Swiss bank balances tablet security issues with performance, cost

When a Swiss bank needed to solve its tablet security issues, it found a way to secure its devices without sacrificing performance by using desktop virtualisation.

Security people may regard tablet computers as an unnecessary and unwelcome new challenge, but users, especially senior management, can't get enough of them. Frankfurter Bankgesellschaft has found a way to avoid potential tablet security issues while maintaining, and even improving, usability and performance.

IT consumerisation, in which employees use their own devices, such as mobile phones and tablets, for their daily work and IT staff are compelled to support them, was a concern for IT security teams even before the tablet arrived. But tablet computers complicate the picture enormously: they introduce not only a variety of operating systems but also the threat of virus-laden apps being downloaded by tablet users, which could steal information and infect corporate systems.

For Zdravko Ruzicic, head of systems & network engineering at Frankfurter Bankgesellschaft, a private bank with offices in Zurich and Frankfurt, the demand he sees from senior management wanting to use their own tablets is a sign that client computing is changing fast.

"We believe that within the next four to five years, the traditional notebook will vanish completely," Ruzicic said. He believes the current estate of desktop and laptop computers will give way to a mixture of tablets and thin-client terminals at his company.

Earlier this year, Ruzicic implemented a major new system architecture in the bank, based on desktop virtualisation, which he said will provide the ideal springboard to securely support users' own devices, whatever they happen to be. The new architecture, he said, will allow users to access corporate data from their own tablets, for example, without weakening the security that is fundamental to the operation of the bank. 

Ironically, the genesis for the change had nothing to do with tablets or bring-your-own-device (BYOD) programmes. It came about at the end of 2010 when the bank needed a new core banking system, which would require a major development effort by around 50 outside software developers.

Ruzicic figured that a virtual desktop infrastructure (VDI) would be well suited to supporting the 50 developers. Users would log on with their Windows username and password plus a SecurID token as a second authentication factor. He chose ILIO from Atlantis Computing to manage I/O performance and keep costs under control.

"If you don't solve the cost and performance issues intelligently, management won't accept the cost of VDI and it will lead to project cancellation," he said. "But Atlantis ILIO enabled us to implement VDI for a lower cost than a physical PC by reusing our existing SAN more efficiently and reducing our storage costs."

So far the system is supporting just the remote developers, but such has been the effect of the project that Ruzicic now feels he has laid the foundation for more fundamental changes over the coming months. By using desktop virtualisation, he reckons he will be able to overcome the potential security dangers of a BYOD policy.

"Next year, we will make a migration to Windows 7 and Office 2010 and we plan to extend VDI to the rest of the company," he said. That will provide easier system management, he added, and allow the company to move gradually to smaller desktop machines over time.

It will also provide a perfect platform, Ruzicic said, for managing the proliferation of user-owned devices he expects to see at the bank over the coming years. With a combination of Citrix XenDesktop and good network access control (Frankfurter uses ARP-Guard from ISL, a private German software company based in Hagen), he said he can maintain control over who accesses information and what they do with it. For instance, the use of USB devices and file transfers can be controlled according to a centrally held policy, while corporate data stays stored centrally in the data centre rather than on the device itself.

"If we implement an infrastructure that is based in the data centre, and if we have a strong NAC solution, and implement strong authentication, we can take a step forward to introduce BYOD securely, even in a bank," Ruzicic said. 
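The layered access model Ruzicic describes, as an added illustration that is not the bank's, Citrix's or ISL's code: a device must first be admitted by network access control, the user must then pass two-factor authentication, and only after both does a centrally held policy decide what the hosted desktop session may do (USB redirection, client drive mapping, clipboard). The device states, policy table, field names and sample requests are assumptions constructed for this example; the point it shows is the gate ordering and the deny-by-default policy lookup.

```python
"""Added illustration of the layered BYOD access decision described above.
Not the bank's, Citrix's or ISL's code: the device states, policy names and
sample requests are assumptions constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    mac: str
    nac_status: str   # assumed NAC states: "admitted", "unknown", "quarantined"
    managed: bool     # True for corporate-owned, False for BYOD


@dataclass(frozen=True)
class Login:
    user: str
    password_ok: bool
    token_ok: bool    # one-time code from the hardware token verified


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    usb_redirection: bool = False
    client_drive_mapping: bool = False
    clipboard: bool = False


# Centrally held policy, keyed by device class. Any class not listed here is
# denied, so a new kind of device cannot silently gain capabilities.
CENTRAL_POLICY: Dict[str, Dict[str, bool]] = {
    "managed": {"usb_redirection": True, "client_drive_mapping": True, "clipboard": True},
    # BYOD sessions are display-only: corporate data never leaves the data centre.
    "byod": {"usb_redirection": False, "client_drive_mapping": False, "clipboard": False},
}


def decide(device: Device, login: Login) -> Decision:
    """Evaluate the three gates in order; the first failure denies."""
    # Gate 1: network access control. An unknown or quarantined device never
    # reaches the desktop broker, whatever credentials its user holds.
    if device.nac_status != "admitted":
        return Decision(False, f"NAC refused {device.mac}: {device.nac_status}")
    # Gate 2: strong authentication. A password alone is never sufficient.
    if not (login.password_ok and login.token_ok):
        return Decision(False, f"two-factor authentication failed for {login.user}")
    # Gate 3: the central policy selects the session capabilities.
    device_class = "managed" if device.managed else "byod"
    caps = CENTRAL_POLICY.get(device_class)
    if caps is None:
        return Decision(False, f"no policy for device class {device_class}")
    return Decision(True, f"{device_class} session for {login.user}", **caps)


# Constructed sample requests (not real devices or users).
SAMPLE_REQUESTS: List[Tuple[Device, Login]] = [
    (Device("00:11:22:33:44:01", "admitted", True), Login("alice", True, True)),
    (Device("00:11:22:33:44:02", "admitted", False), Login("bob", True, True)),
    (Device("00:11:22:33:44:03", "unknown", False), Login("carol", True, True)),
    (Device("00:11:22:33:44:04", "admitted", False), Login("dave", True, False)),
]


def evaluate_all(requests: List[Tuple[Device, Login]] = SAMPLE_REQUESTS) -> List[Decision]:
    """Run every sample request through the decision function."""
    return [decide(device, login) for device, login in requests]


if __name__ == "__main__":
    for d in evaluate_all():
        caps = (f"usb={d.usb_redirection} drives={d.client_drive_mapping} "
                f"clipboard={d.clipboard}") if d.allow else ""
        print("ALLOW" if d.allow else "DENY ", d.reason, caps)
```

Running the block as a script prints one line per sample request: the managed device gets a full session, the BYOD device gets a display-only one, the unknown device is stopped by NAC before its valid credentials are even considered, and the password-only login is refused at the second gate.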
