Identity Access Management Systems Need to Focus on Greatest Risks
Manual processes leave financial institutions open to insider threats, according to a new study by the Ponemon Institute, which found that nearly 60 percent of U.S. businesses and government agencies report they lack the information or the technology to deal with insider threats to their networks.

“For the financial services industry there are some important implications in terms of account takeover, authentication credential and a very big risk of a harmful event if someone gains control of part of a financial institution’s network,” said Larry Ponemon, President of the Ponemon Institute.

The study showed that 58 percent of respondents still rely on manual controls to audit and control user access to critical enterprise systems and data resources, leaving networks open to privacy breaches, failed audits, and potential fraud or misuse of data. It also showed that 71 percent of respondents consider identity compliance activities strategically important, and that these activities consume an average of 28 percent of total IT compliance budgets. Respondents (64%) said they have deployed an identity and access management (IAM) system, a category that includes access control, password management, provisioning, and role management. That alone is not solving the problem, though: the study also shows that almost 60 percent of respondents say their companies are unable to effectively focus IAM controls on the areas of greatest business risk. Ponemon added that this is a "severe" risk.

Ponemon explained that the threat of an insider at a financial institution has a higher loss potential: “If you think about it, retail banks and credit unions, rather than say an Amazon.com, have a lot more to lose if some hacker gets a user’s account information. The financial services industry by itself creates a lot of risk of this happening, if identities are not secured through strong access management controls. A better job needs to be done on this; financial institutions talk a good game, but breaches are still happening.”

He continued, pointing out that only certain personnel should have access to these records within financial institutions. “Unless you’re doing behind-the-scenes compliance and monitoring, you don’t know if it’s true or not when you say ‘only these people can see this information.’”

Access errors, whether accidental or the result of an intentional breach, can be among the most costly events for a financial institution, he said. “Financial institutions have grown through acquisitions and mergers, and there are many with pre-existing legacy systems that are still connected to servers holding customer information. Just to get them connected and talking to each other is not an easy thing to do, and many banks have done a miserable job in securing these legacy systems with their access control systems,” Ponemon added.

A great deal of identity risk management needs to take place around these legacy systems. At one financial institution Ponemon visited, he counted 400 to 500 systems, many of which were linked to newer systems, and many of the older legacy systems ran on mainframe technology. Between the old and the new there must be a unified identity and access management system in place, he stressed.

“There is a myth that many hold that the older mainframe systems are basically safe because they’re not connected to the internet,” he noted. “Think about the connectivity within your networks,” he advised. “Insider threats are higher with mainframe technology when you don’t have identity access management controls,” he said. Other points he encouraged included: identity and access management should span the whole institution and be role based, not position based; a strong compliance program with provisioning and enforcement is key; and credentials should be monitored on a regular basis, not just when someone leaves the company.
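The three recommendations above (role-based entitlements, continuous credential monitoring rather than off-boarding-only checks, and focusing IAM controls on the systems of greatest business risk) can be turned into an automated access review. The following is an added example written for this page; it is not code from the article, the Ponemon Institute, or any vendor. The role names, system names, risk weights, and the four accounts are all constructed for illustration, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Automated access review, added as an example for this page.
Entitlements are attached to roles (role based, not position based),
every credential is checked on each run rather than only at off-boarding,
and findings are ranked by the business risk of the system involved.
All roles, systems, weights and accounts below are constructed data."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Role-based model: permissions belong to roles, never to individuals.
# Permission strings are "<system>:<action>" (constructed naming convention).
ROLE_PERMISSIONS = {
    "teller": {"core-banking:read"},
    "loan-officer": {"core-banking:read", "loan-system:write"},
    "mainframe-admin": {"core-banking:read", "core-banking:write", "mainframe:admin"},
}

# Assumed business-risk weight per system; higher means a finding on that
# system is reviewed first (the "focus on greatest risk" point).
SYSTEM_RISK = {"mainframe": 5, "core-banking": 4, "loan-system": 3}

REVIEW_DATE = date(2024, 6, 1)   # constructed review date
MAX_IDLE_DAYS = 90               # assumed dormancy policy


@dataclass
class Account:
    user: str
    roles: set
    last_used: date
    employed: bool = True                          # False once HR marks departure
    direct_grants: set = field(default_factory=set)  # permissions granted outside any role


def effective_permissions(acct):
    """Union of the account's role permissions and any direct grants."""
    perms = set()
    for role in acct.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms | acct.direct_grants


def has_access(acct, permission):
    return permission in effective_permissions(acct)


def risk_of(permission):
    system = permission.split(":", 1)[0]
    return SYSTEM_RISK.get(system, 1)


def review(accounts, today=REVIEW_DATE, max_idle_days=MAX_IDLE_DAYS):
    """Return (risk, user, message) findings, highest business risk first.

    Three conditions are flagged: orphan accounts of departed users,
    credentials unused beyond the dormancy threshold, and permissions
    granted directly rather than through a role (position-based drift).
    """
    findings = []
    for a in accounts:
        perms = effective_permissions(a)
        top = max((risk_of(p) for p in perms), default=0)
        idle = (today - a.last_used).days
        if not a.employed and perms:
            findings.append((top, a.user, "orphan: departed user still holds access"))
        if idle > max_idle_days and perms:
            findings.append((top, a.user, f"dormant: unused for {idle} days"))
        for p in sorted(a.direct_grants):
            findings.append((risk_of(p), a.user, f"out-of-role grant: {p}"))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


# Constructed sample population: one clean account and three problem cases.
SAMPLE_ACCOUNTS = [
    Account("alice", {"teller"}, REVIEW_DATE - timedelta(days=5)),
    Account("bob", {"loan-officer"}, REVIEW_DATE - timedelta(days=120)),
    Account("carol", {"mainframe-admin"}, REVIEW_DATE - timedelta(days=10), employed=False),
    Account("dave", {"teller"}, REVIEW_DATE - timedelta(days=1),
            direct_grants={"mainframe:admin"}),
]

if __name__ == "__main__":
    for risk, user, msg in review(SAMPLE_ACCOUNTS):
        print(f"risk={risk} user={user}: {msg}")
```

Run on the sample population, the review surfaces the departed mainframe administrator and the teller holding a direct mainframe grant ahead of the dormant loan officer, because the mainframe carries the highest assumed risk weight. Feeding it a real identity inventory would replace the constructed `SAMPLE_ACCOUNTS` with data exported from the IAM system and HR feed.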


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.