
By Michael Burling

 

Countries in the Asia Pacific have either legislated or are looking into legislating dual or multifactor authentication requirements for online transactions. Through investing in authentication and identity management solutions, organizations can reduce the cost of enforcing controls, achieve compliance with regulatory guidelines, and reaffirm customer trust. This article argues the case for effective risk management through identity management.

 


Introduction

Internet financial transactions have grown at a tremendous pace with the popularity of online shopping on the rise in Asia. Korea is Asia’s leader in online shopping; e-commerce transactions there grew 37% in 2005. Online shopping volumes in the Philippines and China doubled last year. As the growth in adoption of Internet financial transactions continues, so too does the risk for financial institutions and their customers.

Countries in the Asia Pacific, like Australia, Hong Kong and Singapore, have either legislated or are looking into legislating dual or multifactor authentication requirements for online transactions. Further from home, in October 2005 the United States’ Federal Financial Institutions Examination Council (FFIEC) issued updated guidance on the risk management controls necessary to authenticate the identity of customers accessing Internet-based financial services. The guidance was put in place to address a significant increase in identity theft and fraud, as well as improved authentication technologies and other risk mitigation strategies available to financial institutions. The FFIEC recommendation for compliance by the end of 2006 further heightened the sense of urgency around the adoption of multifactor authentication and new layers of security and control in the financial services industries.

Compliance in the Financial Industry

New and sophisticated threats, coupled with actions from various governments to revise legislation, have financial institutions scurrying to identify and evaluate new technologies to further safeguard consumer and corporate data. By investing in authentication and identity management solutions, financial institutions can reduce the cost of enforcing controls, achieve compliance with regulatory guidelines and reaffirm customer trust.

Identity management has seen early adoption in highly regulated industries like financial services, due to its ability to help streamline and automate compliance processes. Many companies are now able to verify and report on who has access to systems, applications and information within an enterprise on a periodic basis, typically defined by the companies’ internal auditors, through a combination of manual and semi-automated processes. But as these processes become more embedded into routine IT operations best practices, the need for, and the value of, automation becomes self-evident. Some early adopters of identity management for such compliance processes have saved 12 man weeks per quarter using the technology.

Having a Global View

Not only does identity management help institutions solve immediate compliance issues, but it also allows corporations to spearhead international compliance challenges as they look to expand. The Internet and technological advances have provided companies – including financial services organisations – with the ability to develop a mobile workforce. This globalization has also spurred a new set of potential identity threats that must be addressed. Identity management allows a company to confidently go beyond securing its traditional physical network domains in multiple business locations. This in turn enables the company to create new business models via the security that identity and access management best practices and integrated security architectures provide.

Mobile workers run the risk of inadvertently introducing malware into corporate networks. This is yet another problem identity management can solve. Well-architected identity management solutions can manage not only the rights that users have across digital assets, but also the lifecycle of users’ assignment to physical assets, in response to routine or unexpected business events.

For example, consider a securities firm that has constituted a syndicate with other firms, providing advisory and underwriting services to a client considering an acquisition. For the duration of this exploratory exercise, users who legitimately belong to the ‘deal team’ (whether or not they are employees of the lead securities firm) require access to select digital assets (for example, the deal document management and market research repositories) and physical assets (a personalized smartcard for access to the ‘clean room’, for instance). At the end of this exercise, all of these assets need to be revoked from users who no longer require them, in accordance with corporate policy. The securities firm’s identity management solution can automate these processes, ensuring the client can efficiently receive services from the syndicate, at no additional risk to the lead member of the syndicate.

With the growth of globalization comes a mobile workforce that increasingly uses portable devices. Unmanaged portable devices like smart phones, laptops, memory sticks and removable media, which are commonly used in enterprises, pose significant liabilities for organizations. Since companies do not have visibility into these devices, they are prime targets for information theft and data leaks.

Data consolidation becomes a crucial weapon for an organisation in the compliance war. Data fragmentation is more than just the enemy of efficiency—it is almost impossible to effect compliance if you have 58 places to manage users and at least as many places where the critical data they access lives. While data consolidation is not a cure-all, being able to centrally manage users, what they can access and where the information is that they are accessing enables far greater control over corporate assets subject to regulation. Furthermore, being able to verify compliance is simplified by data consolidation.

Identity management and unstructured data management are two critical areas where “putting all your eggs in one basket” makes it much easier to prove they are Grade AAA eggs that have not been tampered with.

Conclusion

While IT security budgets are slated to rise in 2006, it still will not be enough to adequately protect a company from security threats. One can even argue that no amount of money will ever be enough to address the full array of security concerns we face in the 21st century. However, the additional budget will allow IT managers to explore security solutions that can streamline identity and password management and protect against internal (employee) or external (hacker) data breaches. IT managers should continually monitor enterprise need and the latest security challenges. The executive team must be consistently updated on potential risks and lobbied for additional IT budget as new needs and challenges arise.

The review and introduction of regulatory guidelines will continue to spur the entry of new, and thus, relatively inexperienced vendors to the identity management space. When choosing an identity management partner, look for a company with a history of successful, enterprise-wide identity management deployments.

Additionally, seek a vendor that offers a flexible solution, a strong workflow engine, a customizable user interface, responsive support and a strong record of customer confidence and satisfaction. You can also ask for and check references. Enterprises will face the same IT security challenges that they did in 2005 and then some.

Finding an appropriate vendor to address today’s current security problems, being vigilant against new threats and efficiently protecting critical data will be instrumental to a company’s success in the compliance and security war.

Top 5 Things to Consider Before Committing to an Identity Management Purchase Order

Identity Management solutions enable sustainable compliance, improved security and reduced administrative costs. However, not all solutions are created equal. If your organization has decided to purchase an identity management solution, here are some factors to consider when choosing a vendor:

· Comprehensive suite: A vendor who offers a suite of best-in-class functionality, spanning Web access control to enterprise user provisioning, promises to be the best long-term partner.

· Heterogeneity: The vendor must be committed to supporting leading platforms and applications. Avoid those whose interoperability is limited.

· Vision: Have the end-goal in mind. A solid roadmap should include emerging technologies such as application-driven identity, Web services security and fine-grained entitlements.

· Viability: Make sure the vendor will be around tomorrow and has a global infrastructure to support your worldwide operations.

· Ease-of-implementation: Look for solutions that are easy to deploy. Stay away from solutions that require an army of consultants.


Michael Burling is director for Security and Identity Management Sales in Oracle Corporation, Asia Pacific Division. Michael has been in the IT industry for a number of years, seven of which were in the security software business. At Oracle, Michael leads business development and sales for the industry’s most complete Identity Management solutions in Asia Pacific.

 
Copyright © 2009 SDA Asia Magazine - All Rights Reserved