Software Keeps Insiders Out

Vormetric's CoreGuard helps Ocwen protect confidential information in its online exchange for the mortgage industry.
Dale Pickford, CIO of Ocwen Financial Corp., had more than a passing interest in a security report released recently by the U.S. Secret Service and Carnegie Mellon University's CERT Coordination Center. The report, financed by the Department of Homeland Security, analyzed 23 cases of fraud perpetrated by insiders in the banking and finance sector. In 30% of the cases, losses were in excess of $500,000.

Ocwen provides services and technology to companies that collectively initiate 40% of the mortgages in the United States, including RealTrans, a Web-based electronic marketplace for ordering such things as title insurance, appraisals, flood-hazard determinations, and real property data. Much of the information is customer specific, and Ocwen is legally required to keep it confidential. It's also subject to the Gramm-Leach-Bliley Act, which imposes strict guidelines for protecting customer privacy.

The Secret Service/CERT report reinforced what Pickford had already considered: Hackers don't pose the biggest security danger, since the RealTrans Web site is Secure Sockets Layer-encrypted. It's the threat from insiders--those with access to a company's systems and confidential information--that poses a bigger risk, especially since the information in the RealTrans system was stored in plain text and was a little too easy to get at.

As the Secret Service/CERT report illustrates, identity thefts are often perpetrated by low-level employees with little or no technical expertise. In one notorious case last year, a former help-desk employee for a company that supplied software for accessing credit reports was charged with obtaining thousands of reports using passwords and access codes that he had taken with him when he left the company. He allegedly peddled the reports to street gangs for $50 each. The scheme went undetected for two years, by which time the gangs had racked up $2.7 million in phony card charges.

Pickford could have simply encrypted plain-text data stored on the RealTrans system, but he knew it would be too easy for an insider with some technical knowledge to figure out the encryption scheme. Another issue compounded the problem: He needed to protect the confidentiality of information without slowing down the approximately 1 million mortgage-related orders that are conducted on the online exchange each month. "How do I prevent my own staff from accessing sensitive data without impeding them from doing their jobs?" he says.

The solution he hit on was to create a multilevel access system using Vormetric Inc.'s CoreGuard data-security software. CoreGuard was installed earlier this year to stand guard over three major subsystems: the operating system (Sun Microsystems' Solaris), database (Sybase), and storage (Veritas Software).

Ocwen needed a security system that wouldn't slow orders, CIO Dale Pickford says.

The CoreGuard system lets Ocwen centrally manage and enforce its enterprise data security policies and can extend those policies out to information regardless of where or in what form it's stored. Ocwen has set up CoreGuard so that it will detect any attempt to interrupt normal transactions and processing; if there's abnormal activity, personnel won't be able to access and view the information.

The software runs at the file-system level, eliminating the need to customize apps or the networking infrastructure. Because there were no major code modifications, Pickford says, there has been no performance degradation.

Moreover, CoreGuard security functions are transparent to users, as well as to the IT infrastructure, so Ocwen didn't have to train or prepare its personnel in any way. The system allows authorized personnel to do their jobs without running the risk of compromising sensitive information.

Pickford is determined to keep his company out of the headlines regarding security leaks. "I've been entrusted with protecting data from customers, and nobody in my organization should have access."