Event Recording

The Business Case for PAM in Financial Services



The Business Case for PAM is more than just keeping data safe, or making regulators happy. We’ll talk about 4 of the most common business cases for improving a security posture covering detection, remediation, audit, and forensics. Looking forward to questions on which may be most relevant to your enterprise.

Well, thank you. Thank you very much, everyone. I think one of the things we'd like to talk about, and Paul did a great job of introducing a lot of the points that I'm going to cover: it's more than just about keeping bad actors out of your organization when we look at privileged access management. I'm waiting for my slides to go through. We hold more than just money for our organizations. Now we hold data. We hold information about you, the users, your consumers, and employees for that matter. Everything from how we do spending, where we log in, how we do things, and interestingly enough, a lot of financial institutions hold information on the related markets. So think about when you're buying a home: banks do track things like not just mortgages in your neighborhood, but all of the mortgages in the area.
So we know housing markets: are you getting enough? Is your house valued enough? Now the thing we have to concern ourselves with is protecting that information. And it's interesting, I included that one fact at the top: a lot of financial institutions hold more data on their users than their local governments. So we know more about who's doing what, when they're doing it, what's going on. And there's a little bit of fear to that. I get it. So we wanna make sure that everyone has that warm and fuzzy feeling, but we wanna minimize that attack surface. So anything we can do to protect our consumers and our employees is our key goal. So Paul used a great example. He mentioned think big. So this is a great segue. So when people think privileged access management, they think about privileged accounts, people with elevated privileges. We wanna control access: who can do what with documents, with data.
Now there's also not just entitlements of who can log in and use a system, but there's also emergencies. We all know, depending on your region, I'm sure you've had major outages where systems have gone down. You couldn't log into whatever it happened to be; could be a telephone company, could be a service provider. So there are situations where we have to call in people and there's an emergency. They have to break the glass and pull that password out. Centralized account management's a big thing now. I mean, not too long ago, we all used to share passwords and share accounts. We had support people. We had service accounts. It was difficult to track who did what; we just knew it went into that group of individuals. So compliance and audit obviously came out with a number of rules and they said, you must do the following. And that's where, you know, they said, so, and Paul mentioned a great segue, zero trust. Zero trust and privileged access management have actually been around quite a while.
It's the question of, do we trust everyone or do we trust no one? And we grow through what we go through. So there were pain points. We grew through them and we've developed these technologies to protect us as individuals and financial institutions. Now, like you said, for FIs, there's a number of use cases, but we need to keep the data safe and, you know, make our auditors and regulators happy. So, you know, when we look at who we have to make happy, you know, the key things for us in banks, you know, we're here to provide a service and we're here to make money. There's no question about it, but we have our customers. We have potential customers. We have shareholders that invest in our services. We have third parties that use our services. So a number of you are aware that banks provide extra insurances and services to third-party people, white-labeled products. There are partners.
And then of course, all the regulatory commissions that wanna make sure we're doing things the right way. And then there's the internal rules of compliance of who has access to what, who can control data, who can manage data, and there's local regulatory requirements. Can data leave an organization? Can it leave the country? Who can see it? Who can view it? These are all things that the FIs, sorry, financial institutions, really keep top of mind. And granted, some of them do apply to a lot of other regulatory or regulated industries. When we look at what types of things privileged access protects, and Paul did use entitlements management as well. So this does spill over the users. We wanna protect users. There's accidental things that happen. We understand that there is a large amount of data: consumer data, employee data, legal information, merger and acquisition data. There's intellectual property.
So at the banks of how we do things, how we do transactions, how we calculate risk for the users, how we identify risky behaviors and situations. Now all that information is stored somewhere. So we have systems, you know, common numbers. Now we're looking at, for large enterprises, we're looking in the, you know, hundreds of thousands of physical things that we need to protect. And if you think of a bank, those physical things could be bank machines, could be telephone cabinets, could be printers. Anything that has information that could be shared. There are analytics that we collect. And like I mentioned earlier, spending habits, transactions, we want to know to provide better services during holiday seasons and important times of the year. Anything administrative. So we all know that we have to do our jobs day to day. We log into services. We perform actions, but who can run a report? Who can configure a system? Who can shut down a piece of infrastructure? And then there's transactional support: when you call in as an employee, first thing in the morning, and say, "I have a problem," the person at the other end of the phone, or nowadays automated bots, need to validate that you are who you are and make sure that you have permission to do what you need to do.
So we talk about these use cases and we have to figure out how we're going to do them. So Paul nailed it when he said, think big. You need to take inventory and prioritize. You've gotta focus on what things are keeping you up at night. You need to figure out monitoring. So a number of technologies offer the abilities to, I don't wanna use the word big brother, but keep an eye on what types of things are happening. So, you know, what keystrokes are happening, who's logging in, what sessions are opened. That last one is key: paths, how you got to that endpoint. Were you connecting from your laptop to something? Were you connecting from your phone? And how were you connecting? Did you have a piece of code? Applications were mentioned. Was it a user interaction? Was it a system command? There are systems that talk to systems all day long, every day, in the banking space.
And then those systems do a number of things. Do they read, do they update, do they record data? Do they export data? And where are they coming from? A number of those breaches that you see are sometimes happening through tunnels, through VPNs; we've given access to someone inappropriately. And then of course, when is it happening? Now, the scary thing we think about is we need to map those anomalies. So what's the norm? You know, if I log in, as an employee, to my banking applications to do my job on a Saturday, it's probably allowed. I mean, Denny working on a Saturday is not uncommon. Denny working on a Saturday at 3:00 AM, probably uncommon. So that's when I wanna trigger some sort of alert or event. If there's an outage and Denny has to work at 3:00 AM, then maybe that deserves an exception. So that's something we need to take a look at.
So we found anomalies and now banks have to figure out what they're gonna do next. So we're firm believers in auditing and recording absolutely everything. We apply behavioral analytics to when users are working, how they're working, are they working more frequently, certain days, earlier in the morning, and it's not just for network optimization; it's so we can provide better service. And privileged access management is a great way to know who's doing what, 'cause these technologies help you record that. The prompt is one that I like. So there are more secure systems, a number of times where you need to challenge the user to make sure they're doing what they should be doing. Sometimes if you're connecting to a system in the office, I happen to be sitting in one of our main offices today. If I access the system, it knows I'm physically in the bank and I don't get prompted.
If I'm connecting from home over a VPN, a virtual client, I will get challenged. I'll get a notification to my phone, or I may get asked some other piece of identity just to make sure I am who I say I am. And then block: if it's a bad thing, just stop it. I mean, remediation's a big piece in the use cases that we want people to consider. So stop the bad things that are happening. So we figured out how to remediate it, but now you've done all this auditing. And like I said, banks track and record absolutely everything. What are you doing with all that information? So one thing that FIs do as their use cases, we try to build a threat model. We wanna know how people are getting to certain machines, what users are working and when, and where they're working from. In a number of the FIs in Canada, we call them patterns.
So they're basically usage flows. Think of them as a diagram of: I connected to this machine through secure servers, by requesting an account. And the big thing, it was always a running joke where, when privileged access management in the vendor space, we talked about the art of no, and it wasn't N-O, it was K-N-O-W. So we wanna know which actions are valid and which ones really should be stopped. And again, Denny working at 3:00 AM, please let me just do my job. I wanna get on with the rest of my weekend.
Now, when we look at, now we've got an audit, we've recorded all of our data. We know what we have to do. Waiting for my slide to change. Here we go. Now we wanna do some forensics. We wanna learn from it. So I mentioned at the beginning, we wanna grow through what we've gone through. So we start to do some cleanup. We realize that certain accounts, people have been using the same password for how long? Maybe we need to do password rotation, or we need to know what was compromised. Is it common that people are breaching data systems, or are they breaching financial transaction systems? What about a lingering presence? Did someone change an account and no one's logged in again? Maybe they've planted something, maybe they're doing something they shouldn't do. So we need to do this type of forensics. We wanna know, as a use case, you know, where people have been in the organization. Everyone leaves a footprint. It is very, very difficult not to. With that, I wanna thank you. And if you have any questions, feel free to put them into the chat window and ask away.