Risk intelligence for financial industries
Risk-aware authorization reduces internal fraud risks. It also enables a more rapid deployment of new services to cater for new business opportunities. Not surprisingly, the financial industry is the fastest adopter of eXtensible authorization technology.
New trends in the financial services
Changing consumer patterns reflect a corresponding trend in the financial services industry; rapid deployment of new online services is no longer simply a means to gain market share, it is a matter of survival.
Online payment, smartphone banking, payday loans, online private banking services - the list of new, internet-powered solutions in the financial industries is growing longer by the day.
New channels, new risks
For IT departments, this translates into a whole new set of combinatory complexities. New channels, new services, new user groups and new use cases must be serviced. A broad set of business rules needs to be implemented, which further increases risk exposure. Access controls therefore need to be context-aware, risk intelligent and flexible.
Current access control techniques are unable to meet these requirements. They are static with pre-configured permissions, meaning they are unable to capture context or risk indicators.
The risk attribute in Attribute Based Access Control (ABAC)
Extensible authorization, by contrast, is well suited to include risk indicators in run-time authorization decisions. Policies include risk considerations – "yes, you may, provided the risk level is acceptable". The decoupling of application logic and authorization achieved through externalized access control further simplifies implementation of access controls via centralized policy management.
Handling internal fraud risks
Another and possibly even more important driver for eXtensible authorization in the financial industries is the way it helps mitigate internal threats and fraud risks. For instance, the very nature of successful trading is time-critical risk exposure. You need to buy faster than the competition to maximize gains from upward trends while making sure that portfolio assessments remain solid. Milliseconds count. Access controls that slow down trading are costly, while access controls that are unable to recognize fraud attempts may be lethal. Getting the balance right is essential.
In recent years there have been too many documented examples of banks suffering severe losses or even being forced to close down due to the actions performed by individual traders - eXtensible authorization can help put a stop to this.
Banking business value
Extensible authorization brings value to the financial industries primarily due to the following characteristics:
- A top-down approach to governance. Authorization decisions are based on policies. XACML policies can include any number of attributes to describe the conditions in which a user should be granted access. Corporate policies can thus be implemented at a central point and then be pushed down into the infrastructure where Policy Enforcement Point (PEP) components enforce access control decisions.
- Risk-awareness in access controls. Attributes used in policies can capture risks calculated in real time. A rule can mandate "If the risk level is less than three then permit else deny", whereby the risk level can reflect risks such as abnormal user behavior, account balance in relation to transaction size, insufficient authentication strength, etc.
- Proven compliance with regulatory requirements. Rather than having to compare incompatible security settings of many different information systems, one audit of policies in use will verify regulatory compliance.
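The risk rule quoted in the list above, sketched as a small decision function with a deny-biased enforcement point. This is an added example, not Axiomatics code or XACML syntax; the attribute names, the scoring weights and the authentication-strength scale are assumptions made for illustration.

```python
RISK_THRESHOLD = 3  # the page's rule: permit only when the risk level is less than three


def risk_level(attrs):
    """Hypothetical scoring over the three indicators the page names."""
    level = 0
    if attrs["abnormal_behavior"]:                 # abnormal user behavior
        level += 2
    if attrs["amount"] > 0.5 * attrs["balance"]:   # transaction large relative to balance
        level += 2
    if attrs["auth_strength"] < 2:                 # assumed scale: 1 = password, 2 = MFA
        level += 1
    return level


def pdp_decide(attrs):
    """Decision point: evaluate the rule against the request attributes."""
    try:
        level = risk_level(attrs)
    except (KeyError, TypeError):
        # A missing or malformed attribute means the rule cannot be evaluated.
        return "Indeterminate"
    return "Permit" if level < RISK_THRESHOLD else "Deny"


def pep_enforce(attrs):
    """Deny-biased enforcement point: anything other than Permit is refused."""
    return pdp_decide(attrs) == "Permit"


# Constructed sample requests.
ROUTINE = {"abnormal_behavior": False, "amount": 100.0,
           "balance": 10_000.0, "auth_strength": 2}
LARGE_WEAK_AUTH = {"abnormal_behavior": False, "amount": 9_000.0,
                   "balance": 10_000.0, "auth_strength": 1}
MISSING_ATTR = {"abnormal_behavior": False, "amount": 100.0,
                "balance": 10_000.0}

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE),
                      ("large transfer, password only", LARGE_WEAK_AUTH),
                      ("auth strength missing", MISSING_ATTR)]:
        print(f"{name}: {pdp_decide(req)} -> allowed={pep_enforce(req)}")
```

The third request shows why the enforcement point matters: when a risk attribute cannot be resolved, the decision is neither Permit nor Deny, and the enforcement point must refuse rather than fall through.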
Axiomatics authorizes the world's largest banks
Extensible authorization solutions from Axiomatics power online banking and trading applications in some of the world's largest banks.
