Organizations are feeling the heat. Companies across all industries are under pressure to innovate and create new ways of doing business to stay relevant. For financial services organizations in particular, these pressures are even stronger due to fierce competition from industry behemoths as well as new, “born digital” start-up companies. Among the many challenges: balancing complex and ever-changing regulatory and compliance requirements with efforts to boost effectiveness and reduce costs through digital transformation, cloud service usage and smarter business processes.
A key component of such innovations is enabling optimal user access to systems while ensuring appropriate security measures are maintained. For a growing number of organizations, internal and external users are accessing systems from all over the world and from a variety of devices. This means that the identities of these users and their associated access, rather than the network, are forming the new security boundary around the organization. This paradigm shift highlights the importance of getting identity and access management (IAM) right, both to facilitate the business and to stay ahead of audit, compliance and regulatory requirements.
Security and Privacy Trends in Financial Services
In the global Executive Perspectives on Top Risks for 2019 study from Protiviti and the NC State University ERM Initiative, which included responses from 825 board members and executives worldwide, “cyber threats” and “privacy/identity management and information security” were two of the top 10 risks for 2019. Furthermore, “existing operations meeting performance expectations, competing against ‘born digital’ firms,” which ranked tenth in 2018, jumped to the top of the list for 2019.
Verizon’s 2018 Data Breach Investigations Report analyzed more than 2,200 confirmed data breaches, 76 percent of which were financially motivated and 28 percent of which involved insiders. The Verizon report also showed that 75 percent of breaches are tied to credential theft and otherwise ineffective IAM, including RAM-scraping malware, phishing and privilege abuse.
How do financial services organizations balance these risks, along with compliance and regulatory pressures, against the demands of a business that wants streamlined services, more efficiency and more automation? Effective IAM programs establish the process and governance and provide the services that help companies excel in today’s fast-paced landscape. However, most organizations have substantial room for growth in their IAM processes. Protiviti’s benchmarking data suggests that fewer than one in five organizations are optimized to deliver IAM services that both reduce risk appropriately and consistently meet emerging regulatory requirements.
Getting Your IAM Program Right
IAM programs need to demonstrate compliance with regulation, mitigate major risks to the enterprise, and provide effective and efficient services to the organization. Organizations can deploy all the latest technology they can get their hands on, but without a mature IAM program over all of it, the technology will neither provide the business the value it seeks nor demonstrate to audit and compliance organizations that it is meeting control requirements.
The IAM program must be treated as an ever-living component and service provider to the business, rather than a series of one-off IT initiatives in response to audit, compliance or business triggers. Specifically, robust IAM programs require:
- An effective operating model;
- A maintained and communicated IAM roadmap; and
- The right skillsets and expertise to both manage existing and deploy new IAM services to the organization.
We recently published a paper on five common identity and access management pitfalls that hamper organizations and that must be addressed in order to remain both compliant and relevant in the new digital landscape. As we detail in our paper, these pitfalls are:
- Lack of an effective operating model to ensure organizational alignment to continuously improve IAM services
- Lack of meaningful metrics
- Lack of an IAM roadmap with effective ongoing demand-management practices
- Insufficient business-analyst involvement in IAM
- Technology as the primary focus of IAM investment
Furthermore, IAM programs must be able to articulate key metrics tied to enterprise business and security control objectives. When communicated to the organization, these metrics should provide a view of IAM program health, demonstrating compliance and progress against remediation activities and informing business cases for future investment.
These metrics must be visible to executives and used to drive accountability for the performance of the IAM program. In our view, they fall into one of three categories: coverage, performance and user communities.
IAM for the Digital Future
Financial services organizations are investing significant resources in cloud-based technologies, including infrastructure, platform and software as a service. These allow for rapid scaling, moving operational burden from the organization to expert third parties, and can add substantial value and competitive advantage.
That said, these services also create potential audit, compliance and regulatory concerns with respect to IAM. Many organizations, in fact, struggle to support IAM and privileged access management (PAM) in these environments in a way that both adds business value and mitigates the aforementioned risks. Companies must take heed of the importance of both IAM and PAM in cloud and orchestrated environments.
Following are some important questions for management, especially IT leadership, to consider:
(1) Is the company aware of all of its compliance and regulatory requirements to ensure that enterprise policy, standards and cloud-specific IAM requirements are appropriately aligned?
For example, does the organization have defined requirements and processes around how privileged accounts used by orchestration tools and in orchestrated environments are being managed, including request and approval, password management, and recertification?
If not, cloud service usage can create compliance challenges that otherwise would not be present on-premises.
(2) Does the organization have sufficient staff expertise in managing IAM in cloud environments?
If not, the organization risks deploying ineffective solutions and creating audit, risk and compliance concerns. Building that expertise may include general cloud security training as well as product-specific certifications.
(3) Has the organization deployed the tooling needed for effective IAM and PAM processes? This includes:
- Integrating these cloud applications and services with the enterprise identity governance and administration (IGA) tool;
- Ensuring the organization has PAM capabilities to manage privileged credentials in these dynamic environments; and
- Deploying the right authentication patterns to provide a smooth user experience along with sufficient security and risk mitigation.
Robotic Process Automation (RPA)
As a particular subset of their digital transformation, financial services organizations are spending significant sums to automate repetitive, time-consuming tasks via robotic process automation (RPA), a business process automation technology that uses bots, or software robots, to automate tasks by mimicking the steps a human user would typically take to complete the tasks. The Financial Brand’s report, 10 Technologies That Will Disrupt Financial Services in the Next 5 Years, states that RPA can help companies reduce the cost of administrative and regulatory processes by at least 50 percent while improving quality and speed. (Note: Protiviti has published extensive content on the use of RPA. For more information, visit www.protiviti.com/RPA.)
This can free up staff for other tasks that require critical thinking and can be a huge differentiator against the competition. However, RPA brings with it a set of new IAM challenges, as IAM controls that historically have been deployed for human users tend to break down in an environment in which RPA is being employed.
One of the most significant risks we see with organizations using RPA is in segregation of duties (SoD). Humans managing bots that execute various business processes adds a layer of complexity and potential SoD concerns: a person who cannot hold two conflicting entitlements directly may still be able to exercise both if one is granted to a bot they control. With RPA in place, organizations need to be able to track access requests, approvals, recertification and potential SoD violations across both the access of humans and the access of the bots those humans manage, which also means every bot must have an accountable human owner.
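As an added illustration (not code from the original article or from Protiviti), the following Python script shows what an SoD check that spans humans and the bots they manage looks like. The rule set, the principal names and the entitlement names are all constructed for this example; a real check would read them from the identity governance tool. A human’s effective access is taken to be their own entitlements plus those of every bot they own, and bots with no owner are reported separately because nobody can recertify them.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Hypothetical SoD rules (constructed for this example): pairs of entitlements
# that one person must never be able to exercise together, directly or via a bot.
SOD_RULES: List[Tuple[str, str]] = [
    ("vendor.create", "payment.approve"),
    ("payment.create", "payment.approve"),
    ("journal.post", "journal.approve"),
]


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                                   # "human" or "bot"
    entitlements: FrozenSet[str] = frozenset()
    owner: Optional[str] = None                 # bots only: the human who manages the bot


def effective_access(human: Principal, principals: List[Principal]) -> Dict[str, Set[str]]:
    """Map each entitlement the human can exercise to the principals that grant it.

    A human's effective access is their own entitlements plus those of every bot
    they manage, because the manager can direct the bot to use them.
    """
    access: Dict[str, Set[str]] = {}
    for ent in human.entitlements:
        access.setdefault(ent, set()).add(human.name)
    for p in principals:
        if p.kind == "bot" and p.owner == human.name:
            for ent in p.entitlements:
                access.setdefault(ent, set()).add(p.name)
    return access


def sod_violations(principals: List[Principal], rules=SOD_RULES):
    """Return one record per (human, rule) where both sides of the rule are reachable.

    Each record lists which principals grant each side, so a reviewer can see
    whether the conflict is direct (human holds both) or indirect (via a bot).
    """
    violations = []
    for human in principals:
        if human.kind != "human":
            continue
        access = effective_access(human, principals)
        for left, right in rules:
            if left in access and right in access:
                violations.append(
                    (human.name, (left, right), (sorted(access[left]), sorted(access[right])))
                )
    return violations


def orphan_bots(principals: List[Principal]) -> List[str]:
    """Bots with no accountable human owner cannot be recertified or SoD-checked."""
    return sorted(p.name for p in principals if p.kind == "bot" and p.owner is None)


# Constructed sample population (not real data).
SAMPLE: List[Principal] = [
    Principal("alice", "human", frozenset({"vendor.create"})),
    Principal("bot-ap-01", "bot", frozenset({"payment.approve"}), owner="alice"),
    Principal("bob", "human", frozenset({"journal.post", "journal.approve"})),
    Principal("carol", "human", frozenset({"payment.create"})),
    Principal("bot-rpt-02", "bot", frozenset({"report.read"}), owner="carol"),
    Principal("bot-legacy-03", "bot", frozenset({"payment.approve"})),  # no owner
]

if __name__ == "__main__":
    for human, rule, sources in sod_violations(SAMPLE):
        print(f"SoD violation for {human}: {rule[0]} via {sources[0]}, {rule[1]} via {sources[1]}")
    print("bots without an owner:", orphan_bots(SAMPLE))
```

In the sample, alice never holds payment.approve herself, yet the check flags her because the bot she manages does; bob is a plain direct conflict. The same traversal can be run at request time (before approving a new bot entitlement) and at recertification (over the full population), which is the point of tracking human and bot access in one model.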
Additionally, multi-factor authentication (MFA) cannot be enforced for bots in the same way it is for humans, because a bot has no second factor to present and no person at the keyboard to approve a prompt. Instead, bot credentials should be held in and issued by a PAM tool, or protected by a hardware security module (HSM), depending on the process(es) the bot is carrying out, rather than embedded in the bot’s scripts or configuration. Implementing these controls is critical to guard against internal or external threats of bot credential compromise or misuse.
We’ve observed many organizations rushing to stay competitive by deploying RPA without planning for these IAM and PAM considerations. With the use of new technologies, new threats typically follow. While the risks we’ve summarized here need to be planned for, additional new risks will need to be identified and mitigated. Organizations must remain diligent to stay aware of the shifting technology landscape and the potential threats that accompany those shifts.
The Ever-Changing Regulatory Landscape
The increasing attention to data security and privacy has prompted, and will continue to prompt, new and stricter legislation that has significant IAM impacts, considering that much of our data can now be accessed from various locations and devices. The General Data Protection Regulation (GDPR), the Cybersecurity Requirements of the New York State Department of Financial Services (NY DFS 500) and the coming California Consumer Privacy Act (CCPA), to name a few, introduce new requirements that organizations must meet or face significant financial penalty as well as organizational reputational harm. (For more information on IAM and the GDPR, read Protiviti’s paper, GDPR and Identity and Access Management, available at www.protiviti.com/US-en/insights/gdpr-and-identity-and-access-management).
This means that IAM organizations must balance business desires for streamlined, smooth authentication experiences against compliance requirements that dictate when MFA or risk-based authentication is mandated (e.g., for any access to personally identifiable information (PII), for all privileged activities, etc.). Similarly, administrator-level users with high-risk access to sensitive data may need to perform their duties under advanced PAM controls such as session recording, even if that slightly impacts user experience.
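To make the balance concrete, here is an added example (not from the original article or from Protiviti) of the kind of authentication policy such requirements turn into when written as code. The rule names, the risk signals, the scoring weights and the step-up threshold are all hypothetical; a real deployment would take them from the organization’s control catalogue and its risk-based authentication product. The evaluator reports every rule that fired, not just the first, so the decision can be shown to an auditor.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    privileged: bool                  # administrator-level action
    touches_pii: bool                 # target holds personally identifiable information
    managed_device: bool              # device is enrolled and compliant
    new_location: bool                # first sign-in from this country for this user
    failed_logins_last_hour: int = 0


def risk_score(req: AccessRequest) -> int:
    """Constructed risk model: the signals a risk-based authentication engine weighs."""
    score = 0
    if not req.managed_device:
        score += 40
    if req.new_location:
        score += 30
    score += min(req.failed_logins_last_hour, 5) * 10   # cap so one signal cannot dominate
    return score


RISK_STEP_UP_THRESHOLD = 50   # hypothetical: above this, step up to MFA

# Ordered policy: (rule name, condition, controls the rule mandates). Rule names
# are hypothetical and would map to the organization's own control references.
POLICY: List[Tuple[str, Callable[[AccessRequest], bool], Set[str]]] = [
    ("privileged-activity", lambda r: r.privileged, {"mfa", "pam-session-recording"}),
    ("pii-access", lambda r: r.touches_pii, {"mfa"}),
    ("risk-step-up", lambda r: risk_score(r) >= RISK_STEP_UP_THRESHOLD, {"mfa"}),
]


def required_controls(req: AccessRequest) -> Tuple[List[str], List[str]]:
    """Evaluate every rule and return (sorted controls, names of rules that fired).

    Rules accumulate rather than short-circuit, so an administrator touching PII
    from an unknown device is recorded under all three rules; that record is what
    demonstrates compliance. If nothing fires, a plain password sign-in suffices.
    """
    controls: Set[str] = set()
    fired: List[str] = []
    for name, condition, mandated in POLICY:
        if condition(req):
            controls |= mandated
            fired.append(name)
    if not controls:
        controls.add("password")
    return sorted(controls), fired


if __name__ == "__main__":
    # Constructed requests, not real traffic.
    for req in (
        AccessRequest("admin1", privileged=True, touches_pii=False, managed_device=True, new_location=False),
        AccessRequest("clerk1", privileged=False, touches_pii=False, managed_device=True, new_location=False),
        AccessRequest("clerk1", privileged=False, touches_pii=False, managed_device=False, new_location=True),
        AccessRequest("analyst2", privileged=False, touches_pii=True, managed_device=True, new_location=False),
    ):
        controls, fired = required_controls(req)
        print(f"{req.user}: require {controls} (rules: {fired or ['baseline']})")
```

The ordinary clerk on a managed device from a known location gets the frictionless path the business wants; the same clerk on an unmanaged device in a new country is stepped up to MFA by the risk rule alone, and privileged or PII access is stepped up regardless of risk score because the compliance rules do not depend on it.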
It is crucial that IAM organizations partner both with the business and with risk and compliance groups to ensure alignment on these types of requirements. This will allow for IAM services deployed to the organization that can not only serve as a differentiator in a competitive financial services landscape, but also ensure compliance with regulation and risk mitigation.
IAM is top of mind for financial services C-suites and boards as well as for their regulators, as evidenced in the results of the Protiviti/NC State Executive Perspectives on Top Risks survey and Verizon’s 2018 Data Breach Investigations Report. To remain relevant and allow the business to succeed in a rapidly changing landscape while maintaining a strong risk and security posture, IAM programs, process and governance, and technology need to be aligned.
Partnerships among the business, the IAM program, and risk and compliance groups are becoming increasingly critical to striking this alignment. No single group can make the informed, risk-based decisions crucial to the company’s success in a vacuum. In a competitive environment where process and technology changes can either propel the organization to new heights or cause significant risk and potential negative impacts, it is crucial to solve for this partnership throughout the organization.
Note: Benchmarking data based on Protiviti IAM and PAM assessments and the CMMI Level 5 definition of “optimizing.”