Tailoring Transformation
Banks need to create streamlined security processes
- By Kim Lorusso, Kuppusami Natesan
- Mar 05, 2007
The retail banking industry is undergoing a significant transformation accompanied by increasing regulatory compliance requirements, consumer demands and industry consolidation—all while working to provide the best in customer service and maintain operational efficiency. But these needs and challenges share one common thread—secure access to systems.
Employees in the front and back office are spending valuable hours managing and gaining access to systems and applications running the business, from entering and keeping tabs on a number of passwords, to ensuring passwords and access are protected to maintain security policy integrity. But this can take the focus away from strategic efforts. Retail banks need to be able to enforce security and better address compliance needs, which improves productivity, satisfies consumer demands and, most importantly, drives revenue and profitability.
Process vs. Productivity
With the heightened awareness of identity theft, many banks have measures in place to address and confront the fraud. However, internal processes and measures are under more scrutiny with a number of federal and industry regulations such as the Gramm-Leach-Bliley Act, Sarbanes-Oxley, HIPAA, the Patriot Act, Basel II and multi-factor authentication measures as recommended by the FFIEC.
But despite the “watchful eye” and internal security policies, employees need to access business-critical applications without interruption. Further complicating the issue is current bank infrastructure, which is often made up of legacy systems, homegrown IT applications and systems inherited from mergers and acquisitions. While Web applications also have been introduced, they are not replacing legacy or mainframe IT systems anytime soon. The result is employees with yellow sticky notes all around a monitor to keep track of passwords for a heterogeneous infrastructure, leaving password information exposed for anyone to see. With lost and forgotten passwords comes the sharing of passwords with superiors and other staff members. It’s convenient, but employees are inadvertently violating compliance regulations.
When passwords need to be reset, many retail bank employees rely on the help desk. But the help desk often lacks the ability to provide new access rights via secure channels, as passwords are typically communicated via e-mail or over the phone. According to Gartner, the average cost of a help desk call can run an organization anywhere between $10 and $30, dipping into the bottom line.
Compliance Conundrum
Without being able to effectively track who is accessing what applications when, IT and security staff find themselves scrambling to address compliance requirements without an automated and repeatable process in place. Oftentimes, they are forced to manually track down and report on the information required by various standards affecting the institution, which is inefficient and inaccurate. In today’s world, retail banks cannot afford to be on the front page of The Wall Street Journal for failing to comply with federal regulations.
Addressing challenges surrounding access control across multiple applications is possible when passwords can be streamlined and the system automatically recognizes not only the employee, but each person’s role in the organization. Retail banks often struggle with role-based access because without an automated process, it’s very hard to keep track of and manage credentials in an industry where temporary hires and high turnover are common. There needs to be a standard, automated process to ensure employees have access only to the applications they need. The process also needs to terminate the access rights of former employees.
Retail banks are subject to multiple audits throughout the year, so having a robust, repeatable and automated process is imperative to viability. Automation of access rights also enables organizations to create an audit trail that can effectively and efficiently track compliance throughout the organization.
Sound Security
A sound security infrastructure is critical in providing the agility and streamlined security processes that enable banks to gain a competitive advantage. To achieve this, banks should evaluate custom-tailored solutions that address identity, security and compliance management.
Role-based access contributes to a bank’s ability to meet both security and compliance objectives in line with overarching security goals. For instance, employees should be able to log on from a single workstation and be presented with a screen that displays all necessary applications that are specific to their jobs. This helps to eliminate confusion and ensures employees are not only productive, but also in compliance. Role-based access also creates a trackable and manageable access log, saving time and money come audit season.
It is critical to control and/or reduce the number of passwords employees use to gain access to necessary applications, as it will ultimately reduce the number of sign-on attempts. Security concerns associated with frequent sign-ons can be addressed with strong password policies, one-time passwords and/or strong authentication technologies such as smart cards and biometrics.
Passwords also should sync up with all systems, if possible, to cure the yellow sticky note syndrome. Look for solutions with a self-service interface for password management of employees—so if a password is lost or forgotten, employees can retrieve or reset their own password. In the event of needing to share passwords, consider solutions offering temporary access delegation for physical resources and logical information systems with a single authentication measure.
Regardless of their size, retail banks have a large role to fill in ensuring sensitive information is secure and managed in compliance with a variety of regulations. In an industry where turnover rates are high, it can be a daunting task to ensure access rights are appropriately delegated and controlled—never mind ensuring the access history of all systems is accurate and ongoing. Implementing an identity-based solution that is automated and tailored to the specific needs of the bank can alleviate that angst. The hours and resources once dedicated to piecing together paper audit trails and access control can now be redirected to a bank’s most important asset: the customers.
Best Practices in Information Security Management
Solid security practices improve the overall security of an organization’s infrastructure.
The following are some recommended best practices for implementing a security management framework:
1. Define security policies. Establishing security policies is an important first step in the security management lifecycle. Security policies establish clear guidelines about what needs to be protected, who needs access to what systems and what is considered acceptable behavior throughout the organization, including the use of information technology and considerations around the protection of information assets.
2. Security awareness. Security policies are meaningless unless employees understand their role in enforcement. Employee awareness helps ensure successful policy adoption and execution. Making employees aware of security policies should include training about appropriate processes to follow for password creation and resets. Temporary, roaming and remote employees may require awareness training tailored to their unique circumstances.
3. Security control points. A solid security framework is built upon people, processes and technology. Once processes are established and employees understand their role, a bank can implement technology to support the policies and people. By automating and standardizing the IT controls, banks can realize increased efficiencies while ensuring employees do not violate important policies.
4. Monitor control points. Security management is not a one-time event—it is an ongoing process. Once IT controls are in place, monitoring ensures no violations occur. In other words, IT must still confirm employees are unable to access systems they are not authorized to access.
5. Remediation management and compliance reporting. To complete the circle, banks must implement processes for identifying and remediating any gaps discovered in security frameworks. Using technology to identify and recommend remediation steps can go a long way to ensuring an effective process. Technology also can provide the enhanced visibility that enables a bank to respond in real time to compliance needs such as generating compliance reports.
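The role-based provisioning, automated termination and audit trail described under “Compliance Conundrum”, together with the monitoring of control points in the best practices above, can be sketched as a small model. This is an added example, not code from the article or any product it describes; the roles, applications and employees are constructed sample data.

```python
from dataclasses import dataclass, field

# Role -> applications the role is entitled to (constructed sample data)
ROLE_APPS = {
    "teller": {"core_banking", "check_imaging"},
    "loan_officer": {"core_banking", "loan_origination"},
    "branch_manager": {"core_banking", "loan_origination", "hr_portal"},
}

@dataclass
class Employee:
    user_id: str
    roles: set
    apps: set = field(default_factory=set)  # entitlements actually granted
    active: bool = True

class AccessManager:
    """Derives access from roles, deprovisions on exit and keeps an audit trail."""
    def __init__(self):
        self.users = {}
        self.audit_log = []  # (event, user_id, detail): the audit trail

    def _log(self, event, user_id, detail=""):
        self.audit_log.append((event, user_id, detail))

    def onboard(self, user_id, roles):
        emp = Employee(user_id, set(roles))
        for r in roles:  # entitlements come only from the role, never ad hoc
            emp.apps |= ROLE_APPS[r]
        self.users[user_id] = emp
        self._log("onboard", user_id, ",".join(sorted(emp.apps)))
        return emp

    def terminate(self, user_id):
        emp = self.users[user_id]
        emp.active = False
        emp.apps.clear()  # remove every entitlement in the same step
        self._log("terminate", user_id)

    def review(self):
        """Access review (monitoring the control point): findings an auditor would flag."""
        findings = []
        for emp in self.users.values():
            allowed = set().union(*(ROLE_APPS[r] for r in emp.roles))
            if not emp.active and emp.apps:
                findings.append((emp.user_id, "terminated account still has access"))
            for app in sorted(emp.apps - allowed):
                findings.append((emp.user_id, f"{app} not justified by any role"))
        return findings
```

The review step is what turns the audit log and role model into evidence: an entitlement granted outside the role process, or an account that left the bank without passing through `terminate()`, shows up as a finding rather than as a surprise at audit time.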