When it comes to cybersecurity, different industry segments often have different requirements. One of the main reasons for this is regulatory compliance. Regulations in the U.S. such as PCI (for retail and more), HIPAA (for healthcare), FISMA (for federal government) and SOX (for publicly traded companies) tend to have a big influence on how security is done in each of those sectors. Such laws can also have an impact on how compliance is viewed by companies within those sectors—our research has shown that companies that face strict compliance mandates tend to have a rosier view towards the effectiveness of compliance mandates at improving overall security. It’s also a big reason why publicly traded cybersecurity vendors tend to generate a disproportionate share of their revenues from the most regulated sectors: financial services, healthcare, retail and government.
“That’s Where the Money Is”
But there are other reasons why security needs can differ among verticals aside from compliance. Many of the same verticals also happen to be subject to the most attacks, and for good reason: most of them are juicy targets, chock full of valuable data. Financial services firms specifically are a big target for attackers, in part because—as Willie Sutton was famously misquoted—“That’s where the money is.”
Financial Services Face Privacy, Complexity Challenges
But aside from being targets, most financial services firms deal with issues that other industries don’t always have to deal with. For example, latency can be a big issue, particularly for trading applications. Privacy is another big issue for financial services firms, especially those involved in M&A. Financial services firms also tend to have highly distributed networks with extensive branch offices across many states.
Chained to On-Premises Resources: One Foot in the Future, One Stuck in the Past?
While many financial services firms are rapidly adopting the cloud, many are also dealing with extensive legacy resources such as trading applications or client-facing applications that were built years ago and are unlikely candidates for cloud migration. Regulatory requirements are just one reason why it’s impractical to move certain resources off premises, such as user directories. The result is that most financial services firms are operating in a hybrid environment, and will be for the foreseeable future.
What does this mean? Well, it means that any identity-related initiatives must be able to account for both on-prem resources as well as those in the cloud, ideally do so with a common management interface to help reduce “console fatigue” and use a consistent set of policies that function across both on-prem and off-prem assets.
Diverse User Populations
Banks also need to deal with a diverse set of end users. In addition to traditional employees, banks are often heavy users of contract employers, outsourcers and partners that may include independent agents that are not part of existing HR systems or enterprise directories.
Consumers Have Special Requirements
Banks also typically have customer-facing applications that require access controls and face a different set of needs and requirements. For example, consumers often have different expectations regarding the user experience since they can freely click to a competitor’s website. Consumers can also be unpredictable, so any identity and access management (IAM) solution must be scalable on demand. And consumer-facing identity systems have to handle user volumes that are often orders of magnitude larger than a typical enterprise IAM deployment—while a large bank might have 250,000 employees, a consumer-facing application for wealth management might attract potentially millions of users.
Many banks are creating custom applications that run in a public or private cloud, so an identity management solution would ideally make it easy for application developers to integrate features such as multi-factor authentication or single sign-on (SSO). Fraud is a growing issue for many banks, so a modern IAM solution would also ideally have some mechanisms in place to help identify and control losses from fraud.
High Standards for Financial-Grade IAM
In short, a modern bank often faces a range of application types and deployment methods as well as a continuum of constituent users with a wide range of access control needs. IDaaS solutions built specifically for internal employees often can’t support the scale, use case flexibility or on-prem integrations required for enterprise customer IAM deployments. Thus an identity management solution should ideally be broad enough to support each of these needs and be extensible to adapt to new requirements as they emerge, with a single view that allows for centralized management. Lastly, most financial services firms require a platform that will enable them to continue to leverage existing on-prem resources, while at the same time allowing them to migrate to the cloud at their own pace without undergoing “forklift” upgrades that can be disruptive to both internal staff as well as customers.
Read the white paper to learn more about how identity and access management can address some of the biggest challenges faced by financial services firms.