Industry
Banking
Banking Services Transformation: Unlocking Exponential Value
Highlights
- When financial institutions operated with on-premise data centers, excess permissions and privileges were granted to roles and identities for seamless delivery of financial services.
- Such excess privileges can pose security risks when carried over to the cloud and also be misused by bank employees for malicious purposes.
- Embracing cloud infrastructure entitlement management (CIEM) can help financial institutions address the difficulties posed by unused, broken, or excess access and privileges granted to cloud identities, in turn improving their cybersecurity posture.
On this page
Rising risks and threats
Cloud adoption will undeniably deliver an array of benefits to financial institutions, but it comes with certain cybersecurity risks.
One such risk stems from the privileges granted to different identities and roles within the organization. Securing identities is a key aspect of a robust security framework. A strong identity and access management (IAM) system plays a crucial role in efficiently governing the increasing number of users and their access privileges.
When banks and financial institutions operated with on-premise data centers, wide privileges were granted to roles and identities for efficient discharge of responsibilities. Such privileges were wider in scope than necessary; however, as the data centers were on-premise, they did not pose much of a security threat. But when the same set of privileges and accesses are carried over to the public cloud during lift-and-shift cloud migration, such misconfigured permissions heighten threat vectors and widen the attack surface, making banks an easy target for cyber-attackers.
Another point to note is that the scope of roles and permissions given to cloud identities for seamless functioning of applications and to adapt to the dynamic nature of the cloud usually exceeds service requirements. Such IAM misconfiguration leads to accumulation of unused permissions on cloud identities, posing a security threat. As the application migration to cloud matures, banks must ensure visibility into accumulated and unused permissions. Additionally, there is the threat of bank employees misusing or exploiting such broader privileges to access and steal or alter sensitive data for malicious purposes.
A breach or cyberattack can result in business downtime and have other negative impacts: loss of reputation and customer trust, intense regulatory scrutiny and/or penalties, and even financial loss. One research report reveals that 75% of respondents surveyed said that security compromises were facilitated by over-entitled and/or over-permissioned access while 66% said that digital identities that should have been inactive were compromised during an incident.[1] Capital One, an American bank, reported a data breach where misconfigured cloud access and privileges were exploited to steal the data of more than 100 million customers.[2]
Why CIEM
Cloud infrastructure entitlement management (CIEM) can help financial institutions overcome the challenges of unused, broken, or excess access and privileges granted to cloud identities.
Such a solution must be reinforced by an IAM policy based on the principle of least privilege (POLP). This means that users are given the bare minimum access and permissions necessary to perform their jobs. Applying the least privilege principle to IAM policies enables security and operational teams to restrict access to network, systems, and resources thereby mitigating security risks in multi-cloud environments.
In a multi-cloud environment, deploying a robust CIEM solution along with efficient IAM systems and governance tools can deliver multiple benefits to financial institutions, which are:
- Better control over identities with excess privileges and access rights that are vulnerable to cyberattacks or may be targeted by malicious insiders
- Better oversight over administrative mistakes that can result in interruption of cloud-hosted services leading to business downtime
- Enhanced security posture through continuous visibility into cloud identities making it difficult for bad actors to exploit IAM vulnerabilities and gain unauthorized access
- Compliance with regulatory audit requirements due to better visibility into the rectification process
- Automatic remediation of excess identity permissions by leveraging AI and ML algorithms and alerts on over-exposed permissions
- Compliance with security and privacy regulations such as GDPR, SOC2, and HIPAA
Zero-trust security
Banks and financial institutions must adopt a zero-trust security model and lay down clearly defined IAM policies.
In addition, they must adopt a CIEM solution to constantly monitor the cloud environment and ensure operations within defined access controls. To protect financial institutions’ cloud infrastructure in multi-cloud environments from cyberattacks, banks and financial institutions must lay down a consistent approach considering the following aspects:
IAM policies: Financial institutions must establish clear IAM policies for the cloud environment and ensure granular accountability and governance of access. The IAM policy must specify a process to define right-size entitlements for all cloud-based identities, resources, and services. To fulfill this, financial institutions must:
- Create cloud security architecture forums with IAM experts and leverage their expertise in IAM controls, policies, and regulatory requirements to understand the challenges associated with infrastructure and application deployment.
- Define clear guidelines and policies that will take care of different IAM functions such as identity life cycle management, access request management, role and entitlement management, application and service account management, access reconciliation and recertification, and compliance reporting.
- Define clear privilege access management (PAM) processes based on the least privilege principle. PAM must define processes for providing temporary, granular access to custom roles. The access must be limited to enabling the employee to perform a task, which will minimize the attack surface. Often, higher privileges are granted to users on a temporary basis to complete a particular task. The system should also be able to monitor and revoke such higher privileges after the task is completed. For example, when a mobile banking application, where customer data resides, needs an urgent update, a support staff will be given temporary permission to enable the software patch. Such permission will be withdrawn once the update is complete.
CIEM solution: We believe that banks and financial institutions must adopt a CIEM solution equipped with the following capabilities:
- Discovery: Discover all identities irrespective of who is using them, be it human, shadow accounts, or machines. These identity types can be native or federated. The solution must include tools with the ability to discover identities across the different types of cloud technologies the organization operates with. It must be able to understand the complex entitlement relationships and identify all the granular permissions granted to identities. For example, to update an internet banking application, where confidential customer data resides, a DevOps associate may be granted wider permission, which can become a threat if the permission is not revoked once the task is completed.
- Optimization: Detect cloud identities with excess permissions and entitlements that are unused or broken and remove them to prevent misuse. Human access to resources and services should be limited to the requirements of the role. The solution must continuously monitor how the identities use the permissions and keep track of deviations from the defined access controls based on the least privilege principle. For example, in an internet banking application, webserver identities need read-only access to the database while application server identities will need read and write access to the database to process the account information. But monitoring and analytics identities will need limited database access adequate for capturing analytical insights—the privileges here will be lower than those needed by web server and application server identities.
- Centralized controls and dashboard: Provide a centralized overview of entitlements across multiple cloud platforms through a dashboard. Put in place controls to monitor resource-level, service-level, and management-level entitlements and a standard process to apply IAM policies across varied cloud environments. The dashboard must provide multi-dimensional views to understand the threat exposure score of a resource due to unused permissions and identify if the entity is administration, shadow administration, multi-factor authentication (MFA)-enabled or unmanaged. For example, trading applications often access data from multiple cloud environments and the dashboard provides a central view of all the entitlements. This makes it easier for the administrator to take remedial action on revoking unused and excess privileges, thereby ensuring effective governance. The dashboard also offers a view of compliance trends and entitlements heat map.
- Analytics: Leverage AI-powered tools to perform user and entity behavior analytics (UEBA) and create identity entitlement data trends. This will help financial institutions identify potential dangers from a particular identity’s entitlements. The solution must automatically feed the alerts and recommendations into the security orchestration, automation, and response (SOAR) system for appropriate remedial action. For example, insurance companies expose application programming interfaces (APIs) to agents to allow access to insurance products. The analytics tool analyzes agent behavior and activities and generates a report on the permissions and entitlements granted to agents. This helps the insurer monitor the permissions granted to the agents and ensure that they are in line with the principle of least privilege.
Theory to action: Once financial institutions have defined their CIEM approach, the next step is to implement it in a manner conducive to reaping all the benefits. This will require financial institutions to:
- Define a strategy with key milestones and timelines.
- Assess if they should build an entirely new technology platform using different native cloud services or use a software-as-a-service (SaaS) solution from a third-party vendor. Costs and the time taken to launch the platform are key to this decision.
- Run a proof of concept (PoC) in a sandbox environment, perform all integrations and test all features and use cases.
- Design an enterprise integration and policy monitoring strategy and plan the rollout.
- Deploy the solution and ensure operational readiness to continuously strengthen cloud security guardrails.
A comprehensive approach to cybersecurity
Protecting customer data is a critical business imperative for the financial services industry.
A full bouquet of services will help banks and financial services firms tackle the cybersecurity challenge comprehensively. This would include:
- Consulting services for IAM: maturity assessment, strategy and architecture, product evaluation, implementation roadmap
- Professional services: identity and access governance, authentication and authorization, single sign-on and federation, privileged access management
- Managed services: technical support, product upgrades, enhancement and maintenance of IAM controls, user account lifecycle management and access certifications
For fast-track deployment of cloud IAM and CIEM solutions based on the zero-trust policy, we propose accelerators built using industry standards and policies:
- IAM maturity framework and reference architecture
- IAM controls and assessment
- Certified SI professionals
- IAM policies and guardrails
- Automated scripts with reusable rules
In a cloud environment, security is defined by the access and permissions that users are granted. Cloud identities with excess privileges are a security risk that financial institutions must address on priority to prevent cyberattacks. To achieve this, they must implement a zero-trust security model and establish clear IAM policies and guidelines.
[1] Used with permission from SailPoint
[2] Used with permission from TechTarget
