Financial Firms Like Wireless-Security Spec
It promises better customer data protection, though adoption is limited.
March 28, 2005
Wireless technology can offer speed and agility in the fast-paced world of financial services, but ensuring the security of customer information and other sensitive data is a challenge. Some financial firms see promise in the emerging 802.11i security specification for wireless networks.
Security and 802.11i were popular topics at last week's "Wireless On Wall Street" summit in New York. "Wireless will allow many more people to get access. But what we need to do in the financial industry is to ensure that data is protected," said Louis Gibaldi, VP of risk management at J.P. Morgan Chase & Co. "That's our No. 1 concern."
Wachovia Corp. employees use wireless and instant messaging extensively, with BlackBerry units being the most popular wireless device. "This adds a lot of productivity to our staff," said Ilieva Ageenko, director of emerging enterprise applications at Wachovia. The bank also offers a wireless service that sends account-related alerts to customers' wireless devices. "We send out about 1 million alerts a month, and our customers love that."
802.11i is a security amendment to the 802.11 standard and is designed to replace the existing Wired Equivalent Privacy specification for interoperable security in wireless networks. WEP's vulnerabilities are well known, Gartner analyst Ken Dulaney says.
Within hours, a hacker with the proper equipment and tools can collect and analyze enough data to recover the shared encryption key from WEP on a busy company network. The emergence of 802.11i, which offers enhanced security options, including support for the Advanced Encryption Standard protocol, could let more financial firms develop wireless offerings, Dulaney says. An early limited version of the standard, called Wi-Fi Protected Access, is being used by some companies as an improvement to WEP. "802.11i is still gaining traction," Dulaney says. "There's mild adoption with the number of companies currently rolling it out. It will take time."
AXA Financial Inc., a financial-protection and wealth-management company, is among 802.11i's early adopters. "The implementation of 802.11i and AES encryption is a critical improvement to wireless LAN technology," Julie Gordon, principal architect at AXA's Architecture and Standards Group, said at the summit.
AXA has started letting employees access corporate data stored in Siebel Systems apps, Livelink, Domino, DB2, intranet sites, portals, and other systems from a variety of devices such as iPaqs, Palm Pilots, smart phones, and laptops over the Internet, WANs, and LANs. AXA's goal is to build a low-risk, low-cost, companywide mobile-computing platform. Part of this initiative is improved security, which means better data protection. It also means improving the security architecture and infrastructure through enhanced encryption for wireless WAN and wireless LAN access, which 802.11i enables.
Although 802.11i is designed to fix security deficiencies and to support the use of wireless LANs, it still poses challenges. 802.11i is built around the 802.1X protocol and is used with the Extensible Authentication Protocol, which supports multiple methods for companies to define user authentication. This means interoperability can be a problem because 802.11i doesn't support a single, universally accepted standard for user authentication.
It's still unclear if the financial-services industry is ready for widespread adoption of wireless, given broader security concerns. The consensus at last week's summit is that it's not enough to secure the airspace and the networks surrounding financial-services companies; the physical infrastructure, which includes systems, applications, and employee laptops, also must be better secured.