Are outdated access controls holding back digital banking innovation?
By Stuart Hodkinson, VP EMEA, PlainID
Although the banking industry has a long history of developing effective access and authorisation controls to keep sensitive data safe, these systems were often conceived years ago and are now showing their age. They were not architected to support the complex requirements of a digital world, nor to guard against data breaches, whether accidental or criminal.
With today’s consumers now expecting far better digital journeys and experiences than in the early days of online banking, companies are looking for more efficient ways of making large-scale transformations that do not in any way compromise on security requirements.
Holding back this mass migration to digital banking is a plethora of siloed IT platforms and applications that have been knitted together with APIs and complicated security access integrations. Not only do these systems require skilled, costly maintenance, but they cannot scale any further to meet evolving requirements. Add to this that banks operate in a tightly regulated industry requiring detailed auditability for a raft of compliance obligations, and it is not hard to see why the banking industry could be struggling to keep pace with the needs of today’s consumer.
One way of helping to remedy the situation is to simplify and modernise legacy authorisation and access control across the enterprise. This can free up valuable IT resources which could be utilised to accelerate much-needed innovation and transformation. By taking a new approach to authorisation with policy-based access control (PBAC), organisations can take advantage of significant efficiency gains through centralised management, plus deploy more effective, granular security policies. If they choose, senior management can also relieve a further burden on IT by handing back access control decisions to line-of-business teams.
PBAC explained
Effective policy-based access control (PBAC) relies on the accurate definition of criteria that determine who can access data or resources. This ensures that permissions are granted only on this pre-defined basis, minimising the risk of data breaches. It provides a structured and efficient way to manage user permissions, maintain security, and adhere to compliance requirements across an organisation’s distributed IT environment.
An automated PBAC solution combines user attributes and roles to manage access rights to systems and applications, whether they are on premises, in a cloud or in a hybrid environment. Importantly, a modern PBAC system enables sophisticated control policies to be written and implemented using natural language, without the need for extensive IT knowledge and programming.
Permissions are determined by combining business logic with attributes, roles, conditions, and contextual signals such as risk scores. Tackling the challenges that conventional access control models struggle with, PBAC can respond to changes which occur during digital interactions by factoring in elements including identity, context, location, time, and type of resource. In essence, this means controlling user access according to a sophisticated combination of factors that identify who is accessing what, where, and when.
Additionally, PBAC systems provide a centralised management capability which enables organisations to react rapidly to global changes in business needs, compliance regulations, and security threats, and update access rights accordingly.
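The following is an added worked example of the evaluation model described above; it is not PlainID’s product code or any real bank’s policy set. It shows how a decision is derived by combining subject attributes and roles, the action, the resource, and contextual signals (time, location, a risk score), with a deny-overrides, default-deny combining rule and an audit trail of which policies matched. The policy names, attribute names, opening hours and the constructed sample requests are all assumptions for illustration.

```python
"""Minimal policy-based access control (PBAC) evaluator.

Added example, not PlainID's or any vendor's code. Policy names, attribute
names, the 08:00-18:00 branch hours and the sample requests are constructed
assumptions. Combining logic: deny-overrides, default deny, and every
decision returns the list of matched policies as an audit trail.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable


@dataclass
class Request:
    """Everything a policy may reason about: who, what, which resource, in what context."""
    subject: dict   # e.g. {"id": "u1", "roles": {"customer"}, "department": "retail"}
    action: str     # e.g. "read", "update"
    resource: dict  # e.g. {"type": "account", "owner": "u1"}
    context: dict   # e.g. {"time": datetime, "location": "branch", "risk_score": 5}


@dataclass
class Policy:
    name: str
    effect: str                          # "permit" or "deny"
    applies: Callable[[Request], bool]   # business condition written over attributes


def business_hours(ctx: dict) -> bool:
    """Assumed branch opening hours, 08:00 to 18:00 local time."""
    t = ctx["time"].time()
    return time(8, 0) <= t <= time(18, 0)


def make_context(hour: int, location: str = "branch", risk_score: int = 5) -> dict:
    """Build a constructed context for a sample request on an arbitrary date."""
    return {"time": datetime(2024, 3, 4, hour, 0), "location": location, "risk_score": risk_score}


# Constructed sample policies: one contextual deny plus a few attribute/role permits.
POLICIES = [
    Policy("deny-high-risk-session", "deny",
           lambda r: r.context.get("risk_score", 0) >= 70),
    Policy("customer-reads-own-account", "permit",
           lambda r: "customer" in r.subject["roles"]
           and r.action == "read"
           and r.resource["type"] == "account"
           and r.resource.get("owner") == r.subject["id"]),
    Policy("teller-in-branch-during-hours", "permit",
           lambda r: "teller" in r.subject["roles"]
           and r.action in {"read", "update"}
           and r.resource["type"] == "account"
           and r.context.get("location") == "branch"
           and business_hours(r.context)),
    Policy("sales-management-reads-sales-analysis", "permit",
           lambda r: "sales_manager" in r.subject["roles"]
           and r.action == "read"
           and r.resource["type"] == "sales_report"),
    Policy("hr-reads-employment-records", "permit",
           lambda r: r.subject.get("department") == "hr"
           and r.action == "read"
           and r.resource["type"] == "employment_record"),
]


def evaluate(policies: list[Policy], request: Request) -> tuple[str, list[str]]:
    """Return (decision, names of matched policies).

    Deny-overrides combining: any matching deny wins, then any matching
    permit; if nothing matches the default is deny. The matched list is
    the audit trail explaining exactly which rules produced the decision.
    """
    matched = [p for p in policies if p.applies(request)]
    names = [p.name for p in matched]
    if any(p.effect == "deny" for p in matched):
        return "deny", names
    if any(p.effect == "permit" for p in matched):
        return "permit", names
    return "deny", names


def decide(subject: dict, action: str, resource: dict, context: dict) -> str:
    """Convenience wrapper returning only the decision string."""
    return evaluate(POLICIES, Request(subject, action, resource, context))[0]


if __name__ == "__main__":
    customer = {"id": "u1", "roles": {"customer"}}
    teller = {"id": "t9", "roles": {"teller"}, "department": "retail"}
    acct = {"type": "account", "owner": "u1"}
    print(evaluate(POLICIES, Request(customer, "read", acct, make_context(10))))
    print(evaluate(POLICIES, Request(teller, "update", acct, make_context(2))))
    print(evaluate(POLICIES, Request(customer, "read", acct, make_context(10, risk_score=85))))
```

The same request can therefore be permitted at 10:00 from a branch and denied at 02:00 or from an unrecognised location, and a high risk score overrides an otherwise valid permit; because the combining rule is deny-overrides with a default of deny, a new application that no policy yet mentions grants nothing until a business owner writes a rule for it. The returned list of matched policy names is what an auditor would want logged alongside each decision.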
Security first and foremost
For the banking industry, this provides a compelling combination of security and the agility needed to facilitate digital transformation, while ensuring data is kept safe throughout the process. By enabling easy deployment of highly granular access policies, organisations can ensure that essential data is available to whoever needs it, whenever they need it, without compromising security.
In addition to securing personal financial data held in the platforms and applications that consumers use day to day, banks can also define access control policies that support key business objectives in other areas, for example restricting internal access to analysis of sales performance, product launch details, research reports, and employment records.
To keep pace with new compliance regulations, banks can quickly adapt their access policies in line with current and forthcoming obligations. Having policies centralised also facilitates regular audits to ensure that access control rules maintain effective governance and continuously strengthen data security.
Enabling innovation and agility
Unlike legacy access management systems, which are costly to maintain and require in-depth technical knowledge to operate, modern PBAC solutions allow access policies to be written in plain language and applied easily across diverse platforms and applications. What used to be a technically owned process can therefore be managed by line-of-business teams, cutting out delays waiting for IT to make updates or to grant or revoke access. Relieved of the burden of coordinating different IT specialists to implement access controls, business managers can roll out applications securely in shorter timeframes.
To optimise process efficiencies across an enterprise, policies can be standardised, but as necessary, special instances can be defined and enforced for the most demanding use cases in any environment.
PBAC solutions can also include policy mining to help automate the creation of policies, and testing tools that deliver an end-to-end view of policy impact and effectiveness. Policies can be audited at any time, giving full visibility into what’s happening within the system, and updated quickly to resolve any issues.
Providing a structured and adaptable framework for managing and controlling access is crucial to ensure that standard policies can be applied to new products and apps without the need for additional tooling or infrastructure changes. This will help banks to swiftly deliver innovative solutions to keep up with consumer expectations in the rapidly changing digital banking landscape.