Adaptive access key to experience and effectiveness
A top financial services security chief has said adaptive access technology could prove critical in driving customer acceptance of online identity management and fraud prevention security systems.
Announcing plans to deploy Oracle Identity and Access Management technology, Brian Barbour, chief information security officer for Standard Life plc told us the software would mean adaptive and risk-based authentication procedures could soon be in place across the business.
The software will be used to secure and coordinate access controls across the company’s worldwide websites and will allow access to be secured all the way throughout a transaction, rather than relying solely on sign-on authentication at the very start of the process.
This adaptive approach to online security means stronger levels of authentication can be imposed according to the specifics of a transaction. Barbour explained these could include the type of endpoint device being used to access the insurer’s systems, whether an ID was that of a customer or of a financial services intermediary, or if any unusual user behaviour was detected during a transaction.
Oracle and others have developed adaptive access schemas to underpin online fraud prevention with multifactor authentication and unique authentication strengthening.
Its products blend authentication with real-time and offline risk analysis to prevent fraud at critical login and transaction checkpoints. The system examines and profiles a large number of contextual data points to determine the level of risk during each unique login and transaction attempt.
Standard Life’s investment in identity management was being made to enhance the customer proposition, rather than to meet any compliance or regulatory obligations, the CISO said. “We want customers to be able to trust us with their personal information, just as they can trust us with their money.”
He added, “It’s important that the customer experience is not damaged in any way by security. There has to be complete transparency, and there has to be the very highest level of confidence.”
Barbour explained that Standard Life does not see the ID programme as being driven by risk, but views it as a way of building a strong level of trust for the business.
“We want be able to offer customers some positive assurances that they can trust us to do business with,” Barbour said. Good enough security is not enough when it comes to managing sensitive customer information. “There is very strong buy-in from the chief executive about security. We have a very top-down approach to the subject. The CEO sees security as a crucial business requirement, rather than some stand-alone bolt-on.”
The insurer’s plan is to use the Oracle Identity and Access Management system as a kind of ID hub that will share and switch information between existing information repositories such as Microsoft Active Directory, Novell e-Directory, Oracle Database and Oracle Internet Directory.
The insurer said its programme would bring a higher level of security and process diligence, while at the same time helping drive down operating costs and further centralising the administration of associated information security services.
The deployment, which is based on a single design that will be adopted to secure all Standard Life’s internet-facing online business systems, is just entering the build stage.
Roll out will begin in Canada, with UK sites following shortly thereafter. Eventually, it will be used by ‘several million’ staff and customers, Barbour has estimated. “We have been very careful to deploy a system that can handle both the requirements of local geographies, and the scale we need to reach a global business base.”