After discovering that Indian urban cooperative banks (UCBs) had consistently failed to maintain an acceptable degree of security within their IT infrastructure, leaving them highly vulnerable to attacks and making compromise of sensitive data extremely likely, RBI released a circular with new mandates in late 2019 to ensure robust security in these banks.
RBI has explicitly mandated that Identity & Access Management (IAM) technology be adopted, and the best option for banks to fulfill this guideline is by implementing CI from Cross Identity that comes with a ‘Make in India’ certification. Cybersecurity purchases within India are also less expensive and more prudent given the sensitive nature of information in banking.
CI helps your organization achieve compliance with these RBI guidelines:
- Mandate ‘Level III, 4.1’ states that “(Banks must) implement a centralized authentication and authorization system through an Identity and Access Management solution for accessing and administering critical applications, operating systems, databases, network and security devices/systems, point of connectivity (local/remote, etc.) including enforcement of strong password policy, two-factor/multi-factor authentication, securing privileged accesses following the principle of least privileges and separation of duties.”
A centralized system for authentication, access, and administration improves security by creating an auditable focal point for these processes. A strong password policy, backed by a system that manages it easily, makes for a user-friendly experience: with CI, passwords can be as complex as they need to be without causing problems when they are forgotten or need to be changed. Privileged access involves elevated accounts with access to critical applications and systems and requires a different technology to manage, as such access typically has to be granted to users on a need-only basis. Lastly, separation of duties means that a single person should not hold certain combinations of access, for example the ability both to write and to authorize cheques, lest they be tempted to write a company cheque to themselves.
CI offers every one of these features with panache. It is a world-class solution used by many organizations around the world, including more than 18 of the Fortune 100, and has been featured by various industry analysts as a top-end product for being scalable, simple, and easy to use. It is the only technology in the world that offers Privileged Access Management, Authentication, Single Sign-on, Password Management, and Identity Governance and Administration (access request & approval, access recertification campaigns) from a single dashboard.
- ‘Baseline ii’ says that “UCBs shall put in place two-factor authentication for accessing their CBS and applications connecting to the CBS with the 2nd factor being dynamic in nature.”
Two-factor authentication improves security by requiring not just a password but one more authentication through a different mechanism before an account or application can be accessed. CI offers such a feature, wherein a second factor such as mobile biometrics, email OTP, or SMS OTP is used for better security.
- ‘Baseline iv’ reads, “There should be a robust password management policy in place (…) Usage of trivial passwords shall be avoided (…)”
Easy-to-guess passwords are the bane of any organization, more so in banking. People generally set their birthdays or anniversaries as their passwords so that they don’t forget them, but fail to realize that this information is publicly available on their social media. This makes such passwords very easy to guess, and they fall quickly to brute-force tools as well.
CI includes an enterprise-class password management tool. Common passwords can be blacklisted from use, and all passwords are stored in an encrypted format.
- Mandate ‘Level II, 10.1’ states, “(banks should) capture the audit logs pertaining to user actions in a system. Such arrangements should facilitate forensic auditing if need be.”
It is not enough to have security systems in place; organizations also need to log events so that, when breaches do happen, they can respond and prevent the same things from happening in the future. It is also no small point that regulations around the world, and in India, require auditable logs of the user actions that have occurred in a system.
CI allows all user actions related to authentication and authorization to be captured and available for forensic auditing in audit-ready format.
- ‘Baseline III, 2.2’ reads, “(banks must) enable IP tables to restrict access to the clients and servers in SWIFT and ATM Switch environments only to authorized systems.”
IP address restrictions add a further layer of security. One such application is outlined in the above mandate, and CI supports restricting authentication based on IP address ranges.
- Mandate 7.3 states “(Banks must) carefully protect access credentials such as login user-id, authentication information, and tokens, access profiles, etc. against leakage/attacks.”
It is not enough for a bank to have secure passwords, authentication, and authorization procedures. The IAM tool, which interacts with apps and systems and stores credentials, must also store them securely. CI stores all data with AES 256-bit encryption.
- Mandate 7.3 states that “(Banks must) implement controls to monitor and minimize invalid login counts and deactivate dormant accounts.”
Multiple invalid logins due to incorrect credentials indicate possible unauthorized login attempts. An account must be locked out before an attacker can keep trying passwords indefinitely in search of the correct one. Dormant accounts are those that exist and have access rights allocated to them but are neither in use nor deactivated. Such accounts must be deactivated promptly when they are found; otherwise they provide an additional place from which attackers can infiltrate a bank’s IT systems.
In CI, user accounts can be disabled or forced password reset can be activated after a specified number of failed login attempts. Dormant accounts are also identified and periodically deactivated.
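The two controls in Mandate 7.3, a failed-login lockout threshold and dormant-account detection, as an added illustration in Python; this is not CI's code, and the log lines, account list, thresholds and the "current date" are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit events "timestamp user outcome"; not a real CI log format.
SAMPLE_LOG = """\
2024-03-01T09:00:00 teller01 FAIL
2024-03-01T09:00:20 teller01 FAIL
2024-03-01T09:00:45 teller01 SUCCESS
2024-03-01T09:01:00 teller01 FAIL
2024-02-20T10:00:00 branchmgr SUCCESS
2024-03-02T10:00:00 branchmgr FAIL
2024-03-02T10:00:05 branchmgr FAIL
2024-03-02T10:00:10 branchmgr FAIL
2024-03-02T10:00:15 branchmgr FAIL
2024-03-02T10:00:20 branchmgr FAIL
2024-03-02T10:00:25 branchmgr FAIL
2023-10-15T08:30:00 auditor02 SUCCESS
"""
# Accounts present in the directory; contractor9 has never logged in (constructed).
ACCOUNTS = ["teller01", "branchmgr", "auditor02", "contractor9"]
NOW = datetime(2024, 3, 3)  # assumed "current" date for the dormancy check

def parse_log(text):
    """Parse the constructed log into (datetime, user, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome))
    return sorted(events)

def accounts_to_lock(events, max_failed=5):
    """Users whose run of consecutive failed logins reaches max_failed.
    A successful login resets the counter, so teller01 above stays unlocked."""
    streak, locked = {}, set()
    for _, user, outcome in events:
        if outcome == "SUCCESS":
            streak[user] = 0
        else:
            streak[user] = streak.get(user, 0) + 1
            if streak[user] >= max_failed:
                locked.add(user)
    return sorted(locked)

def dormant_accounts(events, accounts, now, dormant_days=90):
    """Accounts with no successful login in the last dormant_days, or none ever."""
    last_ok = {}
    for ts, user, outcome in events:
        if outcome == "SUCCESS":
            last_ok[user] = max(ts, last_ok.get(user, ts))
    cutoff = now - timedelta(days=dormant_days)
    return sorted(u for u in accounts if last_ok.get(u, datetime.min) < cutoff)

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("lock:", accounts_to_lock(ev))            # ['branchmgr']
    print("dormant:", dormant_accounts(ev, ACCOUNTS, NOW))  # ['auditor02', 'contractor9']
```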
- Mandate 7.5 dictates that “access to critical servers, network, and security devices/systems shall be provided through Privileged User Management Systems /Identity and Access Management systems.”
CI is a full-fledged, low-cost, and lightweight Identity and Access Management system which offers Privileged User Management as well.
- Mandate 7.6 asks banks to “monitor any abnormal change in the pattern of logon.”
Risk analytics is the latest trend in Identity and Access Management. Security is improved when AI is used to check logins against existing valid patterns of login behavior. CI utilizes state-of-the-art analytics to monitor login patterns against various parameters and apply security policies automatically.
As seen above, the latest RBI cybersecurity guideline mandates a robust and comprehensive solution like CI to achieve compliance with the guideline. From password management to authentication, to detecting invalid login attempts and dormant accounts, to auditable logs, each one of these requirements can be met by CI.
The solution is powerful, lightweight, and user-friendly. It is low-cost and provides a high ROI. A rapid implementation timeline is coupled with smart engineering, so that a large portion of implementation and management can be performed by staff who are not even proficient in IAM. It is also the only solution with a “Make in India” certification.