So-called “FinTech” firms are shaking up the financial services industry. In the space of just over a decade, venture-funded start-ups with new approaches to old problems like credit and risk ratings, payments processing and accounting have transformed once-sleepy sectors like banking and insurance. But new companies like Stripe, Insurify, Wise, Robinhood, and others still have to play by the old rules, including established financial industry regulations for monitoring user entitlements and access.
The consequences of failure can be high. A ransomware attack on the financial services firm Finastra in March 2020 disrupted banking services in the U.S. as the company struggled to regain control of its IT infrastructure from the ransomware gang. Compromise of existing user accounts was a key part of the gang’s strategy for breaching the company and gaining control over critical IT assets, according to reports.
What should fintech start-ups know about the rules for managing user entitlements? Here are some key things to keep in mind.
If you are a startup operating in the financial services sector, including banking, investments, insurance, or payments, managing your user entitlements is a common theme of the regulations that govern your operations, including (in the U.S.) the Sarbanes-Oxley Act of 2002 (SOX) and the Gramm-Leach-Bliley Act (GLBA), as well as state laws like the California Consumer Privacy Act (CCPA) and the New York State Department of Financial Services (NYDFS) cybersecurity regulations. Fintech companies are also subject to standards defined by the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) and by the Office of the Comptroller of the Currency (OCC).
The requirements of these regulations are numerous and, at times, overlapping. The so-called Safeguards Rule component of GLBA, for example, asks organizations to monitor how users are provisioned and de-provisioned, ensuring that access to customer information is based on employees’ roles and responsibilities and that former employees no longer have access to sensitive financial information. Covered entities are required to use strong passwords and to cycle passwords frequently. NYDFS regulations also require covered entities, including FinTech firms, to create and maintain a cybersecurity program and policies, designate a chief information security officer (CISO), conduct penetration testing and vulnerability assessments, undertake cybersecurity training for personnel, secure sensitive data managed by third parties, and so on.
What’s more, these already stringent regulations governing financial services firms are likely to get tougher. The FTC in 2019, for example, proposed a raft of changes to the GLBA Safeguards Rule that would impose stricter cybersecurity requirements on GLBA-covered entities. Among those are changes that would require financial institutions to implement access controls on information systems and to implement policies and procedures “to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.” While these recommended changes have yet to become law, the epidemic of ransomware attacks affecting firms across industries – and the disruptions caused by those attacks – suggests that tougher federal cybersecurity regulations are in the offing.
For cloud-native fintech firms beholden to regulations like GLBA, NYDFS, CCPA and others, visibility is the biggest challenge. The mixture of cloud-based and on-premises systems that makes up most FinTech platforms can make tracking user access and entitlements across siloed platforms difficult.
Similarly, the heavy reliance on application programming interface (API)-based integrations to share data between partner firms, data aggregators and customers presents challenges in both monitoring and detection that could run afoul of regulations like GLBA, CCPA, NYDFS and others. The credit rating agency Experian, for example, exposed data on tens of millions of Americans through an insecure API, allowing anyone to use websites that incorporated the API to look up credit information on individuals with just a name and mailing address.
Most security monitoring products were designed for legacy IT environments. FinTech organizations, which endeavor to provide established services in a new way by leveraging modern IT platforms, need new tools to help them review and monitor user entitlements as well as the API-based integrations that increase their cyber risk.
For example, user access and permission data is frequently siloed within cloud-based applications, while FinTech firms almost certainly manage data and interactions across multiple cloud providers. That’s why the ability to aggregate permission data from multi-cloud environments as well as on-premises applications is key. FinTech firms need to understand and monitor data sharing between partner organizations as well as application-specific settings that may unknowingly violate data privacy and data security rules. Given the scale and complexity of FinTech firms’ operations, tools that automate permissions data monitoring are also key.
FinTech firms also need to scrutinize access permissions as they look for gaps in controls and configuration that may lead to compromises or violations of industry regulations. For example, as we’ve noted, security features like single sign-on and multi-factor authentication must be configured correctly for both the application and the identity provider to eliminate conflicts that can undermine access security. User access and entitlement management was already a complex undertaking in traditional IT environments. It is even more so in cloud environments, where hundreds of granular entitlements and chained abstractions such as nested group memberships or federated identities make manual monitoring nearly impossible: a user’s effective access is the union of everything granted directly to them and everything granted to each group reachable from them.
FinTech firms also need to closely monitor and manage API-based access to their platforms. APIs are critical to the success of FinTech and other cloud-native firms. They provide seamless, programmatic access to data and facilitate sharing and transactions across disparate platforms and services. But, improperly scoped, APIs can also give unprivileged or malicious actors access to sensitive data as well as permissions to create or destroy data, which may violate the security model for the application and result in violations of state or federal data privacy and security regulations.
Similarly, API integrations can change as applications evolve, silently drifting from the initial security scope envisioned by developers. FinTech firms need to track API permissions on an ongoing basis, conducting access reviews on APIs with an eye to “least privilege” in the same way that user access is monitored and enforced: compare the scopes an integration has been granted against the scopes it actually uses, and trim the difference.
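The two review checks described above, resolving chained group memberships into a user’s effective entitlements and comparing an API integration’s granted scopes against the scopes it actually uses, are small enough to show in code. The following is an added example written for this post; it is not Zilla’s code or any product’s data model, and the users, groups, entitlements and API scopes are constructed sample data.

```python
"""Toy entitlement review (added example, not Zilla's code).

It resolves nested group memberships to each user's effective entitlements
and flags the two findings the text calls out: former employees who still
hold access, and API integrations granted more scope than they use.
All names and scopes below are constructed sample data.
"""
from collections import defaultdict

# Constructed: group -> members. A member may itself be a group (chained abstraction).
GROUP_MEMBERS = {
    "finance-all": ["finance-leads", "ana", "ben"],
    "finance-leads": ["cara"],
    "ops": ["finance-all", "dan"],
}

# Constructed: entitlements granted directly to a user or to a group.
GRANTS = {
    "finance-leads": {"ledger:approve"},
    "finance-all": {"ledger:read"},
    "ops": {"payments:refund"},
    "ben": {"customer-pii:export"},
}

# Constructed HR status feed. A terminated user with any access is a finding.
USER_STATUS = {"ana": "active", "ben": "terminated", "cara": "active", "dan": "active"}

# Constructed API integrations: scopes granted versus scopes observed in use.
API_INTEGRATIONS = {
    "aggregator-x": {
        "granted": {"accounts:read", "transactions:read", "transfers:write"},
        "used": {"accounts:read", "transactions:read"},
    },
    "kyc-vendor": {"granted": {"customers:read"}, "used": {"customers:read"}},
}


def groups_of(principal, group_members):
    """Every group reachable from a principal through nested membership.

    The visited set both terminates the walk and protects against cycles
    (group A contains B, B contains A), which real directories do produce.
    """
    parents = defaultdict(set)  # member -> groups that list it directly
    for group, members in group_members.items():
        for member in members:
            parents[member].add(group)

    seen = set()
    stack = [principal]
    while stack:
        for group in parents.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def effective_entitlements(user, group_members, grants):
    """Union of direct grants and grants to every group the user chains into."""
    entitlements = set(grants.get(user, set()))
    for group in groups_of(user, group_members):
        entitlements |= grants.get(group, set())
    return entitlements


def review(user_status, group_members, grants, api_integrations):
    """Return (kind, subject, details) findings for an access review."""
    findings = []
    for user, status in user_status.items():
        entitlements = effective_entitlements(user, group_members, grants)
        if status == "terminated" and entitlements:
            findings.append(("orphaned-access", user, sorted(entitlements)))
    for name, scopes in api_integrations.items():
        excess = scopes["granted"] - scopes["used"]  # least-privilege gap
        if excess:
            findings.append(("api-over-scoped", name, sorted(excess)))
    return findings


if __name__ == "__main__":
    for kind, subject, details in review(USER_STATUS, GROUP_MEMBERS, GRANTS, API_INTEGRATIONS):
        print(f"{kind}: {subject} -> {', '.join(details)}")
```

Run against the sample data, the review reports that the terminated user `ben` still holds three entitlements, two of them inherited through `finance-all` and `ops` rather than granted to him directly, and that `aggregator-x` holds a `transfers:write` scope it never exercises. In a real deployment the four constructed tables would be replaced by feeds from the identity provider, HR system, cloud IAM and API gateway logs, which is the aggregation step the post describes.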
Given the complexity and scale of modern FinTech applications, providers need to automate access and entitlements reviews to adequately manage their risk. Zilla’s technology allows companies to review both user entitlements and the permissions that API-based integrations have to cloud services. The platform’s automated collectors gather permission data from both cloud services and on-premises systems. Workflow automation makes it easy for users to review any findings, reducing the burden on your IT and compliance teams.
If your firm is delivering next generation services for finance or banking and you’d like to learn more about how Zilla’s technology can help manage entitlements and keep you on the right side of state, federal and international data security regulations, contact Zilla!