The ‘sprawling conditions’ of the new Basel Capital Accord – otherwise known as Basel 2 – present no small challenge for IT and security directors working for banks, insurers and other finance houses, but Michael Hoffman explains why the business opportunities it offers should not be overlooked.

Many of the major High Street banks in the UK are choosing to locate their Data Centres outside of central London. Data Centres that were once separated by no more than 10 kilometres (km) can now, thanks to innovations in secure, high-speed optical networking, be deployed 40 to 80 km apart.

The driving force behind many of the banks’ decisions appears to be partly regulatory and partly economic. Locating different Data Centres on different electricity grids improves the likelihood of a given bank maintaining operations in the event of a disaster. This is critical to achieving compliance with Basel 2 and other regulations now being adopted across the financial services sector.

From an economic perspective, banks can deploy personnel and equipment in less-expensive office space outside of what the Americans would term the ‘downtown financial district’. In other words, this represents an IT solution to a regulatory challenge that delivers substantial business benefits.

Basel 2: infractions

Infractions against Basel 2’s requirements for operational risk containment hurt a financial services provider’s credit rating and, therefore, its credit line. In this way, taking data security risks may prove costly even if no breach ever occurs. Where a breach does occur, the provider will also lose customer trust and revenue, on top of regulatory penalties.

Making strategic investments to comply with Basel 2 guidelines is, however, not that easy. There is no single, transparent set of criteria against which a bank or finance house security manager might grade the security of his or her company’s data, IT systems and services. For example, separating Data Centres with redundant system components is one of the fundamental rules behind the deployment of disaster recovery capabilities. Basel 2, though, doesn’t specify a required distance between facilities.

As mentioned, banks operating in the UK are frequently locating their Data Centres anything up to 80 km apart, while UK telecommunications providers have been prompted to support services over distances of up to 100 km. How far is far enough when it comes to Data Centre separation, then?

The same separation distance will deliver different levels of protection in different parts of the world. An enterprise simply must take into account factors such as the likelihood of earthquakes and flooding in a given area to ensure appropriate spacing.

Basel 2 requirements are ‘sweeping’. It would be all too easy for the security specialist to pay too much attention to one area and not enough to another. A financial services provider might operate high availability mainframes in a modern, high security facility that’s fully protected against various physical and logistical risks – but then fail to go far enough in ensuring the security of data in transit between distant Data Centres.

The major objectives

The first step in building a disaster recovery solution that lives up to Basel 2’s broad standards involves completing a recovery time objective (RTO) and recovery point objective (RPO) analysis for each service or system in use. In essence, the RTO defines how long the financial services provider can go without the availability of a particular service or system. The RPO indicates how much time may elapse between the point at which data was last backed up and the failure of a service or system, that is, how much data the provider can afford to lose.

In most cases, more demanding RTOs and RPOs require higher capital expenditure to establish the necessary capabilities, so the IT security manager must set priorities that meet both the security objectives and the budget. For example, could any bank afford to be without e-mail for longer than it could be without an online mortgage sales application form?

Today, the range of data protection solutions available in enterprise networking is vast – from backing up data to tape once per day through to continuous, synchronous data mirroring between Data Centres.
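The prioritisation described above (match each service’s RTO/RPO to the cheapest protection tier that can meet it, and surface any service no tier can cover) as an added example; this is not the author’s or ADVA’s code, and the tiers, services, hours and cost figures are constructed for illustration only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionTier:
    name: str
    rpo_hours: float   # worst-case data loss the tier can bound
    rto_hours: float   # worst-case time to restore service
    annual_cost: int   # constructed figure in arbitrary units


@dataclass(frozen=True)
class Service:
    name: str
    rpo_hours: float   # maximum tolerable data loss
    rto_hours: float   # maximum tolerable outage


# Constructed tiers spanning the range the article names, cheapest first.
TIERS = (
    ProtectionTier("daily tape backup", rpo_hours=24, rto_hours=48, annual_cost=10),
    ProtectionTier("asynchronous replication", rpo_hours=0.25, rto_hours=4, annual_cost=60),
    ProtectionTier("synchronous mirroring", rpo_hours=0, rto_hours=0.5, annual_cost=200),
)

# Constructed services, echoing the e-mail versus online mortgage example.
SERVICES = (
    Service("corporate e-mail", rpo_hours=24, rto_hours=24),
    Service("online mortgage application", rpo_hours=0, rto_hours=1),
    Service("intranet wiki", rpo_hours=48, rto_hours=72),
    Service("payments switch", rpo_hours=0, rto_hours=0.1),
)


def cheapest_tier(service, tiers=TIERS):
    """Least expensive tier meeting BOTH objectives, or None if no tier can
    (a capability gap the security manager must escalate, not paper over)."""
    fits = [t for t in tiers
            if t.rpo_hours <= service.rpo_hours and t.rto_hours <= service.rto_hours]
    return min(fits, key=lambda t: t.annual_cost, default=None)


def plan(services=SERVICES, tiers=TIERS):
    """Map every service to a tier name, list the gaps, and total the spend."""
    assignment, gaps, total = {}, [], 0
    for svc in services:
        tier = cheapest_tier(svc, tiers)
        if tier is None:
            gaps.append(svc.name)
        else:
            assignment[svc.name] = tier.name
            total += tier.annual_cost
    return assignment, gaps, total
```
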

The financial services industry – wherein tremendous volumes of constantly changing data are the very lifeblood of business – harbours companies deploying some of the most sophisticated capabilities. Optical fibre is the preferred high-speed communications medium for interconnecting Data Centres separated by up to 200 km, while the key traffic handling technology is Wavelength Division Multiplexing (WDM).

By splitting light into wavelengths and assigning different colours to different application channels, WDM cost-effectively multiplies the amount (and type) of traffic that can be carried across a strand of optical fibre.

Data security in transit

The next step for the IT security professional lies in ensuring the security of data while it’s in transit between secure corporate facilities. What characteristics must the transport layer exhibit to meet Basel 2 requirements for access, system and data security? A financial services provider must:

• secure remote access to the network;

• secure the optical fibre;

• ensure the continual availability of transmission lines.

To protect the remote access path from unauthorised access, a stringent log-in procedure must be implemented that relies on central RADIUS authentication servers and the Secure Shell protocol. WDM technology makes traffic eavesdropping difficult because individual wavelengths are assigned to specific channels. In addition, data should be encrypted – either at the server level (to span specific data zones) or, more economically, at the point where bits are injected into the transmission line.

To secure the optical fibre itself, it’s important to monitor for changes in the light signal along a fibre and take action accordingly. If the signal suddenly drops, this is usually a good indication that the line has been accidentally severed. If the signal gradually degrades over time, this might be because the fibre is constantly subject to medium load, or simply due to its natural ageing. Other ‘behaviour’ patterns might offer clues to unauthorised attempts to tap the line.
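The monitoring logic described above, as an added example run over constructed received-power traces (not the author’s or ADVA’s code): a large abrupt loss is treated as a severed line, a slow cumulative loss as ageing or sustained load, and a small abrupt step that then holds steady as an unexplained event to investigate. All thresholds are assumptions chosen for illustration, not vendor or standards figures.

```python
from dataclasses import dataclass

# Constructed thresholds (dB), assumed for this example only.
CUT_DB = 10.0        # abrupt loss this large between samples: line severed
STEP_MIN_DB = 0.5    # smallest abrupt loss worth investigating
DEGRADE_DB = 1.0     # cumulative slow loss over the window: ageing or load
JITTER_DB = 0.2      # normal sample-to-sample measurement noise


@dataclass(frozen=True)
class Verdict:
    state: str    # "normal", "cut", "degrading" or "anomalous_step"
    index: int    # sample at which the event was detected, -1 if none
    detail: str


def classify_power_trace(readings_dbm):
    """Classify received optical power samples (dBm, fixed interval).
    Returns the first significant event found, abrupt events first."""
    if len(readings_dbm) < 2:
        return Verdict("normal", -1, "insufficient samples")
    for i in range(1, len(readings_dbm)):
        loss = readings_dbm[i - 1] - readings_dbm[i]   # positive: power fell
        if loss >= CUT_DB:
            return Verdict("cut", i, f"abrupt {loss:.1f} dB loss: line likely severed")
        if loss >= STEP_MIN_DB:
            # Sub-cut step that then holds steady is neither ageing nor a cut:
            # raise it for inspection of the fibre path.
            tail = readings_dbm[i:]
            if max(tail) - min(tail) <= JITTER_DB:
                return Verdict("anomalous_step", i,
                               f"unexplained {loss:.1f} dB step loss: inspect fibre path")
    total_loss = readings_dbm[0] - readings_dbm[-1]
    if total_loss >= DEGRADE_DB:
        return Verdict("degrading", len(readings_dbm) - 1,
                       f"gradual {total_loss:.1f} dB loss: ageing or load, schedule maintenance")
    return Verdict("normal", -1, "power within normal band")


# Constructed sample traces (dBm), one per behaviour the text describes.
TRACE_NORMAL = [-5.0, -5.1, -4.9, -5.0, -5.1]
TRACE_CUT = [-5.0, -5.1, -5.0, -30.0]
TRACE_AGEING = [-5.0, -5.2, -5.4, -5.6, -5.8, -6.0, -6.2]
TRACE_STEP = [-5.0, -5.1, -5.0, -6.2, -6.1, -6.2, -6.1]
```
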

Finally, redundancy is the key word in ensuring the availability of transmission lines. Using a single, unprotected line might be the least expensive option for connecting Data Centres, but could a financial services provider afford a complete outage on that line, one that might last for days? Instead, the enterprise may simply duplicate the link, though that means keeping 100% of network capacity in reserve for emergencies.

A more prudent option may well be the deployment of redundant optical amplifiers, running data on both lines and achieving an optimum load balance. In this case, capacity is only halved if one line fails.

Michael Hoffman is the business development manager for storage networking at ADVA Optical Networking (www.advaoptical.com)