U.S. banks already must satisfy numerous regulatory requirements around the privacy and security of customers' data, and that is only bound to increase when the European Union's General Data Protection Regulation takes effect May 25.
These regulations are in place for good reasons. Banks are the guardians of their customers' sensitive financial data, and they are the institutions that stand between their customers and cybercriminals who want to steal that data to make a profit.
A key element of any bank's strategy to protect customer data is privileged access management, or PAM, which gives banks' administrators centralized authentication and access control points in the IT environment. Privileged access helps mitigate the effects of breaches and can even help banks recover from insider attacks.
What Is Privileged Access Management?
Fundamentally, banks should operate on the principle of least privilege, meaning they should limit access rights for users to the bare minimum of permissions they need to do their jobs effectively. A privileged user is someone who has administrative access to critical systems. PAM monitors and controls that access.
PAM solutions include several critical elements, including single sign-on, multifactor authentication, password management and provisioning, and maintenance of a privileged identity.
PAM allows banks to reduce the risk of security breaches by minimizing the attack surface. PAM solutions let banks consolidate users' identities, deliver cross-platform, least-privilege access and control shared accounts, all while securing remote access and auditing all privileged sessions, identity and access management (IAM) provider Centrify notes on its website.
The Benefits of Privileged Access Management
How does that work on the ground at a bank? Essentially, PAM allows banks to create security zones that can shut down attacks.
Steve McCullar, an adviser for CA Technologies' PAM solutions, told BankInfoSecurity in 2017 that nearly 6 trillion records have been compromised by breaches since 2013, and said there is a pattern. Often, privilege escalation — an intrusion that takes advantage of bugs to give the attacker elevated access to the network and its associated data and applications — is not discussed.
The breach investigation's focus is often on the malware that an attacker used to gain access to a low-level employees' account and credentials, McCullar said. "But it was the step up to a high level of privilege that actually allowed them to bypass your security controls and take over your environment," he said.
With PAM, banks can institute security zones that limit how much access a person has between different areas or systems, Brian Krause, Centrify's director of North America channels, said in a 2016 blog post. By using PAM and limiting a privileged user's access, even if a cyberattacker gains entry into a bank's systems via stolen credentials, they will only have a limited set of commands to execute. "Like breaking into the lobby or a single safe deposit box; there is not a ton of value," he says.
PAM also helps speed up the investigation and remediation of insider attacks because it "provides access control, session recording and auditing to prevent security breaches and speed up forensics investigations," Banking Technology notes.
PAM can help banks improve their security and their bottom line. A case study from IAM provider OneLogin found that private German bank BHF-BANK was able to centralize "the identity service for managing user identities and access rights for several thousand internal and external users."
Using OneLogin's technology, the bank has been able to provision users or systems up to 40 percent faster and cut access management time by around 20 hours per week.
As banks consider their portfolio of security solutions, privileged access management should be at the top of the list.