SECURITY ARCHITECTURE INSIDER

Identity management for financial firms in turbulent times


Mark Diodati, Contributor
04.10.2009


It's been a difficult year for some financial services organizations, and many face new challenges. But the old challenges still remain, including online fraud, identity theft and daunting compliance mandates. The result is that financial services organizations are broadening their identity management initiatives as a way to meet both the old and new challenges. Believe it or not, identity management is thriving in the financial services industry.

Organizations are stepping up their efforts to battle consumer fraud and identity theft as online attacks are increasing and the nature of these attacks is becoming more sophisticated. Typical consumer authentication deployments started with clientless device identification and passive risk analytic engines, which sit in the background and monitor transactions for unusual activity. Now, financial institutions are moving ahead with aggressive risk analytics -- stopping a risky transaction before it happens. Risk analytic engines require careful tuning to reduce the problems of falsely accepting and rejecting transactions. In addition, financial services organizations are leveraging IP geolocation and blacklisting to keep out fraudsters.

A recent trend in consumer authentication is the use of telephone-based authentication, which uses a mechanism outside the Web to authenticate the user. This out-of-band authentication technique holds much promise because it provides some of the benefits of two-factor authentication without requiring that the consumer carry a hardware one-time password (OTP) device. The financial services organization contacts the consumer at a phone number of record (like the office, home or mobile phone), the user presses a key or two on the phone, and the Web session is authenticated.

While financial services organizations are battling escalating external attacks, they're also taking steps to protect themselves from disgruntled insiders. With so much upheaval and consolidation in the industry, there's a higher risk of unhappy employees with privileged access who could launch denial-of-service attacks, breach confidential information, and conduct unauthorized transactions. Financial services organizations are leveraging two identity management tools to reduce the risks associated with these users.

The first tool is the venerable provisioning system, because it offers the timely revocation of user access, especially when an employee is terminated. Another benefit of the provisioning system is its ability to limit the access rights of users. Some financial services organizations have already deployed provisioning systems and are expanding their use within the enterprise. Others are just beginning their evaluation of provisioning products.

Provisioning tools are helpful with real users, but what about platform accounts like the UNIX root, Windows Administrator and database ownership accounts? These accounts are shared by many administrators, making them difficult to track. That's where the second tool -- the privileged account management product -- comes into play. Privileged account management products provide greater accountability because the account must be checked out by the administrator and the password associated with the account is changed frequently.
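The check-out model described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor product; the class `SharedAccountVault`, its method names and the account label `unix:root` are hypothetical, and rotating the password at every check-in is one assumed policy for "changed frequently".

```python
import secrets
import time

class SharedAccountVault:
    """Toy check-out/check-in model for shared accounts (hypothetical, not a product API)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._password = {}   # account -> current password
        self._holder = {}     # account -> admin currently holding it, or None
        self.audit = []       # (timestamp, event, account, admin), in time order

    def _rotate(self, account):
        # A real product would also set this password on the target system.
        self._password[account] = secrets.token_urlsafe(24)

    def _log(self, event, account, admin):
        self.audit.append((self._clock(), event, account, admin))

    def enroll(self, account):
        self._holder[account] = None
        self._rotate(account)

    def check_out(self, account, admin):
        if self._holder[account] is not None:
            self._log("denied", account, admin)
            raise PermissionError(f"{account} is held by {self._holder[account]}")
        self._holder[account] = admin
        self._log("check_out", account, admin)
        return self._password[account]

    def check_in(self, account, admin):
        if self._holder[account] != admin:
            raise PermissionError(f"{admin} does not hold {account}")
        self._holder[account] = None
        self._rotate(account)  # the password the admin saw is now useless
        self._log("check_in", account, admin)

    def holder_at(self, account, when):
        """Answer 'who had this account at time T?' from the audit trail."""
        holder = None
        for ts, event, acct, admin in self.audit:
            if acct != account or ts > when:
                continue
            if event == "check_out":
                holder = admin
            elif event == "check_in":
                holder = None
        return holder
```

Because only one named administrator can hold the account at a time, any action taken as the shared account maps back to one person through `holder_at`.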

Companies also are expressing interest in using risk analytics for preventing insider abuse. For example, an organization may want to know if a customer support supervisor, who needs access to customer records, is accessing an excessive number of records. Risk analytics products are not yet ready to address this problem, but the vendors are enhancing the products to support the enterprise use case.
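The supervisor scenario above reduces to comparing each user's daily count of distinct customer records against peers in the same role. The following is an added example, not code from the article or from any risk analytics product; the log layout, user names and the parameters `k`, `min_spread` and `min_peers` are assumptions, and the audit rows are constructed.

```python
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed audit rows (not real data): (day, user, role, record_id)."""
    role, day = "support_supervisor", "2009-04-06"
    rows = []
    for user, n in {"alice": 12, "bob": 15, "carol": 10, "dave": 14}.items():
        rows += [(day, user, role, f"C{i:04d}") for i in range(n)]
    # bob re-opens one record 40 times: repeat views must not inflate his count
    rows += [(day, "bob", role, "C0001")] * 40
    # erin opens 180 different customer records on the same day
    rows += [(day, "erin", role, f"C{i:04d}") for i in range(180)]
    return rows

def distinct_records(rows):
    """Count distinct customer records per (day, role, user)."""
    seen = defaultdict(set)
    for day, user, role, record_id in rows:
        seen[(day, role, user)].add(record_id)
    return {key: len(ids) for key, ids in seen.items()}

def flag_excessive_access(rows, k=5.0, min_spread=5, min_peers=4):
    """Flag users whose daily count exceeds peer median + k * spread."""
    peers = defaultdict(dict)
    for (day, role, user), n in distinct_records(rows).items():
        peers[(day, role)][user] = n
    alerts = []
    for (day, role), counts in peers.items():
        if len(counts) < min_peers:
            continue  # too few peers to form a baseline
        med = median(counts.values())
        # Median absolute deviation: robust to the outlier being hunted
        mad = median(abs(n - med) for n in counts.values())
        # min_spread keeps a tightly clustered team from alerting on noise
        threshold = med + k * max(mad, min_spread)
        for user, n in sorted(counts.items()):
            if n > threshold:
                alerts.append({"day": day, "role": role, "user": user,
                               "records": n, "threshold": threshold})
    return alerts

if __name__ == "__main__":
    for alert in flag_excessive_access(build_sample_log()):
        print(alert)
```

Raising `k` trades missed abuse for fewer false alerts, which is the same tuning problem the article describes for consumer-facing risk engines.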

About the author:

Mark Diodati, CPA, CISA, CISM, has more than 19 years of experience in the development and deployment of information security technologies. He is a senior analyst for identity management and information security at Burton Group, and has served as vice president of worldwide IAM services for CA, as well as senior product manager for RSA Security's smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous industry publications, and has been referenced in a number of academic and industry research publications.

