Case Studies > Banking-Finance

A Spirit of Protection

SpiritBank goes beyond regulations to avoid a data-loss nightmare

Up Close

CUSTOMER: SpiritBank HEADQUARTERS: Tulsa, Okla. BUSINESS: Commercial bank HARDWARE: An IBM System i 520, an IBM System i 820 (soon to be upgraded to another 520) and BOSaNOVA’s Q3 storage encryption appliance SOFTWARE: BOSaNOVA’s Q3 storage encryption appliance setup software and Cardinal/400 from Cardinal Software CHALLENGE: Making sure the data on its backup tapes is secure SOLUTION: Using BOSaNOVA’s Q3 storage encryption appliance to securely encrypt backup tapes to be taken offsite

I wrote an article about encryption recently, starting it off with scary stories and statistics about lost and stolen data tapes. It sent a shiver up even my spine, thinking that my highly personal and confidential information might fall into the hands of some dirty-deed doer who would steal my identity and buy a new car on my credit. (If it does happen, I hope they at least get a hybrid.)

Unfortunately, those stories are still creeping up in the press, and SpiritBank is one financial institution that isn’t taking chances. Indeed, SpiritBank has taken rigorous steps, using BOSaNOVA’s Q3 storage encryption appliance, to help ensure the security of its customers’ information.

A Scary Thing

The Tulsa, Okla.-based SpiritBank has been in business for more than 90 years, and remarkably, it’s still family owned (third generation). In these days of banking mergers and acquisitions, that’s quite an accomplishment—and one that’s paid off. The bank has 350 employees working in its headquarters and its 18 branches, which are in 12 markets in a mix of metropolitan and rural locations.

Following a path along I-44 in Oklahoma, the commercial bank operates in large cities such as Tulsa and Oklahoma City and smaller burgs such as Bristow and Cushing. “Because of this, we have a pretty diverse customer base,” says Michelle Haskin, vice president and application specialist with SpiritBank.

Running quietly in the background are two IBM* System i* servers, including a production 520 and a backup 820 (soon to be upgraded to a 520). The bank also has an IBM System Storage* Ultrium* 3 3580 tape drive for its daily, weekly and monthly tape backups. And, as with most financial institutions, it has several vendor-supplied banking applications, most notably Cardinal/400 from Cardinal Software. “That’s our primary app,” Haskin says.

SpiritBank was sending tape off into the wild in clear text before deciding to encrypt all offsite-bound tapes. The daily backups would go with a bank employee to one of the bank’s branches and be sealed in a vault. If the company needed to send tapes to the Cardinal office in Parsons, Tenn., to troubleshoot or diagnose problems, it did so via commercial carriers.

In both cases, however, the possibility that a tape might get lost or stolen always existed, opening the bank up to possible liability—and the potential for customer revolt.

“A loss of customer confidence would have as big an impact as any fine would, maybe even more,” Haskin says. “Once you lose that confidence, you can never get it back.” Although it had never misplaced a tape, it decided it didn’t want to take any chances, especially given data thieves’ increasing sophistication.

“Five or 10 years ago, that wasn’t really a concern. It was too expensive for people to purchase the proper tape drives and there was not nearly the number of conversion utilities back then that are available now,” Haskin says. “In addition, you had to have a System i server to read the tapes. Now, you can actually buy a tape drive off of eBay, hook it up to your PC and use conversion utilities to read a tape that was created on the System i server. In fact, you can find a video of someone proving just how easy it is on the BOSaNOVA Web site. It’s a very scary thing.”

Unfortunately, according to Haskin, many banks still don’t recognize the threat—or if they do, they haven’t taken any steps to address it. In fact, she says, “I’ve been in the data-processing area in the banking industry for 25 years, and sending tapes offsite in clear text was an accepted industry practice. It wasn’t until probably a year ago that you even heard people talking about the necessity of encrypting tapes. And even now, many companies, banks and financial institutions continue to send tapes via mail or shipping companies. And just because you have a tracking number doesn’t mean a tape won’t fall off the back of a truck.”

If we lose a tape, we lose a tape. All we have to do is buy a new one.  Michelle Haskin, vice president and application specialist, SpiritBank

Next page: >>