Raymond James, a financial-services provider that manages over $18 billion in assets, recently decided to extend an extra layer of identity-theft protection to its customers who access their accounts over the company's Internet portal.
Late last year, the company selected intrusion-detection provider WholeSecurity's Confidence Online Enterprise Edition to secure the Raymond James virtual private network, which is used by remote employees and affiliated independent financial advisers to access Raymond James' systems. Having found success with that implementation, Raymond James is now looking to launch WholeSecurity's Confidence Online Portal Edition to protect its Internet-savvy customers.
Gene Fredriksen, vice president of information security at Raymond James, says the company realized last year that it needed to make sure those logging into its VPN were virus free. "In the past, we relied on the end points to do virus protection and firewalling, but a lot of the new viruses are intelligent agents that will disable the local virus protection and firewalls," he explains. WholeSecurity's solutions, which have proven effective against Trojan horses and keystroke-loggers, including recently identified viruses, provide what Fredriksen calls "check-on-connect" scanning.
Pete Selda, WholeSecurity president and CEO, explains that the software scans visitors' computers before they can access the Raymond James system. "Before you are allowed to put in your password and your username, we come down the wire [and scan your computer]," he says. "We look for behaviors that are suspicious in nature and, based on our behavioral technology, we can remove any malicious code."
Selda asserts that his company is committed to stopping viruses that have yet to be identified by using behavior-identifying technology. "We have built a very large database of malicious code, and we are constantly updating the behavioral technology of our product," he says, specifically noting that it is not a signature-based technology. The key, adds Selda, is figuring out what the next virus will look like so WholeSecurity software can disable it. "It's kind of an arms race," he says, "but we know how malicious code looks."
Raymond James' rollout of the portal system will begin on the firm's extranet site, which is used by employees to reference company information. According to Fredriksen, "We will put the portal edition on that site so people associated with Raymond James can see how the scanning behaves at that point. Then, later this year, we will start the evaluation of making that available on our customer site." He notes that customers will be able to "opt-in" to make use of the software if they choose.
Fredriksen adds that WholeSecurity's software doesn't hold visitors up for long periods of time while it scans their systems, something that would be unacceptable. In terms of the Enterprise Edition, he says, the scan takes about 10 seconds. On the portal side, it takes between two and three seconds, "So that is really not a major issue," he says.
According to Fredriksen, price was also not a major issue to overcome, especially considering the potential costs of an attack. "Compared to the costs of recovering from an attack, the $100,000 we spent looks like a pretty reasonable investment," Fredriksen says. "That could be filed in the cost-avoidance category."
The incremental software costs go down as the number of users goes up, explains WholeSecurity's Selda. For example, Confidence Online Enterprise Edition costs around $39 per user for small firms and approximately $15 to $20 per user for large firms (those with approximately 15,000 users). "We have firms that spend $5,000, and we have firms that have spent $400,000," he says.
According to Raymond James' Fredriksen, the project has been a success. "The product has worked, per the spec sheet and out of the box, since the first time we brought it in-house for evaluation," he says. But, no matter how confident he is in the software's ability to do its job, says Fredriksen, Raymond James doesn't have single-point-of-failure security. "This is just one layer of our strategy. We don't rely on any one tool for protection. This is just one blade of the Swiss Army knife of security tools that we have."