In October 2019, more than 1.3 million credit and debit card details from Indian banks were found available for sale for a meagre sum of Rs. 10,000 per card. This is only one example of the state of cybersecurity in Indian banks (including urban cooperative banks) in our country today. There have been numerous such hacks and cyberattacks in the past and the threats are only going to be more advanced and multidimensional in the future. RBI realized that security levels in the Indian banking sector to be suboptimal, and in December 2019, released stringent guidelines for new cybersecurity measures.
The largest chunk of the proposed mandates involve cybersecurity aspects like improved authentication schemes for accessing applications, better password management processes, and auditable logs of access. It also specifies that an Identity and Access Management system must be implemented to provide various specific technologies.
Improved authentication schemes have been proposed to improve security at login – Processes like two-factor authentication adds a level of difficulty for attackers to gain entry into the system.
Passwords are a humongous problem today – Both the quality of passwords (easy to guess passwords like birthdays and anniversaries) and lack of constant change are key issues. Good password management involves using passwords that are not so easy to figure out as well as changing passwords frequently.
Not just passwords – Every click and process that happens in an account must be logged and auditable – This is not exclusive to the RBI guidelines but a compliance issue that is being pressed all around the world today.
Many of the guidelines can be fulfilled by a technology called Identity and Access Management (IAM). Cross Identity, a technology company that focuses on innovation and develops its products exclusively in India with “Make In India” certification and offers IAM solutions to solve precisely this problem. Backed by 20+ years of experience and expertise in the cybersecurity domain, Cross Identity is your one-stop-shop for all things IAM.
Here are examples of RBI guidelines and how Cross Identity’ flagship product, CI can you help you achieve compliance:
- The ‘Baseline ii’ guideline mandates that “UCBs shall put in place two-factor authentication for accessing their CBS and applications connecting to the CBS with the 2nd factor being dynamic in nature.”
CI fulfills this guideline by offering 2-factor authentication for accessing applications, with a dynamic second factor such as SMS OTP, Email OTP, Mobile Biometrics, etc.
- The ‘Baseline iv’ guidelines mandates that “There should be a robust password management policy in place, with specific emphasis for sensitive activities like accessing critical systems, putting through financial transactions. Usage of trivial passwords shall be avoided.”
CI helps you comply with a robust enterprise-grade password management solution that comes with it. Common passwords can be blacklisted, and all passwords are stored encrypted rather than as plain text.
- With regards to logging and auditing, RBI mandate ‘Level 2, 10.1’ states that banks must “capture audit logs pertaining to user actions in a system. Such arrangements should facilitate forensic auditing, if need be.”
CI meets this criteria because all authentication and authorization actions are captured and available for forensic auditing.
- When it comes to IAM, RBI has provided guidelines specific to the technology.
Mandate ‘Level 3, 4.1’ dictates, “(Banks must) implement a centralized authentication and authorization system through an Identity and Access Management solution for accessing and administering critical applications, operating systems, databases, network and security devices/systems, point of connectivity (local/remote, etc.) including enforcement of strong password policy, two-factor/multi-factor authentication, securing privileged accesses following the principle of least privileges and separation of duties.’
Cross Identity fulfills all guidelines mandated by RBI while offering additional features to provide improved security, organizational efficiency, and improved user experience.
- A centralized, multi-factor enabled authentication system with a dashboard
- Strong password policies with blacklisting of common passwords
- Self-service password resets
- Privileged access management to secure accesses at granted to roles with special privileges.
- Tools for separation of duties(SoD)
- Available on-premise and in the cloud.
RBI’s latest guidelines are meant to ensure better security for Indian UCBs and their customers. Failure to meet the mandates is a risk to both your bank’s security, as well as opens you up to legal repercussions as these mandates are the law.
Click here to sign up for a free 15 minute conversation on how we can help you achieve compliance to RBI’s norms for cybersecurity.