Security is vitally important to any online site conducting business transactions, but securing a risk management site with highly sensitive financial information is even more of a make-or-break project. So when Cygnifi, the derivatives risk management solutions provider spun off from J.P. Morgan, was looking to build a secure architecture, it took the search very seriously. Offering a suite of risk management applications as an application service provider (ASP) and through private-label offerings, Cygnifi needed a highly secure, reliable environment. For that task, Cygnifi looked to Saecos--an up-and-coming Internet security solutions provider with a team that had previously developed an Internet banking system for Bank of America.
In the risk management arena, especially for an ASP, security and lapses in security are key to a provider's success or failure. As Lorenzo De Leon, CEO and co-founder of Saecos, explains, "For a global bank that's making their cash management or their trading structure available through the Internet, a fraudulent transaction can potentially cost them millions of dollars. So there is a huge exposure there." He adds that securing e-finance sites, such as Cygnifi, requires even greater security than typical B-to-C online sites because the transactions are much larger and the financial information is highly confidential.
"E-finance and e-business are two totally different things in terms of security," says Michael DeAddio, chief technology officer at Cygnifi. "For example, when you buy something from, say, Amazon, the only time you get into that secure page is when you're actually going to execute and put your credit card number in. E-finance is a different story: from the time a user enters the site to the time they leave, everything must be secure, everything must be encrypted and every piece of information that flows is under the strictest of security."
When Cygnifi was looking to secure its site, it didn't want to take any chances and tapped Saecos to provide what some in the industry are calling 3A security: authentication, authorization and administration. "We had to be secure to the level that a financial institution would allow us to have access to or store pieces of their critical financial data," says DeAddio. Saecos was also able to cut Cygnifi's rollout time from 18 months to six months, which was very important for the provider's success, he adds.
The first step in securing the Cygnifi service was building a system architecture in which secure sessions can take place. This first level of security was achieved with Saecos' Secure Session Manager, which covers the session between the Web server or the Web application and the user. The front-end engine allows Cygnifi to apply a security policy for each user at every stage of interaction. "We have to keep all access secure and that's on top of the normal secure socket layer (SSL) type of encryption that your Web servers provide--that's not enough," explains De Leon.
"Cygnifi has some very sophisticated applications and Saecos is a little foundation piece underneath that. Technically speaking, it becomes a component that Cygnifi calls out to that actually does all the security for them," notes De Leon. On top of the secure foundation and session management, Cygnifi's software applications plug into a central IT infrastructure integrating database and financial data components from third parties and its own proprietary data.