IAM Audit in an Age of Rising Risk
If ever an incident breathed life into an essential discipline, it was the 2008 discovery that a rogue trader lost €4.9 billion at France’s Société Générale. The discipline it awoke was Identity and Access Management (IAM), shining a bright light on IAM gaps. The trader’s modus operandi reportedly was to create fictitious trades and far exceed his trading amount authority, occasionally concealing outsize gains by intentionally creating losing trades and stealing logins. It worked for years because of weak and/or ignored IAM rules and monitoring.
At Lincoln National Corp. in 2010 multiple users shared user names and passwords in violation of the company’s IAM policies, but the Radnor, Penn.-based insurance company lacked a system that would have alerted management to two different people logging in at the same time with the same identity. The result was an egregious leak of customer information to the wrong parties and a damaged reputation for the company.
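The Lincoln National gap described above is a detection problem: the same identity active in two places at once. The following is an added example, not code from the article or from any bank named in it, showing the minimal check such a system would run over login/logout events. The log format, user names, IP addresses and session ids are constructed for the example; the rule flags overlapping sessions for one identity only when they come from different source addresses, so a single user with two windows open from one workstation is not reported.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log (hypothetical format): "timestamp user event src_ip session_id".
# jsmith is used from two different addresses at the same time; adoe's two
# overlapping sessions come from the same workstation and are not an alert.
SAMPLE_LOG = """\
2010-03-01T09:00:00 jsmith LOGIN  10.1.4.22  s1
2010-03-01T09:05:00 jsmith LOGIN  10.7.9.140 s2
2010-03-01T09:10:00 adoe   LOGIN  10.1.4.30  s3
2010-03-01T09:30:00 jsmith LOGOUT 10.1.4.22  s1
2010-03-01T09:40:00 adoe   LOGOUT 10.1.4.30  s3
2010-03-01T10:00:00 adoe   LOGIN  10.1.4.30  s4
2010-03-01T10:05:00 adoe   LOGIN  10.1.4.30  s5
2010-03-01T10:15:00 jsmith LOGOUT 10.7.9.140 s2
"""


@dataclass
class Session:
    user: str
    src_ip: str
    session_id: str
    start: datetime
    end: Optional[datetime] = None


def parse_sessions(log_text: str, default_duration: timedelta = timedelta(hours=8)) -> List[Session]:
    """Pair LOGIN/LOGOUT events into sessions. A session with no LOGOUT is
    treated as still open for `default_duration` after it started."""
    open_sessions: Dict[str, Session] = {}
    sessions: List[Session] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip, sid = line.split()
        t = datetime.fromisoformat(ts)
        if event == "LOGIN":
            s = Session(user, ip, sid, t)
            open_sessions[sid] = s
            sessions.append(s)
        elif event == "LOGOUT":
            s = open_sessions.pop(sid, None)
            if s is not None:
                s.end = t
    for s in sessions:
        if s.end is None:
            s.end = s.start + default_duration
    return sessions


def find_concurrent_logins(sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """Return (user, session_a, session_b) for every pair of sessions of the
    same identity that overlap in time and originate from different addresses."""
    alerts: List[Tuple[str, str, str]] = []
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    for user, user_sessions in by_user.items():
        user_sessions.sort(key=lambda s: s.start)
        for i, a in enumerate(user_sessions):
            for b in user_sessions[i + 1:]:
                if b.start >= a.end:
                    break  # sorted by start: no later session can overlap `a`
                if a.src_ip != b.src_ip:
                    alerts.append((user, a.session_id, b.session_id))
    return alerts


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    return find_concurrent_logins(parse_sessions(log_text))


if __name__ == "__main__":
    for user, a, b in detect(SAMPLE_LOG):
        print(f"ALERT: identity {user} active concurrently in sessions {a} and {b} from different addresses")
```

In production the same rule would run against the directory or SSO audit trail rather than a text file, and the alert would be routed to the people who own the identity, which is exactly the notification the article says was missing.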
It’s not just deliberate fraud that creates IAM exposure. It can be poor management or just innocent mistakes by users or administrators. The risk of exposure has led, over the years, to a raft of regulations, including Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, Basel II and the European Union’s Directive on Data Processing. These have contributed to a spike in spending on IAM, which according to a recent IDC report amounted to almost one-third of information security spending worldwide.
At its simplest, IAM is the process of managing who has access to what systems and data over time. It consists of the strategy and rules for protecting your bank against unauthorized access to bank, customer and employee data.
Making information secure isn’t that hard if that’s your only goal. But systems and information don’t exist to be locked down. They exist to be used. Their value depends on how well they enable authorized users to access them seamlessly, swiftly, from different devices, different locations, and with the precise access permissions each user is entitled to. That is the other face of IAM – enabling.
Those twin capabilities of IAM – protecting and enabling – and the costs involved have made IAM top-of-mind for bank CEOs, chief information officers and compliance officials. A third IAM capability lies in the near future: the ability of IAM technology to identify patterns that could indicate that rules or policies are being breached.
It is increasingly apparent that yesterday’s mechanisms are far short of what the new environment requires. Would an IAM audit at your bank reveal these common deficiencies?
Lack of integration. The downside of investing in off-the-shelf or best-of-breed applications, business by business, is that they typically come with proprietary security and access models. They are difficult to integrate into the rest of the bank’s IAM apparatus, creating risk and cost in the gaps. Proprietary custom-developed solutions can be designed for easier integration while also offering robust and scalable performance, ultimately costing less and being more easily supported.
Separate security and access rules. If myriad rules for security and access have to be defined and dealt with application by application, the effort consumes time and expert resources that could be allocated much more efficiently if the effort were enterprise-oriented rather than application-based.
Business-level IAM, not enterprise. Business-level IAM makes it difficult to set up automated workflows. If tight security means three days instead of two hours for new employees to get access, the cost is too high. When IAM is managed at the business instead of the enterprise level, users also face the inefficiency of multiple logins for different systems, which are difficult to revoke when necessary.
Customer access. One of the riskiest areas in terms of compliance and exposure to lawsuits is customer-facing access. Increasingly, customers expect access to their information and accounts from any location on any device. The IAM nightmare is granting the wrong customer access to the wrong customer. Banks fear the headlines as much as the penalties.
Centralization. When the IAM function has not centralized its information about who has access to which systems, and about where risks have already been identified for monitoring, there is a high price to pay when a real or even suspected violation is detected. Not having the information at hand means a slow response when urgency is needed. And it takes an expensive, labor-intensive effort just to identify the vulnerabilities, even before steps are taken to rescind access.
Manual provisioning. Another area of cost and risk involves manual provisioning, where several people in several roles must take multiple steps simply to grant a single permission or access right. Automated provisioning lets the bank deploy a system using pre-defined procedures that require no manual intervention, rapidly, efficiently and at reduced risk.
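The two preceding points, a central record of who holds what and provisioning driven by pre-defined rules, are the same data set looked at from two sides. The following added example (not the article's or any vendor's code) shows the core of an automated, role-based provisioning step: desired entitlements are derived from each person's role in the HR record, compared with what the systems actually hold, and turned into a grant/revoke plan, while a separation-of-duties rule is checked over the same inventory. Role names, systems, permissions, users and the SoD rule are all constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]  # (system, permission)

# Hypothetical role model: role -> system -> permissions granted by that role.
ROLE_ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "teller":        {"core_banking": {"view_account", "post_deposit"}},
    "trader":        {"trading": {"enter_trade"}, "market_data": {"read"}},
    "trade_control": {"trading": {"approve_trade", "view_blotter"}},
}

# Hypothetical separation-of-duties rule: entering and approving trades may
# not be held by one identity.
SOD_RULES: List[Tuple[Entitlement, Entitlement]] = [
    (("trading", "enter_trade"), ("trading", "approve_trade")),
]

# Constructed HR record (source of truth for roles). "xleft" has no record: the
# person has left, but an account still exists in the systems below.
USER_ROLES: Dict[str, Set[str]] = {
    "jsmith": {"trader"},
    "adoe":   {"teller"},
    "rlee":   {"trade_control"},
    "tmoved": {"teller"},   # moved from the trading desk to a branch
}

# Constructed snapshot of what the systems actually hold (the central inventory).
ACTUAL_ACCESS: Dict[str, Set[Entitlement]] = {
    "jsmith": {("trading", "enter_trade"), ("market_data", "read"), ("trading", "approve_trade")},
    "adoe":   {("core_banking", "view_account")},
    "rlee":   {("trading", "approve_trade"), ("trading", "view_blotter")},
    "tmoved": {("core_banking", "view_account"), ("core_banking", "post_deposit"), ("trading", "enter_trade")},
    "xleft":  {("core_banking", "view_account")},
}


def desired_access(user_roles: Dict[str, Set[str]],
                   role_model: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Set[Entitlement]]:
    """Expand each user's roles into the set of entitlements they should hold."""
    desired: Dict[str, Set[Entitlement]] = {}
    for user, roles in user_roles.items():
        ents: Set[Entitlement] = set()
        for role in roles:
            for system, perms in role_model.get(role, {}).items():
                ents.update((system, p) for p in perms)
        desired[user] = ents
    return desired


def reconcile(desired: Dict[str, Set[Entitlement]],
              actual: Dict[str, Set[Entitlement]]) -> Dict[str, Dict[str, List[Entitlement]]]:
    """Compute the grant/revoke plan that brings `actual` in line with `desired`.
    An account with no HR record is desired to hold nothing, so it is fully revoked."""
    plan: Dict[str, Dict[str, List[Entitlement]]] = {}
    for user in sorted(set(desired) | set(actual)):
        want = desired.get(user, set())
        have = actual.get(user, set())
        grant, revoke = sorted(want - have), sorted(have - want)
        if grant or revoke:
            plan[user] = {"grant": grant, "revoke": revoke}
    return plan


def sod_violations(access: Dict[str, Set[Entitlement]],
                   rules: List[Tuple[Entitlement, Entitlement]]) -> List[Tuple[str, Entitlement, Entitlement]]:
    """Report every identity holding both halves of a separation-of-duties pair."""
    hits = []
    for user, ents in sorted(access.items()):
        for a, b in rules:
            if a in ents and b in ents:
                hits.append((user, a, b))
    return hits


if __name__ == "__main__":
    plan = reconcile(desired_access(USER_ROLES, ROLE_ENTITLEMENTS), ACTUAL_ACCESS)
    for user, actions in plan.items():
        print(user, "grant:", actions["grant"], "revoke:", actions["revoke"])
    for user, a, b in sod_violations(ACTUAL_ACCESS, SOD_RULES):
        print(f"SoD violation: {user} holds both {a} and {b}")
```

Running the reconciliation on a schedule, with the plan applied by connectors rather than by hand, is what turns the central inventory into automated provisioning; the SoD report over the same inventory is the kind of pattern check the article anticipates as IAM's third capability.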
You are not alone if you believe your bank has some of these IAM deficiencies. Banks that have been tightly focused on the IAM challenge for years and spent heavily on IAM software are still dealing with significant risk exposure, costly manual intervention and gaps in features and interoperability. Most IAM executives have found that there is no substitute for a methodical approach that unfolds more or less in the following manner:
Know your gaps. A business-line-by-business-line review of your current operation is, in our experience, likely to unearth a wide variety of findings. Some of your areas will show a stellar IAM job, others huge gaps. Some have installed slick solutions but may be limited in scalability or flexibility. Some have all the right rules but monitor them poorly.
Know the software market. Here there is less than meets the eye, if you keep in mind that spot solutions all have the downside of making enterprise IAM more difficult. Your survey of the marketplace should be biased toward those that permit enterprise IAM.
Know your risk tolerance. Remember IAM has two aims: to protect information and to enable your information to be used properly. Locking down information too tightly from legitimate users is anathema to your bank’s business.
Know your costs. Sometimes automated IAM can make bank workers more efficient, but sometimes it can hinder their work. Generalizing is useless; having the facts makes your decision more obvious. An additional cost factor to calculate is that of managing multiple IAM solutions.
Think enterprise but start small. The IAM leader of a large bank with leading edge IAM capabilities started a multi-year IAM project by first conceiving of the solution in the broadest terms: governance, business process, risk mitigation and scalable architecture. But the bank then proceeded to create and implement it by beginning with one business unit and expanding methodically, building confidence throughout the bank by monitoring their performance and controls and using agile development to make incremental improvements without slowing the process.
When a process like this is followed, with appropriate checkpoints at frequent intervals, the result can be a financial institution with an IAM solution that matches its needs, is flexible for future needs and scalable for handling growth, while mitigating risk and ensuring compliance as cost-effectively as possible.