Wednesday, 15 March 2017

Securing your data in the cloud

Organisations are continually moving business applications and services to the cloud. Alongside the growth of remote workers within an organisation, securing and controlling access to cloud-based infrastructure and services has become increasingly challenging.

Some organisations have mature Identity and Access Management (IAM) solutions protecting internal systems and, with the rapid adoption of cloud, many are using these existing policies to secure the cloud. This is not the way to approach the issue. Cloud must be treated for what it is: a different solution which requires its own policies and controls.

Risks and threats

Cloud providers will often have their own security controls in place to protect their services. However, businesses must be aware that it is their responsibility to protect their own data in the cloud. As such, the security controls provided to an end user are usually limited and, in some instances, simply do not exist. Some of the most common risks to cloud-based services can be overcome by ensuring an IAM solution is in place.

The most common risks which can be reduced through an IAM solution are:
  • Poor identity and access governance and management
  • Data breaches caused by poor credentials and identity management and procedures
  • Insecure user interfaces and APIs
  • Compromised accounts
  • Insider threats

Whilst an IAM solution provides the ability to reduce these risks and threats, the reduction will be far smaller unless it is combined with a mature strategy and the correct processes and procedures.

When moving to the cloud, it is critical to evaluate and understand the gaps in existing processes, policies and procedures, the potential need for additional security controls, and the requirement for detailed planning and project governance. Carrying out these key actions will ensure any adoption of cloud services or infrastructure is a success.

To read our full paper, ‘Securing the Cloud’, click here.

Tuesday, 7 March 2017

Open Banking initiative: What does this mean for the UK banking sector?

By: Barry O’Donohoe, Co-Founder, RAiDiAM Consulting

A report from Identity and Access Management specialists Ilex International and RAiDiAM Consulting looks at the upcoming Open Banking legislation and the impact on UK banking organisations.

The Open Banking initiative was formed as a result of the UK Competition and Markets Authority’s (CMA) latest effort to promote increased competition and consumer choice among banking service providers. In addition, the CMA intends to expand upon the European Banking Authority’s Payment Services Directive 2 (PSD2) by being more definitive in specifying the technological implementation of standards.

These APIs will transform the existing relationship between banks and their customers and raise complex identity assurance and access management challenges. Providing a standard set of APIs will be challenging for many functional and technical reasons. Perhaps most challenging from a security perspective will be the replacement of bespoke application protection mechanisms, protocols and internal standards with a single modern Identity and Access Management (IAM) capability that can integrate with third parties.

Open Banking in action

Open Banking API offerings are broadly categorised into three services: public information, account information services (AIS) and payment initiation services (PIS). The CMA’s high-level roadmap schedules the delivery of APIs in the order of their security or risk levels. APIs requiring no security to implement will be delivered first, starting with the delivery of financial product descriptions and ATM / branch locations by the end of Q1 2017.

Achieving assurance in a headless world

These days, customers almost always interact with banking services exclusively via first-party channels, whether mobile, telephony or face-to-face. Such channels require customers to perform an appropriate degree of identification and verification before services or information are provided.
Alternatively, with an API channel consumed by third parties, banks will need to address use cases where TPPs are performing operations on a customer’s behalf when the customer may not be present during the course of the transaction. Banks must adjust security postures to reflect the loss of control, quality assurance and variable degrees of app security that may be used by customers to access banking services.


Digital identity assurance is leading to a change in the industry. The coming swarm of digital financial asset management APIs will enable new and innovative services to be deployed at a pace previously unseen in the financial services industry. API delivered services have the potential to significantly increase the threat surface banks are exposed to and pose new challenges for identity assurance. Delivery of an API channel will require significant investment in IT Security and IAM infrastructure. It will also require the re-engineering of business processes to manage the numerous new identity classes and their authorisations.

To read the full paper, ‘Open Banking and PSD2: An Inflection Point for Digital Identity Assurance’, click here.