This article comes to us courtesy of Dean Wiech, Managing Director at identity governance and administration solution provider Tools4Ever. He gives us his insight into password management in the financial industry:
Throughout my 18-year tenure in the Identity Governance and Administration industry, I have had many conversations with IT leaders in the financial industry regarding the challenges they face; namely in relation to security and compliance.
The need to manage user accounts, multiple sets of credentials, complexity requirements, identity verification and help desk calls (such as password resets), and to ensure employees have the right access to data, can be very overwhelming. That, coupled with meeting compliance for audits and regulatory standards such as SOX and PCI, can require a huge amount of resources when approached manually, and leaves room for human error. Automated solutions used to be within reach only of enterprise-level financial institutions; however, with the recent saturation of the IGA market, prices have been driven down and these tools are affordable for financial institutions of all sizes.
So where do you begin? What do you prioritize? I always recommend starting with passwords. Through years of research, I have found that users have on average 17 passwords to different applications and systems. How efficient would it be if your end users only had a single password to remember and manage for their critical business applications?
With a password synchronization solution, one password securely manages all of the critical business systems and applications your end users need to access. When an end user resets their Active Directory password, the solution ensures that all connected applications receive the new password in real time. The result is that end users only need to remember one password for all applications and never have to worry about updating their password in multiple systems. Simplicity is key, and what is simpler than managing a single password?
Now that we’re down to one password, let’s simplify what happens when we forget it. Helpdesks are often overwhelmed with mundane password resets. This takes time away from your technical staff that could be used on more important projects, not to mention the unproductive downtime users face while waiting for a password to be reset. This can be particularly frustrating for mobile or off-peak workers, who may need resets outside of normal helpdesk hours (Monday – Friday, 9am to 5pm). Implementing self-service password reset ensures compliance and maximum productivity; best of all, it can be up and running in your environment in a matter of hours.
You can add multi-factor authentication to ensure the self-service password reset solution is secure and verifies the identity of the user requesting the reset. Identity in a system can be many things, but generally it is the username or login name. The identity is not meant to be secret or hidden in any way, but the authenticator (authentication factor) is. In the most basic case this secret authenticator is “something the user knows” – a password. The system accepts the credentials (provided they are correct), and the user is given access.
This is a good first step to securing a system, but as we’ve seen over the years, passwords are easily gained by others. In addition to the identity and password, another factor must be provided to the system to gain access. This additional factor is generally “something the user has”, or “something the user is”. Some examples of these factors are:
- Something the user has – a smart card, a PIN sent to a mobile device
- Something the user is – fingerprint, facial recognition
Adding a smart card, PIN, or biometric factor can greatly increase security over the username and password alone, which can easily be obtained through breaches or even simple social engineering. Advanced authentication helps to prevent a malicious party from spoofing the identity of a valid user to gain access to the system.
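The two mechanisms described above, a self-service reset gated by a possession factor and password synchronization to every connected system, can be illustrated together. The following Python is an added example written for this article; it is not code from Tools4Ever or from any product mentioned here. It assumes a constructed user "jdoe" enrolled with a constructed phone number, simulates the SMS gateway with an in-memory outbox, and uses a pluggable clock so expiry can be exercised. The username (identity) is public and is never the secret; the one-time code delivered to the enrolled device is the authenticator, and because a six-digit code is low entropy, the time limit, single use and attempt cap are what make it safe to rely on.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # a reset code is valid for five minutes
MAX_OTP_ATTEMPTS = 5       # then the pending reset is discarded


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash; each connected system keeps its own salt and digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class ConnectedSystem:
    """Stand-in (constructed) for a directory or application that receives synchronized passwords."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.credentials: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, username: str, new_password: str) -> None:
        self.credentials[username] = hash_password(new_password)

    def check_password(self, username: str, password: str) -> bool:
        if username not in self.credentials:
            return False
        salt, stored = self.credentials[username]
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored, candidate)


class SelfServiceReset:
    """Self-service password reset: identity is public, the code sent to the enrolled device is the secret."""

    def __init__(self, systems: List[ConnectedSystem], now: Callable[[], float] = time.time) -> None:
        self.systems = list(systems)
        self.now = now
        self.pending: Dict[str, dict] = {}            # username -> {"code_hash", "expires", "attempts"}
        self.enrolled_devices: Dict[str, str] = {}    # username -> phone number (constructed sample data)
        self.outbox: List[Tuple[str, str]] = []       # simulated SMS gateway: (phone, message)

    def enroll(self, username: str, phone: str) -> None:
        self.enrolled_devices[username] = phone

    def request_reset(self, username: str) -> None:
        # Respond identically whether or not the user exists, so this endpoint cannot enumerate accounts.
        phone = self.enrolled_devices.get(username)
        if phone is None:
            return
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[username] = {
            "code_hash": hashlib.sha256(code.encode()).digest(),   # never store the code itself
            "expires": self.now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((phone, f"Your password reset code is {code}"))

    def complete_reset(self, username: str, code: str, new_password: str) -> bool:
        entry = self.pending.get(username)
        if entry is None or self.now() > entry["expires"]:
            self.pending.pop(username, None)          # expired codes are discarded, not retried
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_OTP_ATTEMPTS:
            self.pending.pop(username, None)          # too many guesses: the user must start over
            return False
        candidate = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(candidate, entry["code_hash"]):   # constant-time comparison
            return False
        self.pending.pop(username)                    # a code is single-use
        for system in self.systems:                   # password synchronization to every connected system
            system.set_password(username, new_password)
        return True


if __name__ == "__main__":
    directory = ConnectedSystem("Active Directory")
    app = ConnectedSystem("core banking application")
    service = SelfServiceReset([directory, app])
    service.enroll("jdoe", "+1-555-0100")            # constructed user and phone number
    service.request_reset("jdoe")
    delivered_code = service.outbox[-1][1].split()[-1]
    print("reset accepted:", service.complete_reset("jdoe", delivered_code, "Correct-Horse-9"))
    print("directory login:", directory.check_password("jdoe", "Correct-Horse-9"))
    print("application login:", app.check_password("jdoe", "Correct-Horse-9"))
```

In a real deployment the outbox would be an SMS or push-notification provider and the connected systems would be directory and application connectors; the control points to keep are the same: the identity is not treated as proof, the code is hashed at rest, compared in constant time, expires, is single-use and is rate-limited, and the new password is pushed to every system in one step so the user never has stale credentials in one of them.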
We have seen many high-profile data breaches in recent years at companies such as Yahoo, eBay, Equifax, Target and many more. These breaches have opened our eyes to just how fragile the security infrastructure of the internet can be. This is why proactive measures need to be taken against threats.
If you are a financial industry institution looking to meet compliance and regulations affordably and easily, consider password synchronization, self-service password reset and multi-factor authentication.
Thanks again to Dean Wiech of Tools4Ever for his contribution!