It's been a difficult year for some financial services organizations, and many face new challenges. But the old challenges still remain, including online fraud, identity theft and daunting compliance mandates. The result is that financial services are broadening their identity management initiatives as a way to meet both the old and new challenges. Believe it or not, identity management is thriving in the financial services industry.
Organizations are stepping up their efforts to battle consumer fraud and identity theft as online attacks are increasing and the nature of these attacks is becoming more sophisticated. Typical consumer authentication deployments started with clientless device identification and passive risk analytic engines, which sit in the background and monitor transactions for unusual activity. Now, financial institutions are moving ahead with aggressive risk analytics -- stopping a risky transaction before it happens. Risk analytic engines require careful tuning to reduce the problems of falsely accepting and rejecting transactions. In addition, financial services organizations are leveraging IP geolocation and blacklisting to keep out fraudsters.
A recent trend in consumer authentication is the use of telephone-based authentication, which uses a mechanism outside the Web to authenticate the user. This out-of-band authentication technique holds much promise because it provides some of the benefits of two-factor authentication without requiring that the consumer carry a hardware one-time password (OTP) device. The financial services organization contacts the consumer at a phone number of record (like the office, home or mobile phone), the user presses a key or two on the phone, and the Web session is authenticated.
While financial services organizations are battling escalating external attacks, they're also taking steps to protect themselves from disgruntled insiders. With so much upheaval and consolidation in the industry, there's a higher risk of unhappy employees with privileged access who could launch denial-of-service attacks, breach confidential information, and conduct unauthorized transactions. Financial services organizations are leveraging two identity management tools to reduce the risks associated with these users.
The first tool is the venerable provisioning system, because it offers the timely revocation of user access, especially when an employee is terminated. Another benefit of the provisioning system is its ability to limit the access rights of users. Some financial services organizations have already deployed provisioning systems and are expanding their use within the enterprise. Others are just beginning their evaluation of provisioning products.
Provisioning tools are helpful with real users, but what about platform accounts like the UNIX root, Windows Administrator and database ownership accounts? These accounts are shared by many administrators, making them difficult to track. That's where the second tool -- the privileged account management product -- comes into play. Privileged account management products provide greater accountability because the account must be checked out by the administrator and the password associated with the account is changed frequently.
Companies also are expressing interest in using risk analytics for preventing insider abuse. For example, an organization may want to know if a customer support supervisor, who needs access to customer records, is accessing an excessive number of records. Risk analytics products are not yet ready to address this problem, but the vendors are enhancing the products to support the enterprise use case.
About the author:
Mark Diodati, CPA, CISA, CISM, has more than 19 years of experience in the development and deployment of information security technologies. He is a senior analyst for identity management and information security at Burton Group, and has served as vice president of worldwide IAM services for CA, as well as senior product manager for RSA Security's smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous industry publications, and has been referenced in a number of academic and industry research publications.