Enabling new services and efficiently balancing risks in the financial services industry

Webinar: Enabling new services and efficiently balancing risks in the financial services industry © 2013 Axiomatics AB

Uploaded by axiomatics-ab, posted 20-Jun-2015. Category: Technology

DESCRIPTION

YouTube recording: http://www.youtube.com/watch?v=BS2n3A3B4lQ

If IT empowers users to take on risks beyond corporate policy limits, the bank may have to pick up the bill. This is the reason multi-factor authorization is becoming increasingly popular in the financial services industries. It enables deployment of new services subject to strict enforcement of corporate policies. If you can define exactly who is authorized to do what, why, where, when, and how, your risk assessments can have an immediate impact on access control.

Based on customer experiences, we discuss business values achieved from externalizing authorization in the financial industries. Enabling more precise control over financial transactions in trading applications or consolidating and streamlining controls across multiple channels: the use cases differ, but externalized authorization is the common denominator.

The webinar covers topics such as:

Drivers for externalized authorization

Experiences of customers

Benefits achieved

TRANSCRIPT

Page 1

Webinar: Enabling new services and efficiently balancing risks in the financial services industry

© 2013 Axiomatics AB

Page 2

Webinar: Enabling new services and efficiently balancing risks in the financial services industry

This webinar will start in: (countdown timer)

Page 3

Guidelines

You are muted centrally

The webinar is recorded

Slides available for download

Q&A at the end

Page 4

Presenter: Gerry Gebel, President, Axiomatics America

Page 5

Twitter: @axiomatics, #XACML

Page 6

Agenda

Externalized Authorization – overview

Security and compliance requirements evolving

Complex authorization requirements

“Internal controls” with a new meaning – avoiding penalties

New models for mature risk management and governance

Examples: Simplifying complex infrastructures

Maintaining existing applications drives up costs

Managing access across multiple channels

One application version per region vs. external policy definition

Conclusions – business values in the financial services

New opportunities, security/compliance, cost reductions

Page 7

Externalized authorization: basic concepts

Page 8

Axiomatics solution benefits

Secure access to sensitive information without sacrificing business agility

Execute business transactions with risk-aware controls

Provide accurate identity authorization governance

Enable secure information sharing across your value chain

Improve regulatory compliance readiness

Facilitate efficient software development

Page 9

Axiomatics technology solutions – issues addressed

Who? What? Where? When? How? Why?

Page 10

Axiomatics technology solutions – what we do

Who? What? Where? When? How? Why?

Authorization for applications: Axiomatics Policy Server (APS)

Authorization for data storage: Axiomatics Data Access Filter (ADAF)

Page 11

Policy enforcement in complex infrastructures

External parties: Partners (supply-chain), Assisted (Branch Agent), End-user self service

External providers: Visa, MasterCard, State agencies

Internal users: Business units

Connected systems: Business intelligence, Content management, Databases

Integration: ETL – Data virtualization, Bus – Gateway – Bus, Transaction processing

Page 12

Industry trend toward externalized authorization

“By 2020, 70% of organizations will be implementing ABAC for authorization” – Felix Gaehtgens, Gartner, November 2013

Page 13

Internal controls changing: evolving security and compliance requirements

Page 14

Risk of business loss and cost of penalties

Page 15

Observed Developments in the Last 25 Years...

Standard 2110: Governance

Standard 2120: Risk

Standard 2130: Control process

NYSE Listing Rules 2003: Internal audit requirements

Sarbanes Oxley

Audit efficiency: re-performance

New focus on control frameworks: COSO Internal Control – Integrated Framework

New focus on controls in operations for ongoing compliance & internal control over financial reporting

New focus on risk and governance

New compliance pressures: avoiding severe penalties

EU Data Protection Regulation and Directive 2014: severe fines, the right to be forgotten, notification mandates, audits

Page 16

Conventional authorization management

User-centric

Coarse-grained

Bureaucratic

Inefficient identity authorization governance

Page 17

Policies reflect different domains / concerns

Regulatory compliance

Risk mitigation

Business process-specific or application-specific concerns

Combined they entail a 360° view

Policies for different domains of concerns

Legal requirements / Third-party obligations: Policies matching regulations / contractual obligations

Risks: Risk mitigating policies

Application-specific concerns: Application controls

Page 18

From reactive to pro-active risk management

Authorization embedded in risk-management

Page 19

Three lines of defense model

Policy Enforcement

Policy Management

Policy Analysis

Page 20

Examples

• Designing applications for risk-awareness and change

• Simplifying complex infrastructures

Page 21

Why externalize authorization – answers from a bank

Page 22

Why externalize – Forrester/Microsoft study

Compliance with complex policy provisions urgent

Access policies change after software was deployed – hard coding authorization is not acceptable

Page 23

Multiple application versions drive up costs

Current situation

Access controls are hard coded in the application

Multiple versions of an application must be deployed per region

Results

Drives up operational costs

Slow to implement changes

Lack of consistency in access control

Goal state

Manage access policies centrally

Deploy one version of the application

Page 24

Privacy concerns take center stage

“Brussels, 25 January 2012 – The European Commission has today proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy.”

New Regulation (replacing Directive 95/46/EC): “General Data Protection Regulation”

New Directive (replacing Framework Decision 2008/977/JHA)

Page 25

Banks grant access via multiple channels

Branch Backend Layer: Treasury, Lending, Card mgmt, Finance/Trade, Corporate, Trading, Retail

Page 26

The multi-channel challenge

Channels: Mobile, Tablet, PC, POS, Internet, Kiosk, ATM

Multi-channel services layers: Centralized Policy Enforcement

Enterprise Service Bus layer

Branch Backend Layer: Treasury, Lending, Card mgmt, Finance/Trade, Corporate, Trading, Retail

Page 27

BYOD and Mobile Banking

Banks want the flexibility to:

Change application flows according to device type and access channel

Distinguish between registered and unmanaged devices

Incorporate risk analytics in proactive, instead of reactive, mode

Utilize device type, user behavior and other risk scores during the authorization process
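The decision this slide describes (device type, registered vs. unmanaged device, and a risk score consulted at authorization time), together with the "one application version, policy per region" goal from the multiple-application-versions slide, as an added example that is not Axiomatics code or a real XACML engine: a toy externalized policy decision point with deny-overrides combining. Attribute names, the risk threshold and the regional limits are assumed.

```python
# Added example, not Axiomatics code: a toy externalized policy decision point (PDP).
# Attribute names, the risk threshold and the regional limits are assumed values.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]

@dataclass
class Rule:
    name: str
    effect: str                       # "Permit" or "Deny"
    applies: Callable[[Attrs], bool]  # target and condition over request attributes

# Region limits are policy data, so one application build serves every region.
REGIONAL_LIMIT = {"EU": 10_000, "US": 25_000}  # assumed values, per transaction

# The policy lives outside the application; changing it is a policy edit, not a release.
POLICY: List[Rule] = [
    # Unregistered (unmanaged) devices may view but never move money.
    Rule("deny-unmanaged-transfer", "Deny",
         lambda a: a["action"] == "transfer" and not a["device_registered"]),
    # A risk score from analytics is consulted at authorization time, not after the fact.
    Rule("deny-high-risk", "Deny", lambda a: a["risk_score"] >= 70),
    # Per-region amount limit expressed as an attribute comparison, not a code branch.
    Rule("deny-over-regional-limit", "Deny",
         lambda a: a["action"] == "transfer"
         and a["amount"] > REGIONAL_LIMIT.get(a["region"], 0)),
    Rule("permit-view", "Permit", lambda a: a["action"] == "view"),
    Rule("permit-customer-transfer", "Permit",
         lambda a: a["action"] == "transfer" and a["role"] == "customer"),
]

def decide(request: Attrs) -> Tuple[str, List[str]]:
    """Deny-overrides combining: any matching Deny wins, otherwise a matching Permit,
    otherwise NotApplicable. The matched rule names are returned for the audit log."""
    matched = [r for r in POLICY if r.applies(request)]
    names = [r.name for r in matched]
    if any(r.effect == "Deny" for r in matched):
        return "Deny", names
    if matched:
        return "Permit", names
    return "NotApplicable", names

if __name__ == "__main__":
    # Constructed request: a registered mobile customer moving 5,000 in the EU.
    req = {"role": "customer", "action": "transfer", "amount": 5_000, "region": "EU",
           "channel": "mobile", "device_registered": True, "risk_score": 12}
    print(decide(req))  # ('Permit', ['permit-customer-transfer'])
```

The enforcement point in the application should treat NotApplicable as a denial and log the returned rule names so that every decision can be re-performed during audit.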

Page 28

Conclusions

Page 29

Questions?

Contact us at [email protected]