Barclays to enforce encryption in all software applications

The bank has also begun vetting software supplied by vendors, ranking suppliers by their level of risk, and influencing software providers' business decisions so it can address weaknesses in its systems security.

Patrick Romain, head of information security at Barclays Bank, told the annual meeting of the Internet Society in London yesterday that it had sought to control its application development despite the costs to the business.

"We have a lot of applications that will not do application-to-application encryption," he said.

"What our business people have to understand is that I know it's cheap to continue running that application, I know you might not want to build another application, [but] you are going to have to restrict that application. You are going have to build one that does application-to-application encryption."

Barclays employed Vericode's automated software testing to vet its own software for security flaws, said Romain. This made it easier for the bank to set up software development centers in other countries.

"There are a lot of countries that people think it is not a good idea to develop code in. If somebody is worried about opening a development shop in China, Russia, Lithuania, South Africa, India or even the US, we will take your own code and run it through Vericode. It is very good at finding trapdoors," he said.

Vetting vendors

Barclays had also tried to vet vendors' code with Vericode, but suppliers were reluctant to let IT staff perform the procedure for fear of having weaknesses exposed.

"They say, 'What are you going to do with the information? You are going to tell everybody what a lousy piece of code I have'," said Romain.

Romain called for greater co-operation between businesses, clients, customers and governments in reducing the information security risks of his business. He said privacy laws should "back off for the best interests, for the legitimate interests, of the company". Employees should submit to closer monitoring and vendors should submit to greater control.

The bank developed a system of ranking vendors according to their level of risk. This came about after adopting satellite communications in Africa, where he said terrestrial cables would get stolen.

"We are relying on satellite communications. When you rely on satellite communications you rely on a lot of third parties," said Romain. This forced the bank to use multiprotocol label switching technology, which caused "a lot of headaches".

Supplier dashboard

"We just don't know the parties that are looking at our data. So we had to adjust," said Romain.

This was done by introducing categories of trusted and non-trusted suppliers, who were allocated risk scores and were assessed with a yearly audit. All the information was displayed in a supplier dashboard.

"We are trying to get to know our internet service providers as much as we can and control their actions. But to some extent we will never be able to do that completely," said Romain.

"One of the problems is to know who you are doing business with," he said. "I can do several things with my dashboard. I can list all the third parties who I am at risk of sharing data with. I can know who we have a contract with, is it valid, have they been tested. I can rank my vendors based on risk. I can list all the third parties that are at risk."

This story was first published by Computer Weekly

What’s Hot on Infosecurity Magazine?