Finance Industry Solution
Providing regulatory compliance, audit control & customer asset protection
Financial institutions have been quick to adopt virtualization and cloud computing. The economic benefits, green efficiencies and server consolidation gains make a strong case for bank IT, whose organizations are characterized by large computational needs across multiple campuses. Medium-size banks are also quickly moving to virtualized infrastructure, as their limited IT staff with mission-critical responsibilities are well served by the high power and low cost of virtualized servers.
But while a bank’s data center might have changed, the same rigorous regulatory standards which applied to its physical data centers remain in place. SOX and GLBA have stringent requirements on asset protection, role-based controls and secondary validation – much of which is impacted by virtualization.
Catbird has specifically identified and analyzed the new risks which are introduced in the data center of regulated financial institutions as a consequence of virtualization.
Virtualization's Impact on Financial Institutions Subject to Regulatory Compliance
Virtualization introduces a loss of process control across four change dimensions in the virtualized data center:
- New, invisible, virtual networks
- New virtual administrator powers which collapse roles and bring loss of separation of duties and least-privilege
- The new threat surface, created by the hypervisor
- Loss of change management as servers become files, evidenced by virtual machine mobility and sprawl.
Full SOX and GLBA compliance takes a combination of trained staff, strong policies, and industry leading technology. As virtualization transforms the data center infrastructure, staff, processes, and technologies must adapt to address these four major changes.
Most auditors have adopted the Control Objectives for Information and Related Technology (COBIT) framework of over 200 control objectives as the de facto framework for measuring SOX compliance. Virtualization negatively impacts over 30 of these controls. Catbird restores compliance with these controls and, in many cases, improves compliance as compared to physical infrastructure.
Catbird: SOX and GLBA compliance for virtualized data centers; 24x7 security protection
Catbird has an extensive track record in helping banks meet their regulatory requirements. Hundreds of banks have already chosen Catbird to keep their customers' information protected, their transactions and accounts secure, and their outsourced partners properly managed in the cloud, in their virtualized servers and in their traditional physical data centers. Many banks use Catbird as their only source for security and compliance monitoring.
Catbird’s 24x7 automated security and compliance monitoring for virtualized data centers helps banks comply with requirements by facilitating management of the following risks:
- Data privacy and confidentiality risks
- Unauthorized access and system attack risks
- Software vulnerability risks
- Firewall penetration risks
- Outsourced technology partner risks
Solution Example: Hybrid data centers with consolidated security posture
Banks frequently outsource core processing and other functions to hosters who specialize in such work for financial institutions. Many banks employ a hybrid data center, combining traditional physical infrastructure with virtual hosts and outsourced processing in the cloud. Though data may reside in separate places, and administrators may be bank employees or outside partners, IT staff is required to have a single view of the entire security posture of the bank, be it on site, virtualized or in the cloud. Catbird is the only security and compliance solution in the marketplace that gives its users a single view of all of the security events under its control – no matter where they may occur. This consolidated view, managed over a web-based portal, gives IT the ability to aggregate its intelligence and make smart choices about strategies for addressing security and compliance concerns.
Solution Example: Vulnerability Monitoring for Compliance
Bank examiners are growing increasingly savvy about virtualization’s impact on the data center. A typical requirement in the past was for banks to provide evidence of vulnerability management. This requirement now extends to the virtualized data center, where vulnerability monitoring is essential but frequently absent, as traditional approaches cannot see the virtualized network. Manual vulnerability scanning is time-consuming, and such an assessment provides only a snapshot of the bank's vulnerability exposure at a single point in time. At Catbird, we believe this snapshot is not sufficient to protect a bank's security. Among many other essential security technologies, Catbird provides 24/7/365 vulnerability monitoring and protection of all of the virtual machines, as well as of a bank’s website and outer edge.
Solution Example: Reporting
Catbird’s sophisticated reporting gives bank management peace of mind as they prepare security and compliance documents for auditors. Reporting from Catbird can be a single page with a summary of the security health of the whole organization, or a deep dive for an auditor tracking a series of regulations. As an example, Catbird includes default SOX-specific policies and reports built upon Catbird security controls that are automatically mapped to the appropriate SOX controls.