- Identity and access management is perceived as one of the greatest threats to cyber security.
- Inefficient management of electronic identities creates compliance risks, high cost and reputational damage – particularly for financial services.
- The Australian market is on a growth trajectory, though some challenges need to be overcome during the journey.
When it comes to keeping tabs on who has access to your data, you’d do well to look to the financial services sector for best practice.
Both in Australia and beyond, businesses operating in financial services are leading the charge when it comes to identity and access management (IAM). And rightly so: the industry stands to lose a lot from any cyber compromise – from healthcare records stored by insurers, to credit card details held by banks – particularly when we’re talking about a threat labelled by PwC’s latest cyber report as one of two ‘juggernauts’ posing the greatest perils to information security.
Why is identity management
Identity and access management is the practice of understanding who has access to the systems within an organisation, identifying what level of access they should have, and monitoring that access.
It can apply to verifying the electronic identity of customers logging into a service such as online banking, as well as managing access to internal systems for all staff and contractors working within an organisation.
Inefficient management of staff access leaves enterprises open to greater risk of employees and contractors performing activities in their roles that they shouldn’t be allowed to. This is no small concern: current and former employees remain the two leading sources of information security compromise.
Another factor propelling forward the urgent need for robust identity management is the fact that banks and other services are increasingly engaging mobile workforces, mobile devices and cloud technology. This sprawling network means it is becoming ever more difficult to manage access in a traditional manner – so new solutions must be sought. One of these solutions is to adopt cloud-based services to manage IAM, a practice that rose globally over the last year by 48%.
of staff access
At its core, managing the electronic identity of employees has two facets:
- Governance – reviewing existing access to the systems on a regular basis for compliance.
- Provisioning/de-provisioning – managing the identity life cycle to create, modify and delete user accounts (such as for joiners, transfers and leavers) through a well-defined process.
Both these fronts must be managed effectively to protect an organisation from both internal and external cyber threats.
Risks aside, there are also high costs associated with poor provisioning of access. These arise from delays in on-boarding and off-boarding users as well as processing requests. So there is an argument from an efficiency perspective to maintain a robust approach.
the finance hand
One of the drivers that’s particularly acute for financial services is compliance. Acknowledging the depth of liability involved if someone gained rogue access to their systems, organisations are routinely audited and therefore need to comply with regulations to prove that they’re managing the risks.
Regulatory bodies such as APRA uphold strict regulations. Larger financial institutions whose footprint extends beyond Australia also have to comply with requirements laid out by international bodies such as the SEC or MAS.
Of course, it’s not just regulation and efficiency that pushes these firms to take their identity management practices seriously. The types of data held by banks and insurers, for example, are particularly sensitive and therefore of greater value to hackers – which makes them an attractive target. What would it do to a bank’s reputation to be compromised as the result of a poorly managed access system?
The challenge of
While the UK and the US are considered global leaders in IAM maturity, the Australian market is fast catching up. Most large organisations are considering a strategic and long-term approach when looking at their IAM needs.
Over the last five years or so, most major financial institutions have made significant investments in implementing the latest IAM technology solutions. There are now multiple products available to address the breadth of requirements, but choosing the right one and effectively rolling it out still presents some challenges. The implementation of an IAM solution is never just a technology change: it needs to be seen holistically in order to reap the full benefits.
Since the scope of IAM covers the entire company – some with global reach – business processes, including organisation structures and roles and responsibilities, must be reviewed and overhauled. This means, for example, checking the access of every staff member and contractor and, if required, re-defining them in order to accommodate the new automated processes – a lot of work indeed.
However, the implementation of a new IAM solution also presents an opportunity to review user data stores and sources to reduce waste of resources. Imagine having an IT system running in parallel to a human resources system that maintains identity data, and not knowing which one should be trusted as a source of truth.
Given the meticulous nature of this work, it’s advisable to take small steps at a time to move along the path to maturity. While this does make for a longer process, it means you have higher confidence in responding to the risks and in ensuring that all nuances specific to your organisation are indeed addressed.
The financial services industry will continue to be a leader for IAM growth in Australia and across the world, continuously driven by the high level of risk involved and the increasing complexity of their business systems.
The next few years are expected to bring in more automation to the existing IAM products. Those that have been developed so far will become more consolidated, either through organic growth or acquisitions, to address requirements as a single solution. United, they may be better equipped to face the oncoming juggernaut.
This article was co-written by Ameya Deshpande, Senior Manager, and Michael Cerny, Partner, Cyber Security, at PwC Australia.
For further reports on cyber security and financial services, download the financial services summary of the Global State of Information Security Survey 2016.