Wachovia Automates Security Policies

Corporate Investment Bank Technology Division adopts entitlement management system to streamline security policy changes

Wachovia's Corporate Investment Bank Technology Division, which oversees institutional investing, has grown fast and furious: it went from less than $500 million in revenue in 2001 to $6.7 billion in fiscal 2006. But the fallout from that growth was increased complexity and decreased productivity in its IT systems, including in how it applied security policies to its users.

“We needed an easy way to write software so our applications would let a senior trader authorize a $10 million transaction and deny a junior trader that same request,” noted Ryan Bagnulo, vice president, head of architecture and innovation at Wachovia Corporate Investment Banking Technology. Wachovia is the nation’s fourth largest bank and third largest full-service brokerage firm.

So the Wachovia division adopted an automated entitlement management solution that lets it make security policy changes in seconds, rather than in the weeks, or even a month, that such changes took previously.

The financial services firm had been building its own custom security policies, written in a number of different programming languages, so that each application knew which privileges each employee possessed. Writing policies by hand for different apps was tedious: A developer had to figure out who the user was, outline the privileges he or she should have, and then write custom code. Once written, the code had to pass through Wachovia's quality testing procedures to check for programming errors, so the process was slow as well. Writing the 20 or so lines of code describing one person's privileges, for example, took two weeks in the best case and as long as a month in the worst.

This was not just inefficient; it was also becoming more and more complex. As the business responded to competitive pressures, both the number of privileges employees held and the granularity of those privileges kept increasing. "We were reaching a point where there was almost one security policy for each user ID," Bagnulo says.

To address the problem, the financial services firm earlier this year set out to find a way to extract its security policies from the rest of its application code. Ideally, the IT department would hand the task of defining privileges off to business users, who would set them via a GUI that generated policy in a standard format rather than custom code. The timing was right: OASIS's eXtensible Access Control Markup Language (XACML) standard, which defines a common XML format for access-control policies kept outside application code, together with the request and decision messages an application exchanges with a policy engine, was gaining vendor support at the time.
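To make the separation concrete, the following is an added example, not code from Wachovia, Securent or the article: the "senior trader may authorize $10 million, junior trader may not" rule expressed as a small XACML 3.0 policy, evaluated by a minimal policy decision point (PDP). Everything in it is constructed for illustration; the junior-trader limit of $1 million, the attribute identifiers under `urn:example:`, and the `make_request` helper are assumptions, and the PDP implements only the subset of XACML the sample policy uses (Target matching with `AnyOf`/`AllOf`/`Match`, the `string-equal` and `integer-greater-than-or-equal` match functions, and the `deny-unless-permit` combining algorithm).

```python
# Minimal XACML 3.0 policy decision point (PDP). Added illustration, not
# Wachovia's or Securent's code; supports only the subset the sample policy
# uses: Targets (AnyOf/AllOf/Match), two match functions, deny-unless-permit.
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

# Constructed sample policy: the $10M senior-trader limit from the article plus
# an assumed $1M junior-trader limit. The rule is data, so raising a limit is
# an edit to this XML, not a code change that needs a development and QA cycle.
POLICY_XML = f"""<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="urn:example:trade-authorization" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target><AnyOf><AllOf>
    <Match MatchId="{FN}string-equal">
      <AttributeValue DataType="{XS}string">authorize</AttributeValue>
      <AttributeDesignator Category="{ACTION}" AttributeId="urn:example:action" DataType="{XS}string" MustBePresent="true"/>
    </Match>
  </AllOf></AnyOf></Target>
  <Rule RuleId="senior-trader-limit" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{FN}string-equal">
        <AttributeValue DataType="{XS}string">senior-trader</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="urn:example:role" DataType="{XS}string" MustBePresent="true"/>
      </Match>
      <Match MatchId="{FN}integer-greater-than-or-equal">
        <AttributeValue DataType="{XS}integer">10000000</AttributeValue>
        <AttributeDesignator Category="{RESOURCE}" AttributeId="urn:example:amount" DataType="{XS}integer" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="junior-trader-limit" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{FN}string-equal">
        <AttributeValue DataType="{XS}string">junior-trader</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="urn:example:role" DataType="{XS}string" MustBePresent="true"/>
      </Match>
      <Match MatchId="{FN}integer-greater-than-or-equal">
        <AttributeValue DataType="{XS}integer">1000000</AttributeValue>
        <AttributeDesignator Category="{RESOURCE}" AttributeId="urn:example:amount" DataType="{XS}integer" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""

# XACML applies a match function as fn(<AttributeValue>, <value from request>).
FUNCTIONS = {
    FN + "string-equal": lambda lit, val: lit == val,
    FN + "integer-greater-than-or-equal": lambda lit, val: int(lit) >= int(val),
}

def make_request(role, action, amount):
    """Build a request context keyed by (category, attribute id) -> bag of values."""
    return {(SUBJECT, "urn:example:role"): [role],
            (ACTION, "urn:example:action"): [action],
            (RESOURCE, "urn:example:amount"): [str(amount)]}

def _bag(request, designator):
    values = request.get((designator.get("Category"), designator.get("AttributeId")), [])
    if not values and designator.get("MustBePresent") == "true":
        raise LookupError(designator.get("AttributeId"))  # Indeterminate in XACML terms
    return values

def _match(request, match):
    fn = FUNCTIONS[match.get("MatchId")]
    literal = match.find("x:AttributeValue", NS).text
    # A Match holds if the function is true for any value in the attribute bag.
    return any(fn(literal, v) for v in _bag(request, match.find("x:AttributeDesignator", NS)))

def _target_matches(request, target):
    # Target: AND over AnyOf, OR over AllOf, AND over Match; no/empty Target matches all.
    if target is None:
        return True
    return all(any(all(_match(request, m) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))

def decide(request, policy_xml=POLICY_XML):
    """Return the PDP decision for a request: Permit, Deny, NotApplicable or Indeterminate."""
    policy = ET.fromstring(policy_xml)
    if not policy.get("RuleCombiningAlgId").endswith("deny-unless-permit"):
        raise NotImplementedError("only deny-unless-permit is implemented here")
    try:
        if not _target_matches(request, policy.find("x:Target", NS)):
            return "NotApplicable"
    except LookupError:
        return "Indeterminate"
    for rule in policy.findall("x:Rule", NS):
        try:
            if rule.get("Effect") == "Permit" and _target_matches(request, rule.find("x:Target", NS)):
                return "Permit"
        except LookupError:
            pass  # an Indeterminate rule yields no Permit under deny-unless-permit
    return "Deny"  # deny-unless-permit: anything not explicitly permitted fails closed
```

The application code that enforces the decision (the policy enforcement point) only calls `decide(make_request(role, "authorize", amount))` and acts on the string it gets back; it never needs to know who is allowed what. Note the two failure modes a practitioner cares about: a request missing a `MustBePresent` attribute cannot satisfy any Permit rule, so it is denied rather than accidentally allowed, and a request for an action the policy does not cover at all comes back `NotApplicable`, which the enforcement point should also treat as a denial.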

A few vendors had begun incorporating XACML support into their products since the spring, so Bagnulo took a closer look at them this summer. IBM's Sparcle was attractive, he says, but it only worked with the AS/400. BEA Systems Inc.'s AquaLogic Service Bus functioned only with the company's WebLogic Server. He ended up selecting Securent's Entitlement Management Solution (EMS) because it worked with a number of different application types.

Wachovia had the software up and running within a month of evaluating it. Securent's EMS (Securent was acquired by Cisco in November) now works with several of Wachovia's platforms and apps: Adobe's Flex application framework and LiveCycle Data Services (LCDS), BEA's WebLogic application server, EMC's Documentum content management system, IBM's DataPower XML appliance, Oracle's database, Microsoft's SharePoint collaboration system, and Red Hat's JBoss middleware. By January, the financial services company expects to have an integration with IBM's FileNet content management system working as well.

Automating its security policies is helping the Wachovia division continue its growth and expansion. “The challenge for us is time to market; we need to be able to make the business respond quickly so it can take advantage of emerging opportunities,” says Bagnulo. “By deploying Securent’s EMS, we are in a stronger position to do that now than we were a few months ago.”
