Tackling the IAM Challenge - Jay Arya of Investor's Savings Bank
In an exclusive interview, Jay Arya, 1st VP of Information Security at Investor's Savings Bank, discusses:
Arya was promoted First Vice President in charge of Information Security on Jan. 1. Prior to this appointment he worked in Investor's Savings Bank's IT Group since 2001 and handled a wide range of IT and Security responsibilities. As the Bank's Information Security Officer, Arya focuses on managing data security and enhancing the overall security posture of the Bank. Prior to joining Investors, he worked at Prudential Insurance in Finance.
Investors Savings Bank, with over $7 billion in assets and a network of 58 branches in has been serving New Jersey residents since 1926.
TOM FIELD: Hello, I'm Tom Field, Editorial Director with Information Security Media Group. We're talking today about identity and access management. With us is Jay Arya, First Vice President in Charge of Information Security with Investors Savings Bank. Jay, thanks so much for joining me today.
JAY ARYA: You're welcome Tom.
FIELD: Give me a sense of context here. What are the biggest IAM challenges at your institution?
ARYA: Investors Savings Bank, like many other banks, has several different applications and platforms that are being used by various business units. Since the platforms are independent, managing access and enforcing security is a cumbersome and time-consuming process. In that regard, we have a distributive technology platform, and layering uniform security policy across the segments is the greatest challenge.
FIELD: So how are you addressing this challenge, Jay?
ARYA: Investors Bank has made a commitment to keep our data secure, and in that regard we have a team of individuals performing due diligence and looking at solutions that would manage identity and access control across the different platforms we have right now. We are also looking at provisioning solutions which could make the process of user creation and access management easier. Among the products, we are giving preference to solutions that can integrate some sort of biometric control. This will not only centralize identity management but also serve the operational interest part of the equation.
FIELD: That sounds exciting. What do you foresee as your biggest obstacles to solving these issues that you have identified?
ARYA: The process of identity management tends to be more complex than most other IT security projects. The process has to be made seamless in order to be used effectively. Plus, the platform would support legacy as well as newer applications that are in use today, and be scalable for future applications. So, the real question here is, what resources are being used and by whom? For example, a file containing reporting data should only be accessed by staff that needs it to perform their jobs. With that in mind, the ability to manage different identities across separate platforms is a difficult process and there's one solution. Selecting a different single point solution with the expectation that it will solve every security problem could lead to discrepancy and higher cost in the long run. Finding the right technology that would address the IAM challenges, while delivering low cost of ownership and improve efficiency, is the biggest obstacle.
FIELD: When you get a solution, or solutions, in place, how do you measure progress in something like IAM?
ARYA: Measuring progress definitely is difficult Tom. But it can be looked at from a higher level in terms of evaluating risk as risk management components are measured through assessments, and in those terms the progress can be defined quantitatively.
FIELD: Now you mentioned biometrics. What are the types of technology solutions that you believe are really going to help you improve the issues that you have now?
ARYA: Biometrics is just a component of your whole solution. For the identity management platform, it needs to be scalable and be able to integrate and manage different applications and its security requirements. That will definitely improve the IAM overall.
FIELD: This is something you've certainly been thinking about for awhile, Jay. If you sat down and tried to boil it down to a bit of advice, what would you suggest to another banking and security leader trying to get a handle on their own identity and access management issues in these times, when this has become such a critical issue for financial institutions?
ARYA: The Gramm-Leach-Bliley and Sarbanes-Oxley are high on your list, but due to giving advice, planning is definitely critical in a high impact like this. Developing a strategy would be an important first step, to address not only the security requirements of your policy but also take into account the business functionality and the operational efficiency. It is a fine balance between those two. In that respect, our bank, Investors Savings, has approached security in a proactive manner and we are always seeking better solutions that would enhance control and reduce risk. I would suggest evaluating different platform, and compare features on each to make sure they align with your requirements and then provide solutions you are looking for to reduce risk. I would do this because for any security solution to be successful one has to understand the risk, the underlying technology and its implications to business. I would like to summarize this by saying, know your business and make security everyone's business.
FIELD: Jay, that's well said.
ARYA: Thank you Tom.
FIELD: I look forward to talking to you again and getting a sense of the progress you do make when you get your solution in place. And I especially look forward to hearing about the biometrics and how that is received.
ARYA: Likewise. I'll be happy to share some thoughts with you.
FIELD: Jay, thanks so much for taking time and sharing your insights and experiences today.
ARYA: Thanks for having me.
FIELD: We've been talking with Jay Arya with Investors Savings Bank. For Information Security Media Group, I'm Tom Field. Thank you very much.