How To Comply With FFIEC





SOLUTION BRIEF: Authentication in the Internet Banking Environment. The solution for FFIEC compliance from CA Technologies

Introduction to FFIEC Compliance

In October of 2005, the Federal Financial Institutions Examination Council (FFIEC) issued a guidance entitled "Authentication in an Internet Banking Environment" in response to increasingly sophisticated electronic attacks that compromise personal identity information and erode customer confidence in online banking security. The goal of the FFIEC guidance was to improve security for online banking transactions, due to the consensus view that simple username/password authentication was not sufficient for today's online banking environment. With several years of experience and analysis under their belts, and the continued growth of online fraud, in June of 2011 the FFIEC circulated a Supplement update to this guidance, entitled "Interagency Supplement to Authentication in an Internet Banking Environment". This paper will review the original guidance and how CA Technologies exceeds the requirements outlined in the new Supplement document.

Essence of the Guidance: the type and method of authentication should be appropriate to the risk level associated with a given transaction type.

Key Requirements of FFIEC: The Original Guidance

The FFIEC came to recognize that with the rise in volume of online banking transactions, single-factor authentication techniques were simply not adequate security anymore. With this situation in mind, the original Guidance included three important recommendations.

1. Strong Authentication

A common misperception about the original regulation is that it requires specific two-factor authentication technologies to be implemented for online banking. In fact, it only requires authentication methods that are appropriate and reasonable, from a business point of view, for the reasonably foreseeable risks associated with a given online banking transaction. Since the minimum standards for effective and appropriate authentication might change over time based on technology advances, this requirement implies that an ongoing process for reviewing authentication strategies needs to be implemented.

2. Risk Assessment

Each bank should perform a detailed risk analysis of its entire online banking environment, covering all factors and activities involved in all supported customer transactions, including the following:
- Types of customers
- Sensitivity of all private customer information
- Typical transaction types and the expected size of the transaction
- Expected transaction rates
- The potential for loss for each transaction type

3. Customer Awareness

The final area of the Guidance relates to education and training programs intended to increase customer awareness of the risks and potential threats associated with online banking transactions. Although the Guidance is unspecific about how this awareness effort should be done, it suggests the importance of tracking security-related information such as the number of unauthorized attempts to obtain authentication information, the size of identity-theft related losses, and other such events. See ffiec.gov/pdf/authentication_guidance.pdf

Requirements in the FFIEC Supplement

The Supplement to the original Guidelines called for improving security for online transactions in several areas:
- Improved risk assessments
- Increased use of multi-factor authentication, especially for high-risk transactions
- Layered security controls to detect and respond to suspicious activity, including increased control over administrative functions
- More effective authentication techniques (for example, device identification)
- Improved customer awareness and education

The Supplement calls for an overall strengthening of authentication technologies. It notes that out-of-band authentication has taken on a new level of importance given the preponderance of malware running on customer PCs, which can defeat OTP tokens, simple device identification with cookies, or basic knowledge-based questions. These additional mandates are based on the increasing sophistication and organization of financial attacks, as well as the continued increase in the volume and size of financial transactions being conducted online.

The solution for FFIEC compliance from CA Technologies

CA Technologies has built a flexible set of authentication solutions to support a layered, risk-appropriate approach to strong authentication and fraud prevention. Many banks attempted to comply with the original FFIEC guidance by simply implementing some basic risk-based authentication techniques, but the increase in online financial fraud and the new Supplement have increased the pressure to find more sophisticated risk-based solutions. One approach can't alleviate all threats, but CA Technologies works with our customers to reach the ultimate goal, which is not just compliance but a strong, flexible, and effective authentication and fraud prevention system to protect the full range of financial transactions.

The CA Technologies solution for Advanced Authentication includes the following:
- CA AuthMinder provides flexible and broad capabilities for strong user authentication.
- CA RiskMinder provides real-time protection against identity theft and online fraud via risk-based, adaptive authentication.
- CA ArcotID is a secure software credential that combines strong key protection with the low cost and simplicity of a software solution, providing strong, two-factor authentication. No hardware tokens are necessary. You are able to add strong authentication to any application without changing your user's login process. The CA ArcotID delivers the strength of PKI with the simplicity of a password, making it ideal for both enterprise and consumer uses.
- CA ArcotID OTP is a software application that runs on a mobile phone and generates a one-time password that is used to authenticate to online applications and to verify valid credentials for online purchases.

CA AuthMinder and CA RiskMinder, when deployed together, provide the strong, layered security that is the foundation of effective FFIEC compliance. When planning an FFIEC compliance effort, there are at least three critical areas that need to be considered:
- Strong, two-factor authentication (2FA) capabilities
- Risk-based fraud detection and prevention capabilities
- Fine-grained control of privileged users

Strong Authentication

FFIEC compliance does not require a specific authentication technology for all cases. Rather, it requires authentication that is appropriate for the risk level of a given transaction profile. Therefore, depending on each organization's needs, different authentication methodologies might be chosen. When selecting authentication methods for a particular transaction, these factors are important:
- Ease of use for the customer
- Ease of IT administration
- Relative level of security offered by each authentication method
- Total cost to purchase
- Total cost to deploy

CA AuthMinder is a versatile authentication server that allows organizations to deploy a wide range of strong authentication methods in a cost-effective and centralized manner. It supports a range of authentication methods, including username/password, security Q&A, OTP via SMS, email or voice, OATH tokens, and the unique software-based CA ArcotID and CA ArcotID OTP credentials. It helps increase security and improve your compliance profile without burdening users or your service desk.

CA AuthMinder can provide the following business benefits to an organization:
- Deploy multi-factor authentication invisibly: Your users never have to know that you upgraded them to multi-factor authentication, unless you want them to. They can keep the same username/password sign-on experience to which they have become accustomed. The solution invisibly protects and verifies their identity without burdensome additional login steps.
- Lower cost of ownership: CA AuthMinder's authentication server allows you to authenticate users with a wide range of authentication methods. It can help you manage your authentication environment more efficiently by creating a central point for authentication policy creation and enforcement. If you use the CA ArcotID or CA ArcotID OTP software-only approach, there is no hardware to lose, fail, or break. It provides a low-cost, easy-to-distribute second-factor authentication method that hardware-based alternatives cannot match. The simplicity and transparency of this approach help reduce both management and support costs.
- Reduce risk: CA AuthMinder centralizes the management and execution of strong authentication. It authenticates users via a wide range of methods, giving you the flexibility to choose the authentication methods that best suit your user groups. It also helps you manage competing compliance demands by creating a central point for authentication enforcement. When CA ArcotID is used as the second factor, it helps protect the digital identities of your users behind proven, patented cryptographic technology.
- Block Man-in-the-Middle (MITM): CA AuthMinder, when used with CA ArcotID, helps prevent MITM attacks. CA ArcotID authenticates only with the domain that issued it, helping protect your users from phishers and pharmers where OTP tokens and grid pads cannot.
- Achieve high performance: To meet the rigorous security, availability, and data integrity demands of the financial services industry, CA AuthMinder was designed from the start to provide industry-leading security and performance. To provide authentication services to millions of users, it was designed with virtually unlimited horizontal scalability, with a goal of unparalleled ease of use and extremely low latency.
- Enjoy virtually unlimited scalability: CA AuthMinder provides excellent vertical scalability through increasing memory, disk, and processors. It achieves full-featured horizontal scalability with additional local or remote servers. Horizontal scalability provides performance gains as well as high-availability features for critical deployments.

Risk Assessment: Fraud Detection and Prevention

The incidence of identity theft and online fraud continues to grow as financial organizations try to find a good balance between the strength of security necessary and the level of inconvenience for their business and retail consumers. It is critical that organizations have the ability to enforce risk-based rules and parameters and use analytical modeling techniques to reduce their exposure to fraudulent activity. However, overbearing countermeasures that require repetitive user interaction can create a negative experience and affect customer loyalty. The challenge is to instantaneously detect and block fraudulent activity before fraud losses occur, without affecting or distracting legitimate users.

CA RiskMinder is an effective first line of defense against identity fraud. You can verify and detect suspicious activity for consumer and enterprise online services without burdening intended users. It is a robust, multi-channel risk assessment and fraud detection solution that transparently helps you detect and prevent fraud before losses occur. You can create an adaptive risk analysis process that assesses the fraud potential of every online login and transaction based on level of risk, user and device profiles, and organizational policies. As a result of the real-time, calculated risk score, users can be allowed to continue, be required to provide additional authentication credentials, or be denied access.

CA RiskMinder can provide the following business benefits:
- Reduce losses due to fraud: CA RiskMinder helps prevent fraud losses by blocking high-risk transactions before they complete, or by requiring additional authentication for unusual or suspicious transactions. It can also be combined with CA AuthMinder to implement step-up authentication when encountering a suspicious transaction, as part of a comprehensive multi-factor authentication solution. It can also be deployed alone to assess the risk of individual login attempts to a portal based on a variety of input factors.
- Address regulatory requirements: CA RiskMinder helps you to meet a number of government and industry regulations, including FFIEC, HIPAA, and SOX, as well as your own internal security requirements.
- Protect existing infrastructure investment: You can integrate CA RiskMinder with any Internet-facing application via APIs or web services in order to add real-time fraud detection. It integrates with your existing access management, VPN, online banking, and e-commerce software and other security products, avoiding the need for you to upgrade other parts of your network to add web fraud detection.
- Match rules to your environment: The customizable rules engine enables you to configure CA RiskMinder to match your business practices and risk tolerance, rather than forcing you to change your operations to fit your security tool. This allows you to reach the appropriate balance between the strength of your security and the impact on the end user.
- Deploy and use multi-factor authentication invisibly: Your web users can keep the same username/password sign-on experience with which they are familiar. CA RiskMinder affects only those users whose behavior does not match their personal profile, historical data, and your policies. There is no change to the user experience and therefore no new calls to the help desk or additional support costs.

Control of privileged users

The FFIEC Supplement specifically calls out strong and effective control over privileged users as a requirement for compliance. Whether inadvertent or malicious, improper actions by privileged users can have disastrous effects on IT operations, and on the overall security and privacy of corporate assets and information. Therefore, it is essential that privileged users be allowed to perform only those actions that are required for their specific responsibilities, and only on the appropriate assets. In addition, the use of shared Admin accounts (such as root) poses a compliance challenge, because each activity must be associated with a single person in order to identify the culprit in the case of unauthorized behavior.
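The adaptive risk analysis described in the CA RiskMinder section above scores every login or transaction from device, location and historical user data and maps the score to one of three outcomes: allow, require additional authentication (step-up), or deny. The following is an added example, not CA RiskMinder code or the brief's own material: a small rules engine that shows the mechanics end to end. The rule set, the weights, the 30/70 thresholds, and the sample customer profile and events are all assumptions constructed for illustration.

```python
"""Risk-based step-up decision for an online banking login or transfer.

Added example, not CA RiskMinder code: a small rules engine in the spirit
of the adaptive risk analysis described in the brief. Rule weights, the
allow/step-up/deny thresholds and the sample profile are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class UserProfile:
    """What the institution already knows about the customer (historical data)."""
    user_id: str
    known_devices: Set[str]
    usual_countries: Set[str]
    typical_amount: float  # historical typical transfer size, in account currency


@dataclass
class Event:
    """One login or transaction to be scored."""
    user_id: str
    device_id: str
    country: str
    amount: float = 0.0     # 0.0 for a plain login
    new_payee: bool = False


# A rule returns (weight, reason) when it fires, or None when it does not.
Rule = Callable[[UserProfile, Event], Optional[Tuple[int, str]]]


def unknown_device(p: UserProfile, e: Event) -> Optional[Tuple[int, str]]:
    if e.device_id not in p.known_devices:
        return 30, "device not previously seen for this user"
    return None


def unusual_country(p: UserProfile, e: Event) -> Optional[Tuple[int, str]]:
    if e.country not in p.usual_countries:
        return 25, f"country {e.country} outside the user's history"
    return None


def large_amount(p: UserProfile, e: Event) -> Optional[Tuple[int, str]]:
    # Only meaningful for transactions; a login carries no amount.
    if e.amount > 0 and e.amount > 3 * p.typical_amount:
        return 30, "amount exceeds three times the user's typical transfer"
    return None


def first_payment_to_payee(p: UserProfile, e: Event) -> Optional[Tuple[int, str]]:
    if e.new_payee:
        return 15, "first payment to this payee"
    return None


# Every rule contributes independently; order does not affect the score.
RULES: List[Rule] = [unknown_device, unusual_country, large_amount, first_payment_to_payee]

STEP_UP_AT = 30   # assumption: below this the event passes silently
DENY_AT = 70      # assumption: at or above this the event is blocked


def score_event(profile: UserProfile, event: Event) -> Tuple[int, List[str]]:
    """Sum the weights of all rules that fire, capped at 100, with the reasons."""
    total, reasons = 0, []
    for rule in RULES:
        hit = rule(profile, event)
        if hit is not None:
            total += hit[0]
            reasons.append(hit[1])
    return min(total, 100), reasons


def decide(profile: UserProfile, event: Event) -> Tuple[str, int, List[str]]:
    """Map the score to the three outcomes the brief describes."""
    score, reasons = score_event(profile, event)
    if score >= DENY_AT:
        action = "DENY"
    elif score >= STEP_UP_AT:
        action = "STEP_UP"   # e.g. require an out-of-band OTP before continuing
    else:
        action = "ALLOW"
    return action, score, reasons


# Constructed sample customer for a stand-alone run.
SAMPLE_PROFILE = UserProfile("cust-1001", {"dev-A"}, {"US"}, typical_amount=500.0)

if __name__ == "__main__":
    events = [
        Event("cust-1001", "dev-A", "US"),                                  # routine login
        Event("cust-1001", "dev-X", "US"),                                  # new device
        Event("cust-1001", "dev-A", "US", amount=2000.0, new_payee=True),   # large, new payee
        Event("cust-1001", "dev-X", "RO", amount=5000.0, new_payee=True),   # every rule fires
    ]
    for ev in events:
        action, score, reasons = decide(SAMPLE_PROFILE, ev)
        print(f"{action:8} score={score:3}  {'; '.join(reasons) or 'no rule fired'}")
```

The reasons list is what makes such a decision auditable: an analyst reviewing a denied or stepped-up transaction can see which signals fired, and the institution can tune weights and thresholds to its own risk tolerance rather than changing the rules' structure.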

CA ControlMinder helps eliminate over-privileged users and the use of shared Admin accounts. CA ControlMinder is a leading solution for privileged user management that controls access to host systems and to the critical data and files residing on these systems. Policies can be defined that help ensure that only properly authorized users can gain access to each such system or resource. In this way, CA ControlMinder extends the basic security capabilities supported by each native operating system and provides an expanded, consistent, and more granular set of security capabilities across the systems in your environment. The solution also supports extensive privileged user password management (PUPM), which helps provide accountability for privileged access through the issuance of passwords on a temporary, one-time-use basis, or as necessary, while providing accountability for users' actions through secure auditing. It also includes CA User Activity Reporting (CA UAR), which provides user activity and compliance reporting across physical, virtual, and cloud environments. It verifies security controls and streamlines reporting and investigation of user and resource access activities to accelerate and simplify compliance and improve efficiencies.

CA ControlMinder can provide the following business benefits to an organization:
- Fine-grained access control policies: helps ensure that only authorized privileged users can access your critical data and applications. It provides improved and more granular security than is available through native operating systems.
- Improved compliance: allows you to proactively and more easily demonstrate fine-grained control over privileged users. This helps to simplify and reduce the cost of compliance audits, since you have evidence of compliance.
- Improved password security: supports one-time-use administrative passwords so that privileged users cannot share passwords, thereby improving security and helping to reduce the occurrence of over-privileged users. In addition, it helps eliminate shared accounts so that each action can be associated with a specific individual, further helping to simplify compliance audits.
- Improved security for virtual environments: helps enforce segregation-of-duties rules on the hypervisor, so that the hypervisor administrator cannot access virtual machine configurations via the hypervisor.
- Hardening of the entire operating environment: helps to harden the operating system as well as the hypervisor, reducing both external and internal security risks and improving operating reliability.
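The privileged user password management idea described above rests on two properties: a shared account such as root never has a standing password that several people know, and every use of the account is attributable to one named individual. The following is an added example, not CA ControlMinder or PUPM code: a minimal check-out vault that mints a fresh, short-lived password per request, records who requested it and why, accepts each password at most once, and keeps an audit trail that ties every use of the shared account back to a person. The account and requester names, the 15-minute lifetime, and the injected clock are constructed for illustration.

```python
"""One-time privileged password check-out with an attributable audit trail.

Added example (not CA ControlMinder code) of the PUPM pattern from the brief:
a named requester checks out a fresh password for a shared account, the
password expires or is consumed after one use, and the audit log records
every checkout, use, expiry and rejection against the individual.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Checkout:
    ticket_id: str
    account: str        # the shared account, e.g. "root" (constructed)
    requester: str      # the individual accountable for this checkout
    password: str
    expires_at: float


class PrivilegedPasswordVault:
    def __init__(self, ttl_seconds: int = 900, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds          # assumption: 15-minute checkout lifetime
        self.clock = clock              # injectable so expiry can be tested offline
        self._active: Dict[str, Checkout] = {}
        self.audit_log: List[dict] = []

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"ts": self.clock(), "event": event, **fields})

    def checkout(self, account: str, requester: str, justification: str) -> Checkout:
        """Mint a new random password for one requester; nobody else ever sees it."""
        ticket = Checkout(
            ticket_id=secrets.token_hex(8),
            account=account,
            requester=requester,
            password=secrets.token_urlsafe(24),
            expires_at=self.clock() + self.ttl,
        )
        self._active[ticket.ticket_id] = ticket
        self._log("checkout", ticket=ticket.ticket_id, account=account,
                  requester=requester, justification=justification)
        return ticket

    def authenticate(self, account: str, password: str) -> Optional[str]:
        """Validate a presented password. Returns the accountable requester's
        name on success, None otherwise. A password is accepted at most once."""
        now = self.clock()
        for t in list(self._active.values()):
            if t.account != account:
                continue
            if now > t.expires_at:
                # Expired tickets are purged on contact and recorded as such.
                del self._active[t.ticket_id]
                self._log("expired", ticket=t.ticket_id, account=account, requester=t.requester)
                continue
            if secrets.compare_digest(t.password, password):
                # One-time use: consumed on first successful presentation.
                del self._active[t.ticket_id]
                self._log("use", ticket=t.ticket_id, account=account, requester=t.requester)
                return t.requester
        self._log("rejected", account=account)
        return None

    def uses_of(self, account: str) -> List[str]:
        """Who actually used the shared account, in order: the audit answer."""
        return [r["requester"] for r in self.audit_log
                if r["event"] == "use" and r["account"] == account]


if __name__ == "__main__":
    vault = PrivilegedPasswordVault()
    t = vault.checkout("root", "alice", "apply patch to web01")   # constructed
    print("first use  ->", vault.authenticate("root", t.password))   # alice
    print("second use ->", vault.authenticate("root", t.password))   # None
    print("root was used by:", vault.uses_of("root"))
```

Because the vault keeps the password-to-person mapping rather than the administrators, the shared account stops being shared in practice: the audit log answers "who was root at 14:02?" with a name, which is exactly what the compliance challenge in the text calls for.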

Solution Capabilities and Benefits

FFIEC requirement: Better Risk Assessment
CA Technologies solution: CA RiskMinder provides a comprehensive risk and fraud detection system that uses device, location and historical user information to assess the risk of any specific transaction.
Solution benefits:
- Uses standard rules, customized rules, and external data sources to arrive at a risk score.
- Uses fraud modeling to help identify and prevent fraud in real time.
- Makes a suspect transaction appear to complete correctly to the user, while moving it to a special queue for further analysis prior to actual transaction completion.

FFIEC requirement: Adopt Stronger Authentication Standards for High-Risk Transactions
CA Technologies solution: CA AuthMinder:
- Provides two-factor authentication with our patented CA ArcotID solution.
- Provides two-factor authentication with our CA ArcotID OTP solution.
- Can generate One-Time Passwords (OTP) and use Out-of-Band (OOB) channels, including SMS, IVR and email, to send an OTP to the user. Users then enter the correct code back into the portal to identify themselves.
- Provides a solution to protect against MITM attacks.
Solution benefits:
- CA ArcotID appears to the user as a username and password, so it's easy to use. With PKI under the covers, it brings the strength of PKI to the solution without the related complexity for the institution or the user. It automatically helps protect users from phishing and MITM attacks.
- CA ArcotID OTP appears just like an OTP generated from a single-purpose token, except it uses the customer's own mobile device. It can support multiple accounts on the same device and protects the seed value with patented technology.
- Delivers second-factor information through any number of out-of-band channels.
- Provides flexibility in using additional information in the authentication process as required.

FFIEC requirement: Layered Security Programs
CA Technologies solution: CA RiskMinder and CA AuthMinder provide a comprehensive layered security solution that provides:
- Fraud monitoring
- Authorization from multiple devices
- OOB verification
- Step-up at certain levels
- IP blocking
Solution benefits: The layers can include:
- Strong 2FA authentication.
- Device, location, and transaction information collection.
- Built-in rules and custom rules for determining risk based on collected factors, as well as custom models.
- Ability to incorporate additional external data into the risk evaluation process.

FFIEC requirement: Effectiveness of Certain Authentication Techniques
CA Technologies solution: CA Technologies provides:
- Complex device identification
- Challenge questions
- Shared secret
- Out-of-wallet (OOW) questions
Solution benefits:
- Increased effectiveness of device identification due to the use of over 50 different parameters and the ability to work without a cookie.
- Increased effectiveness of challenge questions due to the ability to customize the number and type of questions required (including out-of-wallet questions) and the ability to use additional third-party identity-proofing questions.

FFIEC requirement: Control over privileged users
CA Technologies solution: CA ControlMinder Password Vault
Solution benefits:
- Increased granularity of control over what resources Admins can access.
- Ability to control use of critical system services.
- Reduced risk of inadvertent or malicious improper actions by privileged users.
- One-time-use passwords improve security and eliminate the use of shared accounts.
- Easier and less costly compliance audits due to the ability to prove what Admins have done on the system.

Summary

FFIEC is an important driver of compliance activities for a large number of major financial and banking institutions. This standard was initiated in order to ensure that adequate security, in the form of strengthened authentication, was being used for high-value online banking applications. FFIEC compliance requires risk-based authentication policies and strong two-factor authentication capabilities, as well as improved control over the actions of privileged users. Some companies adopt a minimalist approach to FFIEC compliance and do only the minimum required to satisfy auditors. But this approach is short-sighted, because it fails to incorporate the business benefits of increased confidence (and therefore loyalty) on the part of a financial institution's customers, which often results from a comprehensive approach to strong user authentication coupled with a simple and effective user interface. The CA Technologies solutions for Advanced Authentication and Privileged User Management can provide an effective and layered platform for reducing authentication risk and simplifying compliance with FFIEC. For more information on these solutions, please visit ca.com/iam

CA Technologies is an IT management software and solutions company with expertise across all IT environments, from mainframe and distributed to virtual and cloud. CA Technologies manages and secures IT environments and enables customers to deliver more flexible IT services. CA Technologies' innovative products and services provide the insight and control essential for IT organizations to power business agility. The majority of the Global Fortune 500 rely on CA Technologies to manage their evolving IT ecosystems. For additional information, visit CA Technologies at ca.com.

Copyright 2012 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document "as is" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. No software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, and so on (collectively, "Laws")) referenced herein or any contract obligations with any third parties. You should consult with competent legal counsel regarding any such Laws or contract obligations.

CS1992_0212