Complacency Increases Security Risk

IT security managers should never be complacent about existing technologies because threats can dramatically change in such a short time, according to the security head of Australian wealth management company Asgard.

Owned by the St. George Bank, Asgard has about 33 billion Australian dollars (US$25.4 billion) in funds under management with 700 staff around the country.

Asgard systems and security manager Patrice Li advocates keeping a close eye on the market to ensure the relevancy of existing security systems.

As an example of rapid change, Li cited a spate of virus attacks two years ago that have since given way to phishing and other money-grabbing scams.

With its head office in Perth, Asgard has focused on consolidating core services back to its main data center, which has had to cope with a sharp rise in data.

“When I started four years ago, the company was managing A$18 billion, and we bought two high-end Sun storage systems with 2TB each,” Li said. “Now we have about 50TB of storage.”

About three years ago, Asgard started a program of work around IT security that involved getting the “many layers” of security to comply with the ISO17799 standard.

This included “a lot of investment” in protecting the company’s borders with clustered CheckPoint firewalls, Messagelabs for hosted e-mail filtering, and a McAfee appliance for an additional layer of scanning.

Asgard’s core application, AdvisorNet, gives its financial planner partners a Web-based reporting and customer management.

Li said Asgard was one of the first wealth management companies to offer a Web-based application, which is now in its third-generation.

AdvisorNet was originally developed on Tru64 Unix and VMS, but was migrated to Sun’s Solaris about three years ago.

The application uses the iPlanet (now part of Sun’s software) Web server, Bea’s WebLogic J2EE application server, and an Oracle database.

While Asgard does not yet use encryption at the database level, connections with third parties are done with 128-bit SSL.

For data protection, Asgard previously used Symantec’s BackupExec in the remote sites with tapes for archiving, but since it upgraded its national network from Frame Relay to IP-MPLS with Optus, it can now replicate the branch-office data over the Internet.

Asgard also uses Symantec’s NetBackup on Solaris for volume management and data replication.

Since decommissioning its BackupExec installations and the associated tape drives at the remote sites, Li said management costs have dropped and restoration times have improved from weeks to minutes.

WAN optimization appliances from an unnamed vendor are also being tested to reduce interstate network traffic.

The satellite e-mail servers are also being consolidated back to Perth as a result of the changes, and Asgard will now investigate a high-availability solution for Microsoft Exchange.

By Rodney Gedda, Computerworld Australia

Keep checking in at our Security Feed for updated news coverage.