Enterprises and businesses are well into their digitization journey. Many have adopted digital strategies and tools that align with their businesses and goals. However, in their swiftness to adopt software and tools that enable them to be agile, many may have overlooked one of the most crucial aspects of their data security – third-party access and control. The issue arises as a result of the adoption of multiple diverse tools and technologies needed for digitization, the acquisition of contract talent, consultants and third-party support. This rings true even for Financial Service Institutions (FSIs). In a recent report, Gartner stated that 59% of organizations experienced a data breach due to third parties and only 16% of them say they are equipped to manage these risks.
“Today, organizations can manage up to thousands of identities which means more access points that may present significant risks. In order to mitigate the risks of breach and protect digital identities, data and resources, enterprises need a comprehensive identity security solution for complete visibility into all user types and their related access, including all entitlements, roles, and attributes, to ensure employees receive the right access to the right resources to do their job.”
Chern-Yue Boey, Senior Vice President, Asia-Pacific, SailPoint
While it can seem like a daunting task for IT departments and CIOs to get a handle on the issue, the truth is that it’s a simple task of managing access on a “just-in-time” and/or “as-needed” basis. With an increasing number of such instances, it becomes a conundrum of how to dynamically manage these permissions. One emerging approach is to manage these permissions or instances as “identities”. Using this approach, it’s a matter of mapping these identities and the data they have access to. Essentially, a holistic view of who (identities) can access what data (what), is needed. While it can be a little complicated to administer this on a dynamic level, companies like SailPoint provide turn-key solutions fortified with artificial intelligence (AI) that allow just that.
An Increasing Concern for Financial Service Industries (FSIs)
As banks and other FSIs start embracing digitization and move towards becoming digital services, we’ve seen an increasing emphasis on data security and privacy particularly when it comes to user data. However, like many other enterprises, the digital infrastructure and tools that they have in place may pose a risk when it comes to data security. What’s more, when it comes to FSIs, the consequences of poor security can result in millions of dollars of loss for both the client and the institution itself.
In Malaysia alone, we’ve seen an increasing number of scams and data breaches in the past 5 years. This seems to have skyrocketed during the pandemic and is not showing any signs of slowing down. In fact, in the past year alone, we’ve had breaches of large service providers like Telekom Malaysia and Maxis. More worryingly, we’ve had breaches of FSIs like Maybank and iPay88. Of course, under the watchful eye of regulators, these issues are constantly being investigated and fines are dolled out for mismanagement.
“The reality is a large majority of cyber security breaches today occur as a result of non-employee identities. According to a research by Ponemon, 59% of respondents confirm that their organizations have experienced a data breach caused by one of their third parties and 54% of these respondents say it was as recent as the past 12 months”
Chern-Yue Boey, Senior Vice President, Asia-Pacific, SailPoint
That said, it’s important that these institutions move from a reactive approach to a more preventative and proactive one. This change has to happen with both policy and adoption of security technologies which give CIOs and data security experts a clear view of who is accessing what data and why.
Creating A Data Secure Environment for Business
FSIs like Maybank and iPay88 may point to their apps with features like SecureKey and their implementation of one-time pins (OTPs) as potent security measures. However, as Chern-Yue Boey, Senior Vice President at SailPoint puts it, “Authentication is like giving someone the keys to your front door, but identity security is where you can control whether this person can have access to your rooms and other aspects in your home.”
What’s needed is a system that can cross-check and verify if access to the information is allowed. Mr. Boey weighs in on this, “A complete identity security strategy involves understanding, controlling, and managing user identities and access to all resources holistically, in line with authentication methods. This means building an identity security foundation to enable authentication and comprehensive identity governance.”.
Identity governance will entail creating unique profiles to manage access to data. This also entails structuring data so that it can be accessed on an “as-needed” basis. While many systems for cybersecurity do include options for Zero Trust environments, the implementation of identity management ups the ante and creates an environment where small silos of data can be made available to external users and contractors. This will enable access to data on a restricted basis and allow CIOs and IT Departments to manage data based on job function, role and levels of access.
Mitigating Risk with Identity-based Security
This is where Identity Security can play a huge role for FSIs and even other corporations. The creation of these identities limits the potential exposure even if a breach occurs. That said, in order to mitigate the risk, it falls to the C-suite executives – particularly the CIO or CSO – to understand which job functions should have access to what data. Only with this understanding can they deploy solutions like SailPoint effectively.
Having this understanding – which can be fostered at every level of management – will help mitigate risks associated with third-party workforces. In fact, it helps with a key risk: unauthorized access to sensitive data. As access becomes limited, so too do the entry points for bad actors.
That said, understanding is only one part of the equation, FSIs and other organizations will need better oversight over the identities in their system and the data being accessed across the entire distributed IT ecosystem. This includes the ability to grant or restrict access as necessary. Doing this will create a perimeter of security when it comes to pertinent, sensitive data.
Maximizing Security with Informed Access
This transparency and oversight will allow for better-informed decisions as CSOs and CIOs have access to a central repository of all users – third-party or otherwise – and their relationship to the organization. This includes their job functions and the data they have access to. It helps with managing risk when it comes to third-party access. IT Departments are able to assign risk ratings to individual third-party users based on who they work for, location, access level and other parameters as set by the organization.
It also allows them to better manage the onboarding and offboarding of employees and non-employees as they enter and exit the organization. Essentially, the visibility, relationship data and governance will necessarily give rise to a lifecycle for each identity in the organization. While it may seem like a simple matter of managing the current access of users to the data, it goes further than that with identity management. It gives granular control and visibility to a CIO, CSO and IT Departments allowing them to react effectively and in a timely fashion. It also allows them to automate compliance audits with minimal manual intervention.
A Necessary Measure for Dynamism and Agility
As much as it may seem like an added layer of complications and headaches for IT departments, the shift from managing data based on access vs. through identities is the difference between being reactive and proactive. Managing data access with Identity security is a necessary measure for FSIs and organizations to remain agile in operations as well as respond dynamically to a landscape of uncertainties.