White Paper. FFIEC Authentication Compliance Using SecureAuth IdP

Transcription

1 White Paper FFIEC Authentication Compliance Using SecureAuth IdP September 2015

2 Introduction Financial institutions today face an important challenge: They need to comply with guidelines established by the Federal Financial Institutions Examination Council (FFIEC) for securing their online products and services, while also maintaining a smooth and seamless experience for customers authenticating to their systems. This white paper can help. It explores the specific expectations of the FFIEC and details how SecureAuth IdP enables financial organizations to achieve FFIEC compliance while ensuring a positive user authentication experience. Assert Your Identity 2

3 Table of Contents FFIEC Expectations for Internet Banking Environments... 4 Stronger Controls Now Required Implementing a Layered System of Security... 5 Risk Assessments Customer Authentication for High-Risk Transactions Layered Security Programs Detection of and Response to Suspicious Activity Control of Administrative Functions Device Identification Challenge Questions Customer Awareness and Education The SecureAuth IdP Authentication System... 9 FFIEC Compliance Checklist for SecureAuth Authentication... 9 Summary... 9 Assert Your Identity 3

4 FFIEC Expectations for Internet Banking Environments Stronger Controls Now Required In 2005, the FFIEC initially released its publication Authentication in an Internet Banking Environment (Guidance), which provides a risk management framework for financial institutions offering Internet-based products and services to their customers. In 2011, the FFIEC supplemented the document to reinforce the original risk management framework and update its expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment. Specifically, the council determined that its initial recommendations did not go far enough in protecting online banking users and specified that financial institutions should: + Review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months. + Implement more robust controls as the risk level of the transaction increases in order to better protect high-risk transactions (defined as electronic transactions involving access to customer information or the movement of funds to other parties). + Implement a layered approach to security for high-risk Internet-based systems, where a weakness in one control is generally compensated for by the strength of a different control. This approach should include: Processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to either the initial login and authentication of customers requesting access to the institution s electronic banking system or the initiation of electronic transactions involving the transfer of funds to other parties. Enhanced controls for system administrators who are granted privileges to set up or change system configurations, such as access privileges and application configurations or limitations. + No longer consider simple device identification, as a primary control, to be an effective risk mitigation technique. Instead, organizations should leverage complex device identification with a more complex digital fingerprint that looks at a number of characteristics, including PC configuration, Internet protocol address, geo-location, and other factors. Assert Your Identity 4

5 Implementing a Layered System of Security The concept of customer authentication in the 2005 Guidance is broad, including more than the initial authentication of the customer when he or she connects to the financial institution at login. Since virtually every authentication technique can be compromised, the FFIEC maintains that financial institutions should not rely solely on any single control for authorizing high-risk transactions, but rather institute a system of layered security that includes the following: + Risk assessments + Customer authentication for high-risk transactions + Layered security programs + Detection of and response to suspicious activity + Control of administrative functions + Device identification + Challenge questions + Customer awareness and education The following sections explore each of these expectations and explain how SecureAuth IdP can help you meet them. Risk Assessments The FFIEC recommends that institutions review and update their existing risk assessments to consider factors like the following: + Changes in the internal and external threat environment + Changes in the customer base adopting electronic banking + Changes in the customer functionality offered through electronic banking + Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry While this recommendation is currently outside of the scope of the SecureAuth IdP solution, IdP does enable organizations to quickly alter their authentication and security policies with minimal effort through an intuitive graphical interface. Assessments made one day can easily be implemented the next. Assert Your Identity 5

6 Customer Authentication for High-Risk Transactions FFIEC recommends that financial institutions implement layered security consistent with the risk for covered consumer transactions, utilizing controls consistent with the increased level of risk for covered business transactions. Additionally, FFIEC recommends that institutions offer multifactor authentication to their business customers. SecureAuth helps organizations meet these guidelines by providing layered security controls around transactions, at either the application or transaction level. Either directly or through its APIs, IdP can enforce FFIEC-compliant transactional security in the manner and with the user experience the organization wants. Layered Security Programs The FFIEC states that effective controls in a layered security program should include, but are not limited to: + Fraud detection and monitoring systems that include consideration of customer history and behavior and that enable a timely and effective institution response + The use of dual customer authorization through different access devices + The use of out-of-band verification for transactions + The use of positive pay, debit blocks, and other techniques to appropriately limit the transactional use of the account + Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times) + Internet Protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities + Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud + Enhanced control over changes to account maintenance activities performed by customers, either online or through customer service channels Given this guidance, it is apparent that the FFIEC is looking for strong, adaptive authentication that looks at user behavior and factors like IP risk scoring to step up authentication when appropriate. SecureAuth provides all of these tools to enforce your policies, in a single solution that is easy to configure and use. Assert Your Identity 6

7 Detection of and Response to Suspicious Activity In addition to protecting resources with strong authentication options, SecureAuth IdP also dynamically detects and responds to suspicious activity. You can layer adaptive authentication techniques together to provide a comprehensive, secure, and user-friendly authentication experience. These techniques include: + Device fingerprinting Each device can be enrolled and recognized on subsequent visits, streamlining the user experience. Device characteristics are recorded and checked server-side to ensure the user s device is the device that was registered. If something changes, SecureAuth IdP responds. + Real-time threat analysis Using the Norse DarkMatter platform, IdP has access to a globally distributed distant early warning network of millions of sensors, honeypots, crawlers, and agents that deliver unique visibility into the darknets, where bad actors operate. By identifying Tor browsers, anonymous proxies, nation-state actors, and more, SecureAuth IdP removes the masks from the bank robbers and takes away their getaway car before they get in the door. + Geo-velocity checks SecureAuth IdP can enforce real-world travel constraints on user accounts. For example, a user authenticating in New York at 10:00 a.m. would physically be unable to log in from Los Angeles at 10:15 a.m. + Geo-location Flexible authentication workflows change the user experience based on the location of the user. For example, users outside of their home country may always have a stepped up authentication workflow that requires out-of-band, two-factor authentication. When something simply doesn t look right, SecureAuth IdP takes the action you define, such as stepping up the authentication, redirecting the user to a different authentication workflow, passing the user to a honeypot, or stopping them altogether. The solution s power to detect and respond to anomalous behavior is unparalleled. Control of Administrative Functions FFIEC recommends that, for business accounts, layered security should include enhanced controls for system administrators who are granted privileges to set up or change system configurations, such as access privileges and application configurations or limitations. SecureAuth IdP can enforce multifactor authentication and layered security at the operating system level or at the application level to ensure that administrative identities are fully vetted before a user can access the keys to the kingdom, in accordance with FFIEC guidelines. IdP can protect Windows-, Linux-, and Unix-based servers with its multifactor credential providers and PAM modules. The solution also can enforce different security policies for web applications based on group membership (administrators), device type, location, risk score, or resource. Assert Your Identity 7

8 Device Identification In response to the 2005 Guidance, many institutions implemented simple device identification, which typically uses cookies to verify that a device is the same device previously enrolled. However, the 2011 FFIEC supplement notes, experience has shown this type of cookie may be copied and moved to a fraudster s PC, allowing the fraudster to impersonate the legitimate customer. Similarly, geo-location and IP address matching can be circumvented by proxies. Therefore, FFIEC recommends organizations should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique. Instead, they should adopt more sophisticated forms of device identification that use one-time cookies and create a more complex digital fingerprint by looking at a range of characteristics. SecureAuth IdP s device fingerprinting solutions enable organizations to accurately identify enrolled devices, minimize fraud, and dynamically react when things don t look right. Challenge Questions The amount of information about people that is readily available on the Internet and the information that individuals themselves make available on social networking websites makes basic challenge questions inadequate for authentication. As a result, institutions should require sophisticated challenge question systems that require the customer to correctly answer multiple out of wallet questions that do not rely on information that is often publicly available. SecureAuth IdP supports sophisticated challenge questions out of the box. Whether you use the SecureAuth IdP question functionality, leverage your organization s own implementation, or choose some other third-party functionality, IdP is compliant with this FFIEC guideline. Customer Awareness and Education The FFIEC holds institutions accountable for providing a certain level of awareness and education for their customers. As this requirement is simply informational and depends on the organization s policies, this functionality is not currently provided by SecureAuth IdP. Assert Your Identity 8

9 The SecureAuth IdP Authentication System SecureAuth solves the problems of securely authenticating customers while meeting the FFIEC s guidance. The SecureAuth IdP appliance-based solution: + Requires no software download + Works with any browser on any site + Includes more than 20 methods of authentication + Provides the latest in adaptive, dynamic, context-based authentication techniques + Allows step-up and step-down authentication at the general and transaction level, depending on the organization s defined polices + Includes built-in out-of-band authentication options for SMS, telephony, and + Supports federation protocols like SAML, WS-*, OpenID Connect, and OAuth Provides multi-factor password reset workflows FFIEC Compliance Checklist for SecureAuth Authentication FFIEC Requirement SecureAuth IdP Risk assessments Customer authentication for high-risk transactions Layered security program Detection of and response to suspicious activity Control of administrative functions Device identification Challenge questions Customer awareness and education Summary Financial institutions face the challenge of meeting government regulations while also providing a secure and affordable service to their customers which eliminates solutions that require consumers to download software. SecureAuth IdP provides the solution financial institutions need, delivering deployable and scalable solutions that meet both today s complex security requirements and growing regulatory pressures. Assert Your Identity 9

10 ABOUT SECUREAUTH Based in Irvine, California, SecureAuth offers identity and information security solutions that deliver innovative access control for on-premises, cloud, mobile and VPN systems to millions of users worldwide. SecureAuth IdP provides adaptive and Two-Factor authentication alongside Single Sign-On (SSO) in one solution. Its unique architecture enables organizations to leverage legacy infrastructures while also embracing next-generation technologies, to preserve existing investments while also meeting today s security challenges and tomorrow s. For the latest insights on secure access control, follow the SecureAuth blog, on Twitter, or visit Assert Your Identity 10

11 8965 Research Drive Irvine, CA p: f: secureauth.com WP-FFIEC Authentication Compliance