The Financial Services Authority’s (FSA) latest report paints a very mixed picture of how financial firms are managing their information security as part of the fight against organised crime. Here, Michael Burling details how the deployment of a comprehensive enterprise provisioning solution might address many of the leading risk areas outlined by the FSA. Illustration by Imagina
The Financial Services Authority’s (FSA) detailed report on financial crime – entitled ‘Countering Financial Crime Risks in Information Security’ – was published last November, setting out the findings of a recent review of industry practices and standards in information security risk management relating to electronically-held data. The report (which reviewed 18 companies, including retail and wholesale banks, investment companies and insurers) covered the internal and external threats to UK financial services firms.
The report concludes that firms could do much more to prevent attacks rather than responding to them only after they have occurred. It calls on senior management to take responsibility for information security, including ensuring that firms’ defences are continually reviewed and updated so that they keep pace with the increasingly sophisticated methods used by data criminals.
“Hackers and fraudsters are refining and improving their techniques all the time,” claims Philip Robinson, financial crime sector leader at the FSA. “In the fight against fraud, firms will have to run to stand still if they’re to protect their assets and those of their customers.
“Having been the target of criminals in recent times, via the Internet and other technologies, the major banks tend to have strong defences in place. There’s no room for complacency. Criminals will exploit vulnerable points where they can find them, including those in other sectors or smaller firms.”
Robinson continues: “Firms should follow a preventative approach rather than reacting to a situation once it has happened, which can be costly and damaging to reputations.”
According to the FSA report, traditional threats to information security persist in some firms because they have not invested adequately in their security frameworks. Some do not control employee access rights or user administration on their networks, while legacy systems with poor security design were also identified as a common weakness.
The FSA report states: “The user administration function at a firm – which includes adding, maintaining and deleting user accounts and updating access privileges – is critical to maintaining information security. This is because correct user administration restricts access to functions, applications or networks and can enforce the proper separation of roles and responsibilities.”
With direct reference to user administration, the report concludes: “Weak user administration is a common and long-standing failing. Firms need to ensure that only current employees have access to systems, and that these employees have the correct account privileges. Unless user account reviews are conducted on a regular basis, there’s a genuine risk that staff will leave or move and that user accounts will subsequently be interrogated for unauthorised access.”
The FSA observed a range of solutions across medium-sized and larger firms, from manual user administration to automated identity management systems that capture and maintain details of employees’ access rights across the company using centralised or decentralised administration. Whatever solution a firm has deployed, a number of common issues arise.
A failure to reconcile
The first area of concern highlighted by the FSA’s report is a “failure to reconcile between employees listed on human resources systems and live user accounts on a timely basis in order to identify redundant accounts.” Security managers should note that current enterprise provisioning products address this by including a reconciliation engine as a core element of the system rather than as an add-on. The engine supports ongoing audit work by checking that the accounts and privileges actually present on each system match the controls and policies the firm has defined.
Reconciliation then becomes an ongoing process that monitors the managed resources. If the engine detects an account, or a change to a user’s privileges, that was made outside the policies defined in the system, it can either reverse the change or notify an administrator, depending on how it is configured.
The engine lets administrators schedule how often each target resource is reconciled. Sensitive resources can be reconciled every few hours, lower-risk ones daily or weekly. This gives the enterprise a detective and corrective control that runs automatically at a frequency matched to the risk of each system, showing whether the defined control objectives are actually being met. Note that reconciliation is periodic rather than truly real time: for any system, the detection window is the interval between runs, so the interval for sensitive systems should be chosen with that in mind.
A reconciliation engine also reduces the risk posed by rogue accounts (accounts created outside the provisioning system’s control) and orphan accounts (accounts that remain operational after their owner has left or been invalidated). Once a managed resource has been brought under control, rogue accounts and privileges are detected on the next reconciliation run, and the provisioning solution carries out whatever corrective action the enterprise has defined: an e-mail alert to the administrator, accepting the account or privilege and linking it to a known identity, or deleting the account or privilege.
Reconciliation adaptors are also available. These are integration modules that let the provisioning product reconcile identity management data against the heterogeneous resources found across the enterprise.
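To make the reconciliation logic concrete, here is an added example (written for this article, not taken from the FSA report or from any vendor’s product) of the comparison such an engine performs between an HR feed and a snapshot of live accounts on one target system. The HR records, the account list and the expected-privilege policy are constructed inline, and the field names and risk tiers are assumptions.

```python
"""Reconcile an HR feed against live accounts on a managed resource.

Added example, not from the FSA report or any vendor product. All data
below is constructed for illustration; field names are assumptions.
"""
from dataclasses import dataclass

# Constructed HR feed: the trusted source. Status is 'active' or 'left'.
HR_RECORDS = {
    "E100": {"name": "Alice Ng", "status": "active", "dept": "Controller"},
    "E101": {"name": "Bob Lee", "status": "left", "dept": "Treasury"},
    "E102": {"name": "Cara Diaz", "status": "active", "dept": "IT"},
}

# Constructed snapshot pulled from a target system by a reconciliation adaptor.
# 'owner' is the HR id the account was linked to when it was provisioned
# (None if it was never linked); 'managed' says whether the provisioning
# system created the account at all.
LIVE_ACCOUNTS = [
    {"account": "ang", "owner": "E100", "managed": True, "privileges": {"gl_post"}},
    {"account": "blee", "owner": "E101", "managed": True, "privileges": {"payments"}},
    {"account": "cdiaz", "owner": "E102", "managed": True, "privileges": {"admin", "dba"}},
    {"account": "svc_backup2", "owner": None, "managed": False, "privileges": {"admin"}},
]

# Constructed policy: privileges the provisioning system expects each owner to hold.
EXPECTED_PRIVILEGES = {"E100": {"gl_post"}, "E102": {"admin"}}

# Assumed schedule: how many hours between reconciliation runs per risk tier.
RECONCILE_INTERVAL_HOURS = {"high": 4, "medium": 24, "low": 168}


@dataclass
class Finding:
    account: str
    kind: str      # 'rogue', 'orphan' or 'excess_privilege'
    detail: str
    action: str    # 'notify', 'disable' or 'revoke'


def reconcile(hr, accounts, expected, mode="correct"):
    """Compare live accounts with HR and policy.

    Returns one Finding per discrepancy, carrying the action the engine
    would take: in 'notify' mode every finding only alerts an administrator,
    in 'correct' mode the engine disables or revokes as well.
    """
    def remedy(corrective):
        return "notify" if mode == "notify" else corrective

    findings = []
    for acct in accounts:
        name, owner = acct["account"], acct["owner"]
        # Rogue: created outside the provisioning system, or never linked to an identity.
        if not acct["managed"] or owner is None:
            findings.append(Finding(name, "rogue",
                                    "created outside provisioning; no HR owner",
                                    remedy("disable")))
            continue
        # Orphan: linked owner is unknown to HR or no longer an active employee.
        record = hr.get(owner)
        if record is None or record["status"] != "active":
            findings.append(Finding(name, "orphan",
                                    f"owner {owner} is not an active employee",
                                    remedy("disable")))
            continue
        # Privilege drift: the account holds more than policy says it should.
        extra = acct["privileges"] - expected.get(owner, set())
        if extra:
            findings.append(Finding(name, "excess_privilege",
                                    f"unexpected privileges: {sorted(extra)}",
                                    remedy("revoke")))
    return findings


def is_due(risk_tier, hours_since_last_run):
    """True when a resource of the given risk tier should be reconciled again."""
    return hours_since_last_run >= RECONCILE_INTERVAL_HOURS[risk_tier]


if __name__ == "__main__":
    for f in reconcile(HR_RECORDS, LIVE_ACCOUNTS, EXPECTED_PRIVILEGES):
        print(f"{f.account:12} {f.kind:17} {f.action:8} {f.detail}")
```

Run as written, the engine flags blee as an orphan (Bob has left), cdiaz for an unexpected dba privilege, and svc_backup2 as a rogue account; ang is clean and produces no finding. The expected-privilege policy is what links this to the segregation-of-duties and role controls later in the article: whatever the policy source, the engine only ever compares it with what the target actually contains.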
Deletion of access rights
The second area of concern detailed in the FSA’s report is the “failure to delete access rights when a staff member changes responsibilities or departments.” This is equally well handled by the latest provisioning solutions, which reconcile identity information from most Human Resources systems and directories, the trusted sources of information about responsibilities and departments.
As long as staff changes are reflected in at least one of these trusted sources, the provisioning system will reconcile the change and amend the user’s group or role membership accordingly, an approach usually described as role-based provisioning, built on a role-based access control model. The change in membership triggers the provisioning processes needed to reflect it in the managed applications: deleting user accounts that are no longer justified, removing privileges or entitlements within an application, modifying user rights, and creating the new accounts or privileges the new role requires.
The FSA report also expresses concern that many financial enterprises have “no review of user account rights or application privileges by the business or IT to determine if a user has excessive rights or incompatible privileges for their job role”. The remedy is a periodic review of access levels, often called access recertification.
Leading edge enterprise provisioning systems can be configured to remind the responsible managers periodically to generate reports (who has access to what, exceptions and so on), and to record that they have examined the results and are satisfied that they reflect the firm’s policies. This gives greater confidence that preventive controls are working, and that the appropriate people are validating that they work.
Segregating the key duties
The lack of segregation of duties between IT and security staff administering user accounts and those who review the appropriateness of account privileges is another problem faced by financial institutions.
Segregation of duties is indeed a key vehicle for preventing fraud and detecting errors in the processing of financial transactions. It ensures that the same person does not perform more than one key step of a transaction, and that each person’s actions are monitored and overseen by others.
Effective implementation of a strong segregation of duties model will engage several access policy controls. However, sometimes a user’s responsibilities aren’t pre-defined, and therefore cannot be captured as access policies. In such cases, the user’s access rights are defined by the rights they are granted within a specific target application.
For instance, a company may specify that anyone in the office of the controller may be granted access to the SAP (Systems, Applications and Products in Data Processing) general ledger system, but only if that individual does not already have access to SAP Business Warehouse. If the person already holds SAP Business Warehouse privileges, access to the SAP general ledger system is refused. Successful implementation of segregation of duties therefore requires a provisioning system that can dynamically recognise the privileges a user already holds and make decisions that comply with the firm’s control objectives.
Pre-provisioning extensions that support dynamic, real time entitlement calculation are needed to prevent a user from being granted an entitlements ‘basket’ that would violate segregation of duties policies. Using a framework that analyses a user’s entitlements at the point of request, cutting edge provisioning solutions can model intricate controls to enforce duty segregation.
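The following added example (written for this article, not taken from the FSA report or from any vendor’s product) implements both the role-driven provisioning described earlier, where an HR role change computes the entitlements to revoke and grant, and the SAP general ledger / Business Warehouse style segregation-of-duties check, where a request is evaluated against what the user already holds before anything is provisioned. Role names, entitlement names and the conflict pairs are constructed for illustration.

```python
"""Role-driven provisioning with a segregation-of-duties (SoD) pre-check.

Added example, not from the FSA report or any vendor product. Roles,
entitlements and conflict pairs below are constructed for illustration.
"""

# Constructed role model: HR job role -> entitlements that role justifies.
ROLE_ENTITLEMENTS = {
    "controller": {"sap_gl"},
    "analyst": {"sap_bw"},
    "treasury": {"payments_prepare"},
    "treasury_approver": {"payments_approve"},
}

# Constructed SoD policy: entitlement pairs one person may never hold together.
SOD_CONFLICTS = {
    frozenset({"sap_gl", "sap_bw"}),
    frozenset({"payments_prepare", "payments_approve"}),
}


def sod_violations(entitlements):
    """Return the conflict pairs fully present in an entitlement basket."""
    held = set(entitlements)
    return {pair for pair in SOD_CONFLICTS if pair <= held}


def check_request(current, requested):
    """Pre-provisioning check: may `requested` be added to `current`?

    Returns (allowed, reason). The decision depends on what the user already
    holds, which is the dynamic evaluation the article describes.
    """
    if requested in current:
        return True, "already held"
    conflicts = sod_violations(set(current) | {requested})
    if conflicts:
        clash = sorted(next(iter(conflicts)) - {requested})[0]
        return False, f"{requested} conflicts with held entitlement {clash}"
    return True, "no SoD conflict"


def plan_role_change(current, new_roles):
    """Compute provisioning actions when HR changes a user's roles.

    Entitlements no longer justified by any role are revoked first, then the
    new role's entitlements are granted one at a time through check_request,
    so a grant that would breach SoD is held back for manual review instead
    of being provisioned.
    """
    target = set().union(*(ROLE_ENTITLEMENTS[r] for r in new_roles))
    revoke = set(current) - target
    basket = set(current) - revoke       # revocations are applied before grants
    grant, held = set(), {}
    for ent in sorted(target - basket):
        allowed, reason = check_request(basket, ent)
        if allowed:
            grant.add(ent)
            basket.add(ent)
        else:
            held[ent] = reason
    return {"revoke": revoke, "grant": grant, "held_for_review": held}


if __name__ == "__main__":
    # Analyst with Business Warehouse access moves to the controller's office.
    print(plan_role_change({"sap_bw"}, ["controller"]))
    # A request for the general ledger while still holding Business Warehouse.
    print(check_request({"sap_bw"}, "sap_gl"))
```

Because revocations are applied before grants, an analyst who moves to the controller’s office loses sap_bw and gains sap_gl without ever holding both. If HR assigns two roles whose entitlements conflict, the first grant succeeds and the second is reported under held_for_review rather than silently provisioned, which is the point at which a human must resolve the policy conflict.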
Reviewing generic and administrator accounts
The FSA report also expresses concern about the lack of review of generic accounts often used by technicians. Again, the latest provisioning technology addresses this by letting enterprises manage the lifecycle of generic or service accounts used by technicians or by other systems within the organisation, so that they are created, reviewed and retired under the same controls as any other account.
The report highlights the “use of personnel accounts for conducting user administration through the temporary assigning of administration privileges rather than using a dedicated systems administrator account” as an additional area for review. This is a risky practice that must be eliminated through the definition and enforcement of policy. Even the most advanced provisioning system cannot define those policies for a firm, but once they have been defined it can enforce them over time in an efficient, cost-effective manner.
Outsourcing user administration
A final concern detailed by the FSA report with regard to provisioning is the outsourcing of user administration to a third party without reviewing the effectiveness of the arrangement. Outsourcing user administration exposes firms to additional financial crime risk. Using a reputable provider with a proven track record reduces that risk, but it does not remove the firm’s responsibility to review the arrangement regularly. Ideally, the enterprise should retain direct control over such a critical process and work closely with its chosen vendor.
By employing a secure enterprise provisioning system, organisations are able to ensure that only current employees have access to systems, and that these employees possess the correct account privileges.
Source
SMT
Postscript
Michael Burling is managing director for Europe, the Middle East and Africa at Thor Technologies