In the financial marketplace, companies have traditionally centered their business controls and IT functions around their offerings and/or various lines of business (LOBs). This has allowed financial companies to direct their clients toward the specific services they need while increasing brand loyalty and personalized service. But the regulations and regulatory bodies that these companies must conform to -- GLBA, SEC, FDIC, SOX, etc. -- expect companies to maintain compliance and reporting structures in a centralized governance model. A key area where financial companies see the clash between their compliance requirements -- for example, knowing who has access to sensitive information -- and the company's operational governance model is in their authentication services framework.
With company organizational and control structures implemented in a distributed LOB governance model, IT administrators have been encouraged to implement their authentication services for users at the individual LOBs, each of which has a limited number of applications and services. While this has allowed the LOBs to securely manage access for the local systems and services under their control, it has complicated compliance efforts by requiring companies to manage and administer a virtual "key ring of authentications" for each user as the individual gains access to more and more LOB services. Employees require numerous authentications as they cross the LOB boundaries to administer systems, gather reporting information, gain access to local applications to perform their duties, or to provide support. Managing and reporting on each of these new authentications increases efforts to maintain compliance.
Consequently, a lot of companies have begun moving authentication services from the lines of business up to the enterprise level. The first step for migrating to a centralized authentication framework is to develop an authentication strategy. In addition to creating a roadmap to ensure the right technologies are selected, the authentication strategy should also consider new and existing business requirements, identify key systems that will be affected, determine implementation timelines and required resources, and account for any regulatory compliance requirements.
The good news is that security and identity management tools and services have been developed over the last few years to overcome many of the problems of a distributed governance and technology model. They include:
- A virtual directory can be implemented to create a single repository for joining or storing user information, including multiple authentication credentials. This provides a path for reducing the number of directories and databases that maintain employee personal and authentication information.
- A provisioning system can implement new business processes and consolidate the on-boarding, update and off-boarding of user accounts and authentications across the entire company.
- Meta-directories can be used to synchronize credentials to systems that cannot be integrated into the provisioning system so a common set of authentication credentials can be used by any number of disparate systems.
- Web access management (WAM) systems and portals can provide a Web-based, front-end system to create a centralized authentication service to back-end systems and can alternatively use a virtual directory to pass credentials to back-end systems that still require local authentication of end users.
- Federation technologies can be implemented so the user doesn't need to authenticate to multiple systems even if the data they need resides on them. In this scenario, an end user authenticates against a single front-end system and pre-defined federation authorization services are used to gain access to a series of "trusted" systems without the need to authenticate against each one.
- Compliance and audit tools can be integrated into the technologies described above and into business systems to collect, correlate, analyze and report on employee activities and access.
Despite the technology that's available, financial companies can run into a couple sticking points in migrating to a centralized authentication service. One issue is that many of their applications still run on mainframe technology. In order to move to a centralized authentication framework, gateways and other authentication servers must be put on the front end of these systems in order to dupe them into thinking they are still performing the authentication function. Another problem is the way these companies are managed. Financial companies generally maintain traditional management models that require many levels of approval to implement infrastructure changes, which slows down or may even stop the change process. So while a set of technologies may be available to streamline multiple authentications, communication or political roadblocks may make it impossible to get them implemented.
But if those problems can be overcome, a company can reap enormous benefits by creating an authentication strategy and implementing security and identity management technologies that simplify and consolidate a company's authentication services. Not only will enterprises be able to provide easier access and security to their systems and services, but more importantly, they will reduce the amount of data collection, analysis and reporting needed in order to maintain regulatory compliance.
About the author:
Randall Gamby is an independent security analyst who has worked in the security industry for more than 15 years. He specializes in security/identity management strategies, methodologies and architectures, and writes a security and identity management blog.