Viewpoint: A Tool to Strengthen Strong Authentication

With the deadline passing last year for the Federal Financial Institutions Examination Council guidelines for strong authentication, many financial institutions, having prepared their plans to meet these guidelines, may be lulled into a false sense of security.


However, strong authentication alone is not enough if these institutions don't move into the next phase of managing the risk of increased remote access to core banking systems — namely, online user entitlement certifications.

Though the guidelines have rightfully pushed banks to build stronger gateways for their online environments this past year, banks should note that the guidelines, and accompanying regulations, require them to pay equal attention to back-end access monitoring and reporting.

Furthermore, regulatory requirements put the burden on banks to continually evaluate, and adjust, their information security programs in light of any relevant changes in technology, internal or external threats, and changing business arrangements, such as mergers and acquisitions, outsourcing arrangements, and changes to customer information systems.

Entitlement certification, the continuous review of who has access to what, whether that access is appropriate, and whether security policies are being followed, is the next step in reducing the risk of online access by both customers and employees.

Real-time access to core banking and payment applications has grown exponentially during the past decade. At the same time, external access to banking systems has also grown exponentially with outsourcing and, more importantly, offshoring.

A study by Deloitte Research projects that an additional 2 million employees and contractors will access core banking functions remotely because of the migration of head count offshore during the next several years. Deloitte's 2006 Global Security Survey also shows that for major global financial institutions, the percentage of security breaches resulting from internal attacks, including insider fraud, has been on the rise for three consecutive years.

Both trends magnify the need to stay on top of the entitlement certification and review process to make sure that management thoroughly understands who has access to what and what they are doing with that access.

Banks' greatest vulnerabilities have always come from within, whether from branches, central operation centers, or automated teller machines. As we radically decentralize bank operations and service delivery through the Internet and other remote channels such as mobile phones, the need for continuous monitoring of who has access to what and what they are doing also grows.

The separation and isolation of systems make entitlement reviews even harder in an environment of increasing mergers and acquisitions, where common users with different log-on credentials and entitlements are maintained across unmerged operating systems, applications, and divisions.

Bankers performing entitlement certifications, which used to be done easily and manually for a few hundred users, now must deal with thousands, if not millions, of users when accounting for both external and internal users.

Furthermore, providing a universal, enterprisewide view of who has access to what and what they are doing is especially difficult in banking, because we have deployed numerous siloed, separately managed applications and systems. More often than not, users will have access to multiple systems, challenging the separation of duties of the most basic entitlement control program. It is not uncommon to find a "common" user having access to a loan origination system as well as log-on credentials and usage entitlements for a funding system — or, in another classic example, access to both an accounts payable system and an accounts receivable system.

Millions of new users, new points of access through the Internet and offshoring, M&A activity, and separately deployed systems all put more pressure on banks to meet the regulatory demands of monitoring online activity and the corresponding entitlement certifications.

AMR Research estimates the cost of such work for Sarbanes-Oxley Section 404 compliance alone at $1 million for every $1 billion of revenue. This projection doesn't even include the other banking regulations with stringent provisions for monitoring system entitlements — Gramm-Leach-Bliley, the Bank Secrecy Act, FFIEC regulations, and the like.

All this points to a key question for bankers as they move beyond the strong authentication stage to the continuous compliance and monitoring phase: How do financial institutions automate access-rights monitoring and assurance of access-related security policies and compliance controls?

With multiregulation compliance as the reality, banks increasingly recognize that they need continuous, sustainable compliance as it relates to system access controls. Getting there requires a multistep process: visibility across all the systems, applications, and security infrastructures; an automated, continuous certification process that ensures accountability for accurate access rights; and assurance that security policies and compliance controls are being met through an evidence-based model.

One approach is to aggregate on an enterprisewide basis all the ways users access computing resources. This task is nearly impossible on a manual basis. One way to solve the problem is to build a central collector across all applications in the bank's technology infrastructure to unify user identities and reveal who has access to what ("entitlements") and what they do with that access ("activity") in a consolidated dashboard view.
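To make the collector concrete, the following Python is an added example, not code from the original article or from any vendor product. It takes constructed exports from three siloed systems, each of which keys its accounts differently (login name, e-mail address, employee number), unifies them through a constructed HR identity map, and then evaluates the two separation-of-duties conflicts named above (loan origination plus funding; accounts payable plus accounts receivable). It also reports accounts that cannot be tied to any current employee, which an entitlement review must resolve before anyone can certify the access as appropriate. All system names, account names, entitlement names and rules are assumptions made for the illustration.

```python
# Added example: a minimal "central collector" for entitlement certification.
# Constructed sample exports from three siloed applications. Each system keys
# its accounts differently, which is what makes a manual enterprise-wide
# review impractical at scale.
LOAN_ORIGINATION = {                       # login name -> entitlements
    "jsmith": {"create_loan", "approve_loan"},
    "mlee": {"create_loan"},
    "contractor7": {"create_loan"},        # no matching HR record (see below)
}
FUNDING = {                                # e-mail address -> entitlements
    "john.smith@bank.example": {"release_funds"},
    "ana.ruiz@bank.example": {"release_funds"},
}
GENERAL_LEDGER = {                         # employee number -> entitlements
    "E1001": {"ap_post_invoice"},
    "E1003": {"ap_post_invoice", "ar_apply_receipt"},
}

# Constructed HR identity map that lets the collector unify the three key
# spaces into one person per employee number.
HR = {
    "E1001": {"login": "jsmith", "email": "john.smith@bank.example"},
    "E1002": {"login": "mlee", "email": "maria.lee@bank.example"},
    "E1003": {"login": "aruiz", "email": "ana.ruiz@bank.example"},
}

# Separation-of-duties rules (assumed for the illustration): a pair of
# entitlements, qualified by system, that one person must never hold together.
SOD_RULES = [
    ("loan_origination:create_loan", "funding:release_funds",
     "can originate and fund the same loan"),
    ("general_ledger:ap_post_invoice", "general_ledger:ar_apply_receipt",
     "can post both payables and receivables"),
]


def collect():
    """Map every account in every system to an HR identity.

    Returns (entitlements_by_person, orphan_accounts) where the first is
    {employee_number: {"system:entitlement", ...}} and the second lists
    (system, account) pairs that match no current employee.
    """
    by_login = {rec["login"]: emp for emp, rec in HR.items()}
    by_email = {rec["email"]: emp for emp, rec in HR.items()}
    by_emp = {emp: emp for emp in HR}
    sources = [
        ("loan_origination", LOAN_ORIGINATION, by_login),
        ("funding", FUNDING, by_email),
        ("general_ledger", GENERAL_LEDGER, by_emp),
    ]
    people, orphans = {}, []
    for system, export, resolver in sources:
        for account, ents in export.items():
            emp = resolver.get(account)
            if emp is None:
                # Access that belongs to nobody on the books cannot be
                # certified; it is a finding in its own right.
                orphans.append((system, account))
                continue
            people.setdefault(emp, set()).update(
                f"{system}:{e}" for e in ents)
    return people, orphans


def sod_conflicts(people):
    """Return (employee_number, description) for every rule a person violates."""
    findings = []
    for emp, ents in sorted(people.items()):
        for left, right, description in SOD_RULES:
            if left in ents and right in ents:
                findings.append((emp, description))
    return findings


def compliance_status(people, orphans):
    """Single dashboard signal: 'at risk' if anything needs a reviewer's action."""
    return "at risk" if sod_conflicts(people) or orphans else "compliant"


if __name__ == "__main__":
    people, orphans = collect()
    for emp, ents in sorted(people.items()):
        print(emp, sorted(ents))
    for emp, description in sod_conflicts(people):
        print("SOD CONFLICT:", emp, description)
    for system, account in orphans:
        print("ORPHAN ACCOUNT:", system, account)
    print("status:", compliance_status(people, orphans))
```

The point of the identity map is that no single system can see the conflict: the loan origination export knows "jsmith" and the funding export knows "john.smith@bank.example", and only after both are resolved to the same employee number does the pairing violate a rule. In a real deployment the exports would come from connectors or periodic feeds and the rule set from the bank's policy owners, but the correlation step is the same.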

With this approach, bankers can be assured they meet access-related compliance objectives and be alerted when compliance is at risk.

In doing so, financial institutions can expect to significantly reduce their monitoring costs and, more importantly, reduce the financial exposure resulting from noncompliance, which can reach $100,000 or more per incident in criminal and civil penalties, on top of the loss of customers.

