Wells Fargo says no to personal smartphones and tablets, period

Employee-owned mobile devices pose security risk, Wells Fargo says

Wells Fargo imposes strict regulations on employee-owned mobile devices and social networking sites because of security risks.

Wells Fargo's IT group has a simple answer for employees who want to hook personal devices up to corporate systems: No.

"They can't connect them to our networks," says Wayne Mekjian, executive vice president and CIO of information services at Wells Fargo. "We won't let them in."

The "just say no" policy applies to Apple iPads, Android tablets and smartphones owned by employees. The company also has strict policies regarding use of Twitter and Facebook, making the sites off-limits to many. Wells Fargo does, however, supply employees with corporate-approved smartphones, and a limited deployment of iPads that can connect to e-mail and other corporate systems.

CHALLENGE: The complicated new face of personal computing

"I carry two phones. One for personal, and one for work," says Martin Davis, executive vice president and head of Wells Fargo's technology integration office. "I've got two iPads in my briefcase, for personal and work. We keep it separate."

The consumerization of IT has led many large enterprises to reconsider restrictive policies on employee-owned devices. Intel, the chipmaker, allows nearly 10,000 personal devices to connect to its network, primarily for e-mail, contacts and calendaring. Ford Motor Co. has a program to support employee use of iPhones and other consumer devices. Moreover, VMware and other virtualization vendors are building a wall between personal and corporate data and applications on smartphones, making it more secure to use a single device for both work and play.

But financial services companies, generally, may believe that the special security risks posed to the banking and insurance industries demand a higher level of separation between work and personal systems. Wells Fargo, for instance, also blocks employee access to some social networking sites when they are in the office or connected through a VPN. Twitter and Facebook are among the blocked sites.

"We have a number of sites where you get a black message, covering your screen, and it says 'access denied,'" Davis says.

Wells Fargo, which is undergoing a huge technology integration project spurred by the purchase of Wachovia, has had to reconcile competing policies on use of devices and social networking sites.

Davis, a veteran of Wachovia, said Wachovia before the merger allowed employees to connect personal devices to corporate systems, as long as they signed a waiver allowing the company to wipe the device in case it is lost. One reason Wachovia allowed employees to buy their own devices was because they "were managing their price points better. When we had major plans for the enterprise, we ended up paying too much for minutes," Davis said.

But the Wells Fargo side believed that policy wasn't secure enough.

"It still is a huge deal with Wachovia and Wells Fargo merging, because at Wachovia it was OK to have personal devices attached," Mekjian said. "Now we're going back to all those guys and saying, 'You've got to take them off.'"

For smartphones issued by the corporation, employees can choose among iPhones, Androids and BlackBerrys. Wells Fargo has also issued 200 iPads to employees and connected them to Microsoft Exchange, in a pilot program. All the data on those devices can be erased when they connect to the network.

"If I leave my BlackBerry here in your offices, and I'm back in Charlotte, I'll just call the team and say, 'Wipe it,'" Davis says.

Beyond mobile devices, Wells Fargo and Wachovia also had different policies on social networking sites that had to be merged after the acquisition.

"At Wachovia, we didn't allow access to any [social networking sites] at all," Davis said. "I think Wells Fargo allowed a couple more than we allowed."

Internally, Wells Fargo uses Cisco TelePresence, instant messaging, SharePoint and other tools to collaborate. The company also, of course, has its own Twitter and Facebook pages, so at least some employees can access sites that are blocked for the general population. And Wells Fargo is considering allowing more access.

"We're wrestling with that right now," Mekjian said. "Should you give access, and if you do, how do you get there [securely] as opposed to just turning it on and letting people do it."

Currently, "there are groups of team members who do have access to Twitter and Facebook, as well as other social media sites based on business needs," a Wells Fargo spokeswoman says. "We typically block access to these and other sites due to the potential risk to our environment. Unfortunately we don't have a firm list of sites that are blocked because team members often request access when their business needs change."

While Wells Fargo can control what devices and Web sites its employees use, it still must manage risk from customers accessing their financial information from any device with a browser, whether that's a PC, phone or tablet. Dangers abound from customers who leave devices unguarded after signing into their accounts or fall victim to social engineering attacks.

"We're only going to hold you harmless for a certain amount of dollars," Davis said. "If you lose $2,000 in fraud, we're probably going to make you pay $50. So you've got the keys to our vault."

In the wake of the merger, Wells Fargo is slashing spending and will save $1 billion in annual technology and operations costs, as part of a goal of saving $5 billion across the whole organization.

For one thing, Wells Fargo plans to cut its application footprint from 4,000 applications to 3,200. The company is also boosting use of VMware to improve utilization of servers and creating an internal app store to simplify the process of deploying small apps and business services.

With more than 73,000 servers, 22 petabytes of storage, 1.2 million nodes, 42,000 network devices, 144,000 users, 12,000 ATMs and 6,000 stores, Wells Fargo has four major data centers, each the size of four football fields. The firm also operates about 80 regional and satellite data centers, but hopes to cut that number down.

For some companies, cloud computing would be the answer for consolidation, but not for Wells Fargo.

"I don't know what a cloud is, and so I don't want to go there," says Mekjian, noting that cloud computing is still poorly defined by the IT industry. "I'm not going to put my customer data into somebody else's cloud. It's not going to happen, not until I'm guaranteed beyond a shadow of a doubt that it's secure. The cloud should scare everybody. Why would anybody want to put their data in a cloud?"

Although Wells Fargo officials clearly have reservations about some modern technologies, it's not preventing them from attracting top talent, Davis says.

"One thing that attracts IT talent to financial institutions is that we have such a heterogeneous environment for technology," Davis says. "If you want to see HP NonStop equipment, we've got that. If you want to see iPads, we've got that. If you want to see big iron, we've got that. If you want to see virtualized servers, we've got that. If you ask any of your major IT vendors who is the largest slice of pie for their business, they're going to say financial services, because we're buying their products. We're getting the latest and greatest, and that attracts talent to our organizations."

Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin

Copyright © 2011 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022