Governing access: why it’s time banks embraced a smarter approach to authorisation
Gal Helemski, co-founder and CTO, PlainID
In comparison to many other industries, banks have a long legacy in the field of data protection and authorisation management. Accountable for protecting the transactions and personal information of the individuals they serve, over the decades they have become highly adept at building and maintaining complex access control systems designed to keep the sensitive data of customers safe.
However, the accelerating digital transformation of the sector means that these systems have become outdated from a usability, adaptability, scalability, and suitability perspective. This makes delivering the dynamic, seamless and friction-free digital banking experiences that today’s consumers expect a difficult proposition.
That’s not the only challenge; operating in a highly regulated industry, banks need to know exactly who has access to what at all times. Yet, as authorisations are often managed in siloed IT platforms, applications that are highly cumbersome to manage and administer become very difficult to audit. Worse still, these systems were never designed to support digitisation initiatives such as microservices and API-driven applications.
Therefore, to participate effectively in a modern banking world, where agility needs to go hand in hand with increased accountability and security, implementing more modern and flexible frameworks for handling access control is becoming a mission-critical priority.
The key requirements checklist
Banks have an array of specific needs when it comes to finding a modern and advanced authorisation and access control management solution, especially one that checks every requirement box and will operate effectively. However, if they find the right one, banks can unlock higher risk protection and create new business value.
In addition to securing the personal financial data held on platforms that consumers use on a day-to-day basis, banks need to be able to define access control policies that will support key business objectives. For example, enabling customers to use different digital channels in highly customizable ways.
To keep pace with a rapidly evolving compliance landscape, banks will also need to be able to continuously adapt their access policies in line with current and new regulations; undertaking systematic audits to ensure that access control rules meet ongoing compliance needs and maintain truly effective governance.
Finally, banks need to be confident that the authorisation management tools they deploy will be versatile enough to operate across multiple applications and IT platforms – whether on premises or through a public, private or hybrid cloud. This capability will be vital for ensuring that policies can be applied everywhere from one platform, and that future infrastructure migrations won’t add unnecessary complexity from an access control management perspective.
Policy-based access control (PBAC): a modern approach to authorisation
Policy-based access control, or PBAC, represents a major shift in approach to authorization management for the banking industry. It builds upon the foundations laid by its predecessors (namely Access Control Lists (ACLs), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC)) by taking a more holistic approach – integrating the strengths of each model while addressing their limitations.
Unlike legacy access management systems, which are expensive and require extensive technical expertise to understand and run, PBAC enables organizations to write access policies using plain language and automatically apply these across all their diverse environments.
Plus, as there’s no requirement for specialist technical know-how, line-of-business management teams are able to take full control of their own access management decisions, leaving IT specialists free to focus on other business initiatives.
For optimized process efficiencies, common and consistent policies can be defined that can enforce access for the most demanding use cases in all environments. PBAC also enables the use of policy mining to help automate the creation and approval of policies themselves, utilizing policy testing tools to deliver an end-to-end view of policy impact and effectiveness.
Since policies can be audited and updated at any time, banks are able to gain full visibility into who can do what within their systems alongside being able to easily change access rules as needed in a responsive and timely manner.
PBAC: the key to effective security in the modern banking era
New operational realities mean that more and more banks are looking to PBAC as an efficient approach to authorising who has access to what.
PBAC enables dynamic and real-time authorisation decisions based on contextual information. By considering factors such as user attributes, resource characteristics, and environmental variables, PBAC ensures that access is granted or denied in a highly granular and context-aware manner.
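To make the contextual decision model above concrete, here is an added example (not PlainID's product or any code from the original article) of a minimal policy decision point for a hypothetical bank: each policy is a predicate over subject attributes, resource characteristics and environmental variables, decisions combine with deny-overrides and default deny, and every decision is written to an audit trail of the kind the earlier section says banks need. The account, role and threshold values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed example: a minimal PBAC decision point for a hypothetical bank.

@dataclass
class Request:
    subject: dict    # user attributes: id, role, branch, mfa
    resource: dict   # resource characteristics: owner, branch, amount
    action: str      # e.g. "view" or "transfer"
    env: dict        # environmental variables: channel, network, hour

@dataclass
class Policy:
    name: str
    applies: Callable[[Request], bool]  # predicate over the whole request context
    effect: str                         # "permit" or "deny"

# Plain-language rules expressed as predicates over subject, resource and environment.
POLICIES = [
    Policy("customer-views-own-account", lambda r:
           r.action == "view" and r.subject.get("role") == "customer"
           and r.resource.get("owner") == r.subject.get("id"), "permit"),
    Policy("customer-transfers-from-own-account", lambda r:
           r.action == "transfer" and r.subject.get("role") == "customer"
           and r.resource.get("owner") == r.subject.get("id"), "permit"),
    Policy("teller-views-branch-accounts-in-hours", lambda r:
           r.action == "view" and r.subject.get("role") == "teller"
           and r.resource.get("branch") == r.subject.get("branch")
           and r.env.get("network") == "branch-lan"
           and 8 <= r.env.get("hour", -1) < 18, "permit"),
    Policy("large-transfer-requires-mfa", lambda r:
           r.action == "transfer" and r.resource.get("amount", 0) >= 10_000
           and not r.subject.get("mfa", False), "deny"),
]

AUDIT_LOG: list = []   # one record per decision, so "who can do what" is reviewable

def decide(req: Request) -> str:
    """Deny-overrides combining with default deny; every decision is logged."""
    matched = [p for p in POLICIES if p.applies(req)]
    if any(p.effect == "deny" for p in matched):
        decision = "deny"
    elif any(p.effect == "permit" for p in matched):
        decision = "permit"
    else:
        decision = "deny"  # no applicable policy: fail closed
    AUDIT_LOG.append({"subject": req.subject.get("id"), "action": req.action,
                      "decision": decision, "matched": [p.name for p in matched]})
    return decision
```

Changing a rule (say, the transfer threshold or the teller's permitted hours) is a one-line policy edit rather than a change to the applications that call `decide`, and the audit log shows which policies drove each outcome.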
Unsurprisingly, legacy systems are proving both cumbersome and ineffective for today’s rapidly changing business world. Resource intensive and lacking in scalability, they also can’t deliver against increasingly rigorous governance requirements.
In today’s fast-changing business landscape, banks need to have the mechanisms in place to ensure that all essential data is available to whoever needs it, whenever they need it – but only under predetermined conditions, with data protected by agile yet context-based security policies that support specific governance objectives.
The emergence of PBAC is a significant milestone in authorisation controls because it brings forth numerous advantages for organisations. Its efficient management of access controls, simplified development lifecycle, dynamic decision-making capabilities, and enhanced visibility make it a valuable solution in the modern era of cybersecurity.
With PBAC, banks are able to implement access controls using ready-made services while taking full advantage of distributed enforcement capabilities. Therefore, by simplifying how they create, manage and enforce authorization policies that fit fast-evolving needs, PBAC is enabling banks to optimize their business processes and capitalize on new opportunities. Regardless of how legislative requirements will evolve in a highly regulated sector, PBAC will ensure that banks are able to stay on top of their responsibilities in a streamlined fashion.