“Identity Management in the Financial and Banking Sector”
IAM – From vision to reality
A chain is only as strong as its weakest link.
Konstantin Zografov, AFCEA International Regional Vice President for the Mediterranean and Black Sea Region
Dr. Mircho Marchev, Ph.D., Director of the Information Technology Directorate of the Bulgarian National Bank, Member of ECB ITC
Agenda
Introduction
Context
Federated Identity
Needs
Standards
Approach
Roadmap
Examples
Introduction
IAM (Identity and Access Management): a broad and complex administrative approach to mitigating the risks of fraud, errors and disclosure of confidential information.
A threefold concept of managing digital identities and access to corporate systems and assets by combining:
- Business processes,
- Policies and
- Technologies.
Centralized identity management solutions: the users and the systems they accessed were:
- within the same network or
- within the same “domain of control”.
Introduction
IAM – a growing business necessity reflecting global economic and societal developments.
IAM – constantly evolving over time due to the continually changing computing environment in which organisations operate.
IAM – banks are the leaders among the civil sectors in developing and launching information security systems to handle digital identities and access, because an identity breach has the greatest possible impact on the financial community – both clients and corporations.
IAM – grows out of already existing corporate security systems, enterprise administration, single sign-on, etc.
Context
International: globalization, Internet access, NATO Alliance.
Corporate: multiple applications, some of them obsolete; increased risk exposure.
Financial – ESCB definition: Identity and access management (IAM) enables organisations to handle digital identities, to set and control access to their systems, and to ensure that only authorised users and resources (service accounts and devices) gain the appropriate access to those systems, in accordance with business requirements.
Context
Decentralization: integration of the Internet into every aspect of personal and business life.
The inevitable separation of users requiring access to systems and information assets.
Evolving identity management challenges: cross-company and cross-domain access.
A new approach to identity management, now known as “FEDERATED IDENTITY MANAGEMENT”.
FEDERATED IDENTITY MANAGEMENT
Federated identity (or identity federation): enabling the portability of identity information across independent security domains.
The concept of federated identity describes the policies, the technologies, the standards and the use cases of the respective industry.
Federation of identities can only be realised through the use of:
- open industry standards,
- agreed specifications made available to the parties,
thus achieving interoperability for the common use cases.
General Definition
Federated identity: the virtual reunion, or assembled identity, of a person's user information (or principal) stored across multiple distinct identity management systems. The data are joined together by use of a common token, usually the user name.
A user's authentication process across multiple IT systems or organizations.
The concept: the capacity to extend, under a pre-defined circle of trust, the account profile and access management system to a third party who needs to access specific target resources and applications.
The architecture will be based on a federated identity model in which authentication can be fully delegated to trusted members.
Principles
ESCB: IAM High Level Principles
• Individual accountability should be ensured ESCB-wide.
• Each CB must report IAM security incidents to the IAM System Owner and/or Information Owner.
• Access rights are task specific, granted on a need to know/do/work basis, and of a non-permanent nature.
• Management (issuing, renewing, revoking, etc.) of credentials shall be controlled through a formal management process.
• Each CB must inform their staff and relevant third parties of their roles, obligations and duties.
The Needs
Risks: businesses without strict IM procedures risk attackers using employee passwords to gain illegal access to applications and information, or conflicting with government regulations.
• Building a consistent IAM system:
• improve security
• boost worker productivity
• cut costs
• reduce the "integration friction"
• while giving access to internal systems to employees, business partners, customers and suppliers.
The Needs
Reduce cost by eliminating the need to scale old or proprietary solutions.
Increase security and lower risk by enabling an organization to identify and authenticate a user once, and then use that identity information across multiple systems, including external partner websites.
Improve privacy compliance by allowing the user to control what information is shared, or by limiting the amount of information shared.
Improve the end-user experience by eliminating the need for new account registration (through automatic “federated provisioning”) and the need to log in redundantly (through cross-domain single sign-on).
The way to do this is through standards.
The Standards
The Liberty Alliance (est. September 2001, now 150 companies) develops open standards, guidelines and best practices for identity management, extending SAML (Security Assertion Markup Language).
• IBM, Microsoft and VeriSign are also pushing their own security specifications.
• IdenTrust, similar to SWIFT, Visa and Master Card, was developed by a consortium of financial institutions to deliver trusted electronic commerce.
Those standards do not (YET) speak directly to each other.
The Standards
The Basel II accord (Advanced Capital Adequacy Framework – Basel II – November 2, 2007) also concerns access to computer data by physical persons and is an opportunity to significantly improve identity and access management. Its overhaul approach can generate an important return on investment in terms of productivity among users and IT personnel. It allows easy deployment of procedures that are critical in a banking environment: de-provisioning, segregation of duties, separation of roles, access rights, independence from technologies. Among the risk evaluation methods proposed by the accord, the advanced measurement approaches (AMA) authorize banks to evaluate their operational risks themselves.
The Objective
Build a series of interconnected systems to allow an employee, logged on to his company's intranet, to access a business partner's systems and have those systems automatically trust the employee's digital credentials.
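The delegated authentication described under General Definition and the objective stated above, as an added example that is not part of the original presentation or of any ESCB system: a hypothetical identity provider in one domain issues a short-lived, signed assertion about an employee, and a partner system in another domain accepts it only if the issuer belongs to a pre-agreed circle of trust, the signature verifies, the assertion names that partner as its audience, and it has not expired. The domain names, shared secrets, user and roles are constructed; the compact HMAC-signed format stands in for a standard assertion format such as SAML and is not a real protocol.

```python
"""Federated identity across a circle of trust (added example, constructed data)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed circle of trust: federation member -> shared secret. Assumption:
# the secrets were exchanged out of band when the federation agreement was made.
CIRCLE_OF_TRUST = {
    "bank-a.example": b"constructed-secret-bank-a",
    "partner-b.example": b"constructed-secret-partner-b",
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, secret, subject, audience, roles, ttl=300, now=None):
    """Identity-provider side: vouch for `subject` towards one partner, briefly."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": issuer,            # which federation member vouches for the user
        "sub": subject,           # the common token joining the identity data
        "aud": audience,          # the single partner system this is meant for
        "roles": sorted(roles),   # task-specific access, not a blanket grant
        "iat": now,
        "exp": now + ttl,         # non-permanent by construction
    }
    body = _b64url(json.dumps(payload, sort_keys=True).encode("utf-8"))
    tag = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_assertion(token, audience, circle=CIRCLE_OF_TRUST, now=None):
    """Relying-party side. Returns (payload, None) on success, (None, reason) otherwise."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
        payload = json.loads(_unb64url(body))
    except ValueError:
        return None, "malformed"
    if not isinstance(payload, dict):
        return None, "malformed"
    secret = circle.get(payload.get("iss"))
    if secret is None:
        return None, "untrusted issuer"        # outside the circle of trust
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None, "bad signature"           # tampered, or wrong secret
    if payload.get("aud") != audience:
        return None, "wrong audience"          # issued for a different partner
    if payload.get("exp", 0) <= now:
        return None, "expired"                 # access rights are non-permanent
    return payload, None


def authorize(payload, required_role):
    """Partner-side access decision on the roles the trusted issuer asserted."""
    return required_role in payload.get("roles", [])


def demo():
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    token = issue_assertion("bank-a.example", CIRCLE_OF_TRUST["bank-a.example"],
                            "alice", "partner-b.example", ["payments:view"], now=t0)
    payload, err = verify_assertion(token, "partner-b.example", now=t0 + 60)
    return {
        "accepted": err is None and authorize(payload, "payments:view"),
        "over_privilege_blocked": err is None and not authorize(payload, "payments:approve"),
        "later": verify_assertion(token, "partner-b.example", now=t0 + 600)[1],
        "other_partner": verify_assertion(token, "bank-a.example", now=t0 + 60)[1],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The four rejection reasons map onto the ESCB principles quoted earlier: only members of the circle may vouch for a user, credentials are bound to one relying party, and every grant expires unless renewed through the issuer.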
The Approach
Build the business case.
Educate; stay away from technology (this is not a technical exercise).
Outline benefits and cost reduction, productivity gains for: 1. users; 2. help desk; 3. system administrators.
Ensure compliance with regulations and towards auditors (e.g. Basel II, Sarbanes-Oxley etc.).
Pilot the processes, not just the technology.
Plan the customization. Do not struggle to provide automated provisioning to non-standardized, old systems with few users.
Industry consolidations – stay informed of vendors' moves (mergers, takeovers etc.); do not “lock” into an obsolete solution.
The Roadmap
With IAM, laying down a technology roadmap and the usual plan and feasibility study after a business analysis just do not work. The future landscape is unpredictable from the technology point of view alone. It takes a consistent and useful shared VISION to develop your ideas as to who the future players in the identity and identity management field might be and how their businesses might work.
The Roadmap
Security vision: executive support and guidance; information security principles and values; ISMS scope.
IAM strategy: internal and external drivers; requirement definition; IAM value statements; objectives and success criteria.
Policies and standards: information management and privacy; definition of the doctrine; technology standards.
The Roadmap
IAM architecture: conceptual and logical IAM architecture; control definitions.
IAM specifications: detailed specifications of IAM technology components; guidelines.
The IAM roadmap: practical steps for integration of IAM; deployment of IAM components as per specifications.
Example 1 – Authentication in SEPA and Cross-Border Payments
SEPA (the Single European Payment Area) is developing the legal framework for cross-border payments. In SEPA, IAM is closely aligned with risk management: having a degree of certainty that the counterparty to a transaction is who they purport to be, based on support by one or more trusted intermediaries involved in a payment across the SEPA geographies, from both the Initiator’s and the Recipient’s side.
This management framework must allow parties to:
- interact in an environment of privacy;
- ensure authentication, message integrity and non-repudiation.
SEPA will accomplish this by provisioning credentials which enable authentication, encryption and digital signing.
Example 1 – Authentication in SEPA and Cross-Border Payments
Financial institutions are to meet this challenge by:
- multiple forms of identification before transacting payments or opening any account;
- mandated processes, namely Know Your Customer (KYC), applied to both individuals and corporations, with stringent controls for levels of trust.
IdenTrust only validates the identities used by the customers, not the data associated with the transaction. The messages carrying the transaction data are exchanged between the banks at either end of the transaction.
A key part of the solution: end-to-end activity tracking.
The natural providers of this service are the world’s financial institutions, which will remain active in the transaction-processing market.
Example 2 – Authentication in the ESCB: ECB, the NCBs, banks and their customers
Lack of mandatory security components in the ESCB network: authentication, authorization, security logging, SSO etc.
Increase of ESCB-wide applications and extension to new countries: hundreds of end-users are often managed “ad hoc”.
The interim solution: an ESCB-wide user repository for identity and privilege management.
The objective: a project to enlarge the scope from a centralized directory service to a security infrastructure aligned with the long-term vision for security:
- open IT systems to external partners and customers (credit institutions, Central Securities Repository, international institutions and third parties);
- efficient distribution of tasks and applications in the ESCB; new collaboration models;
- greater collaboration between NCBs through the re-use of IAM security services regardless of location or implementation details.
CONTACTS
THANK YOU FOR YOUR ATTENTION!
Dr. Mircho Marchev, Ph.D., Director of the Information Technology Directorate of the Bulgarian National Bank, Member of ECB ITC
1, Knjaz Alexander I Str., Sofia 1000, Bulgaria
Tel. ++359 2 91459
Fax ++359 2 980 2425
e-mail: m.marchev@gmail.bg
Konstantin Zografov, AFCEA International RVP for the MT&BS Region, Deputy Chairman of the Supervisory Board of Industrial Holding Bulgaria AD
47, Vassil Levski Blvd., Sofia 1000, Bulgaria
Tel. ++359 2 980 71 01
Fax ++359 2 980 70 72
Mobile ++359 888 70 82 81
e-mail: zografov@bulgariaholding.com
www.bulgariaholding.com