Access Controls for Access and Control
The list of acronyms is daunting: FFIEC, FRB, FDIC, OCC, NCUA, CFPB, ACSSS, CSBS, NASCUS and SLC. As anyone who works in banking or financial services recognizes, that list reflects the fact that banks answer to more state, local and federal governing bodies and agencies combined than any other industry.
While keeping them all straight in your head might seem challenging enough, the real issue is that each of these agencies imposes specific mandates and requirements on banks as part of its regulatory and oversight responsibilities. Financial institutions must translate the components contained within the applicable mandates and requirements into effective “controls” designed to measure and address the associated security gaps. Among those controls, there is a specific subset that poses an increased level of concern and difficulty for financial institutions: Access Controls.
Understanding the specific challenges associated with access, and designing, deploying and maintaining successful access controls to meet those challenges, is a significant part of a security professional’s core responsibilities for banks and financial services organizations. It is also one of the most complex and challenging.
Fundamentally, the goal of access control is to oversee and ensure the creation of specific policies and mechanisms designed to control access by authorized individuals and devices, while disallowing access to all others. Authorized individuals may include employees, technology service provider (TSP) employees, vendors, contractors, customers or visitors. Access should be authorized and provided only to individuals whose identity is established and their activities should be limited to the minimum required for business purposes.
Authorized devices are those for which placement on the network is approved in accordance with institutional policy. Change controls are typically used for devices inside the external perimeter and to configure institution devices to accept authorized connections from outside the perimeter. Effective access control mechanisms include numerous controls throughout all layers of the network stack to safeguard and limit access to key information system assets.
If you do nothing other than establish strategic and effective access controls, you are covering a majority of security and compliance requirements. But how do you get to that point? How do you design and maintain electronic and enforceable boundaries that also enable you to measure the efficiency and effectiveness of the program and calibrate the controls accordingly?
There are several considerations here, including identifying the authorized individuals and what they should have access to and which devices are authorized according to institutional policy. But how do you make those determinations? And how does the answer to that question create informed decisions about how an effective control mechanism operates?
Each of the categories of access requires specific policies and procedures, as well as underlying and supportive levels of automation, to build robust access controls. Each category comes with its own set of challenges, and requires a correspondingly specific set of solutions:
Access Rights Administration. Effective controls require assigning users and devices the minimum access required to perform necessary functions, updating access rights as needed, implementing a frequent access rights review process, and designing appropriate acceptable-use policies.
Authentication. Authentication mechanisms must align with the needs of applications and/or services, accommodate the introduction of multi-factor authentication, and include basic measures like password encryption and personal identification numbers.
Network Access. Controls should create common asset groupings/domains (servers, applications, data and users), establish and sustain access requirements within and between each domain, and monitor cross-domain access events for policy violations and anomalous activity.
Operating System Access. This begins with securing access to administrative tools/utilities, restricting and monitoring privileged access, and logging and monitoring user or program access to sensitive resources. Controls should also provide alerts on critical security events, deliver updated operating systems and security patches, and secure all devices (workstations, laptops, tablets, etc.) that can access the operating system.
Application Access. Access controls in this category should deploy authentication and authorization controls for applications, monitor access rights to ensure minimum required levels and correlate with current user needs (including possible time-of-day limitations on access), log access and security events, and provide rapid analysis of user activities.
Remote Access. Remote communications should be enabled only as needed. Access should be controlled via approvals and reviewed through regular audits; robust, end-to-end controls over remote access configurations should be implemented; all remote access communications should be logged and monitored; remote access devices should be secured; and authentication and encryption protocols should be deployed.
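The network and application access categories above both come down to the same monitoring task: take the access events that are logged, compare each one against the access policy (which domains may talk to which, and when), and surface the violations. The following is an added example illustrating that check; it is not code from the original article or from the authors' firm. The log line format, the domain names, the permitted-flow table and the time-of-day window are all constructed assumptions.

```python
"""Scan constructed access-log lines for cross-domain policy violations and
out-of-hours access.

Added example, not code from the original article. The log format, the
domain names, the permitted-flow table and the access window are all
assumptions made up for this illustration.
"""
import re
from datetime import datetime

# One event per line: ISO timestamp (UTC) followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z"
    r" user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)

# Constructed policy: which (source domain, destination domain) pairs may talk.
ALLOWED_FLOWS = {
    ("branch", "core-banking"),
    ("ops", "core-banking"),
    ("ops", "backup"),
}

# Constructed time-of-day limit: branch users may only reach other systems
# between 07:00 and 19:00 UTC. Source domains not listed have no window.
ACCESS_WINDOW = {"branch": (7, 19)}

# Constructed sample log lines (one is deliberately malformed).
SAMPLE_LOG = """\
2024-03-04T09:12:44Z user=alice src=branch dst=core-banking action=read
2024-03-04T02:31:10Z user=bob src=branch dst=backup action=restore
2024-03-04T23:05:01Z user=carol src=ops dst=backup action=restore
this line is not in the expected format
2024-03-04T12:00:00Z user=dave src=branch dst=backup action=read
"""


def parse_line(line):
    """Return an event dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event


def evaluate(event):
    """Return the list of policy violations for one event (empty if clean)."""
    reasons = []
    flow = (event["src"], event["dst"])
    if flow not in ALLOWED_FLOWS:
        reasons.append(f"flow {event['src']}->{event['dst']} not permitted")
    window = ACCESS_WINDOW.get(event["src"])
    if window is not None:
        start, end = window
        hour = event["ts"].hour
        if not start <= hour < end:
            reasons.append(
                f"access at {hour:02d}:00 UTC outside window "
                f"{start:02d}-{end:02d} for {event['src']}")
    return reasons


def scan(log_text):
    """Scan a block of log text; return findings and a count of unparsed lines."""
    findings = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            unparsed += 1  # lines that do not parse deserve a look of their own
            continue
        for reason in evaluate(event):
            findings.append((event["ts"].isoformat(), event["user"], reason))
    return {"findings": findings, "unparsed": unparsed}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ts, user, reason in result["findings"]:
        print(f"{ts} {user}: {reason}")
    print(f"unparsed lines: {result['unparsed']}")
```

Run against the sample, the scan flags bob twice (an unpermitted branch-to-backup flow, and access at 02:00 UTC), flags dave once for the same flow during business hours, passes alice and carol, and reports one unparsed line. Keeping the policy as data (the flow set and window table) rather than hard-coded conditions is what lets the same scan be re-run as domains and requirements change.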
Perhaps the biggest and most common access control problem is simple human error: companies frequently do not do what they are supposed to do in terms of updating and maintaining appropriate access controls. This problem tends to grow over time. As promotions and interdepartmental moves mount, current access levels tend to go with the employee and are frequently not updated to reflect new operational and employment realities; this is especially common with fast-growing companies.
As a result, longtime employees tend to have much more access than they should have. Temporary solutions – granting someone temporary access in an emergency situation, for example – frequently go uncorrected and can compromise an entire system of access controls. A small exception here, a minor tweak there, and it is all too easy to let it get away from you.
Once those errors begin to mount, it is almost impossible to get the access control genie back in the bottle. Even the best strategies must have a program in place to maintain oversight, provide reporting capabilities and facilitate changes as necessary.
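The access-rights review called for under Access Rights Administration is the control that catches the drift just described: a periodic comparison of what each user currently holds against what their current role is supposed to need, with temporary exceptions tracked to an expiry date so they cannot quietly become permanent. The following is an added example of such a review; it is not code from the original article or from the authors' firm. The roles, entitlement names and user records are constructed, and the only assumption is that the institution maintains a table of the entitlements each role is meant to have.

```python
"""Periodic access-rights review against a role baseline.

Added example, not code from the original article. The roles, entitlement
names and user records below are constructed for illustration; the one
assumption is that the institution keeps a table of which entitlements each
role is supposed to have.
"""
from datetime import date

# Constructed baseline: the minimum set of entitlements each role needs.
ROLE_BASELINE = {
    "teller": {"core-banking:read", "cash-drawer:write"},
    "loan-officer": {"core-banking:read", "loan-origination:write"},
    "sysadmin": {"core-banking:read", "ad:domain-admin", "backup:restore"},
}

# Constructed user records. "temporary" maps an entitlement granted as an
# emergency exception to the date on which it should have been removed.
USERS = [
    {"user": "alice", "role": "loan-officer",          # moved over from teller
     "entitlements": {"core-banking:read", "loan-origination:write",
                      "cash-drawer:write"},
     "temporary": {}},
    {"user": "bob", "role": "teller",
     "entitlements": {"core-banking:read", "cash-drawer:write",
                      "backup:restore"},
     "temporary": {"backup:restore": date(2023, 1, 15)}},
    {"user": "carol", "role": "sysadmin",
     "entitlements": {"core-banking:read", "ad:domain-admin",
                      "backup:restore"},
     "temporary": {}},
    {"user": "dan", "role": "auditor",                  # role nobody defined
     "entitlements": {"core-banking:read"},
     "temporary": {}},
]


def review_access(users, baseline, today):
    """Return (user, entitlement, reason) findings as of the review date."""
    findings = []
    for rec in users:
        if rec["role"] not in baseline:
            # no baseline means nothing can be judged; flag the whole record
            findings.append((rec["user"], "*",
                             f"role {rec['role']} has no baseline"))
            continue
        allowed = baseline[rec["role"]]
        for ent in sorted(rec["entitlements"]):
            expiry = rec["temporary"].get(ent)
            if expiry is not None:
                if expiry < today:
                    findings.append((rec["user"], ent,
                                     f"temporary grant expired {expiry.isoformat()}"))
                # an unexpired temporary grant is a sanctioned exception
                continue
            if ent not in allowed:
                findings.append((rec["user"], ent,
                                 f"not in baseline for role {rec['role']}"))
    return findings


def excess_by_user(findings):
    """Count findings per user so reviewers can prioritise follow-up."""
    counts = {}
    for user, _, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for user, ent, reason in review_access(USERS, ROLE_BASELINE, date(2024, 6, 1)):
        print(f"{user:6} {ent:24} {reason}")
```

On the constructed data, alice surfaces with a cash-drawer entitlement left over from her teller days, bob with an emergency backup grant that expired over a year ago, and dan because nobody ever defined a baseline for his role; carol, whose access matches her role, produces no finding. The review is only as good as the baseline table, so keeping that table current is part of the same control.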
Another structural problem is the rapid evolution of systems and technologies. A company that was convinced it was secure five years ago is almost certainly at risk today with that same level of access control. This rapid evolution, together with the tendency of companies to accumulate vulnerabilities over time (and for those access control exposures to increase risk exponentially along the way) contributes to a phenomenon known as risk drift.
Risk vs. Convenience
One of the biggest access control questions facing decision-makers at banks and financial institutions today involves balancing risk and convenience. Ultimately, banks need to ask themselves how far they are willing to extend themselves for their end users and what level of risk they are willing to assume in the process. Traditionally, banks have erred on the side of risk avoidance, being very reluctant to expose data to outside risks. That has changed dramatically in the past 10 years as the ubiquity of mobile platforms and more powerful apps has made convenience, productivity and accessibility competitive priorities.
Thankfully, once you understand the risks and challenges associated with access controls, organization-specific solutions tend to be relatively straightforward. Some are procedural and administrative, some technical and some physical. Some just require a little creativity. The difficult issue of personal devices storing sensitive data, for example, has become less about placing access controls on the device itself (which is expensive and does not scale) and more about controlling data on the application level, which is more manageable, adds value and is cost effective. For example, you can deploy an application that wraps the email functionality on a phone in a figurative bubble, encrypting any data that actually resides on the phone itself and making it possible to lock or delete that data remotely if necessary.
This is the type of elastic access control solution that banks and financial institutions can and should be working toward as they move forward in a world where regulation and access controls will likely play an increasingly important role.
Mr. Guracech is chief operating officer and Mr. Gregory is practice manager, IT Governance, Security and Identity Protection, at Troy, Mich.-based Creative Breakthroughs, Inc. (CBI), an industry leader in IT advisory services, network security, integration and infrastructure management strategies. They can be reached at [email protected] and [email protected] respectively.