Identity and access management in the financial services sector in Germany

We are living in times where a majority of services is partly or completely provided digitally. The industry 4.0 holds a lot of advantages such as digitalization of our communication, services we use and logistics. However, it also holds a challenge for companies which have to fit in newly arising requirements going along with the usage of those new technologies. Companies from certain industries fall under legal regulations and have to enforce standards. If they fail to comply to those regulations, they risk to face substantial fines, sustained reputational damage as well as increased monitoring from auditors. Companies with critical infrastructure such as financial services provider (FSP) fall under the regulations of the BSI Act (BSIG). As of section 8 of the BSIG, operators of critical infrastructure have to regularly proof the compliance with the regulations considering the state of the art of technology.

With module “ORP.4 Identity and Access Management”, the BSI provides implementation guidelines and specifies requirements for operators of critical infrastructure such as FSPs.

Central points are:

• Transparency for approval and provisioning of accesses: processes have to be clearly defined, documented and actions have to be trackable
• Need-to-know/least privilege: accesses have to be restricted to a minimum of what is required to perform the job
• Admin and user roles should be segregated
• Risk management through segregation of duties
• Timely revocation of accesses which are no longer required
• Periodic recertification of accesses

To keep up with those requirements, it is highly recommended to develop an access concept and to implement an Identity and Access Management (IAM) tool.

Since the individual status-quo highly varies for each company, the first step should be an analysis of the existing IT infrastructure. It is commonly seen that FSPs already use a large variety of tools and processes which are often historically grown throughout different business areas. Due to the lack of connectors between tools and unaligned processes the workflows are often inefficient and require additional manual effort. This binds operational resources which could otherwise be assigned with analytical tasks or customer care to create value for the company.

A central IAM tool can help to streamline processes and can either be used as a replacement or in addition of existing tools. Most IAM tools already come with connectors for commonly used access control systems and databases. They can therefore be integrated into the existing IT infrastructure and allow to centralize access requests and to automate the provisioning of accesses. The reduction of manual involvement leads to cost benefits and minimizes human errors.

Another common pain point for FSPs is the timely access revocation for movers and leavers. Especially for companies with a big userbase and therefore a frequent fluctuation it is challenging to fulfil the strict regulatory requirements. Accesses for tool which aren’t in sync with a central directory (meta directory) have to be revoked manually. Process gaps are often only discovered in audits, lead to fines and put the company under pressure to resolve those issues.

With the use of an IAM tool not only the provisioning but also the revocation of accesses can be centralized and often be automated. Once the position of an employee in the HR database gets updated or the user leaves the company, the revocation process gets triggered and can be properly documented.

Practice has shown plenty of reasons to regularly analyze and question existing processes. However, it is essential for a successful transformation project to be initiated and actively supported by top management. The analysis, documentation and change of processes requires the collaboration of all impacted departments. Additional effort e.g. for attending meetings or providing documents has to be planned and directed by the managers. All involved parties should be absolutely clear about their responsibilities as well as the project target. Their contribution to the project should be considered in the individual goal settings to avoid a conflict of interests between personal and project goals.