IAM Trends: Financial Services is at the Leading Edge
Smaller Institutions Now Taking Cues from Early-Adopting Large Banks
The need to implement viable identity access management (IAM) solutions for the financial services industry has never been greater. The industry's largest entities have been at the front edge of adopting IAM solutions for nearly a decade. Now, mid-sized and smaller institutions are looking toward IAM to help prevent unauthorized access to sensitive systems and provide better regulatory compliance.
And while financial institutions that have implemented IAM haven't necessarily been innovators, they are knowledgeable and experienced, says Ray Webster, an analyst at Gartner, offering insights on IAM at financial institutions. "Traditionally, financial services usually lead in technology focus, based mainly because they have money to spend and they're fairly good at implementing it," Webster says.
Industry at Front Edge of IAM
Financial institutions have been at the front edge, not the bleeding edge, of the adoption of IAM, Webster notes. IAM technology first appeared at the beginning of 2000, when organizations began to do much more with shared computing and more with the Internet. As their application infrastructure became highly complex, moving off the mainframe to use hundreds of applications over their networks and the Internet, a central system for managing access was needed.
Financial services organizations don't have a lot of specialization when it comes to IAM, and they've realized they can't adequately manage them on a one-off basis, thus the need for management programs. "Driving this is the regulatory atmosphere and the need for audit controls and data protection that produces reports quicker and makes this more transparent," he says. This is one of the key reasons that financial institutions tend to be at the front of the pack of adopters of this technology.
Webster says IAM interest hasn't reached full maturity yet, based on when it first started in 2000. Most of the Fortune 2000 have IAM initiatives in place, in terms of centralized management of identity; on average they're at a moderate level of maturity. "In two to three years they'll be closer to maturity, reaching operational efficiency, and there will be less of a need to talk about IAM."
There has been recognition across financial services and other industries that IAM is a core infrastructure that has to be given some attention. That doesn't mean institutions have to automate everything, or that they have to revamp what they're doing, he says. "Institutions need someone to assess and plan for a modern identity management infrastructure. Most organizations have recognized that at this point in the game and are working on a plan for their infrastructure."
Among some of the trends Webster sees:
Among the IAM trends in recent years is outsourcing of applications to service providers, which has morphed into a discussion of software as a service, which in turn has morphed into a discussion about cloud service. Both SaaS and cloud service must be well thought out before being implemented by institutions, Webster notes.
"Those SaaS and cloud questions are things that have clear identity and access management requirements and concerns," Webster says. "These are the problems that institutions are trying to figure out today."
The Debate: Internal vs. External
Larger institutions, especially the top banks, are relatively mature in the use of internal IAM. "They have automated systems in place for their tasks and a fairly good audit and information management facility that allows them to show auditors that they are practicing IAM consistently with their requirements," he says.
So, when a bank or credit union thinks about externalizing services, this brings its own set of concerns and questions. "Am I going to allow my service providers to manage my identity access, and will they do it in a secure fashion, or am I going to continue to do it on my own, and still outsource some of it?"
The move toward IAM federation is an example of this trend. "Five years ago, if I wanted to outsource an application, I would have had to outsource the identity access for that application. Now, I can keep that portion internal and outsource the application to a service provider," Webster says.
Two reasons to keep the IAM internal and not outsource it, according to Webster: An institution isn't dependent on an outside party who may not be as timely or thorough in keeping access lists up to date. The institution has to tell them when to take people off lists. Also, the institution must have trust that the other organization will maintain control over the lists, and that the information in the application itself is intact.
Consumer-Side Use of IAM
On the consumer side, there has been a great deal of activity on how customers and users are authenticated, and the focus of regulatory agencies has been here.
GLBA and PCI audits revealed to many institutions the need to move toward IAM. It was a quick hit, and the solutions can put in an infrastructure to report who had access to what, when, what they did, and who gave them authorization to the system, Webster notes.
A general trend in IAM is enforcing the principle of least privilege (people only have access to the systems/applications they need to do their job). This has taken the form of putting in systems that allow organizations to set policy and then monitor to see that those policies are enforced. "For example, I want to know that only the people in accounting have access to the accounting system, and that nobody can both create a transaction and approve that transaction. Second, I want to know who is creating transactions and who is approving them," Webster notes. This is the direction institutions are moving toward -- more transparency.
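The policy-and-monitoring checks described above can be sketched as follows. This is an added example, not code from the article or from any IAM product; the user names, group names, system name and log format are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): directory groups, access policy,
# the system's actual access list, and a transaction audit log.
GROUPS = {"alice": {"accounting"}, "bob": {"accounting"}, "carol": {"marketing"}}
ACCESS_POLICY = {"accounting-system": {"accounting"}}  # system -> groups allowed
ENTITLEMENTS = {"accounting-system": {"alice", "bob", "carol"}}
AUDIT_LOG = [
    {"txn": "T1", "action": "create", "user": "alice"},
    {"txn": "T1", "action": "approve", "user": "bob"},
    {"txn": "T2", "action": "create", "user": "bob"},
    {"txn": "T2", "action": "approve", "user": "bob"},
    {"txn": "T3", "action": "create", "user": "carol"},
]

def excess_access(entitlements, policy, groups):
    """Least privilege: users on an access list with no group the policy allows."""
    findings = []
    for system, users in entitlements.items():
        allowed = policy.get(system, set())
        for user in sorted(users):
            if not groups.get(user, set()) & allowed:
                findings.append((system, user))
    return findings

def transaction_report(log):
    """Transparency: for each transaction, who created it and who approved it."""
    report = defaultdict(lambda: {"create": set(), "approve": set()})
    for event in log:
        report[event["txn"]].setdefault(event["action"], set()).add(event["user"])
    return dict(report)

def sod_violations(log):
    """Separation of duties: the same user both created and approved a transaction."""
    return sorted(
        (txn, user)
        for txn, roles in transaction_report(log).items()
        for user in roles["create"] & roles["approve"]
    )

if __name__ == "__main__":
    print("Excess access:", excess_access(ENTITLEMENTS, ACCESS_POLICY, GROUPS))
    print("SoD violations:", sod_violations(AUDIT_LOG))
    for txn, roles in sorted(transaction_report(AUDIT_LOG).items()):
        print(txn, "created by", sorted(roles["create"]),
              "approved by", sorted(roles["approve"]))
```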
There have been user provisioning systems and technology solutions available for 8-9 years, "but organizations have found the projects to be rather complex, and it takes some time to get it right," he notes.
IAM in the Mid-Market
Looking at the smaller institutions, Webster notes that those of $5 billion and smaller obviously have less money to spend on an IAM project than larger organizations. "They will be more conservative in their choices of technology and timeframe for doing an IAM project. Some of them are at very early stages, but some have made significant steps."
Institutions outside the top banks that are just starting to look at IAM aren't alone by any means, he says. There is a lot of IAM technology in place already in every organization. Most are working off a centralized directory and Active Directory. Many are tied into Active Directory groups, for email and other large applications.
"What they have is something that has grown organically, and meets 60 to 70 percent of their needs, but they need to create a plan and architecture and begin adopting to it," Webster says. Institutions aren't being lax. On average they have at least some of an infrastructure in place, even before they start. They need to think about what their needs are, and what policies and procedures need to be in place, Webster advises. "Only after that should they begin real technology upgrades," he concludes.