Stillwater National Bank: Cost-effective management via a standards-based security platform

Stillwater National Bank

  • Customer Profile: Subsidiary of Southwest Bancorp
  • Goals: Customer privacy; regulatory compliance
  • Solution: PGP Universal™ Gateway Email; PGP® Whole Disk Encryption; PGP® Desktop Email
  • Deployment: Within budget; ahead of schedule
  • Benefits: Security; better customer service; lower operational cost

Stillwater National Bank chose the PGP® Encryption Platform to secure emails and laptops rather than outsourced or proprietary solutions.

Stillwater National Bank and Trust Company (SNB) is a subsidiary of Southwest Bancorp, Inc., a public company traded on NASDAQ under the symbol OKSB. Founded in 1894, SNB is headquartered in Stillwater, OK, and currently has assets of more than $2 billion, with offices in Kansas, Oklahoma, and Texas.

The Challenge

Stillwater National Bank (SNB) struggled with the solution it had been using to send confidential banking information to customers and partners. "In the past, we used a combination of PGP Desktop Email with Self-Decrypting Archives and password-protected WinZip files. We then had to call each recipient with the password," explains Jacob Mays, SNB's assistant vice president of information systems. "The solution was hard to implement and did not track whether something was encrypted, so we could not verify if what was supposed to be sent out encrypted was really being sent that way." The process was also too complex for users. "We had to install software on the desktop systems and then train users. When users lost passwords, we had to re-create the entire message with attachments and then encrypt them again."

SNB wanted a solution that did not require desktop software installation or password exchange and that would encrypt emails automatically, when required: "We needed a solution that was very easy to use so our staff would adopt it quickly and use it consistently," Mays says. "We also wanted it to be easy for recipients. When you are dealing with customers, you do not want to make it technically challenging. It has to be easy for them to open encrypted emails and retrieve the information they need."

Laptops at most risk. Mays was also looking for a solution to protect corporate laptops: "We've always known that laptops were the most vulnerable to a potential data breach because people travel with them. Although they usually contain only a small amount of confidential information, what's there can be highly sensitive. In the past, we used a Trusted Platform Module (TPM) and Microsoft Windows Encrypting File System (EFS), but we had a lot of problems, especially because certain parts of the disk, such as temporary folders, were not being encrypted. The solution just wasn't doing the job it was supposed to do."

Compliance and privacy needs. According to Mays, encrypting data is very important to SNB: "There are a lot of regulatory mandates that require us to encrypt customer information. This was the number one business problem we were trying to solve. In addition to these legal requirements, we also believe our customers' privacy is an important asset to protect."

Backing from senior management. At first, the bank's senior management did not fully understand the value of encrypted email. The biggest hurdle for Mays was to define why encryption was important and what the financial and reputational consequences would be if confidential information was exposed. "The requirement to encrypt data doesn't make the bank any money; it was viewed as just an expense," he explains. "To address this issue, I presented news about other companies losing information via lost laptops or unsecured email and the fines imposed on them. Once management recognized the need for an encryption process, they actually pushed us to introduce the solution."

Outsourced solution no alternative. First, Mays explored whether to use an outsourced solution: "We decided we didn't want our information to be stored on a third-party system. We would have to ensure the vendor complied with specific audit requirements and verify that compliance annually, which would have been a complex project. In the end, we were uncomfortable with the idea that another organization would be in the possession of our confidential data."

Non-standard solutions impractical. The in-house solution came down to a choice between PGP Corporation and another vendor. "The challenge with the alternative solution was that we felt they were not using industry standards," Mays explains. "Encryption only works if everyone speaks the same language. The more people you can communicate with securely, the better the solution works out of the box. When you're dealing with larger enterprise partners that already have certificates and security mechanisms, you want to be very flexible about what you can accept. This is why it was so important to us to use an industry standard for encryption."

Platform easier to manage. Mays points out the bank was looking for a comprehensive solution with centralized management: "The alternative solution didn't have any complementary products such as PGP Whole Disk Encryption or PGP Desktop Email, so the issue became the manageability of multiple solutions. We wanted one central database with all the keys for the various solutions and one central system to manage the licenses and deployments. Managing one key per person is easy, but managing multiple keys for each person is a nightmare. The PGP® Encryption Platform was the only solution that allowed us to use the same key and offered central management for all our security solutions, meeting all our security needs."

The Solution

Mays says PGP® Technology has always been a standard for encryption. "Every time we thought of encryption, we thought of PGP® software. It used to be a techie's toy because you had to know about encryption and about keys and how to exchange them. So our original impression was that if we chose a PGP® solution, it would be very difficult to use," he recalls. "But that's no longer the case: PGP Universal™ is deployed as an email gateway, so you don't have to manage any keys or download software to desktop systems. Users can now quickly and easily encrypt email messages."

Internal encryption. Some SNB users also needed to encrypt files internally: "For example, the Information Systems department has certain files that contain passwords and other highly confidential information," says Mays. "We needed a way to secure these files in internal email, store them encrypted on a network share, and encrypt backups." These SNB users take advantage of the granular security options in PGP Desktop Email to protect information internally.

Ensured access. To comply with regulatory requirements for data continuity, SNB needed a way to access encrypted messages without having to recover the user's key. The bank employed a PGP® patented technology called Additional Decryption Key (ADK) that also encrypts every message to a specific corporate key: "We wanted the ability to create an ADK to ensure data access in case the owner lost the key or was unavailable. To prevent misuse, we used PGP Desktop Email to create a key that is shared between multiple individuals; to retrieve and decrypt a message, the shares have to be brought together, meaning that no one person can access the information."

Peace of mind. The bank's security advisors like that PGP Whole Disk Encryption secures all information on their laptops. Mays says, "PGP Whole Disk Encryption allowed us to secure an entire laptop hard drive, including all temporary, swap, and operating system files. If it's stolen, we don't have to worry about the data because we know it's secured."

Integration with Active Directory. Mays connected PGP Universal Gateway Email to the internal Microsoft Active Directory: "All our users have two or three email addresses because they have multiple aliases. Active Directory integration was important so that the PGP Universal Gateway Email server could automatically pull these aliases and add them to keys when they were generated. It was very simple and it worked," he recounts. "We also tracked in Active Directory who was using internal email encryption and PGP Whole Disk Encryption so these users would receive the correct policy from the PGP Universal Gateway Email server."

The Results

Within budget and ahead of schedule. SNB completed the project within budget and ahead of schedule. "Installation of PGP Universal in the gateway was simple," Mays recalls. "We installed the software on the server and then easily reconfigured the way the mail was delivered internally to accommodate our anti-spam and content-filtering solution. That was the only change we had to make to our existing infrastructure. It took about 4 hours to get up and running, and we'd originally thought it would take about a week."

Time and money saved. Mays appreciates the return on investment of the PGP Encryption Platform compared to the previous solution: "We didn't really have to convince the IT department that PGP Universal Gateway Email was the right choice. We'd been managing keys for a while, and the time and money saved by a gateway solution was well worth the expense."

Customers receive information faster. Mays says the business units were begging for a secure email solution: "Some business units wanted to send confidential information by email, but we had no process in place for systems to automatically send encrypted email. With the gateway solution, the business units can now utilize this functionality and give customers the information they need more quickly. In other words, encryption accelerated the business process rather than slowing it down."

Low cost of ownership. "We've already saved money by centrally managing all the keys we managed before, lowering the TCO," Mays points out. "The cost of a solution can be budgeted, but it's difficult to estimate the cost of keeping the solution running. PGP Universal Gateway Email is doing very well on that front. Our help desk people like the solution because they never have to fix anything, and the end users love it because it's so simple to use."

Excellent performance and scalability. SNB is very pleased with the performance of the PGP Universal Gateway Email server. "Daily utilization of the server is minimal," says Mays. "We could probably process 10 to 20 times the amount of email we're currently receiving without having to move to a clustered configuration. If we decide to add more servers, we'll be able to cluster them immediately without investing in additional infrastructure because PGP Universal is very scalable. We're a growing company, and as we get bigger, our needs will change, so the ability to start small and grow is very important."

No need to upgrade laptops. Mays is also satisfied with the speed of the full disk encryption: "Because of the number of laptops we have, performance was an important criterion. Otherwise we'd have incurred significant expense in upgrading all the hardware. Instead, we wanted to use existing laptops and just layer a solution on top. PGP Whole Disk Encryption requires minimal CPU usage and handles encryption on-the-fly without forcing us to upgrade the hardware."

Support was quick and accurate. When questions arose during the initial stages of deployment, Mays contacted the PGP® Support team: "We ran into some minor issues when we set up the system. PGP Support responded quickly and effectively, allowing us to fix the problem in no time."

Summary

"We always knew encryption was something we needed to do. The PGP Encryption Platform provides the range of functionality we need," Mays summarizes. "Now that we've completed the project, I'm asking myself why we didn't do it sooner."

Customization for ease of use. Mays says SNB is planning to customize the PGP Universal Web Messenger interface to reflect the bank's corporate identity. The PGP Universal Web Messenger service allows recipients without an encryption solution to retrieve email from a secure website: "We're customizing the interface to improve usability and to fully integrate the PGP solution into our external Web applications."

Protecting mobile devices. Mays is also planning to look at the PGP® Support Package for BlackBerry®, which extends PGP® email encryption to mobile device users: "We'd like to send and receive encrypted emails from the BlackBerry devices. We expect banking regulations to get tougher in the future and require data to be more secure, so staying ahead of the game and protecting the information of our clients is vital to our business."

The PGP Encryption Platform. The PGP Encryption Platform reduces the complexities of protecting business data by enabling organizations to deploy and manage multiple encryption applications cost-effectively from a single management console. Deployed with the first encryption application, the PGP Encryption Platform makes installing a separate or additional infrastructure unnecessary when the organization needs other encryption applications. The PGP Encryption Platform supports the broadest range of integrated applications to secure email, laptops, desktops, instant messaging (IM), PDAs, network storage, FTP or bulk data transfers, and backups.

"Encryption only works if everyone speaks the same language. When you're dealing with larger enterprise partners that already have certificates and security mechanisms, you want to be very flexible about what you can accept. That's why it was so important to us to use an industry standard for encryption."

- Jacob Mays, Assistant Vice President, Information Systems, Stillwater National Bank
