The Little Bank That Could

As competitive pressures increasingly demand that technology projects support more-agile buisnesses, executives such as Fifth Third CTO Jim Scott are reexamining the budgeting process to implement a more dynamic way of allocating funds.

Stonebridge Bank is uniquely positioned as a local Delaware Valley financial institution and a cutting-edge Internet bank. Based in West Chester, Pa., Stonebridge ($350 million in assets) operates full-service branches and offers a complete range of banking services through its Web site, www.stonebridgebank.com. The bank recently implemented two-factor authentication and began offering customers key-fob security tokens from RSA Security (Bedford, Mass.). George Rapp, director of IT at Stonebridge, explains the bank's strategy to InformationWeek's Steven Marlin.

BS&T: How long have you been issuing RSA tokens?

Rapp: We started deploying tokens Memorial Day [2005]. Users are given the choice of a shared secret, an RSA token or staying with a user name and password. Shared secret was the most popular choice. There is a cost associated with the token. Tokens make the most sense for people who are especially concerned about security or are doing extensive traveling, where they may be using a computer that's not theirs.

BS&T: How have they been received?

Rapp: We've been very pleased with the adoption rate based on comments from customers.

BS&T: How alarming is the threat to online security?

Rapp: The Internet is getting more dangerous. We deal with 85,000 Internet attacks hitting our bank's Web site per day, including worms and viruses - some that can be dealt with automatically and others that require human intervention. A year ago, it was 8,000 a day, and when we first opened up, we were getting 30 a day. The Internet's getting to be a hostile environment; there's organized crime trying to break into banks. Most of the organized crime is based in the Pacific Rim or Eastern Europe, where we don't have customers. So if we see a message coming from one of those locations, there's a good chance it's not friendly.

BS&T: What was the genesis behind offering two-factor authentication?

Rapp: It's something we've wanted to do for a long time - since at least 2000. We first looked at two-factor authentication for internal users, but found it to be cost prohibitive. Once RSA's patent expired, however, the prices became competitive, and RSA offered us a package that made it reasonable to use internally as well as for customers. We signed a contract in December.

BS&T: What security measures did you implement first?

Rapp: We were not going to be able to compete if people didn't have confidence in our security. The goal was building a system that would hold up for a long time to the most sophisticated attacks. Open Solutions [Glastonbury, Conn.], our core banking systems provider, passed along the Microsoft [Redmond, Wash.] Marble specification that had been developed in conjunction with Intuit [Mountain View, Calif.] for the OFX [Open Financial Exchange protocol]. It was a basic model; security wasn't very robust. We made changes, such as increasing the number of security events and additional packet filtering, and passed those changes along to Open Solutions, which implemented them in its products.

BS&T: How do you define best practices in security?

Rapp: Best practices means focusing on basic concepts, such as defense in depth, where you put multiple security layers in place. We assume that all data needs to be protected. We've set up user access policies, so that from an external side, customers can only see their data; from an internal standpoint, information access is restricted to authorized individuals. Our intrusion detection system runs a series of tests against an IP address or range of addresses. We perform vulnerability tests daily and penetration tests weekly.

BS&T: What's your guiding security philosophy?

Rapp: Trust no one. We have detailed segregation of duties. Every system requires using passwords, and the passwords themselves have complexity requirements, such as requiring both letters and digits. Internal systems are firewalled off from external customers.

BS&T: How do you compete against larger banks?

Rapp: We don't have the infrastructure that a multibranch bank has. We offer better value for customers that don't need a physical presence. Our 4,500 customers span the country.

We're highly automated. We have a small staff, which is why we're able to be competitive on deposit rates. We have very high efficiency. We use the power of the Internet and call center delivery channels to promote our products. That's how we distinguish ourselves on the liability side of the business, which is the deposit side. We're a traditional commercial bank on the asset side; our loan business is commercial lending, real estate, small business lending. A lot of our business comes directly through the Internet and call center. Customers might walk in through our physical doors, but after that, they come in through our virtual doors.

BS&T: Has regulatory compliance been a hurdle?

Rapp: Not really. The USA PATRIOT Act wasn't a big issue for us. We're accustomed to knowing our customers. For our physical customers, we require documentary forms of identity, such as a driver's license or passport. For our virtual customers, we require non-documentary forms of identity, in which we verify the information provided with a trusted third party.

BS&T: What's Stonebridge's channel strategy?

Rapp: We opened in 1999. The difficult part for a start-up bank is getting funding through deposits. We quickly realized we needed offensive as opposed to defensive delivery channels, and those were the Internet and the call center. Our strategy is not necessarily to have branches on every corner, though our branches do help support our commercial loan business. In essence, the retail deposit business feeds the commercial lending side.

BS&T: Describe Stonebridge's IT infrastructure?

Rapp: We're using HP [Palo Alto, Calif.] servers and HP switches, and a mixture of several vendors for routers and firewalls. We're migrating to VMware [Palo Alto, Calif.] server virtualization, which enables us to reduce the number of physical and logical servers. We will be down to about 18 physical servers by the end of the year. We have a 4-terabyte SAN, which is our core storage.

BS&T: How are you implementing virtualization?

Rapp: We previously had distributed storage among servers. It's easy to implement, but it requires buying large numbers of smaller drives, and we were running out of room in our data center. VMware has an add-on virtualization product that allows you to move a virtual server from one physical VM server to another without having to shut it down. We can move from one machine to another for upgrades, for troubleshooting, whatever. The big reason for implementing a SAN was flexibility. Virtualization allows us to add space to a server on the fly, without shutting down a server. Previously, you'd do a full backup, replace the drive and restore, which meant bringing down the server for a full day.

BS&T: What are your backup and recovery procedures?

Rapp: We do a mixture of full and incremental backups every day. We do a full backup at least once a week and incremental backup on the other servers at the same time. We have a six-week tape rotation and retire a tape every month, so we always have a history. We're also replicating the data off our main servers to our disaster recovery site in real time. We house our backup site about 10 miles away. We're constructing a second facility about 40 miles away; it will go live at the end of September.