UBS applies data protection for compliance and competitive advantage

UBS recognised the growing importance of protecting sensitive customer data and has been honing its systems to ensure that critical data is always kept secure.

This applies not only to customer data in IT applications, but also when such data is extracted in the form of files.

“Our goal was to have a sophisticated system for protecting customer data that can also be used as a way of differentiating us from our competitors and of attracting new customers,” said Marek Pietrzyk, security project manager at UBS.

The bank’s approach has been to develop a system based on a data-centric approach to security to ensure that only authorised personnel are able to access files and to control what actions may be performed on files under particular conditions.

At the heart of this approach is a data classification system and a set of policies that automatically apply in different scenarios. But, Pietrzyk said the implementation process has been challenging.

Just developing the examples or scenarios and agreeing the types of classification that can be applied to files took a couple of months, and included consultation with business, IT and security representatives.

“Once we had defined a set of scenarios, for each one we had to decide whether one, two or three levels of authentication would be required and what other controls such as role-based access needed to applied,” said Pietrzyk.

Some files can be accessed with just a username and password combination, but the sensitive ones also require a smartcard authentication token, while the most confidential files under some circumstances require biometric authentication.

The result is a system where – based on the classification level and other additional context parameters such as user role – files are classified and automatically encrypted, and all file operations such as read, print and send via email are strictly controlled by policy.

But, as new use case scenarios or “parameter constellations” continue to be identified, the protection policies are continually updated.

In certain cases, the bank also had to adopt a hybrid approach to classification, where files that meet clearly defined parameters are automatically classified, while others rely on user classification.

Pietrzyk points out that there is still no commercial off-the-shelf product that is mature enough to handle classification entirely automatically. “I expect we will still see some investment by technology companies in developing more accurate scanning technologies for classification, potentially including some machine learning capability,” he said.

Pietrzyk also underlines that the use of encryption has been one of the biggest challenges so far because there are some compliance and other processes which require files to be in an unencrypted format, such as data leakage prevention (DLP) processes that scan emails and attachments.

“We had to find a way of ensuring the DLP processes were not blocked, and we had to ensure that encryption did not create tensions between different business groups working with the same files, which took up significant part of the time allocated to the project.”

Pietrzyk said it is important for any large organisation implementing a data-centric approach to file security to understand what processes will require decryption.

Integration of encrypted files in existing processes can be challenging, and decryption of files on-the-fly may have an impact on the performance of the system.

“There is an impact on users, so organisations need to be prepared to create adequate support teams to resolve issues when they arise, and to react very fast, as in many cases access to the files may be required in critical business processes,” he said.

As an additional result of pursuing a data-centric approach, all classified files are assigned unique identifiers, which can allow UBS to track each file through different business divisions in the bank.

“This had the added benefit of enabling the bank to reverse engineer some of its business processes because we can see exactly how files are flowing through the organisation, or which are leaving it in a controlled manner via the supported exchange channels,” said Pietrzyk.

While the ultimate goal is a fully automated system that balances accuracy with user acceptance, he said the bank’s progress in developing a data-centric file protection capability is also expected to pay dividends in terms of proving compliance with the General Data Protection Regulation (GDPR).

Pietrzyk is to discuss the details of this project in a presentation entitled Digital rights management – overcoming challenges related to the implementation of data-centric file protection solutions at the European Identity & Cloud Conference in Munich from 9-12 May 2017.