Sunday | 21 March, 2010
CSO
Westpac banks on virtual directory to automate access control
Toughest challenge is finding solutions that are user-friendly
Sandra Rossi (Computerworld) 20/08/2007 15:51:32

The Westpac Banking Corporation is creating a Virtual Enterprise Resource Directory to manage and automate access control while ensuring information is made available on a "need to know" basis.

"This is easy to say but hard to do," according to Richard Johnson, head of architecture, research and cybercrime in Westpac's information security group.

Speaking at Gartner's IT Security Summit in Sydney last week, Johnson said a lot of money is being invested in access control.

He said the goal is automation by embedding controls and reducing manual input.

"We are working closely with business units to do this; we currently have a number of projects in place and have invested heavily in Tivoli Identity Manager for provisioning," Johnson said.

"We are trying to get a single source of truth with our electronic HR system but the first challenge is federating all systems to get a single sign-on capability.

"Our current focus is moving to role-based access control as well as self service so users can reset their own passwords; the ultimate goal is an enterprise wide directory."

Westpac has 27,312 staff and 1,063 branches, which is why Johnson claims IT security spending must be based on intelligent decisions.

Formerly an accountant, Johnson said his business background has been invaluable throughout his IT security career.

"I'm actually an economist but financial audits bored the crap out of me," he said, adding that a secure system without functionality won't make money.

Johnson said network boundaries used to be more clearly defined, but today they have moved on to remote access, wireless and the use of third-party providers.

"It has blurred the perimeter which requires a defence in depth approach; we're talking about a very rich mix of access to your systems," he said.

"This means thinking about system design and creating a range of architecture guidelines with zones of trust.

"We are organizing our assets into zones of trust with different levels of access."

In recognition of this new landscape, Westpac has made a serious investment in Intrusion Prevention Systems (IPS) with Johnson claiming the bank has created the largest IPS shop in the southern hemisphere.

"An IPS understands threats in real time; it is an effective capability to have," he added.

Out of its seven million customers, 2.9 million undertake their banking online, which is why Westpac continually bolsters the security of this channel.
