When FinanzIT GmbH needed to secure online banking applications, the Hannover, Germany, IT services provider turned to a trusted operating system from Argus Systems Group.
And it’s not alone. Experts, including analysts from research company Gartner Inc., in Stamford, Conn., report that trusted operating systems are critical for e-commerce servers and recommend that banks, in particular, use trusted operating systems to secure Web transactions.
FinanzIT began deploying e-banking solutions two years ago. It currently provides such services and applications to customers of more than 200 German savings banks, which, combined, employ more than 100,000 people.
FinanzIT needed to allow bank users to get through defenses such as firewalls to conduct business, said Stefan Krebs, FinanzIT’s manager of IT security. But the risk of providing this access, Krebs said, was that a hacker could open an account and thus obtain a user name and password. The credentials would, in turn, enable the hacker to cross FinanzIT firewalls after the system had validated him or her, and, from there, an attack on FinanzIT systems could be mounted.
Krebs decided that a trusted operating system—which would let him compartmentalize and isolate applications, including transaction processing, network connections and systems resources—was the solution to this problem.
“I have a complete online banking system to secure, and that system includes some very important applications,” Krebs said. “The trusted OS is the most secure OS in the world. [But] it is one of those things that makes no sense to use on a normal file system inside your network behind the firewall.”
Krebs looked at two trusted operating systems: Sun Microsystems Inc.’s Trusted Solaris and PitBull LX for Solaris 8 from Argus Systems Group, a division of Innovative Security Systems Inc. Krebs said he decided to deploy PitBull LX because, during his tests, he found it easier to configure and manage than Trusted Solaris.
Krebs said installation of the Argus operating system, which FinanzIT uses only to secure online banking applications, was easy.
He added that managing a trusted operating system is no more difficult than managing any other operating system but that FinanzIT has IT managers and developers who focus strictly on the PitBull LX for Solaris operating system.
“It’s just like any operating system—if you’re used to managing it, it’s easy,” Krebs said. “However, we have specialists for the Argus software because it makes things much easier to have people on a project who understand the nuances of what the trusted operating system is supposed to do and is capable of doing.”
Krebs has 50 licenses of PitBull LX for Solaris and is running the trusted operating system on four Sun SPARC-based servers with a total of 48 processors.
PitBull LX secures FinanzIT Web servers and back-office systems by allowing security managers to isolate the Web interface, Web server and back-end systems. If one server is compromised by an internal or external hack, the others are protected.
By limiting access and isolating resources using a trusted operating system, Krebs said he is able to ensure that attackers coming in from the Web are unable to gain access to applications on back-end systems. In addition, he said, no one from FinanzIT is able to send unauthorized information out of the company using a Web interface.
While the Argus system provides increased security to his applications, Krebs said there is minimal impact on performance when his Web servers are handling transactions. “Using a trusted OS means we are able to offer a complete online banking system with high security,” he said.
Senior Writer Anne Chen can be reached at [email protected].