Posted By Jessica Weisman-Pitts
Posted on October 25, 2022
By Kyle Benson, Director of Product Marketing at Saviynt
The cybersecurity landscape in banking organisations is complex and filled with challenges. For one, with the enormous amount of valuable data on the books, financial institutions will always be a top target for cybercrime, with BCG finding that financial services are 300 times more likely to be the victim of a cyberattack than any other type of organisation. A VMware survey also found that 63% of financial institutions said they’ve seen an increase in destructive attacks targeting their organisation, while nearly three in four survey respondents said they’d been hit by at least one ransomware attack.
A particularly malicious type of attack sees hackers looking to exploit stolen credentials to gain access to bank customer data for the purposes of double extortion. First, they take control of IT resources and demand payment to regain access, and then threaten to divulge or sell customer data on the dark web if a second extortion payment isn’t made. This exposure is a board-level consideration, as any violation of their fiduciary responsibility can lead to serious sanctions, fines and tremendous reputational damage.
The move to hybrid working has also introduced new hurdles and challenges to be mitigated, particularly when it comes to risk. With remote work, hybrid workforces, and cloud-based software technologies becoming ubiquitous, organisations across the banking sector have had to rapidly adopt new strategies to support this new way of working – but have further complicated IT networks, increased the attack surface for cybercriminals and created new risks in the process. Additionally, as banks adopt new technologies such as AI, extend their services across multiple platforms like mobile, and look to digitally transform their operations, the attack surface increases further still.
Added to this, the current labour shortage has seen organisations increasingly turn to third-party suppliers and subsequently put themselves at even greater risk. Without proper due diligence and governance, these third parties could have access to information they shouldn’t, and when organisations don’t know how many third parties have this kind of access, the risk factor is increased again. According to the Ponemon Institute, 66% of companies have no idea how many third-party relationships they have or how they’re managed – even though 61% reported having a breach attributable to a third party.
Finally, legislation and regulation environments in the banking sector are constantly evolving to protect customer data and keep up with the introduction of new technology and services. But complying with these ever-changing standards can be time-consuming and expensive, and not always easy to implement – according to Banking Policy Institute’s technology division research, CISOs spend 40% of their time resolving numerous regulatory requirements.
So how can banks tackle these challenges head on, and take proactive steps to mitigate risks and secure their environments and their customers’ data? They can start with automated Identity and Access Management.
What is Identity and Access Management?
At its core, Identity and Access Management (IAM) is about ensuring that the right users have the right access to the right resources for the right amount of time and for the right reasons.
IAM is a set of tools used to provide visibility, control and management of identity and access. It does this by focusing on user authentication (the user or identity is who they say they are), authorisation (what permissions they have), access (what they are allowed to access and who grants them that access) and administration (governance and management of access and identities). With these tools, organisations can continuously monitor access and enforce the principles of ‘Zero Trust’, where everything and everyone is considered untrustworthy until verified.
IAM consists of two parts: identity management and access management. These govern how users interact with data and applications across information systems, networks, databases, and software. An identity can be any person, object, or code that interacts with information, from on-premises and remote employees, to robotic process automation bots that perform administrative tasks. Each of these identities needs certain resources to complete its job, and access management establishes exactly what those resources are and who needs access to which of them. An account manager at a bank, for example, will require different resources and access than a customer-facing chatbot on that bank’s mobile app.
Why banks should care about IAM
Security perimeters continue to change and expand: hybrid and cloud infrastructures grow more complex, organisations keep integrating new technologies, and an ever-increasing number of identities require identification, authentication and privileges. In this environment, the approach to protecting identity and access needs to be proactive.
This means creating and implementing a policy that limits what information and applications identities – both human and robotic – can access. This is where IAM is indispensable, providing banking organisations with a huge array of benefits, including:
Effective lifecycle management: IAM helps banking organisations keep track of their employees through every stage of their employment, from onboarding to retirement. This matters because as employees progress through an organisation, their permissions and resource requirements change. And when an employee leaves or transfers, their access needs to be restricted or removed completely. Managing identity lifecycles for an entire organisation is extremely complex, so having an IAM programme that facilitates this process is invaluable.
Accurate request fulfilment: With an increasing number of new identities cropping up across an organisation, from third-parties to bots, all requesting access to different resources in different places, IAM can help fulfil those requests accurately and quickly.
Intuitive user experience: Every identity will require different access, and it’s likely most of these identities will have a different level of IT knowledge (this is even true of bots). IAM solutions can make things easier by ensuring everyone can make requests to get to the resources they need to do their job properly.
Extra layer of auditing: Compliance-heavy banks are no strangers to an audit, and they can ensure they are continuously compliant and secure by using IAM systems to identify weaknesses. By using the data from IAM solutions to produce activity reports and by analysing the data for any discrepancies or risk factors, like Separation of Duties violations, banks can work to mitigate issues before any damage is done.
Flexible cybersecurity: In the world of hybrid work, organisations are constantly changing shape and need to manage identities across multiple technologies, across different work environments and for an ever-changing number of users. Having a flexible IAM system that is compatible with either on-premises or cloud technologies is key to protecting an organisation, based on the needs of the business.
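The definition of IAM above (right users, right resources, right amount of time) and the lifecycle, auditing and Separation of Duties points in this list are easier to see in working code. The following is an added example written for this article; it is not code from the author or from Saviynt, and the roles, entitlements, identities and SoD rule it uses are constructed for illustration. It models joiner/mover/leaver events, time-bound role grants that expire on their own, an authorisation check that a bot and a human both go through, and an audit query that reports any identity holding a toxic combination of entitlements.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed role model: role -> entitlements it confers.
ROLE_ENTITLEMENTS = {
    "account_manager": {"crm.read", "crm.write", "core_banking.view_account"},
    "payments_clerk": {"payments.create"},
    "payments_approver": {"payments.approve"},
    "chatbot": {"faq.read", "core_banking.view_balance"},
}

# Constructed Separation of Duties rule: nobody may both create and approve a payment.
SOD_RULES = [("payments.create", "payments.approve")]


@dataclass
class Identity:
    name: str
    kind: str                                  # "human" or "bot"
    roles: set = field(default_factory=set)
    active: bool = True
    expiry: dict = field(default_factory=dict)  # role -> last valid date (time-bound grants only)


class Directory:
    """Minimal identity store with lifecycle events, time-bound access and an audit trail."""

    def __init__(self):
        self.identities = {}
        self.audit_log = []   # (event, identity, detail) tuples for later reporting

    def _log(self, event, name, detail=""):
        self.audit_log.append((event, name, detail))

    def joiner(self, name, kind, roles):
        self.identities[name] = Identity(name, kind, set(roles))
        self._log("joiner", name, ",".join(sorted(roles)))

    def mover(self, name, new_roles):
        # A transfer replaces the old role set; access must not accumulate across moves.
        ident = self.identities[name]
        ident.roles = set(new_roles)
        ident.expiry = {r: d for r, d in ident.expiry.items() if r in ident.roles}
        self._log("mover", name, ",".join(sorted(new_roles)))

    def leaver(self, name):
        # Offboarding deactivates the identity and strips every role at once.
        ident = self.identities[name]
        ident.active = False
        ident.roles.clear()
        ident.expiry.clear()
        self._log("leaver", name)

    def grant_temporary(self, name, role, days, today):
        ident = self.identities[name]
        ident.roles.add(role)
        ident.expiry[role] = today + timedelta(days=days)
        self._log("temp_grant", name, f"{role} until {ident.expiry[role]}")

    def effective_roles(self, name, today):
        ident = self.identities[name]
        if not ident.active:
            return set()
        return {r for r in ident.roles if r not in ident.expiry or today <= ident.expiry[r]}

    def entitlements(self, name, today):
        ents = set()
        for role in self.effective_roles(name, today):
            ents |= ROLE_ENTITLEMENTS.get(role, set())
        return ents

    def authorise(self, name, entitlement, today):
        allowed = entitlement in self.entitlements(name, today)
        self._log("authz", name, f"{entitlement}={'allow' if allowed else 'deny'}")
        return allowed

    def sod_violations(self, today):
        # Audit query: every identity whose effective entitlements hit a toxic pair.
        found = []
        for name in self.identities:
            ents = self.entitlements(name, today)
            for a, b in SOD_RULES:
                if a in ents and b in ents:
                    found.append((name, a, b))
        return found


def demo(today=date(2022, 10, 25)):
    d = Directory()
    d.joiner("alice", "human", {"account_manager"})
    d.joiner("bob", "human", {"payments_clerk"})
    d.joiner("faq-bot", "bot", {"chatbot"})
    # Bob covers for an absent approver for five days: a time-bound grant that creates a toxic combination.
    d.grant_temporary("bob", "payments_approver", days=5, today=today)
    violations_now = d.sod_violations(today)
    violations_later = d.sod_violations(today + timedelta(days=6))   # grant has lapsed
    # Alice transfers to payments: her CRM access goes away rather than piling up.
    d.mover("alice", {"payments_clerk"})
    alice_crm = d.authorise("alice", "crm.write", today)
    d.leaver("bob")
    bob_after = d.authorise("bob", "payments.create", today)
    return {
        "violations_now": violations_now,
        "violations_later": violations_later,
        "alice_crm_after_move": alice_crm,
        "bob_after_leaving": bob_after,
        "bot_entitlements": d.entitlements("faq-bot", today),
        "audit_events": len(d.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The SoD report flags Bob only while his temporary approver role is live; once the grant lapses the violation clears without anyone remembering to revoke it, which is the "right amount of time" part of the definition. The audit log collected by every event and authorisation decision is the raw material for the activity reports mentioned under auditing.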
Conclusion
Banking organisations will always be facing new and different risks, and will always have the need to meet stringent compliance requirements for data privacy and security. With IAM, they can ensure their data is protected from unauthorised access and that they remain compliant with industry regulations by ensuring that the right users have the right access to the right resources for the right time and for the right reason.