February 01, 2007

Perhaps nowhere in the banking technology space is change occurring more rapidly than in the area of information security. Several overarching trends will shape the landscape in 2007.

Identity and Access Management

Identity and access management (IAM) is becoming increasingly important, particularly within the banking industry because of regulatory compliance requirements. Sarbanes-Oxley has led many organizations to deploy IAM to allow better accountability and control over their financial systems. They also have looked to these solutions to centralize management and reporting, and provide more-consistent access control to systems and applications across the enterprise.

Security Comes Out of the Shadows

No longer are product managers of online banking services concerned that raising security as an issue will dampen acceptance of the electronic channel. An increasingly security-aware user community, highly publicized incidents of disclosure of personal information and regulatory pressure have combined to catalyze a fundamental change -- users are comforted by well-integrated security measures.

Standards-Based Security Assessments

Today, many organizations are interested in demonstrating due diligence in the security realm. Instead of one-time exhaustive testing, they embrace ongoing, periodic independent assessments and audits that are standards-based.

FFIEC Guidance

Though the deadline for substantial compliance was Dec. 31, 2006, the banking industry will continue to deal with the ripples of the FFIEC's guidance throughout 2007. Fortunately, the FFIEC's guidance allows each bank to ground its authentication decisions within its own overall information security framework and allows the selection of authentication methods to vary with relevant business risk. The guidance also addresses the importance of customer security awareness -- many banks still have a long way to go in rolling out customer security awareness programs.

Stricter Management of Service Providers

FFIEC regulations and other security guidelines spell out the need for understanding and taking responsibility for the security practices of service providers with access to customer data. Banks must have a program in place to assess the risk of compromise of the information provided to their service providers, evaluate the adequacy of their security practices and monitor their performance.

Tech to Watch: SOA

The promise of reduced development costs and faster time to market through code reuse makes deployment of service-oriented architecture (SOA) technology inevitable in the banking industry. Securing SOA environments is going to be a long-term challenge, and it is important to create a governance structure up front. There are big issues that need to be resolved, including data confidentiality when data is communicated among services and stored within a service, how services authenticate one another, and whether it is important to track various services' changes to transactions as they flow through a system that has no defined beginning or end.