How CI Helps Cooperative Banks Meet RBI’s Latest Security Guidelines
After discovering that Indian urban cooperative banks (UCBs) have been failing to maintain an acceptable degree of security within their IT infrastructure, RBI issued new mandates in late 2019 with which your cooperative bank must comply.
Many of the mandates can be fulfilled by Identity and Access Management (IAM) technology. RBI has also explicitly mandated that IAM technology be adopted, and the best option for banks to fulfil this is Ilantus Compact Identity (CI). The solution is the only one with Make in India certification, and keeping cybersecurity purchases within India is both less expensive, and more prudent given the sensitive nature of what we are dealing with.
Below are various cybersecurity guidelines that CI fulfills.
- Mandate ‘Level III, 4.1’ states that “(Banks must) implement a centralized authentication and authorization system through an Identity and Access Management solution for accessing and administering critical applications, operating systems, databases, network and security devices/systems, point of connectivity (local/remote, etc.) including enforcement of strong password policy, two-factor/multi-factor authentication, securing privileged accesses following the principle of least privileges and separation of duties.”
Having a centralized system for authentication, access and administration improves security by creating an auditable focal point for these processes. A strong password policy, backed by a system that manages passwords easily, makes for a user-friendly experience in which passwords can be complex and yet not be a problem when they are forgotten or need to be changed. Privileged access involves elevated accounts with access to critical applications and systems and needs a different technology to manage it, since such accounts typically belong to no one and must be provided to users only on a need basis. Lastly, a person should not hold certain combinations of access rights, for example both writing and authorizing cheques, lest they be tempted to write a company cheque to themselves.
Compact Identity offers every one of these features with panache. It is a world-class solution that is used by many organizations around the world and has been featured by various industry analysts as a top-end product. It is scalable, simple, and easy to use. It is the only technology in the world that offers Privileged Access Management, Authentication, Single Sign-on, Password Management, and Identity Governance and Administration (access request & approval, access recertification campaigns) from one dashboard.
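The separation-of-duties point above can be expressed as a set of toxic entitlement pairs that an access review, or an access-request approval step, checks against each user's holdings. The following is an added illustration written for this page, not Compact Identity code; the entitlement names, the conflict rules and the user records are constructed for the example.

```python
"""Separation-of-duties (SoD) conflict check over user entitlements.

Added illustration, not Ilantus Compact Identity code. The entitlement
names, the toxic-combination rules and the user records are constructed.
"""

# Constructed rules for a hypothetical payments application. Each key is a
# pair of entitlements one person must never hold together; the first rule
# is the cheque maker/checker case from the text.
SOD_RULES = {
    frozenset({"cheque:write", "cheque:authorize"}): "maker/checker on cheques",
    frozenset({"vendor:create", "payment:release"}): "create payee and pay it",
    frozenset({"user:admin", "audit:purge"}): "admin who can erase own trail",
}


def sod_violations(entitlements):
    """Return the descriptions of every rule a single user's entitlement set breaks."""
    held = set(entitlements)
    return [reason for pair, reason in SOD_RULES.items() if pair <= held]


def conflicts_if_granted(current, requested):
    """Preview check for an access request: which new conflicts would the grant create?"""
    before = sod_violations(current)
    after = sod_violations(set(current) | {requested})
    return [reason for reason in after if reason not in before]


def review_access(users):
    """Run the check over a {user: [entitlements]} mapping; report violators only."""
    report = {}
    for user, ents in users.items():
        hits = sod_violations(ents)
        if hits:
            report[user] = hits
    return report


# Constructed sample access data, as an access recertification export might look.
SAMPLE_USERS = {
    "asha": ["cheque:write", "ledger:view"],
    "ravi": ["cheque:write", "cheque:authorize"],
    "meena": ["vendor:create", "payment:release", "user:admin"],
    "arjun": ["user:admin", "audit:purge"],
}

if __name__ == "__main__":
    for user, reasons in review_access(SAMPLE_USERS).items():
        print(f"{user}: {', '.join(reasons)}")
    # Request-time preview: asha asks for cheque authorization on top of cheque writing.
    print("asha + cheque:authorize ->", conflicts_if_granted(SAMPLE_USERS["asha"], "cheque:authorize"))
```

Running the review over the sample data flags ravi, meena and arjun; the preview call shows how the same rules can block a request before the conflicting right is ever granted, which is cheaper than finding it in a later recertification campaign.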
- The second mandate of importance is ‘Baseline ii’, which says that “UCBs shall put in place two factor authentication for accessing their CBS and applications connecting to the CBS with the 2nd factor being dynamic in nature.”
Two-factor authentication improves security by requiring not just a password but one more authentication through a different mechanism to access an account or application. Compact Identity offers such a feature, wherein a second factor such as mobile biometrics, Email-OTP, or SMS-OTP, is used for better security.
- The next mandate that Compact Identity fulfils is ‘Baseline iv’. It reads, “There should be a robust password management policy in place (…) Usage of trivial passwords shall be avoided(…)”
Weak passwords are the bane of any organization, banks in particular. They are easily guessed or brute-forced, since it takes a cracking tool little effort to recover them.
Compact Identity includes an enterprise-class password management tool. Common passwords can be blacklisted from use, and all passwords are stored salted and hashed rather than in plain text.
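The two controls named above, a blacklist of trivial passwords and salted hashing at rest, look like this when written out. This is an added example for the page, not Compact Identity's implementation; the blacklist is a short constructed list (a real deployment loads a large corpus of known-bad passwords), and PBKDF2-HMAC-SHA256 is the hashing choice made here for illustration.

```python
"""Reject trivial passwords at enrolment and store only salted hashes.

Added example, not Compact Identity code. COMMON_PASSWORDS is a constructed
sample blacklist; PBKDF2-HMAC-SHA256 with a random 16-byte salt is the
storage format chosen for this illustration.
"""
import hashlib
import hmac
import os

# Constructed sample blacklist; production systems load a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome", "bank@123"}
MIN_LENGTH = 12
ITERATIONS = 600_000


def password_problems(pw: str, username: str = "") -> list:
    """Return the policy rules the candidate breaks; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blacklist")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if len(set(pw)) < 4:
        problems.append("too few distinct characters")
    return problems


def hash_password(pw: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns 'pbkdf2_sha256$iterations$salt$hash' (hex fields)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def enrol(username: str, pw: str):
    """Policy check, then hash. Returns (stored_record or None, list_of_problems)."""
    problems = password_problems(pw, username)
    if problems:
        return None, problems
    return hash_password(pw), []


if __name__ == "__main__":
    for candidate in ["Password1", "asha-2019-login!", "Tr0ub4dor&3 lives here"]:
        record, problems = enrol("asha", candidate)
        print(candidate, "->", problems or record[:40] + "...")
```

Because the salt is random per record, two users with the same password get different stored values, and the iteration count is written into the record so it can be raised later without invalidating existing hashes.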
- Another mandate of note is ‘Level II, 10.1’. It states, “(banks should) capture the audit logs pertaining to user actions in a system. Such arrangements should facilitate forensic auditing, if need be.”
It’s not enough to have security systems in place; organizations need to log events for when breaches do happen. This enables them to take reactive measures and to prevent the same things from happening in the future. It’s also no small point that regulations around the world, and in India, require auditable logs of the access that has occurred.
Compact Identity allows all user actions related to authentication and authorization to be captured and available for forensic auditing in audit-ready format.
- IP address restrictions can be used to add an additional layer of security. One such application of this is outlined in mandate ‘Baseline III, 2.2’. It reads, “(banks must) enable IP tables to restrict access to the clients and servers in SWIFT and ATM Switch environments only to authorized systems.”
Compact Identity supports restricting authentication based on IP address ranges.
- It is not enough for a bank to have secure passwords, authentication, and authorization procedures. The IAM tool, which interacts with apps and systems and stores credentials, must also store them securely.
Mandate 7.3 talks about this. “(Banks must) carefully protect access credentials such as logon user-id, authentication information and tokens, access profiles, etc. against leakage/attacks.”
Compact Identity stores all data with AES 256-bit encryption.
- Mandate 7.3 says that “(Banks must) implement controls to monitor and minimize invalid logon counts and deactivate dormant accounts.”
Multiple invalid logins due to incorrect credentials indicate possible unauthorized login attempts. Before a hacker can keep trying passwords endlessly to find the correct one, they must be locked out of the system. Dormant accounts are those that exist and have access rights allocated to them, but are not in use, nor have they been deactivated. Such accounts must be deactivated promptly when they are found, or they provide an additional place from which attackers can infiltrate a bank’s IT systems.
In Compact Identity, user accounts can be disabled, or a forced password reset triggered, after a specified number of failed login attempts. Dormant accounts are also identified and periodically deactivated.
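Both controls in this mandate, lockout after repeated failures and detection of dormant accounts, can be driven from the same authentication event stream. The block below is an added example written for this page, not Compact Identity code; the thresholds, the account list and the event records are constructed, and the lockout counts failures within a sliding window rather than over the account's whole lifetime.

```python
"""Failed-logon lockout and dormant-account detection over an event stream.

Added example, not Compact Identity code. Thresholds, the account list and
the authentication events are constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 5                       # failures inside the window before lockout
FAILURE_WINDOW = timedelta(minutes=15)
DORMANT_AFTER = timedelta(days=90)

# Constructed authentication events: (ISO timestamp, username, outcome).
EVENTS = [
    ("2019-11-01T09:00:00", "asha", "success"),
    ("2019-11-01T09:05:00", "ravi", "failure"),
    ("2019-11-01T09:05:10", "ravi", "failure"),
    ("2019-11-01T09:05:20", "ravi", "failure"),
    ("2019-11-01T09:05:30", "ravi", "failure"),
    ("2019-11-01T09:05:40", "ravi", "failure"),   # fifth failure: account locks here
    ("2019-11-01T09:05:50", "ravi", "success"),   # correct password, but the lock must hold
    ("2019-11-01T10:00:00", "meena", "failure"),
    ("2019-11-01T10:30:00", "meena", "failure"),  # outside the window: counter restarts
    ("2019-12-15T08:00:00", "asha", "success"),
]
ACCOUNTS = ["asha", "ravi", "meena", "arjun"]     # arjun exists but never logs in


def process_logons(events, max_failures=MAX_FAILURES, window=FAILURE_WINDOW):
    """Replay events in time order.

    Returns (locked accounts, last successful logon per account, refused attempts).
    Failures are counted within a sliding window; a success clears the counter
    unless the account is already locked, in which case the attempt is refused
    until an administrator unlocks it.
    """
    failures = defaultdict(list)
    locked = set()
    last_success = {}
    refused = []
    for ts, user, outcome in sorted(events):
        t = datetime.fromisoformat(ts)
        if user in locked:
            refused.append((ts, user))
            continue
        if outcome == "failure":
            recent = [f for f in failures[user] if t - f <= window] + [t]
            failures[user] = recent
            if len(recent) >= max_failures:
                locked.add(user)
        else:
            failures[user].clear()
            last_success[user] = t
    return locked, last_success, refused


def dormant_accounts(accounts, last_success, as_of: str, threshold=DORMANT_AFTER):
    """Accounts with no successful logon within `threshold` before `as_of`; never-used accounts count."""
    cutoff = datetime.fromisoformat(as_of)
    return sorted(a for a in accounts
                  if a not in last_success or cutoff - last_success[a] > threshold)


if __name__ == "__main__":
    locked, last_success, refused = process_logons(EVENTS)
    print("locked:", sorted(locked))
    print("refused while locked:", refused)
    print("dormant as of 2020-03-01:", dormant_accounts(ACCOUNTS, last_success, "2020-03-01T00:00:00"))
```

On the sample data ravi is locked by the fifth failure and the subsequent correct login is refused, meena's two failures half an hour apart do not trip the threshold, and the dormancy report as of 1 March 2020 lists arjun (never used), meena and ravi (no successful logon) but not asha, whose last logon was 77 days earlier.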
- Mandate 7.5 dictates that “access to critical servers, network and security devices/systems shall be provided through Privileged User Management Systems /Identity and Access Management systems.”
Compact Identity is a full-fledged, low-cost and lightweight Identity and Access Management system which offers Privileged User Management as well.
- Risk analytics are a big new thing in Identity and Access Management. Security is improved when AI is used to check logins against existing valid patterns of login behavior. Mandate 7.6 asks banks to “monitor any abnormal change in pattern of logon.”
Compact Identity utilizes state-of-the-art analytics intelligence to monitor login patterns against various parameters and apply security policies automatically.
As one can see, there are a large number of mandates under the latest RBI cybersecurity guidelines which need a solution like Compact Identity to fulfil. From password management, to authentication, to detecting invalid login attempts and dormant accounts, to auditable logs, each one of these guidelines can be met by Compact Identity.
The solution is powerful, lightweight, and user-friendly. It is low-cost and provides high ROI. Implementation time is very short compared to the industry standard, and it has been engineered in such a way that a large portion of implementation and management can be performed by staff that are not proficient in IAM. It is also the only solution with Make in India certification.
The latest mandates must be followed closely to avoid non-compliance with statutory regulations. The best solution for the job is Compact Identity from Ilantus, which fulfils every IAM related mandate, and provides additional enterprise-class features at a low cost.
To learn more about Compact Identity, click here.