
Identity management and access control are major concerns for financial companies doing business online today. But just as financial services companies make it easier for their customers to conduct business online, crooks are becoming correspondingly smarter. "Identity has graduated from an emerging technology to a critical piece of enterprisewide infrastructure. You have to be a lot more deliberate about who is accessing your systems," says Oracle's Mary Ann Davidson.

  • Read about CUNA Mutual's efforts to centralize security issues to control access and protect their customers.
  • Learn about the latest techniques designed to foil thieves and protect users' identities.
  • Find out about the benefits of deploying identity management software. How does this affect the behavior of users? Two experts in the field discuss identity management and walking the fine line between protecting users and imposing constraints that scare users away.
As Published In

Profit Magazine
August 2005

Spotlight on Financial Services

Who's Who in Cyberspace
By David Baum

Identifying users and securing data has become significantly more complex.

The financial services industry has led the way in online business practices, and it's easy to see why. Most financial products can be quickly approved, originated, accessed, traded, and manipulated online. As a result, many banks, investment brokers, and insurance companies now allow customers and business partners to perform multiple functions through secure Web portals.

Self-service access implies new levels of convenience, and new types of security risks. "Especially in today's compliance- and regulatory-minded business environments, you have to be a lot more deliberate about who is accessing your systems, how you identify those users, and how you authorize access to various information resources," says Mary Ann Davidson, chief security officer at Oracle.

As financial services companies deal with a host of security vulnerabilities, they are centralizing identity and access management functions—generally by using software solutions that aggregate control and visibility across multiple applications. This approach protects network resources, safeguards financial assets, and puts in place the auditing and reporting capabilities necessary for high levels of security and compliance.

Authorizing Users

There are two main aspects to safeguarding information: identity management and access control. Companies need to identify each network user and then determine which resources he or she is allowed to access. Some companies enforce separate access policies for each application. While this approach provides maximum flexibility in the short term, it soon becomes a liability as online business processes grow in number and complexity. Developers must create a new identity management framework for each new application, and users must remember a growing number of user names, passwords, and login procedures.

David Meunier, vice president and chief information security officer for CUNA Mutual Group, believes the solution is to centralize security using an identity management system shared by all applications. By providing a central means to securely connect users to applications—and applications to one another—CUNA Mutual has been able to reduce the cost, complexity, and risk of managing identities, meeting regulatory compliance, and strengthening network security for its credit union partners.

Extending the Infrastructure

Meunier and his team not only manage the identities of their own employees, they must also authorize various access levels for credit union employees and members. As the leading financial services provider to credit unions and their members, CUNA Mutual partners with nearly 95 percent of the 9,000-plus credit unions in the U.S. CUNA Mutual uses Oracle COREid technology (formerly Oblix COREid), integrated with Microsoft Active Directory, to perform role-based authorization and handle complex identity relationships. Oracle COREid simplifies the process of creating centralized policies for managing identities and authorizing users. It also enables federated access control—allowing multiple partner companies to operate independently, yet cooperate for business purposes.

"We needed to bring our repositories into a central place," says Steve Devoti, CUNA Mutual's manager of identity management. "Our identity infrastructure can support potentially millions of credit union members."
Snapshot

CUNA Mutual Group
www.cunamutual.com
Location: Madison, Wisconsin
Through credit unions, CUNA Mutual offers insurance, annuities, mutual funds, and other investment products to more than 9.3 million credit union members nationwide. It also offers loan protection, credit disability, and credit life insurance products to 10.2 million credit union members.
Assets: US$14 billion
Products and services: Oracle COREid (formerly Oblix COREid)

Access at Multiple Levels

"Three techniques are available today to make it more difficult for hackers to gain entry," says Meunier. "The first is to update software and patch systems appropriately—in essence, to stop the means by which a hacker might exploit your system. The second is via two-factor authentication, which is based on a combination of something the user has, like a token, and something he knows, like a password. The third is to use certificates on Web servers to verify that users access the correct Web sites."

Meunier believes security should be like the brakes and seat belts on a car—a necessity—rather than something that gives a financial services company a competitive edge. "It's fundamental—we should be competing on the bells and whistles, not the basic functions."

While CIOs may complain that security technology is a necessary evil with no real ROI, Davidson insists that identity management software pays off. For one, there are far fewer password resets, meaning fewer help desk calls. Secondly, employees are more productive because they no longer have to manage multiple usernames and passwords.

Centralized identity management software also facilitates regulatory compliance, and it helps developers deploy new systems faster, since they already have a security infrastructure in place that they can leverage. "Oracle identity management solutions can be integrated into the application-development process," Davidson says. "This allows developers to design cohesive identity management systems that support multiple applications—from Oracle and other vendors."

Sharing the Load

These security issues become even more complex in business-to-business (B2B) and business-to-consumer (B2C) settings, in which customers might be accessing multiple Web sites during a single session. To simplify these scenarios, CUNA Mutual can establish federated or shared identities among partner credit unions. The technology streamlines the process of integrating B2B applications and helps maintain user privacy, since having a centralized repository means fewer copies of each user's identity data floating around.

CUNA Mutual is working to create a secure yet convenient online environment for credit union members who wish, for example, to view insurance policy information from one organization and conduct online banking from a second. With Oracle COREid, CUNA Mutual can manage access control in its own directory, then seamlessly route users to partner Web sites as necessary. Self-service features from Oracle COREid allow credit union members to register accounts, manage identity profiles, and change passwords. With millions of potential users, this could be an immense time-saver for CUNA Mutual's support staff. According to Devoti, CUNA Mutual can now delegate administration to help desks and call centers so that they're able to do certain things with people's identities in the directory. "COREid provides us with a very granular mechanism of delegating this administration," he says.

Fighting Internet Crime

"Recent data security breaches show that banks and their data providers must invest in stronger security controls to prevent the theft of personal information from consumers, third-party data providers, and banks themselves," says Sophie Louvel, research analyst with the consumer banking and credit practice of Framingham, Massachusetts-based Financial Insights, an IDC company.

In a B2C setting, the biggest issue is strong authentication, which can be achieved using a combination of passwords, tokens, encryption technologies, and biometrics. Many financial services firms are adopting these stringent procedures not only to bolster security but to boost confidence among consumers.

Meunier acknowledges that the financial services industry is on the verge of a shift to online services, but if customers lose confidence in electronic business practices, they will revert to handling transactions in person. "We can continue to build up our infrastructures to handle online financial transactions," he concludes. "But if the users aren't there to use them, then where are we?"

Q&A

Q&A with former META Group senior analyst Mike Gotta

Analysts Sophie Louvel and Bill Bradway, from Financial Insights, talk about identity management, fraud detection, and moving cautiously through cyberspace.

Crimes against financial institutions are as old as money itself, but the ways in which criminals are using the internet to commit fraud are brand new. Financial institutions have a huge stake in making sure that customers trust that their privacy—and their cash—are being safeguarded appropriately. Profit talked to Financial Insights analysts Sophie Louvel and Bill Bradway to find out how consumer behavior is being affected and what financial enterprises must do to protect their systems.

Profit: Why are financial services companies centralizing identity management functions?

Bradway: It's partly driven by security, partly by compliance issues. From an auditing standpoint, being able to centralize data about who's accessing what, when, and where facilitates regulatory disclosure, in case an information security examiner comes to do a checkup. It also facilitates security management by making it easier to detect a breach, and it simplifies application development by creating a common infrastructure that multiple applications can access.

Profit: There is a fine line between securing transactions and imposing constraints on users. Is there a point at which security becomes too onerous or difficult to be worthwhile?

Bradway: Given all of the security breaches that we've been seeing recently, and the ease with which criminals are able to steal log-ins and passwords, the industry as a whole is emphasizing security more than ever right now. Banks are getting more aggressive in their efforts to help customers adopt tight security methods. But, admittedly, it is a balancing act. Emphasizing security too much can have the adverse effect of actually scaring customers away. Part of the challenge is for the bank to develop a program that is adaptable to their clients. For example, you might impose secure ID tokens for power traders who trade more than 10 times per month.

Profit: Are the high-profile stories we have been hearing about lost corporate data and stolen identities affecting customer behavior?

Louvel: I'm afraid so. Close to 60 percent of the 1,000 U.S. consumers we sampled in January 2005 said that they are worried about identity theft, which we define as stealing information such as name, address, telephone number, social security number, or driver's license registration with the intent to commit unlawful activity. Eight percent stated that they had been a victim of such a crime, and close to six percent admitted to switching banks in order to reduce their risk of becoming a victim of identity theft. About 18 percent actually said that they had stopped shopping online.

Profit: What is the financial services industry doing to restore faith in the security of Web-based information systems?

Bradway: Financial services companies are investing in more-secure authentication technologies, as well as in solutions that can monitor online behavior and detect consumer fraud. Credit card processing is well-known for incorporating sophisticated transaction analysis techniques to detect unusual patterns, such as if your credit card was suddenly used in St. Thomas to buy a watch. These same types of applications can be used to detect abnormal activity in an online bank account.

Louvel: In addition to authorizing users on the front end, you need a second level of fraud-detection technology to determine if a particular transaction is normal for a particular customer. Is it normal for this person to be logging in from Sri Lanka when they're a U.S. customer, or to be logging in from a different IP address? Either of these examples should raise red flags, regardless of how that user is authenticated at the beginning.

Profit: Are we spending enough time on security awareness? What are the key issues that should be conveyed to employees and users?

Louvel: Bank employees and customers need to be more sophisticated and security conscious. Social engineering tactics are going to evolve and they're always going to get better. Fortunately, many consumers are waking up to the fact that personal information is extremely valuable and not something to share readily. You need to make sure you are dealing with a trusted party at the other end of the line.


Bill Bradway is group vice president of the banking practice at Financial Insights, an IDC company based in Framingham, Massachusetts.

Sophie Louvel is a research analyst with the consumer banking and credit practice at Financial Insights.


David Baum is a Santa Barbara, California-based writer who covers business and technology.
