Features: Managing online security

Bill Munroe
Director of product marketing at Netegrity

Bill Munroe shows us how, by applying the defense in depth principle,
organisations can greatly reduce the risks of delivering high value FX
services over the Internet.
Over the past 5 years, the global foreign exchange market has been
transformed from inefficient client-server, phone and fax processes
to a totally Web-based, highly automated trading service with
advanced straight-through processing capabilities, real-time
buyer-side quotes and complete settlement confirmation and SSI
data. A leading global financial institution reported that total FX
transaction times were reduced from 2 days to less than 5 minutes
with the rollout of its online FX trading solution. The implication
of the decreased transaction times is that banks can effectively
increase the number of transactions processed, thereby increasing
top-line revenue, while at the same time decreasing transaction
costs and increasing profitability.
Internet systems also create significant risks, not least of which
is security. The Internet is plagued with weekly reports of
malicious hacking, virus attacks, denial of service attacks,
identity theft and fraud. So the question that IT and business
managers alike must ask is: can the risk created by offering high
value financial services through the Internet be managed to a
level that makes its use a sound business decision?
To answer this question, one needs only to look as far as the
financial industry itself. Every leading financial services
institution already offers highly valuable services over the
Internet, including FX trading solutions and even more sophisticated
financial portals. Companies like Bank One, eTrade, Merrill Lynch,
HSBC, Morgan Stanley and ABN AMRO have all aggressively and
successfully deployed Web-based services, including highly valuable
FX trading systems. What these companies have learned is that there
is no single easy answer to managing security, but if an
organization can understand and manage the risks as part of an
overall security strategy, then the Web offers an unparalleled path
to competitive advantage.
Understanding the Risks
IT managers must understand and protect against the vulnerabilities
of using the Internet by understanding both the types of risks they
will face and from whom they will face them. The most notorious and
well-publicized risk comes from hackers, but the majority of real
risk and damage actually comes from misuse by legitimate end-users,
including customers, business partners and, most of all, employees
of your own organization.
Identity Theft and Internet Fraud
Identity theft is defined as the wrongful obtaining and use of
someone else's personal data in a way that involves fraud or
deception, typically for economic gain. There are many ways thieves
exploit identity theft, including opening new financial accounts
under the stolen name or changing an account address and then
cleaning out the account. Identity theft can be accomplished with
as little user information as a user's name and social security
number. The challenge here is that this information is often
available to hundreds of employees at financial institutions, with
very few internal checks and balances to assure that private data
is not being made public. Recent cases of employees taking part in
identity theft range from company employees selling user identity
information to thieves, and employees fraudulently using the
information for their own gain, to employees unwittingly leaving
private content on a computer screen or print-out that is copied by
another person and fraudulently used. Identity theft and fraud are
manageable risks, but they require a coordinated security effort
that combines the management of technology, process and training.
This coordinated security effort is often referred to by the
military term defense in depth.
Defense in Depth
Defense in Depth, when applied to managing online security, is the
principle of combining your network architecture, security
infrastructure, and security processes together to form an
integrated defense that keeps your mission critical applications as
far away as possible from any potential threat. The defense in
depth strategy creates a highly potent security system that will
discourage hackers and minimize exposure to identity theft and
fraud. This article will focus on the newest layer of a defense in
depth strategy, commonly referred to as Identity and Access
Management (IAM).
Identity and Access Management
IAM is a relatively new, but crucial layer in managing online
security for large distributed organizations, and is the key to
enabling organizations to secure access to enterprise information
assets and manage the identities of users accessing those assets.
It combines authentication management, access control, user
administration and resource provisioning to create a comprehensive
and efficient approach to managing account identities in a
heterogeneous environment. The goal of IAM is to establish a
logical, policy based security system that can uniformly enforce
security policies across all Web facing applications for all users.
Because of its centralized administrative features, IAM produces an
impressive ROI. For example, in a Gartner analysis of a company
with 6 applications and 50,000 customers, an IAM solution produced
a 375% ROI and a 9-month payback period.
IAM consists of two complementary layers, one administrative and
the other runtime enforcement. The administrative layer
consists of user administration and the provisioning of users to
resources. The runtime enforcement layer is comprised of a set of
shared services that dynamically determine who the user is
(authentication) and what the user can do (authorization) as users
attempt to interact with resources. The enforcement layer is
provided by an access management solution that enables IT managers
to define security policies that link user entitlements stored in
user directories to Web facing business applications.
Runtime Enforcement Layer
An IAM solution replaces the traditional practice of hard-coding
security into the business logic of backend applications. By
centralizing all authentication and entitlement management,
companies can greatly reduce the complexity involved in managing
large distributed environments. The use of an access management
solution enables companies to improve access for external users and
to apply tighter levels of control over Internet users on the basis
of their identities and relationship with the organization. IAM
solutions offer a set of shared services including:
Authentication Management
One of the greatest challenges facing IT managers administering a
large distributed network of Web facing applications is determining
the value of each application, who (what types of users) will
access it, and what authentication scheme is required to protect
it. Is a simple password policy appropriate, or are stronger
controls needed? Access management solutions enable IT managers to
assess the value of each application based on the services it
offers and protect it with the appropriate authentication system,
all from a central management point.
Authorization Management
Authorization management is the practice of enabling access to the
right resources for each user. This service is based on security
policies that bind users to resources. Authorization management
provides an integrated authorization mechanism capable of enforcing
security policies across multiple Web applications with granularity
to protect objects, files, transactions and the Web pages through
which they are accessed. It also results in single sign-on
functionality for users, which drives savings for both the IT and
help desk organizations and for the users themselves.
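As an added illustration (not from the article, and not Netegrity's product code), the following constructed Python sketch shows a central policy decision point of the kind the two services above describe: each policy binds a directory entitlement to a resource pattern and action set and carries the authentication strength the application's value warrants, so enforcement lives in one place instead of being hard-coded into each application. The tiers, entitlement names and URL paths are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from fnmatch import fnmatch

class AuthLevel(IntEnum):
    """Assumed authentication tiers, ordered by strength."""
    PASSWORD = 1   # simple password policy
    STRONG = 2     # password plus a second factor

@dataclass(frozen=True)
class Policy:
    resource: str          # URL pattern; may span several Web applications
    actions: frozenset     # operations governed, e.g. {"read", "trade"}
    entitlement: str       # entitlement held in the user directory
    min_auth: AuthLevel    # strength matched to the application's value

@dataclass(frozen=True)
class Session:
    """One authenticated session reused across applications (single sign-on)."""
    user: str
    auth_level: AuthLevel
    entitlements: frozenset

# Constructed policy set for a hypothetical FX portal, not a real deployment.
POLICIES = (
    Policy("/fx/quotes/*", frozenset({"read"}), "fx-viewer", AuthLevel.PASSWORD),
    Policy("/fx/trade/*", frozenset({"read", "trade"}), "fx-trader", AuthLevel.STRONG),
    Policy("/admin/*", frozenset({"read", "write"}), "ops-admin", AuthLevel.STRONG),
)

def decide(session, resource, action):
    """Central access decision returning (allowed, reason).

    Resources bound by no policy are denied by default. A user who holds the
    entitlement but authenticated too weakly gets a step-up verdict instead of
    a flat refusal, so one session can serve every application while each
    still gets the authentication strength its value warrants.
    """
    matched = [p for p in POLICIES if fnmatch(resource, p.resource)]
    if not matched:
        return False, "default deny: no policy binds this resource"
    for policy in matched:
        if action not in policy.actions or policy.entitlement not in session.entitlements:
            continue
        if session.auth_level < policy.min_auth:
            return False, f"step-up authentication required: {policy.min_auth.name}"
        return True, f"granted by policy {policy.resource}"
    return False, "no entitlement grants this action"
```

Adding a new application then means adding a policy line, not touching the application's business logic; the decision log reason also tells the help desk why a user was refused.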
Session Management
A key security feature of an access management product is keeping a
user positively identified after they have been authenticated. This
is done through session management, and utilizes ei