How Banks Are Using ABAC to Balance Customer Security and Innovation
As the breach of Equifax a few months ago showed, data security should be one of the top concerns for any organization, no matter the size.
To help balance regulatory compliance and the demand for mobile customer-centric services, financial institutions can look to ABAC for modern access control.
Protecting customer data is a major undertaking in every industry, but banks face a heightened challenge: a constant threat of data breaches combined with growing demand for personal, digital, customer-centric financial services.
Local and global banks alike have come to the realization that if authorization is not modernized, their regulatory compliance and digital initiatives will become even more challenging and costly to implement. In addition, new customer and sales enablement applications can be delayed or halted altogether.
A policy-based approach to application, database, and API authorization addresses a bank’s core access-control problem. Done correctly, it limits access to confidential customer information to the right personnel under the right conditions, taking into account who is asking, what they are asking for, when, from where, and why. Attribute Based Access Control (ABAC) is such a policy-based approach: customer data is protected, compliance can be demonstrated, and banks can get ahead of the competition.
Why Is Regulatory Compliance Such a Challenge?
Compliance is a challenge in banking for two main reasons. First, banks operate in a highly regulated industry, and each line of business carries its own set of laws and regulations. For example, the regulations for credit card operations differ from those for mortgage lending, trading, and so on. In addition, regulations come from different government authorities, which can result in overlapping or conflicting requirements in certain situations.
Second, operating across borders compounds the compliance challenge even further. For local banks, this can be an issue that manifests itself in different privacy regulations across states in the US. For larger banks, banking regulations and privacy laws can vary greatly between countries and regions. In Europe, GDPR (General Data Protection Regulation) goes into effect in May 2018 and brings stricter privacy laws along with potentially very steep fines for non-compliance. GDPR is a significant change from the current privacy directive and is an example of the cost and complexity of a constantly changing regulatory environment.
By using an ABAC approach, financial institutions can meet compliance needs by mapping access policies to the different regulatory regimes. A centrally managed ABAC service ensures consistent enforcement, maps more easily to the nuances of regulatory schemes across jurisdictions, provides a consolidated view for audit, and adapts to changing regulations far more easily than legacy approaches in which much of the security logic is hardcoded in the application, API, or microservice.
A More Refined Approach
Attribute-Based Access Control, also referred to as ABAC, is the latest advancement in access control: it can both lock down sensitive data and open it up when the conditions justify it. ABAC uses a policy-based approach and can be applied at multiple layers within an enterprise, including databases, big data platforms, applications, APIs, and microservices.
With ABAC, authorization decisions are based on policies, not on individual roles. A policy combines any number of attributes to describe the conditions under which a user should be granted access: device type, location, time of day, customer status, risk score, and the user’s relationship to the data being accessed are all examples. Because a decision is only as trustworthy as its inputs, each of those attributes must come from an authoritative source (a device-management system, a risk engine, the customer master) rather than from the caller’s own request. Corporate policies are implemented in a centrally managed service whose enforcement points can be physically distributed and operated close to the applications they protect. The ABAC service can be deployed on premises, in the cloud, or in hybrid configurations depending on how application resources are deployed.
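The following is an added example, not code from the article or from any ABAC product, showing in plain Python what the policy-based decision described above looks like: a small policy decision point (PDP) that evaluates a request built from subject, resource, action and environment attributes against a set of policies with deny-overrides combining. The attribute names, the four policies (including the jurisdiction rule standing in for the regulatory mapping discussed earlier) and the sample requests are all assumptions constructed for illustration.

```python
# Added example: a minimal attribute-based policy decision point (PDP).
# Not from the article or any vendor; attribute names, policies and sample
# requests are assumptions constructed for illustration.
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List, Tuple

Request = Dict[str, Any]   # flat attribute bag: subject.*, resource.*, action, env.*


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                            # "Permit" or "Deny"
    applies: Callable[[Request], bool]     # target: is this policy relevant at all?
    condition: Callable[[Request], bool]   # must also hold for the effect to fire


def business_hours(r: Request) -> bool:
    return time(8, 0) <= r["env.time"] <= time(18, 0)


# Assumed corporate policies. None of them is expressible as a role alone: the
# user's relationship to the record, the customer's jurisdiction, the device and
# the transaction risk score all enter the decision.
POLICIES = [
    # A relationship manager may work on customers assigned to them, in business
    # hours, from a bank-managed device.
    Policy("rm-assigned-customer", "Permit",
           applies=lambda r: r["subject.role"] == "relationship_manager"
           and r["action"] in ("read", "update"),
           condition=lambda r: r["subject.id"] in r["resource.assigned_managers"]
           and business_hours(r) and r["env.device_managed"]),
    # A fraud analyst may read any record in their own line of business, any hour.
    Policy("fraud-analyst-read", "Permit",
           applies=lambda r: r["subject.role"] == "fraud_analyst" and r["action"] == "read",
           condition=lambda r: r["subject.line_of_business"] == r["resource.line_of_business"]),
    # Assumed internal rule: a customer's data may only be processed from the
    # customer's own jurisdiction unless a cross-border approval is on record.
    Policy("jurisdiction-match", "Deny",
           applies=lambda r: True,
           condition=lambda r: r["resource.customer_jurisdiction"]
           != r["subject.processing_jurisdiction"]
           and not r["resource.cross_border_approved"]),
    # High-risk changes are blocked regardless of who requests them.
    Policy("risk-score-ceiling", "Deny",
           applies=lambda r: r["action"] in ("update", "transfer"),
           condition=lambda r: r["env.risk_score"] > 70),
]


def decide(request: Request, policies=POLICIES) -> Tuple[str, List[str]]:
    """Deny-overrides combining: any applicable Deny wins, otherwise any Permit,
    otherwise the default is Deny. The second element names the policies that
    determined the outcome, which is what an audit trail needs to record."""
    permits: List[str] = []
    for p in policies:
        if not p.applies(request) or not p.condition(request):
            continue                       # policy not applicable to this request
        if p.effect == "Deny":
            return "Deny", [p.name]
        permits.append(p.name)
    return ("Permit", permits) if permits else ("Deny", ["default-deny"])


def request(**overrides: Any) -> Request:
    """Build a constructed sample request; every default below is an assumed value."""
    base: Request = {
        "subject.id": "alice", "subject.role": "relationship_manager",
        "subject.line_of_business": "retail", "subject.processing_jurisdiction": "DE",
        "action": "read",
        "resource.assigned_managers": {"alice"}, "resource.line_of_business": "retail",
        "resource.customer_jurisdiction": "DE", "resource.cross_border_approved": False,
        "env.time": time(10, 30), "env.device_managed": True, "env.risk_score": 12,
    }
    base.update(overrides)
    return base


# Constructed sample requests covering the common outcomes.
SAMPLE_CASES = {
    "assigned RM, business hours": request(),
    "same role, not assigned": request(**{"subject.id": "bob"}),
    "assigned RM, after hours": request(**{"env.time": time(23, 0)}),
    "analyst, other jurisdiction": request(**{"subject.id": "carol",
                                             "subject.role": "fraud_analyst",
                                             "subject.processing_jurisdiction": "US"}),
    "analyst, cross-border approved": request(**{"subject.id": "carol",
                                                "subject.role": "fraud_analyst",
                                                "subject.processing_jurisdiction": "US",
                                                "resource.cross_border_approved": True}),
    "assigned RM, risky update": request(action="update", **{"env.risk_score": 85}),
}

if __name__ == "__main__":
    for label, req in SAMPLE_CASES.items():
        print(f"{label:32} -> {decide(req)}")
```

The point of the second case is the one the text makes: Bob holds exactly the same role as Alice, yet is denied, because the relationship between the user and the record is an attribute of the request, not of the role. Deny-overrides is the conservative combining rule; swapping in a permit-overrides rule would let a Permit from one line of business silently defeat the jurisdiction policy, which is the kind of regression a centrally managed policy set makes visible.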
Enterprises realize further benefits because ABAC is built on industry standards such as OASIS XACML. Standards enable interoperability across access control systems, ease integration with third-party products, and give the enterprise vendor independence.
Access control is critical to ensuring that personal banking data is protected and regulatory compliance is met. An ABAC approach makes innovation much easier and allows banks to deliver a full omnichannel and digital experience to their customers. Banks that deliver customer-centric services gain a major competitive advantage.
Opinions expressed by DZone contributors are their own.