Infosec 08: Enigma

I want one of these at home:

Enigma

And I certainly should visit Bletchley Park, which is something I have been planning since coming to the UK.

Patrick Bedwell, Arcot Systems, 24th April

A good overview of mobile banking

Evolution of mobile banking

The first mobile banking solutions arrived at the end of the 80s and the technology then evolved in three waves. The first was basic mobile banking providing services such as account inquiry, activity alerts and finding a cash machine. Then came a second, mobile payments, wave allowing the initiation of payments at the PoS and in virtual worlds, and P2P payments via SMS. We are (perhaps) at the beginning of a third, mobile marketing, wave enabling two-way, interactive functionality during transactions, alerts, loyalty programmes, location-specific offers and electronic coupons.

Current mobile banking technologies
There are broadly three classes of technologies, each with its own benefits and disadvantages:

  • SMS – familiar to the target user demographics, low cost of entry, but no guaranteed delivery, no end-to-end encryption, data stored on the device. Exposes users to a range of threats including fraudulent SMS messages, spam and spoofing;
  • Browser – common, familiar, SSL encryption, low cost requiring only an extension of the existing internet banking system. Has problems with upgrades; small screens and keyboards affect usability; vulnerable to phishing, malware, squatting, man-in-the-middle attacks and browser vulnerabilities;
  • Thick-client apps – secure, dedicated to a single purpose, allow branding and upgrades, resistant to phishing, support multi-factor authentication, lower cost, increased stickiness and better suited to marketing; challenging if they need to be installed by customers (uptake and helpdesk impacts); still susceptible to malware and inherent vulnerabilities; hundreds of phone models to support; some banks are tied to a provider or devices.

Future
Limited consolidation of technologies. Higher-risk transactions will require more secure access. Services and adoption will vary widely across countries and services. Criminals will follow the money. Regulators will follow the criminals. Our handsets will never be the same after the iPhone.

Overall rating: 4/5 (A solid technology session delivered by a vendor which was not just a thinly disguised sales pitch)

Panelists: Jon Collins (Freeform Dynamics), Adrian Seccombe (CISO/Enterprise Architect, Eli Lilly), Geoff Harris (ISSA-UK Chairman), Abdellah Cherkaoui (CISO Sodexho)

24th April

Jon Collins
We need to enable the business to do what it needs to do. We also need to have some stick to keep things under control. At the same time too much security/control can be bad, lowering end-user productivity. It can also be self-defeating, leading employees to circumvent security mechanisms that are too cumbersome.

Geoff Harris
Geoff provided some definitions:

  • Operability = functionality + availability + performance + ease of use
  • Security = confidentiality + integrity + availability
  • Compliance – his interpretation is that it sets and enforces a minimum level of security (e.g. PCI DSS, COBIT, SOX, MPS, etc.).

The biggest tradeoff is between operability and security. It cannot be said which one is more important, as this tradeoff depends on the risk appetite of each organisation.

Adrian Seccombe
The question about the relative importance needs to be re-stated as a question about achieving the business value of information. To get an infinitely secure system you should switch it off and bury it in a concrete undersea bunker, but this won't provide any business value. The right question is therefore: "How can we put our information asset at appropriate risk to achieve the maximum value?"

The answer to this will differ from system to system and organisation to organisation. The appropriate level of risk needs to be negotiated with business asset owners. For these negotiations to be successful, they need to be done in the context of enterprise architecture and delivery processes. Such processes integrate security with the enterprise-wide architecture discipline and processes (Adrian's role is CISO and Senior Enterprise Architect).

The big challenge today in balancing these three aspects is to respond to the fundamental transformation of companies from tightly knit, internally integrated companies into flexible network organisations. Eli Lilly, which is an example of this, is transforming from a fully integrated pharmaceutical company to a company dependent on flexible collaboration, time-bound use of external partners and outsourcing. This is not easy and requires lots of balancing. There is no magic wand for this, but integrated processes are more useful than checklists.

There is another aspect we need to cope with, and that is the fact that most of our enterprise data is moving outside the company – into the cloud, onto the internet. The competencies that drive value out of our business are also moving outside. We all need to figure out how to secure the cloud and how to manage cloud providers, preferably before we move our assets out there. This is still 3-5 years away, but it is clear now that doing this successfully will require new thinking, new approaches and new products.

Jericho probably provides the best overview of the new capabilities that we need:

  • Onboard and offboard people (all types: employees, contractors, partners)
  • Manage risks across collaborative frames
  • Manage information assets in the cloud, with processes to manage assets outside direct control
  • Manage devices and services in the cloud: identify the asset, determine the user and determine how trustworthy they are
  • Onboard and offboard enterprises: support them during the period of collaboration, and then offboard them whilst maintaining security

Question from the audience: How does this fit with IT Service Management and BCP standards?
Answer: IT Service Management is a key discipline allowing the management of cloud service suppliers. The ability to comply with ITIL, COBIT etc. will be critical for the suppliers.

Abdellah Cherkaoui
Abdellah focused on the compliance angle. The challenge for Sodexho, as one of the first European companies that had to comply with SOX, was how to cascade compliance requirements down to subsidiaries, partners etc. The cost of compliance was very important. At a certain price point a non-US based business needs to ask if the cost of compliance is worth it. Another problem – incompatible international laws.

Adrian Seccombe: As an American company, Eli Lilly did not have the option to de-list from SOX, and so the approach they took was to achieve compliance at the lowest cost point. The key to that was to select the right auditors. (Many auditors were doing more than the law required in order to get repeat business.)

Jon Collins: How do we provide services out of the cloud? How do we determine whom to trust and with what?

Adrian Seccombe: To do this, Eli Lilly decided to do an information classification exercise using the traffic light colours: white – public, green – company + collaborators, amber – sensitive, red – named people and certified systems only. E.g. the canteen menu on the intranet is public, IPR on drugs is sensitive, the fire alarm system is red. This information can be used to decide which services can be sourced from the cloud.

Jon Collins: We are at the point of making this change but we have not achieved it yet. We are mostly consciously competent at building relationships across organisations, but consciously incompetent at developing technology to support them.

Overall rating: 4.5/5 (First half was fantastic and overshadowed the second half, which got a bit rambling and tedious, but overall probably the best session at the conference)
