After discovering that Indian urban cooperative banks (UCBs) had been consistently failing to maintain an acceptable degree of security within their IT infrastructure, were highly vulnerable to attacks and sensitive data compromise was extremely likely, RBI released a circular with new mandates in late 2019 to ensure robust security in these banks.
RBI has explicitly mandated that Identity & Access Management (IAM) technology be adopted, and the best option for banks to fulfill this guideline is by implementing Compact Identity from Ilantus that comes with a ‘Make in India’ certification. Cybersecurity purchases within India are also less expensive and more prudent given the sensitive nature of information in banking.
Compact Identity helps your organization achieve compliance with these RBI guidelines:
- Mandate ‘Level III, 4.1’ states that “(Banks must) implement a centralized authentication and authorization system through an Identity and Access Management solution for accessing and administering critical applications, operating systems, databases, network and security devices/systems, point of connectivity (local/remote, etc.) including enforcement of strong password policy, two-factor/multi-factor authentication, securing privileged accesses following the principle of least privileges and separation of duties.” A centralized system for authentication, access, and administration improves security by creating an auditable focal point for these processes. A strong password policy, combined with a system that makes these processes easy to manage, makes for a user-friendly experience. With Compact Identity, passwords can be as complex as they need to be without causing problems when they are forgotten or need to be changed. Privileged access involves elevated accounts with access to critical applications and systems and requires a different technology to manage, as such access typically has to be granted on a need-only basis. Lastly, a person should not hold certain combinations of access, for example both writing and authorizing cheques, lest they be tempted to write a company cheque to themselves. Compact Identity offers every one of these features with panache. It is a world-class solution used by many organizations around the world, including more than 18 of the Fortune 100, and has been featured by various industry analysts as a top-end product for being scalable, simple, and easy to use. It is the only technology in the world that offers Privileged Access Management, Authentication, Single Sign-on, Password Management, and Identity Governance and Administration (access request & approval, access recertification campaigns) from a single dashboard.
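As an added illustration of the separation-of-duties point above (example code written for this page, not Ilantus or Compact Identity code), the following Python shows the two checks an IAM system runs against a conflict matrix: a recertification sweep over existing entitlements, and a request-time check before a new entitlement is approved. The entitlement names, the conflict matrix and the sample users are all constructed.

```python
"""Separation-of-duties (SoD) checks over user entitlements.

Added example, not Compact Identity code. Entitlement names, the conflict
matrix and the sample users below are constructed for illustration.
"""

# Constructed "toxic combinations": no single identity may hold both halves of a pair.
SOD_CONFLICTS: set[frozenset[str]] = {
    frozenset({"cheque.write", "cheque.authorize"}),
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"loan.originate", "loan.approve"}),
}


def sod_violations(entitlements: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Return, per user, every conflicting pair that user currently holds.

    This is the recertification-campaign view: the output lists the users whose
    access must be split between two people or partially revoked.
    """
    report: dict[str, list[tuple[str, str]]] = {}
    for user, held in entitlements.items():
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held]
        if hits:
            report[user] = sorted(hits)
    return report


def would_conflict(held: set[str], requested: str) -> list[str]:
    """Return the already-held entitlements that make `requested` unsafe to grant.

    This is the access-request view: the approver sees the conflict before
    approving instead of discovering it at the next recertification.
    """
    blockers = []
    for pair in SOD_CONFLICTS:
        if requested in pair:
            other = next(iter(pair - {requested}))
            if other in held:
                blockers.append(other)
    return sorted(blockers)


# Constructed sample entitlement data for three users.
SAMPLE_ENTITLEMENTS = {
    "teller01": {"cheque.write", "account.view"},
    "ops02": {"cheque.write", "cheque.authorize", "account.view"},
    "finance03": {"vendor.create", "payment.release", "loan.originate"},
}

if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ENTITLEMENTS).items():
        print(f"{user}: conflicting pairs {pairs}")
    # teller01 already writes cheques, so authorizing them would be a toxic combination.
    print(would_conflict(SAMPLE_ENTITLEMENTS["teller01"], "cheque.authorize"))
```

The conflict matrix is expressed as unordered pairs so that a single table serves both checks; a deployment would load it from the governance configuration rather than a literal.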
- ‘Baseline ii’ says that “UCBs shall put in place two-factor authentication for accessing their CBS and applications connecting to the CBS with the 2nd factor being dynamic in nature.”
Two-factor authentication improves security by requiring not just a password but one more authentication through a different mechanism to access an account or application. Compact Identity offers such a feature, wherein a second factor such as mobile biometrics, email OTP, or SMS OTP is used for better security.
- ‘Baseline iv’ reads, “There should be a robust password management policy in place (…) Usage of trivial passwords shall be avoided (…)”
Easy-to-guess passwords are the bane of any organization, more so in banking. People generally set their birthdays or anniversaries as their passwords so that they don’t forget them, but fail to realize that this information is publicly available on their social media, making it very easy for hackers to guess, or even to crack by brute force, since a cracking tool needs little effort to break them.
Compact Identity includes an enterprise-class password management tool. Common passwords can be blacklisted from use, and all passwords are stored in an encrypted format.
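The following Python is an added example (not Compact Identity code) of the checks behind such a policy: a minimum length, a blacklist of trivial passwords that also catches a blacklisted word with digits and symbols bolted on, and rejection of passwords that embed the username or a personal date such as the birthday mentioned above. The blacklist, the username and the date of birth are constructed; a real deployment would load a large breached-password list instead of the short set shown.

```python
"""Password-policy check: length, trivial-password blacklist, personal data.

Added example, not Compact Identity code. The blacklist, the sample username
and the sample date of birth are constructed.
"""
import re
from datetime import date

# Constructed blacklist (normally thousands of entries loaded from a breached-password list).
BLACKLIST = {"password", "password1", "123456", "qwerty", "welcome", "admin123"}
MIN_LENGTH = 12
SAMPLE_DOB = date(1990, 12, 25)  # constructed date of birth for the sample user


def _date_tokens(d: date) -> set[str]:
    """Strings a user is likely to type from a date: 25121990, 251290, 19901225, 2512, 1990."""
    return {
        d.strftime("%d%m%Y"),
        d.strftime("%d%m%y"),
        d.strftime("%Y%m%d"),
        d.strftime("%d%m"),
        d.strftime("%Y"),
    }


def check_password(password: str, username: str, known_dates: list[date]) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: list[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Strip digits and symbols so "Password2024!" is still recognised as "password".
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in BLACKLIST or core in BLACKLIST:
        problems.append("blacklisted trivial password")

    if username.lower() in lowered:
        problems.append("contains the username")

    for d in known_dates:
        if any(tok in password for tok in _date_tokens(d)):
            problems.append(f"contains a personal date ({d.isoformat()})")
            break

    classes = sum(
        bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")

    return problems


if __name__ == "__main__":
    for pw in ("Summer2024!", "Password2024!", "Rkumar@25121990", "Tr0ub4dor&3xyz"):
        print(pw, "->", check_password(pw, "rkumar", [SAMPLE_DOB]) or "accepted")
```

Returning every violation at once, rather than stopping at the first, lets the user fix a rejected password in one attempt; the date check is what turns the public-profile problem described above into an enforceable rule.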
- Mandate ‘Level II, 10.1’ states, “(banks should) capture the audit logs pertaining to user actions in a system. Such arrangements should facilitate forensic auditing if need be.”
It is not enough to have security systems in place: organizations need to log events so that, when breaches do happen, they can respond and prevent the same things from happening in the future. It is also no small point that regulations around the world, and in India, require auditable logs of the user actions that have occurred in a system.
Compact Identity allows all user actions related to authentication and authorization to be captured and available for forensic auditing in audit-ready format.
- ‘Baseline III, 2.2’ reads, “(banks must) enable IP tables to restrict access to the clients and servers in SWIFT and ATM Switch environments only to authorized systems.”
IP address restrictions add a further layer of security. One such application is outlined in the above mandate, and Compact Identity supports restricting authentication based on IP address ranges.
- Mandate 7.3 states “(Banks must) carefully protect access credentials such as login user-id, authentication information, and tokens, access profiles, etc. against leakage/attacks.”
It is not enough for a bank to have secure passwords, authentication, and authorization procedures. The IAM tool, which interacts with apps and systems and stores credentials, must also store them securely. Compact Identity stores all data with AES 256-bit encryption.
- Mandate 7.3 states that “(Banks must) implement controls to monitor and minimize invalid login counts and deactivate dormant accounts.”
Multiple invalid logins due to incorrect credentials indicate possible unauthorized login attempts; the account must be locked before an attacker can keep trying passwords endlessly to find the correct one. Dormant accounts are those that exist and have access rights allocated to them but are neither in use nor deactivated. Such accounts must be deactivated promptly when they are found, or they provide an additional place from which attackers can infiltrate a bank’s IT systems.
In Compact Identity, user accounts can be disabled, or a forced password reset triggered, after a specified number of failed login attempts. Dormant accounts are also identified and periodically deactivated.
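An added example (not Compact Identity code) of the three controls discussed in the IP-restriction mandate and the invalid-login mandate above: a source-address allowlist checked before the password is even evaluated, a sliding-window failed-login counter that locks the account, and a dormant-account sweep that lists accounts with no successful login inside the retention window. The networks, thresholds, usernames and timestamps are constructed.

```python
"""Authentication controls: IP-range allowlist, failed-login lockout, dormant accounts.

Added example, not Compact Identity code. Networks, thresholds and the
scenario in demo() are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed allowlist: only these source ranges may reach the administrative login.
ALLOWED_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.168.100.0/24")]
MAX_FAILURES = 5                       # failures inside FAILURE_WINDOW before lockout
FAILURE_WINDOW = timedelta(minutes=15)
LOCKOUT = timedelta(minutes=30)
DORMANT_AFTER = timedelta(days=90)     # no successful login for this long -> dormant


def ip_allowed(source: str) -> bool:
    """True when the source address falls inside one of the permitted ranges."""
    addr = ip_address(source)
    return any(addr in net for net in ALLOWED_NETWORKS)


@dataclass
class AccountState:
    failures: list[datetime] = field(default_factory=list)
    locked_until: datetime | None = None
    last_success: datetime | None = None


class LoginGuard:
    def __init__(self) -> None:
        self.accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def attempt(self, user: str, source: str, password_ok: bool, now: datetime) -> str:
        """Evaluate one login; returns 'denied_ip', 'locked', 'bad_password' or 'ok'."""
        if not ip_allowed(source):
            return "denied_ip"            # rejected before any credential is examined
        st = self._state(user)
        if st.locked_until and now < st.locked_until:
            return "locked"
        # Keep only the failures that fall inside the sliding window.
        st.failures = [t for t in st.failures if now - t <= FAILURE_WINDOW]
        if not password_ok:
            st.failures.append(now)
            if len(st.failures) >= MAX_FAILURES:
                st.locked_until = now + LOCKOUT
                st.failures.clear()
                return "locked"
            return "bad_password"
        st.failures.clear()
        st.locked_until = None
        st.last_success = now
        return "ok"

    def dormant_accounts(self, now: datetime) -> list[str]:
        """Accounts with no successful login for DORMANT_AFTER (or ever): deactivation candidates."""
        return sorted(
            user for user, st in self.accounts.items()
            if st.last_success is None or now - st.last_success > DORMANT_AFTER
        )


def demo() -> dict:
    """Constructed scenario: outside-range attempt, brute-force lockout, then a dormant sweep."""
    g = LoginGuard()
    t0 = datetime(2024, 1, 10, 9, 0)
    results = [g.attempt("admin", "203.0.113.5", True, t0)]          # outside allowlist
    for i in range(5):                                                # five wrong passwords
        results.append(g.attempt("admin", "10.20.1.7", False, t0 + timedelta(seconds=i)))
    results.append(g.attempt("admin", "10.20.1.7", True, t0 + timedelta(minutes=5)))   # still locked
    results.append(g.attempt("admin", "10.20.1.7", True, t0 + timedelta(minutes=31)))  # lock expired
    g.attempt("old_user", "10.20.1.8", True, t0 - timedelta(days=120))
    g.attempt("fresh", "10.20.1.9", True, t0 - timedelta(days=1))
    return {"results": results, "dormant": g.dormant_accounts(t0)}


if __name__ == "__main__":
    print(demo())
```

Note that a correct password presented during the lockout is still refused; the lock expires on time rather than on a successful guess, which is what stops an attacker from learning the password from the moment the lock clears.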
- Mandate 7.5 dictates that “access to critical servers, network, and security devices/systems shall be provided through Privileged User Management Systems /Identity and Access Management systems.”
Compact Identity is a full-fledged, low-cost, and lightweight Identity and Access Management system which offers Privileged User Management as well.
- Mandate 7.6 asks banks to “monitor any abnormal change in the pattern of logon.”
Risk analytics is the latest trend in Identity and Access Management. Security is improved when AI is used to check logins against existing valid patterns of login behavior. Compact Identity utilizes state-of-the-art analytics to monitor login patterns against various parameters and apply security policies automatically.
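As an added example (not Compact Identity code; a simple per-user baseline stands in for the vendor's analytics), the following Python reads audit-log lines of the kind the logging mandate above calls for, builds each user's usual login hours and source /24 networks from successful logins, and flags new logins that fall outside that baseline. The log format, the usernames and the addresses are constructed.

```python
"""Logon-pattern anomaly detection over audit-log lines.

Added example, not Compact Identity code. The log format, users and addresses
are constructed; a per-user baseline of hours and /24 networks stands in for
the vendor's analytics.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")


def parse_line(line: str) -> dict:
    """Parse one constructed audit line into a record with a datetime and a /24 network."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["net"] = str(ip_network(rec["src"] + "/24", strict=False))
    return rec


def build_baseline(lines) -> dict:
    """Per user: the hours of day and /24 networks seen on successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "nets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec["result"] == "success":          # failures do not define "normal"
            baseline[rec["user"]]["hours"].add(rec["ts"].hour)
            baseline[rec["user"]]["nets"].add(rec["net"])
    return baseline


def _circular_hour_distance(a: int, b: int) -> int:
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_login(rec: dict, baseline: dict) -> list[str]:
    """Reasons this login deviates from the user's baseline; an empty list means normal."""
    prof = baseline.get(rec["user"])
    if prof is None:
        return ["no history for user"]
    reasons = []
    hour = rec["ts"].hour
    # Tolerate one hour either side of any hour previously seen.
    if all(_circular_hour_distance(hour, h) > 1 for h in prof["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    if rec["net"] not in prof["nets"]:
        reasons.append(f"new source network {rec['net']}")
    return reasons


def flag_logins(history, new_lines) -> list[tuple[str, str, list[str]]]:
    """Build the baseline from `history` and return (user, timestamp, reasons) for odd logins."""
    baseline = build_baseline(history)
    flagged = []
    for line in new_lines:
        rec = parse_line(line)
        reasons = score_login(rec, baseline)
        if reasons:
            flagged.append((rec["user"], rec["ts"].isoformat(), reasons))
    return flagged


# Constructed historical audit lines used to build the baseline.
HISTORY = [
    "2024-01-08T09:12:03 user=rkumar result=success src=10.20.1.7",
    "2024-01-09T09:40:51 user=rkumar result=success src=10.20.1.9",
    "2024-01-10T10:05:17 user=rkumar result=success src=10.20.1.7",
    "2024-01-10T18:30:00 user=rkumar result=failure src=10.20.1.7",
    "2024-01-08T14:00:00 user=spatel result=success src=192.168.100.20",
]
# Constructed new logins to score against that baseline.
NEW = [
    "2024-01-11T09:30:00 user=rkumar result=success src=10.20.1.12",
    "2024-01-12T03:10:00 user=rkumar result=success src=203.0.113.44",
    "2024-01-12T14:15:00 user=spatel result=success src=192.168.100.21",
    "2024-01-12T14:15:00 user=ghost result=success src=10.20.1.7",
]

if __name__ == "__main__":
    for user, ts, reasons in flag_logins(HISTORY, NEW):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Grouping sources by /24 rather than exact address keeps ordinary DHCP churn inside the office range from raising alerts, while a login from an entirely different network, or at 03:00 for a user only ever seen in office hours, is still flagged for review.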
As seen above, the latest RBI cybersecurity guideline mandates a robust and comprehensive solution like Compact Identity to achieve compliance with the guideline. From password management to authentication, to detecting invalid login attempts and dormant accounts, to auditable logs, each one of these requirements can be met by Compact Identity.
The solution is powerful, lightweight, and user-friendly. It is low-cost and provides a high ROI. A rapid implementation timeline is coupled with smart engineering, so that a large portion of implementation and management can be performed by staff who are not even proficient in IAM. It is also the only solution with a “Make in India” certification. Click to learn more about Compact Identity or set up a demo with our product experts.