[blogger: Trent Henry]
In identity management, there’s considerable discussion about understanding organizational roles and how toxic combinations of user access can result in fraudulent activity.
At Burton Group’s Catalyst Conference today, UBS’s Mark Swift described this as a “classic” approach to examining security and said it wasn’t adequate for his organization. Mark said, “What we thought of as roles would actually not help us” in the fight against fraud (no small issue in today’s financial-services environment).
Why not?
Several reasons.
Although UBS initially created functional job descriptions and mappings of user activities, they found that these weren’t sufficiently granular and missed important details because of the top-down approach. Instead, they needed a bottom-up approach that focused on data and business process.
Here’s an example challenge: Switzerland has a multiple-hundred-year-old rule mandating that if a party has entered into a contractual relationship, their identity can’t be revealed. Typically in an enterprise, “account representatives” (as a role) would be granted fairly liberal access to a customer record. But for Swiss clients, even an account representative can’t be allowed to see such information, so a role-based model won’t be granular enough to properly enforce policy. This is what Mark described as “jurisdictional data protection,” and it requires a new process:
- Map out data (Ask: what information and attributes do applications care about?)
- Determine what actions must be performed on this data to carry out business processes
- Analyze what conflicts in data processing can cause harm (or lead to fraud) [For example, read/write access to data that allows both booking a financial trade and settling/reconciling the trade]
- Create a heat map that provides an at-a-glance assessment of where data, applications, and user access allow for potentially fraudulent activity
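The four steps above can be made concrete as a small data-centric conflict check. The following is an added illustration, not code from the post or from UBS: the data objects, application actions, user rights, conflict pairs (booking vs. settling/reconciling a trade) and the Swiss identity restriction are all constructed sample values.

```python
from itertools import combinations

# Step 1: data objects applications care about (constructed sample).
DATA_OBJECTS = {"trade": {"jurisdiction": "global"},
                "swiss_client_record": {"jurisdiction": "CH"}}
# Step 2: actions each application performs on that data, mapped bottom-up.
APP_ACTIONS = {
    "booking_app": {("book", "trade")},
    "settlement_app": {("settle", "trade"), ("reconcile", "trade")},
    "crm": {("read_identity", "swiss_client_record")},
}
# Step 3: action pairs on the same data object that are toxic when one
# person holds both (book + settle, book + reconcile).
CONFLICTS = {frozenset({"book", "settle"}), frozenset({"book", "reconcile"})}
# Jurisdictional data protection: (action, data) no role may be granted.
PROTECTED = {("read_identity", "swiss_client_record")}
# User rights expressed as application access (constructed sample users).
USER_RIGHTS = {"alice": {"booking_app", "settlement_app"},
               "bob": {"booking_app"},
               "carol": {"crm", "settlement_app"}}

def user_actions(user):
    """Flatten a user's application rights into (action, data) pairs."""
    return {pair for app in USER_RIGHTS.get(user, ()) for pair in APP_ACTIONS[app]}

def sod_violations(user):
    """Conflicting action pairs one user holds on the same data object."""
    by_data = {}
    for action, data in user_actions(user):
        by_data.setdefault(data, set()).add(action)
    found = set()
    for data, actions in by_data.items():
        for a, b in combinations(sorted(actions), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.add((data, a, b))
    return found

def jurisdiction_violations(user):
    """Protected (action, data) pairs the user can reach through any app."""
    return user_actions(user) & PROTECTED

def heat_map():
    """Step 4: per data object, how many users hold a flagged combination."""
    heat = {data: 0 for data in DATA_OBJECTS}
    for user in USER_RIGHTS:
        flagged = {d for d, _, _ in sod_violations(user)}
        flagged |= {d for _, d in jurisdiction_violations(user)}
        for data in flagged:
            heat[data] += 1
    return heat
```

Running `heat_map()` on the sample yields one flagged user per data object, which is the at-a-glance view the heat map step asks for; real application rights are dynamic, so the action mapping would need to be refreshed from the applications rather than kept static as here.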
This is not a simple task. Mark commented, “Application rights for anything other than trivial systems are complex and are often dynamic depending on application-side rules.” This means that security and risk management teams must have deep understanding (or engage with business leaders who have such understanding) of application processes.
Here’s a challenge that comes to mind for me…
It seems there’s a fundamental economic problem for security teams in financial services. Nick Leeson implied this in his talk as well. In order to prevent fraud, management and security/audit oversight teams must have a deep understanding of business processes (and, in trading, of financial instruments) to determine when bad things can happen. The problem is that once someone has obtained this level of understanding, they are well positioned to serve as a trader rather than as a risk manager. And there's a strong economic pull to go in that direction rather than to remain in security.
So data-centric security is powerful and important, and leads to much better understanding of business process. But will that have an adverse impact on retaining knowledgeable risk professionals? Let's hope not, because I think data-centric approaches are the road ahead.
