A total of 360,083 North American Citigroup credit card accounts were affected by a recent breach of customer's names, emails, account numbers and transaction histories. This is a breach that could have been avoided by inserting simple access controls.
Access controls are a fundamental component of identity and access management. Any financial institution that wants to engage with their customers online is well aware of the need identity and access management.
However, identity and access management deployments are notoriously problematic. The nature of the Citi attack has been well known in security circles for some time. Had the proper access controls been in place, the attack would have likely been contained to a single account.
Many organizations aren't aware of, or equipped to deal with the process mapping and re-engineering that are part and parcel of most identity and access management deployments and all too often critical information gets lost in the fray.
When online identities are compromised, it is almost always just as much a failure of people and process then of not having the right technology.
Identity and access management involves applications that require deep hooks into an organization's existing infrastructure. More often than not, it is only with hindsight that IT leaders learn that those target systems almost always require some sort of maintenance or cleanup.
Here are some practical tips for ensuring the success of your bank’s identity and access management initiative:
- Define what you want to accomplish. For example, streamline compliance reporting and access recertification; reduce time and cost of reviewing access requests; eliminate "ghost accounts," etc.
To be successful, make sure those goals are aligned with C-level business priorities and objectives. For example: if the bank is planning a merger or acquisition, it is critical that its identity and access management strategy, processes, and infrastructure can support the integration without increasing the company's compliance, security or operational risk. - Create and implement an effective identity and access management governance model. You will need to identify and engage all IT and business staff. Make sure they understand what's in it for them, why they are involved, what is expected of them and how much of their time you anticipate needing. Develop a working governance model to solicit their ongoing input and support.
- Decide what is a feasible scope that can be completed in a first phase of deployment, and determine in advance how you will measure and articulate the value to allow the initiative to gain momentum.
- Define processes that will govern your initiative and ensure that they are practical and can scale over time. On the technical side, how are access rights and privileges (also called entitlements) defined, grouped into role hierarchies, requested, assigned, and re-evaluated? Remember IT should not be in the business of approving all access; the appropriate business units should be the one making that decision.
- Classify and clean your data. Beyond being able to uniquely map accounts to individuals across various systems, clean identity data will also mean having entitlements that are appropriately catalogued and prioritized. Not all entitlements are created equal - start with those that have a higher sensitivity.
As you catalogue entitlements, have application owners describe, in plain English, what each entitlement means. You should require application owners to do this inventorying proactively with any new application, prior to the application being brought under governance. - Decide what and how much to automate. There are many choices of products in the identity and access management arena, with many having reached a good level of maturity. Moreover, you also have choices for how you go about it: do you want a traditional, perpetual-license or do you prefer a managed service approach, or a mix of both?
- Recalibrate periodically: fine tune your governance model, review your business level role definitions and recertify entitlement and role assignments periodically.
- Educate yourself, read relevant information — and as you do, ensure that vendor-biased information does not poison you. Join industry forums, talk to peers in your industry that may have done it, whether successfully or not. Even if your team has experience undertaking this kind of effort, there is always something new to learn.
Retire or redefine outdated or obsolete roles, add new ones, ensure the overall number of roles at the highest levels (business or enterprise level) do not grow out of control.
Frank Villavincencio is the executive vice president of Identropy, which provides identity management technology.