Dear reader. This article is part of the English-language magazine Copenhagen Fintech. The content is written in English because it also addresses an international readership attending the Money2020 event, where Berlingske Media is media partner. The magazine is produced by Berlingske Media's commercial editorial team in collaboration with Copenhagen Fintech. Enjoy reading.
Sponsored by Omada
It is no longer enough to manage access only to the core IT systems of financial companies. To efficiently protect personally identifiable information and stay compliant with regulations, companies have to rethink their entire approach to managing the access and entitlements of their employees, says the CTO of Omada.
In 2008, a rogue trader nearly brought down French bank Société Générale. Jérôme Kerviel, then a junior trader at the company, single-handedly managed to make unauthorized trades of 50 billion euros, which ended up costing the bank 4.9 billion euros.
It is not the first – and probably not the last – time a big bank has seen a rogue trader running amok, damaging both the financials and reputation of the company.
What is more alarming, however, is that proper risk control mechanisms to prevent this sort of behaviour were not only missing from Société Générale and other similarly affected companies. Even today, many financial companies struggle with authorization and segregation-of-duty mechanisms. In other words: who gets access to what, when and how.
“When we run audits in financial companies, we often find things that don’t meet the standards of the regulatory authorities,” says Santeri Kangas, CTO of the identity management solution provider Omada.
Risk of unauthorized access
According to Kangas, it is not uncommon for Omada to discover so-called “orphan accounts” in the IT systems of financial companies during an audit. These accounts have no owner, perhaps because the person has left the company without the account being shut down. Sometimes the password is even changed after the person has left, which keeps a door open for people who should no longer have access to the systems. Omada has also discovered accounts that never expire.
“It means somebody could be using the account indefinitely,” Kangas says.
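The audit findings described above (accounts with no living owner in HR, passwords changed after the owner left, and accounts with no expiry) can be checked mechanically by reconciling an application's account export against the HR roster. The following is an added example, not Omada's code or tooling; the roster, account records and field names are constructed sample data, and the lifecycle status values are assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): the HR roster of employees.
# "status" and "left" are assumed field names for this example.
HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob":   {"status": "terminated", "left": date(2017, 3, 31)},
}

# Constructed sample data: accounts exported from one application.
# "svc_batch" has no owner recorded at all; "bob" still exists after leaving.
ACCOUNTS = [
    {"name": "alice",     "owner": "alice",
     "password_changed": date(2017, 6, 1),  "expires": date(2018, 6, 1)},
    {"name": "bob",       "owner": "bob",
     "password_changed": date(2017, 5, 2),  "expires": None},
    {"name": "svc_batch", "owner": None,
     "password_changed": date(2016, 1, 15), "expires": None},
]


def audit_account(account, roster):
    """Return the list of findings for one account (empty list = clean)."""
    findings = []
    owner = account["owner"]
    record = roster.get(owner) if owner else None

    if record is None:
        # No HR record behind the account: nobody is accountable for it.
        findings.append("orphan: no owner in HR roster")
    elif record["status"] != "active":
        # Owner has left but the account was never disabled.
        findings.append("orphan: owner has left the company")
        left = record["left"]
        if left is not None and account["password_changed"] > left:
            # Someone set a new password after the leaver's last day:
            # the account is being kept alive deliberately.
            findings.append("password changed after owner left")

    if account["expires"] is None:
        # Re-certification never forces a review of this account.
        findings.append("account never expires")
    return findings


def audit_accounts(accounts, roster):
    """Map account name -> findings, keeping only accounts with findings."""
    report = {}
    for account in accounts:
        findings = audit_account(account, roster)
        if findings:
            report[account["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_accounts(ACCOUNTS, HR_ROSTER).items():
        print(name, "->", "; ".join(findings))
```

In a real audit the roster would come from the HR system and the account list from each target application's connector; the point of the reconciliation is that an account is only legitimate while a current employee is accountable for it and a review date forces someone to re-confirm that.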
On a general level, he says, companies risk not complying with the general principles laid out across the EU in regulations such as Basel II and Solvency II. Among other things, these require companies to step up their game in terms of control and compliance across their IT environments and to monitor the entire lifecycle of identities in the organization.
For example, to follow the principle of segregation of duty, a person who makes purchases in a company cannot also hold the role that approves those purchases. In addition, the principle of re-certification implies periodically reviewing the access rights of everybody in the company, so that no one retains access to something they shouldn’t.
In Germany, where Omada also operates, financial regulators have taken this a step further to prevent convenience shortcuts. In the past, a single bank manager was enough to authorise a re-certification; such shortcuts are now strictly forbidden, and it is mandatory to have two people approve requests.
Kangas stresses that these principles are also important to increase security and prevent data breaches.
“Over 35% of breaches are committed by insiders, and in nearly all APT (Advanced Persistent Threat) attacks today their identities are being used as an attack vehicle,” he says.
Identity management key to protecting personal data
If these things sound complicated today, it is nothing compared to next year. When the EU General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, many financial companies will have to rethink the way they approach identity management, according to Kangas.
Financial companies usually have measures to reduce risk in systems that involve moving money around. But when the GDPR comes into play, companies will have to expand the scope, he says.
“Now everything needs to be governed. Not just the core banking systems but all those that handle personally identifiable information, like a customer’s name, phone number or email address.”
Implementing these requirements could be complicated without proper tooling. It is not uncommon for a financial company to have hundreds of systems with user access, and because many of those companies still manage accounts and their entitlements manually, through IT service management systems or with aging, homegrown systems, expanding the scope can seem overwhelming.
“It’s no longer just a paper exercise once a year – you need to maintain a full log on who has access to information and who authorized the access. It becomes so expensive and cumbersome, that it doesn’t make any sense to do it manually anymore,” Kangas says.
Automating identity management
The key to managing access in financial companies with a complex environment is, according to Kangas, to automate some aspects of it using role-based access control (RBAC). That means integrating with existing HR systems and automatically assigning the proper user role to each employee based on his or her position in the company. The solution automatically calculates which “birthright” resources employees should have access to and provisions the right resources to them. It also automates common employee lifecycle operations, such as changing department or position, holiday deputy arrangements or going on maternity leave.
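The three mechanisms this article relies on, birthright roles derived from an HR position, a segregation-of-duty check between purchaser and approver, and a re-certification that needs two distinct approvers, fit together in a small policy engine. The following is an added example and not Omada's product logic; the position-to-role table, entitlement names, the purchase-order SoD rule and the baseline entitlements are all constructed assumptions.

```python
# Constructed role model (an assumption for this example, not Omada's):
# (department, position) -> roles, and role -> entitlements.
POSITION_ROLES = {
    ("procurement", "buyer"):   {"purchaser"},
    ("procurement", "manager"): {"po_approver"},
    ("branch", "teller"):       {"teller"},
}
ROLE_ENTITLEMENTS = {
    "purchaser":   {"erp:create_po"},
    "po_approver": {"erp:approve_po"},
    "teller":      {"core:cash_txn"},
}
# Birthright resources every employee receives regardless of role.
BASELINE = {"mail:mailbox", "intranet:read"}

# Segregation-of-duty rules: a set of entitlements that must never be held
# together, with the reason shown to the reviewer.
SOD_RULES = [
    (frozenset({"erp:create_po", "erp:approve_po"}),
     "may not both create and approve purchase orders"),
]


def birthright_entitlements(department, position):
    """Entitlements an employee should hold purely because of their position."""
    entitlements = set(BASELINE)
    for role in POSITION_ROLES.get((department, position), set()):
        entitlements |= ROLE_ENTITLEMENTS[role]
    return entitlements


def sod_violations(entitlements):
    """Reasons for every SoD rule whose toxic combination is fully present."""
    return [reason for combo, reason in SOD_RULES if combo <= entitlements]


def reconcile(department, position, current):
    """Provisioning delta for a lifecycle event such as a change of position:
    (entitlements to grant, entitlements to revoke)."""
    target = birthright_entitlements(department, position)
    return target - current, current - target


def recertify(subject, approvers):
    """Four-eyes re-certification: at least two distinct approvers, and the
    subject of the review may not approve their own access."""
    distinct = set(approvers) - {subject}
    return len(distinct) >= 2


if __name__ == "__main__":
    # A buyer promoted to procurement manager: the purchaser entitlement is
    # revoked when the approver entitlement is granted, so no SoD conflict
    # is created by the move.
    before = birthright_entitlements("procurement", "buyer")
    grant, revoke = reconcile("procurement", "manager", before)
    print("grant:", grant, "revoke:", revoke)
    print("conflicts if nothing revoked:", sod_violations(before | grant))
    print("recert by two managers:", recertify("bob", ["mgr1", "mgr2"]))
    print("recert by one manager twice:", recertify("bob", ["mgr1", "mgr1"]))
```

The revoke half of `reconcile` is what makes the position change safe: an automated move that only ever adds entitlements accumulates exactly the purchaser-plus-approver combination the SoD rule exists to prevent, and `sod_violations` is the check a reviewer would run before confirming any manually requested exception.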
Financial companies in Germany have already adapted to most of these new standards, according to Kangas.
“Germany has been leading this movement which promotes risk governance,” he says and concludes:
“In the rest of Europe, large financial institutions, insurance companies, municipalities and others are now responding to the call.”
This article is part of the commercial publication 'Copenhagen Fintech'.