"Financial Service Technology America, today's latest financial news now..."

Secure, Two-Way Internet Messaging—SDX Secure Document Exchange

Wolters Kluwer | www.wolterskluwerfs.com

Financial institutions have realized significant savings since the widespread adoption of electronic documents and Internet delivery tools.

While some professionals—in need of a fast solution—utilize the unpredictable practice of e-mailing documents, large companies have been quick to implement the numerous Internet delivery solutions that have emerged in order to save time and cost.

But, inadequate security measures have made these benefits come at the great cost of security breaches, negative publicity, and injured relations with account holders. Between ever-increasing reports of data violations and identity theft, deficiencies in security measures have become the weakest link in organizations. Since the enactment of California’s 2003 breach notification law, data breaches have been blazing across headlines.

Facing new legislation, technology developments, and threats from all sides, financial institutions need Internet messaging that: secures information through the utmost redundancy, completely locks down system channels, and restricts access to content.

Clearly, the optimal Internet document transport system needs to deliver the best available security measures, as well as time, cost, and risk reductions, by securing Internet messaging for both the sender and the recipient. The comprehensive methodology of Wolters Kluwer Financial Services’ SDX Secure Document Exchange serves as the exemplary model of such a properly architected Internet delivery service, allowing financial institutions to:

  • Leverage usability to gain user acceptance and reliance on the system
  • Lock down channels to secure the paths by which information flows
  • Limit access to document content based on organizational roles
  • Locate messages and documents at any time through comprehensive tracking
  • Accommodate future legislative mandates via scalable technology

Usability
Professionals want electronic messaging tools that allow quick and easy replies—a two-way messaging exchange based on a familiar platform. Therefore, a solution that uses an easily recognized interface is more likely to gain trust and user acceptance. Unfortunately, most Internet delivery services overlook this need and only provide the means to send messages in one direction, making recipients initiate new messages for each communication instead of simply responding via a reply button.

SDX employs a familiar e-mail user interface and a true two-way communication channel between senders and intended recipients. With the ability to move messages conveniently in an easy-to-use environment, SDX encourages users to stay within the system and send documents securely.

Independent validation of SDX by a third party also increases user confidence in the system. The Statement on Auditing Standards (SAS) No. 70 is a fundamental audit for an Internet delivery solution. While the audit report is a testament to a service’s control measures, the commonly perceived meaning of the audit is one of trust and security. Because SDX is a SAS 70 certified service, its stated policies and procedures accurately reflect its architecture, just as its credentials reveal its reliability.

Furthermore, a secure SDX package can include multiple formats—Microsoft® Word, Portable Document Format (PDF), and Joint Photographic Experts Group (JPEG)—to streamline the delivery process and preserve original data formatting. Without the hassles of conversion tools and the burden of managing multiple document versions, users can be more productive and less anxious over jeopardizing content integrity.

What’s more, SDX seamlessly integrates into existing systems, at both the legacy and code level, to minimize work flow disruption and organizational frustration. The solution interfaces with e-mail systems already in place to allow the creation of rules—simple or complex—so confidential messages route through the secure SDX environment if and when they leave the company firewall. By adapting to the unique processes of each business it serves, SDX reduces the need for attending to intrusive hardware or software security issues—instead, staff can remain focused on accomplishing tasks and increasing the bottom line.

Channels
As the industry with the highest risk of breaches, financial services must equally protect data from both outside and inside threats. Such measures require implementing the strongest security methodologies available and performing ongoing surveillance and system updates as needed. In the scope of a financial institution’s security strategy, redundancy is the key to realizing complete data lockdown.

Secure channels present the first layer of redundancy and the main line of defense against a number of external threats. Securing all paths by which information can travel provides the greatest amount of protection and significantly minimizes the opportunity for breaches to occur by accident, design, or malicious intent. Such channels include any portal designed into the system, like routes to servers and pathways to heartbeat services, which provide mechanisms for monitoring the health and status of processes. Securing these gateways and monitoring all access to them is a fundamental piece of a financial institution’s defense system.

While SDX provides highly secure channels, it also allows multiple safe access points for organizational flexibility and convenience. The system meets various security methodologies by supporting entry channels via Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS), Simple Mail Transfer Protocol via Secure Sockets Layer (SMTPS), Transport Layer Security (TLS), and the Web Services (WS) model.

Access
Before establishing a single test account or exchanging even one file with an Internet document delivery system, companies must consider the overwhelming evidence of internally generated security breaches. By severely limiting access to nonpublic information across the organization, financial institutions are able to reduce the risk of data leaks and the damage they deliver. Optimal access administration takes a variety of routes, from restricting organizational roles from the system to authenticating user identity and encrypting content.

With every wall of defense constructed, the organization creates a stronger shield to protect data—from outside and inside threats. In the past, Internet delivery tools unwittingly hand-delivered sensitive data to ill-intentioned, profit-seeking employees by neglecting to restrict access to content within the organization.

SDX intelligently provides redundant, internal controls that allow financial institutions to limit access and protect data by preventing roles in the organization from accessing content sent through the system by registered users. For instance, help desks can provide product support without the possibility of helping themselves to customer information. Moreover, roles can be identified, or flagged, when special circumstances arise, such as separating document compliance functions from system compliance approval.

The more control an organization needs over system access, the more authentication it will require from users. SDX provides multiple, flexible authentication schemes to make certain that those who have access to the system are indeed the people they claim to be. These user security requirements can include a password, personal identification number (PIN), or biometric data.

Institutions with a relatively small amount of risk may employ the use of PINs, which generally accompany another form of authentication to gain system access. On the higher end of the scale, biometric authentications measure and analyze human body characteristics such as fingerprints, hand patterns, eye retinas and irises, facial patterns, and/or voice patterns to prove identity.

During transport, high-level encryption secures SDX messages to ensure that content is available only to the sender and recipient. The system uses the strongest encryption methods to minimize the risk of identity theft as data moves across the Internet, as well as through the organization. Using industry standards, SDX employs encryption capabilities and server-side X.509 v3 digital certificates for:

  • Public Key Infrastructure (PKI)—manages digital keys and certificates to provide a network of reliable identities
  • Digital Rights Management (DRM)—a non-intrusive restriction management tool
  • Tamper-sealing

Using industry-standard certificates, the system encrypts and maintains tamper-evident seals for all messages and secures them inside a digital vault. SDX also provides digital shredding capabilities such as efficient handling of redundant file copies by encrypting them and destroying the encryption key after retention expiration.
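
The digital shredding and tamper-evident sealing described above can be illustrated with a short Go sketch. This is an added example, not Wolters Kluwer's code: the names Vault, Seal, Open and Shred are hypothetical, AES-256-GCM is an assumed algorithm choice (the article names none), and the retention job that calls Shred when a document's retention period expires is assumed to live outside the block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Vault is a hypothetical key store holding one AES-256 key per document id.
type Vault map[string][]byte

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail: keys here are always 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts doc under a fresh key; the GCM tag doubles as the tamper seal.
func (v Vault) Seal(id string, doc []byte) []byte {
	buf := make([]byte, 32+12) // random key followed by random nonce
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no safe fallback without a CSPRNG
	}
	key, nonce := buf[:32], buf[32:]
	v[id] = key
	return gcmFor(key).Seal(nonce, nonce, doc, []byte(id)) // nonce|ciphertext|tag
}

// Open verifies the seal and decrypts; it fails once the key is shredded.
func (v Vault) Open(id string, sealed []byte) ([]byte, error) {
	key, ok := v[id]
	if !ok || len(sealed) < 12 {
		return nil, fmt.Errorf("%s: key shredded or blob truncated", id)
	}
	return gcmFor(key).Open(nil, sealed[:12], sealed[12:], []byte(id))
}

// Shred zeroes and deletes the key; every copy of the blob becomes unreadable.
func (v Vault) Shred(id string) {
	copy(v[id], make([]byte, len(v[id])))
	delete(v, id)
}

func main() {
	v := Vault{}
	blob := v.Seal("stmt-1", []byte("constructed sample"))
	v.Shred("stmt-1")
	fmt.Println(v.Open("stmt-1", blob))
}
```

Because only the key is destroyed, redundant copies of the sealed blob in backups or replicas need no separate cleanup: none of them can be opened after Shred.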

Tracking
While securing packages with encryption technology is essential to preventing security breaches, it’s equally important to know the whereabouts of document packages before, during, and after transmission. Tracking features, reporting functionality, and audit trails are not only excellent work flow management tools; they are also essential components of an overall security strategy to deter potential leaks, and detect and detail any suspicious activity. Such strategy is another example of the SDX system’s protective measures.

Users on both sides of the SDX two-way communication channel can produce detailed reports on their activity and, under direction and system permission, the activity of others to provide the greatest utility for institutions and their many branches and business partners. The system’s comprehensive reporting interface allows the creation of custom reports, including information on secure messages sent, received, or pending delivery—complete with size of package and more.

Audit trails are essential to producing a record of system activity that, when used with other tools and procedures, can help detect performance issues and suspicious patterns of use. These audit trails help achieve multiple security-related objectives, such as individual accountability, reconstruction of events, intrusion detection, and ongoing system analysis.

Technology
Clearly, the financial services industry deals with more issues than security threats. Areas of business growth require constant attention, as do ongoing procedural and technological refinements and regulatory and legal issues. These factors require a great deal of time and talent and necessitate tools that can adapt to changing times.

SDX adapts to future needs through the extensive capacity of its implementation formats. Architected on the server side to provide maximum scalability and redundancy, SDX gives financial institutions the convenience of using their preferred delivery system as their business grows. Moreover, the solution accommodates changes quickly and efficiently to ensure the highest level of data protection, and the most up-to-date technology.

The SDX system also meets the needs of critical compliance issues to help institutions meet the ongoing requirements of legislative mandates. Designed to accommodate the increasing need for specialized handling of electronic information, SDX seamlessly coexists with corporate archive and e-mail systems already in place. This means the delivery system can conform to changes without bypassing existing security policies or compliance content inspection. SDX helps ensure compliance with multitudes of data handling directives required by Sarbanes-Oxley, NASD 3010, HIPAA regulations, and SEC 17a-4, which requires financial institutions to preserve electronic records in non-rewritable and non-erasable format.

Wolters Kluwer Financial Services’ SDX support team can contact potential recipients from a client-provided database and educate them on the features and benefits of the system. Alternatively, clients can elect to use a variety of intuitive built-in mechanisms to register and authenticate recipients. An on-line registration by invitation allows secure, fast, and simple growth of the user base. SDX also features a “self-sign-up” process whereby authorized users or “approvers” can accept and deny new users to the system. The solution also provides the ability to add a large number of users in a batch mode.

Summary
SDX helps financial institutions through a variety of approaches:

  • As a tool for ensuring data safety and accuracy—the system is a virtual change agent in an industry currently besieged by internal and external security threats.
  • As an innovative system—SDX provides a new approach to limiting access to data.
  • As a seamlessly integrated, scalable solution—it helps financial institutions meet the requirements of abundant legislative mandates.
  • As a smart decision with lasting value—SDX helps financial institutions streamline organizational processes, save resources, and keep busy professionals safe from the snares of insecure document delivery methods.

Data leaks continue to hit newsstands. The time has come for an Internet document transport service to deliver the highest data security and performance capabilities possible. Added measures increase the SDX value, such as providing the intrinsic flexibility to cross technology platforms and bend with the needs of unique business models without breaking.

Human error and malicious intent are, to some extent, independent variables in the data security equation. However, their impact on sensitive account owner information is controllable, in part, through the implementation of a highly reliable system like Wolters Kluwer Financial Services’ SDX solution.


Wolters Kluwer Financial Services

Wolters Kluwer Financial Services is a leading provider of compliance, content, technology, and services for banking, securities, and insurance. To learn more about Wolters Kluwer Financial Services and SDX, please visit www.WoltersKluwerFS.com\SDX or call 800-552-9407.

