorize a $10 million transaction and deny a junior trader that same request,” noted Ryan Bagnulo, vice president, head of architecture and innovation at Wachovia Corporate Investment Banking Technology. Wachovia is the nation’s fourth largest bank and third largest full-service brokerage firm.

So the Wachovia division went with an automated entitlement management solution that makes security policy changes in seconds, rather than in weeks or even a month, which it took previously.

The financial services firm had been building its own custom security policies, written in a number of different programming languages, so its applications understood which privileges each employee possessed. The manual process of writing policies for different apps was tedious, however: A developer had to figure out who the user was, outline the privileges he or she should have, and then write custom code. Once the code was written, it had to pass through Wachovia’s quality testing procedures to check for programming errors, so it was a slow process as well: Writing 20 lines of code outlining one person’s privileges, for example, took two weeks in a best case, and worst case, as long as a month.

This wasn't just inefficient, but it was also becoming more and more complex. With the business trying to respond to competitive pressures, the number of privileges employees had, as well as the degree of granularity among them, was increasing. “We were reaching a point where there was almost one security policy for each user ID,” Bagnulo says.

To address the problem, the financial services firm earlier this year set out to find a way to extract its security policies from the rest of its application code. Ideally, the IT department would hand the task of establishing privileges off to business users, who would define them via a GUI that would generate standard programming code. And the timing was right, as OASIS's Access Control Markup Language (XACML) standard, which helps do just that, was emerging at the time.

A few vendors had begun incorporating support for XACML into their products since the spring, so Bagnulo this summer took a closer look at them. IBM’s Sparcle was attractive, he says, but it only worked with the AS/400. Bea Systems Inc.’s BEA AquaLogic Service Bus functioned only with the company’s WebLogic Server. He ended up selecting Securent’s Entitlement Management Solution (EMS) because it worked with number of different application types.

Wachovia had the software up and running within a month of evaluating it. Securent’s (which was acquired by Cisco in November) EMS now works with several of Wachovia’s platforms and apps: Adobe’s application development platform FLEX and LCDS, Bea’s WebLogic application server, EMC’s Documentum content management system, IBM’s DataPower XML appliance, Oracle DBMS, Microsoft’s SharePoint collaboration system, and Red Hat’s JBoss middleware. By January, the financial services company expects to have a link working for IBM’s FileNet content management solution as well.

Automating its security policies is helping the Wachovia division continue its growth and expansion. “The challenge for us is time to market; we need to be able to make the business respond quickly so it can take advantage of emerging opportunities,” says Bagnulo. “By deploying Securent’s EMS, we are in a stronger position to do that now than we were a few months ago.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.