May 23, 2011

The financial services global industry has been the leading consumer of identity management technology for decades, investing in 2011 more than $1.0 billion on the software, hardware, and services necessary to identify employees, customers, and partners electronically, and provide on-demand, on-device access to digital information and transactions, and protect customer interactions. But we could be at a point where the industry re-evaluates its role in the identity supply chain. Changing user demographics, the tremendous growth in digital data, the pervasiveness of mobile devices and applications, the increased sophistication of cyber-threats, regulatory pressures and the expanded use of cloud suggest we may be at the tipping point where traditional identity providers consider a wholesale re-architecture of current practices and prepare for a future where they can better manage identity management obligations and the increasing cost and the risks linked to electronic access to financial services.

For years, financial institutions have been required by both regulation and best practice, to offer clients multifactor and multilayered authentication for access to their Internet banking functions. FFIEC guidance requires U.S. banks to use multifactor authentication to confirm identifies of consumers and commercial customers engaged in online banking activities. This guidance expressly states that, although no particular technology solution is recommended, single-factor authentication by itself is insufficient. Prior to this guidance, it was typical for institutions to employ multifactor authentication for only their commercial and high-net-worth clients when they engaged in high-risk activities such as transaction initiation, while other customers simply used a single-factor authorization, most commonly, user ID and password.

But today, multiple layers and multiple factors are now a requirement to manage electronic identities. Along with these layers comes complexity and costs - multiple support infrastructures and systems, multiple vendor relationships, and multiple operational risks, and the related costs. Today, identity and access management represents as 30% or more of the total information security budget of a large institution, and there's nothing on the horizon that suggests the costs or risk will retreat any time in the future. The cost and risk impact on identity management strategies stemming from the industries response to recent large attacks on personal identity, including the RSA, Epsilon, and Sony breaches is not completely known, but could be significant over time.

Just the advent of cloud computing itself and the further expansion of new media and mobile everything underscores the need to rethink identity and access management and other obligations and capabilities in the use of technology to deliver financial services. According to recent IDC Financial Insights studies, CTOs, CIOs, and business executives now fully understand that virtualization and cloud computing represent the single-most-important re-design of the information infrastructure in the history of computing. Of course, however, the long term impact of this re-design in not yet completely understood, but the impacts of this trend will be seen over the next decade as these innovations begin to deliver almost everything IT as a service, including identity.

During this transformation, we believe that the financial industry should begin to transition their identity technologies and risk models from those that are based on the provisioning identities to those that can acquire, vet, risk score identities provided from customers, and to use these identities in business transactions. To do this, identity management capabilities will need to be re-architected, reintegrated, and delivered as a set of risk-aware services to customers, employees, and partners, enabling a better control of costs, greater connectivity and collaboration, and better protected and convenient user experience.