BID® Daily Newsletter
Jul 31, 2024

BID® Daily Newsletter

Jul 31, 2024

Identity and Access Management: A Gate Against Internal Threats

Summary: Not all cyber threats are external. That’s why it’s imperative to periodically review which employees have access to which systems. We detail best practices of identity and access management.

Wonder why the phrase “open sesame” enabled Ali Baba and the Forty Thieves to open the magic cave, while Ali Baba’s brother was trapped because he shouted out the names of other grains? The expression was first introduced into the story in the 1700s, when Frenchman Antoine Galland translated the work, as there was no mention of it in the original. One foodie recently blogged that the choice to use “sesame” might have been due to the nature of the grain itself. When it matures, the capsule opens abruptly and the seeds scatter all over.
“Open Sesame” is an ideal gatekeeper — only the privileged who know the phrase can gain access to the treasures that lie within. Financial institutions need such gatekeepers for their digital systems, not only for customers but also for employees. Indeed, user access control is a key component of “identity and access management” — making sure that access to systems is limited to the right people at the right time.
The Federal Financial Institutions Examination Council (FFIEC) details some best practices for effective identity and access management in its guidance, “Authentication and Access to Financial Institution Services and Systems.” 
Here are some of the major points to keep in mind that will help ensure logins for tools and platforms are only provided to those who truly need access:
  • Conduct a risk assessment. Evaluate all risks, threats, vulnerabilities, and controls associated with access and authentication. Determine when enhanced authentication controls should be used, such as for access to critical systems and data, or for remote access to systems.
  • Implement “least privilege” permissions. User access is limited to those information systems and resources related to the user’s job function or role. Privileged users have dedicated devices or accounts for all privileged or administrative activities, and such dedicated devices cannot access the internet. Systems are configured to log and alert when a privileged user account is added or removed and when unsuccessful logins or other anomalous behavior occurs.
  • Utilize dual controls when necessary. More than one privileged user at the financial institution must approve access to certain critical systems or certain requests for administrative changes.
  • Employ multi-factor authentication and layered security measures. MFA factors may include memorized secrets, look-up secrets, out-of-band devices, one-time password devices, biometrics identifiers, or cryptographic keys. Layered security incorporates multiple preventative, detective, and corrective controls and is designed to compensate for potential weaknesses in any one control. Examples include user time-out, system hardening, and network segmentation, when networks, systems, services, and data are physically and logically segmented based on the financial institution’s asset classification and risk assessment.
  • Educate workers. For employees, board members, and other users accessing a financial institution’s information systems, education can include training and testing programs on authentication-related scenarios such as phishing and social engineering.
  • Periodically review access. Make a point to regularly assess the design and effectiveness of access and authentication controls employed, including the availability of more advanced security options and configuration settings. Routinely re-evaluate whether staff access levels are appropriate by conducting enterprise-wide user access reviews. 
Effective identity and access management can protect your financial institution from bad actors from within. Determine what controls are needed, limit access to employees’ job functions or roles, and implement MFA and layered security measures. Then periodically review your access and control measures to determine if your gatekeeper is doing its job or if changes are necessary.
Subscribe to the BID Daily Newsletter to have it delivered by email daily.

Related Articles:

Protecting Your Institution as Ransomware Ramps Up
Ransomware attacks hit a speed bump in 2022. But the respite was short-lived. Ransomware attacks rose again in 2023, so this is no time for banks to let their guard down.
1234, This Password’s Not Safe Anymore (If It Ever Was)
Is your password too easy to guess? We discuss recent findings about the most common passwords and provide tips on creating more complex passwords that you can still remember.