Jun 26 2024

What Is Privileged Access Management in Financial Services?

To avoid phishing attacks and data breaches, institutions such as banks and payment card providers should use PAM to carefully monitor who has access to accounts and when.

Privileged access management is an essential tool for controlling network access to valuable resources, particularly in the financial services industry.

“Financial services is obviously a pretty juicy target for hackers because of not only the monetary assets themselves but also the amount of sensitive user information and data,” says Geoff Cairns, principal analyst at Forrester.

The use of stolen credentials is among the dominant causes of system intrusions, according to Verizon’s 2024 Data Breach Investigations Report. The report finds that 22 percent of data breaches in the finance and insurance sector in the past year involved compromised credentials, and 27 percent of breaches affected bank data. Meanwhile, the X-Force Threat Intelligence Index 2024 by IBM reveals a 71 percent year-over-year increase in the number of attacks that used valid credentials.

LEARN MORE: Join CDW’s Larry Burke for a live webinar about the new NYDFS regulations and how to stay compliant.

Privileged access management is an identity security solution that keeps organizations secure by “monitoring, detecting, and preventing unauthorized privileged access to critical resources,” as Microsoft explains. PAM limits the number of users who can access administrative functions.

Financial services organizations are confronted by a sprawling — and growing — set of regulatory burdens designed to protect consumers from cybersecurity risk. For example, the New York Department of Financial Services in November introduced revised regulations calling for stricter cybersecurity controls for financial services companies.

PAM is a critical tool for financial services companies striving to maintain compliance with such regulations.

“It’s basically the ability to define fine-grained controls for access management,” says Jay Bretzmann, research vice president for identity and digital trust and cloud security at IDC. As part of these controls, some users in financial services organizations may have access to data without the ability to change it.

Click the banner to learn how to overcome budget hurdles to zero trust success.


How Privileged Access Management Works

PAM also consists of “authorization to use certain applications and to look at certain data sets,” Bretzmann adds.

“It’s always great to have some PAM data in your back pocket,” he says. “If you don’t, people would spend months trying to satisfy the requirements of an audit.”

The first people to receive privileged access were IT administrators in the days before security teams, Bretzmann says. Then admin people who needed access to the general ledger in financial services would receive it. Organizations would have to monitor this access to ensure that employees didn’t alter transactions or issue unauthorized payments, he says.

Bretzmann credits CyberArk with inventing PAM. The company’s Privileged Access Manager secures privileged identities using a tamper-resistant repository. It also maintains a full centralized audit and authenticates users on a single web portal without a VPN.

Cybercriminals can undermine multifactor authentication by using social engineering tactics to prompt users for access to accounts using push notifications. However, authentication apps have improved to be able to withstand such attacks, Cairns says.

“That’s now somewhat overcome by the number-matching capability with those push notification authentication methods,” he says.


The share of data breaches in the finance and insurance sector in the past year that involved compromised credentials

Source: Verizon, "2024 Data Breach Investigations Report," May 1, 2024

Why PAM Is Important to Financial Services

The lack of an effective PAM strategy puts customers in danger, particularly for businesses such as banks, mortgage services and payment card services.

Remote call centers for financial services apply PAM to safely access customer accounts, Cairns explains. PAM provides visibility into who is accessing the accounts.

A strategy that financial services institutions can take with PAM is to apply a “just in time,” approach, Cairns says. That means an organization provides access privileges only during the time that they would be necessary.

“With a time-bound task, you would have a window of opportunity to perform the task within a certain period,” Cairns says. In financial services, such tasks could be an overnight change activity during a maintenance window or the preapproval of a transaction at a certain time.

“There would be a workflow built into the PAM system to trigger the right approval levels to get that access,” Cairns explains.

Click the banner below to learn why cyber resilience improves threat defenses.


How Can Financial Services Evaluate the Effectiveness of Their PAM Approach?

Financial services can use metrics to assess how many privileged accounts have assigned owners, according to Cairns.

“If you have a lot of privileged accounts without any ownership assigned, that’s a signal that things are astray,” he says.

Organizations such as financial services can evaluate the effectiveness of their PAM approach by monitoring compliance with rules and regulations. That involves a board of directors exercising oversight of cybersecurity risk management, says Larry Burke, principal and vice president of CDW’s Global Security Strategy Office.

DIG DEEPER: Why cybersecurity risks are more expensive for financial services.

“Part of that monitoring process is to have management report to the board and say, ‘Here’s what we’re doing. If we have gaps, here’s how we’re going to fix it,’” Burke says. “And now you start to establish accountability, because if the board doesn’t follow up on these things, it can be subject to not only civil liability from the regulators but also civil liability from shareholders.”

Financial services organizations can evaluate PAM effectiveness by considering whether they passed their audit. Organizations should also consider whether they have given the right people access to the right data and can prove it, Bretzmann says.

“Don’t just allow credentials to exist perpetually,” he says.

getty images/dem10

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.