Earlier this year, former UBS PaineWebber systems administrator Roger Duronio was found guilty of infecting the company's network with malicious code that cost the firm millions of dollars. His conviction does little to calm the nerves of the financial services community, but recent research from RSA Security indicates that a rising number of Wall Street firms are addressing the vulnerabilities of their IT systems by looking to create best practices around identity and password management procedures. Though UBS did have security measures in place at the time, experts say it is possible that a more stringent password and ID management policy could have helped the firm avert the incident.
But employing effective security measures while continuing to provide systems access to employees, customers and partners remains a challenge. "Financial services companies have to struggle with doing business over the Internet while running under the assumption that their systems are compromised," says Johnathan Penn, principal analyst, identity and security, Forrester Research. "That's a tough thing to do. They are beginning to realize they need more than just password protection."
Understanding Access Rights
Because users need access to multiple areas, both internal and external, ID management becomes difficult to track. "Organizations need to understand who has access to what," says Penn. "Having a sense of identity is an important aspect to protecting customer and corporate data and audit requirements."
Service provisioning -- managing the process of user administration -- is gaining more attention as financial services firms reexamine access rights to sensitive data. A vast majority of users, especially in the financial services community, have access to data and accounts they simply do not need, asserts Penn. "On a quarterly basis, managers can sign off on the type of privileges that their direct reports have to determine if they still need all of those privileges," he suggests.