In the banking, financial services, and insurance (BFSI) sector, the use of data lakes and warehouses has become integral to harnessing the vast volumes of structured and unstructured data.
In multi-cloud environments, BFSI firms use these data lakes and warehouses to support diverse analytics, risk modelling, customer engagement strategies, fraud management, and compliance monitoring, among others. However, the fluidity and scale of access prevailing in banks and insurance organizations across multiple cloud platforms introduce critical security challenges. Implementing robust identity and access management (IAM) frameworks for data access has thus emerged as a foundational security imperative.
Many global BFSI firms centrally store data in data lakes or warehouses across multiple cloud platforms to reap several benefits: scalability to manage ever-expanding data, the capability to consolidate diverse data from varied sources while ensuring continuous availability for comprehensive analytics, and cost efficiency. Clearly, cloud data lakes and warehouses have a lot to offer BFSI firms. However, there are pitfalls as well: securing data stored on the cloud can be a big challenge, especially as sensitive customer data is typically scattered across various cloud platforms, which makes centralized security and governance difficult.
Given that BFSI firms handle large volumes of personally identifiable information (PII) and transaction data, guarding against malicious insiders who might share it with external attackers also poses hurdles. Different cloud platforms come with unique security configurations, which makes it difficult for BFSI firms to implement a uniform, enterprise-wide security policy, in turn undermining security and creating compliance gaps. Compliance with global privacy regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Personal Data Protection Law (PDPL) is another aspect that can pose difficulties.
The threat landscape manifests differently across different lines of business in the BFSI industry. For example, a global bank operating in a multi-cloud environment may have to contend with excess privileges granted to data scientists and business analysts, data silos resulting in exposure of sensitive financial information, and vulnerabilities in the application programming interfaces (APIs) of cloud-native services. On the other hand, a fintech firm leveraging data lakes across multiple cloud platforms for real-time portfolio risk analytics may grapple with data exfiltration due to third-party integrations and inadequate data tagging and classification. Similarly, an insurer operating in a hybrid cloud model may have to integrate sensor data, customer history, and claims data, and this integration can result in unauthorized access to and misuse of crucial customer information.
For banks and insurers, a data breach can have disastrous consequences—adverse impact on customer trust, stringent regulatory audit, reputation and financial losses, and lawsuits. The way forward is to adhere to the highest standards of data protection and privacy and safeguard against breaches by putting in place robust security mechanisms, which will also help avoid regulatory scrutiny and penalties due to non-compliance. Adopting a robust data access control strategy can help to address these challenges. Implementing such a strategy will help BFSI firms gain visibility into their data security risks, enforce controls, and mitigate vulnerabilities across multi-cloud environments.
BFSI firms must take steps to ensure secure access to data from platforms such as Snowflake, AWS S3, Amazon Redshift, Databricks, Azure Synapse, and Google BigQuery in a consistent manner.
Given that firms would have enabled multiple data retrieval options such as APIs, cloud-native interfaces, reporting tools, data platform native interfaces, and so on, they must put in place a centralized, policy-based access control solution. This is critical to prevent unauthorized access and misuse, and to guard against cyberattacks from external actors. It will require firms to establish comprehensive data access control mechanisms with key components (see Figure 1).
Banks and insurers must:
Adopting policy-based access controls helps address common challenges that banks and insurers face (see Table 1).
| Challenge | Solution |
| --- | --- |
| Requests are handled through a ticketing system or emails, resulting in delayed access provisioning. | Establish a loosely coupled IAM platform with the ability to support hybrid cloud environments and offer out-of-the-box workflow and self-service capabilities. |
| Review and approval of access requests are time-consuming, delaying the provisioning process. Revocation of access is heavily dependent on review campaigns. | Put in place real-time access provisioning and revocation based on attribute value change, which will eliminate the need for provisioning, deprovisioning, and access review campaigns. |
| Role or group explosion resulting in maintenance overheads. | Eliminate uncontrolled growth of user roles and groups by considering attributes such as user, resource, and the environment while defining access policies. |
| Audit process for regulatory compliance is complex and requires detailed analysis of entitlements within each application and data source. | Set up channel-independent centralized policy administration, reporting, and auditing. |
| Separation of duty and delegation of access is hard to achieve. | Implement policies for common requirements such as separation of duty, privacy, secure data sharing, and delegation across applications and databases. |
Table 1: Policy-based controls to overcome common difficulties in access management
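The following is an added illustration of the controls in Table 1, not code from the article or from any IAM product or data platform it names. It is a minimal attribute-based policy decision point in Python: policies are written over user, resource, and environment attributes rather than ever-growing roles; the same decision function serves every channel (API, reporting tool, native interface) and writes one audit record per decision; a separation-of-duty rule is expressed as an ordinary deny policy; and because decisions are computed from current attributes, changing an advisor's region attribute revokes access immediately with no review campaign. All attribute names, policy names, users and data sets are constructed for the example.

```python
"""Minimal ABAC policy decision point (added example; not the article's code).

Every attribute name, policy, user and data set below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# Ordered sensitivity levels used to compare a user's clearance with a data set's label.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Request:
    subject: dict      # user attributes as read from the IAM directory at request time
    resource: dict     # data-set attributes from the data catalogue
    action: str        # "read" or "export"
    environment: dict  # channel and network zone of the request


@dataclass
class Policy:
    name: str
    effect: str                        # "permit" or "deny"
    applies: Callable[[Request], bool]  # predicate over the whole request


def _same_region(r: Request) -> bool:
    return r.subject.get("region") == r.resource.get("region")


POLICIES = [
    # Permit: advisors may read records of clients in their own book and region.
    Policy("advisor-own-book", "permit",
           lambda r: r.subject.get("role") == "advisor" and r.action == "read"
           and _same_region(r) and r.resource.get("client_id") in r.subject.get("book", ())),
    # Permit: analysts may read any data set labelled at or below their clearance.
    Policy("analyst-by-clearance", "permit",
           lambda r: r.subject.get("role") == "analyst" and r.action == "read"
           and CLEARANCE[r.subject.get("clearance", "public")]
           >= CLEARANCE[r.resource.get("classification", "public")]),
    # Deny: restricted data may not be exported from outside the corporate zone.
    Policy("no-export-offnet", "deny",
           lambda r: r.action == "export" and r.resource.get("classification") == "restricted"
           and r.environment.get("zone") != "corporate"),
    # Deny (separation of duty): anyone who approves trades may not read settlement data.
    Policy("sod-approver-settlement", "deny",
           lambda r: "trade_approver" in r.subject.get("duties", ())
           and r.resource.get("dataset") == "settlement"),
]

AUDIT_LOG: list[dict] = []  # central, channel-independent decision log


def _record(req: Request, decision: str, policy: str) -> tuple[str, str]:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": req.subject.get("id"), "dataset": req.resource.get("dataset"),
        "action": req.action, "channel": req.environment.get("channel"),
        "decision": decision, "policy": policy,
    })
    return decision, policy


def decide(req: Request) -> tuple[str, str]:
    """Evaluate all policies: any matching deny wins, else first permit, else deny."""
    first_permit = None
    for p in POLICIES:
        if p.applies(req):
            if p.effect == "deny":
                return _record(req, "deny", p.name)
            first_permit = first_permit or p.name
    return _record(req, "permit" if first_permit else "deny", first_permit or "default-deny")


# Constructed sample users and data sets.
ADVISOR = {"id": "u-adv-1", "role": "advisor", "region": "us-east", "book": ("c-100", "c-101")}
ANALYST = {"id": "u-ana-1", "role": "analyst", "clearance": "confidential"}
APPROVER = {"id": "u-ops-1", "role": "analyst", "clearance": "restricted", "duties": ("trade_approver",)}
CLIENT_RECORD = {"dataset": "client_portfolio", "client_id": "c-100", "region": "us-east",
                 "classification": "confidential", "platform": "snowflake"}
SETTLEMENT = {"dataset": "settlement", "region": "us-east",
              "classification": "restricted", "platform": "redshift"}


def demo() -> dict[str, tuple[str, str]]:
    """Run the scenarios from Table 1 through the single decision point."""
    api, bi, offnet = ({"channel": "api", "zone": "corporate"},
                       {"channel": "bi-tool", "zone": "corporate"},
                       {"channel": "api", "zone": "internet"})
    return {
        "advisor_read_api": decide(Request(ADVISOR, CLIENT_RECORD, "read", api)),
        "advisor_read_bi": decide(Request(ADVISOR, CLIENT_RECORD, "read", bi)),
        "analyst_read": decide(Request(ANALYST, CLIENT_RECORD, "read", api)),
        "analyst_export_offnet": decide(Request(ANALYST, SETTLEMENT, "export", offnet)),
        "approver_read_settlement": decide(Request(APPROVER, SETTLEMENT, "read", api)),
        # Attribute change (region transfer) revokes access without a review campaign.
        "advisor_after_transfer": decide(Request({**ADVISOR, "region": "eu-west"}, CLIENT_RECORD, "read", api)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} -> {outcome}")
```

Note the design choice that deny rules always override permits and that an unmatched request is denied by default; the separation-of-duty rule is just another deny policy rather than a special mechanism, and the approver is refused even though their clearance alone would permit the read.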
A large wealth management firm with operations across the US and an army of advisors was functioning without comprehensive access control mechanisms.
Advisors regularly accessed confidential client information including portfolio summaries, risk assessments, tax documents, and retirement plans through a variety of channels to perform their role. Business analysts and senior leaders too accessed this data from data warehouses on the cloud while technology teams had access to data warehouses through their native interfaces. Given the sensitivity of the data and the potential for regulatory violations and consequent scrutiny, the firm wanted to implement a robust access control policy.
We helped the firm implement a centralized, policy-based access control system, ensuring consistent protection of data regardless of source and channel of access as well as seamless experience for advisors, leaders, and technology teams.
With this implementation, the firm realized the following benefits:
The BFSI sector's adoption of multi-cloud data platforms is a strategic enabler of innovation, agility, and customer-centricity.
However, it also significantly expands the attack surface and regulatory exposure. Data access controls based purely on the native capabilities of data sources or cloud platforms are not sufficient to meet business and regulatory requirements for sensitive data sets. BFSI firms must implement a robust, context-aware, and policy-based access control system to ensure secure and compliant use of their data platforms while retaining the agility and analytical depth that multi-cloud environments offer.