Their solution was built around SmartSoft’s SRM (Smart Risk Manager) Fraud Management System and Oracle Adaptive Access Manager, our solution in the area of strong authentication and proactive, real-time fraud prevention. SmartSofts’ expertise in EMV and payment card systems means that they understand credit card fraud at a deep level. This understanding is the basis for the fraud controls that SRM introduces at the merchant and issuer sides, detecting fraud in real-time and taking just-in-time precautions and actions. The bank has been using SRM for over 2 years to secure their credit and debit card operations.

The Challenge

The bank wanted to bring the same level of fraud management that they had achieved with their credit and debit card operations to their internet banking channel. This would require understanding the mechanisms of internet banking fraud, enable comprehensive and automated tracking of online transactions, and use this to identify instances of frauds in real time. The bank also wanted to make sure that they fully complied with international and domestic regulations for internet banking.

The Solution

In order to do this, the bank worked with SmartSoft and Oracle to add OAAM Adaptive Risk Manager (ARM) into their fraud controls system. ARM is OAAM’s back-end, proactive real-time fraud detection product, providing a behind-the-scenes comprehensive anti-fraud software solution. ARM provides a strong second and third factor of security by verifying a host of factors used to confirm identity – from device characteristics (the computer and mobile device used to login) to a user’s location and online behavioral profiles. Adaptive Risk Manager can also trigger numerous actions based on its analysis, such as challenging or blocking the user.

For the deployment, the project team conducted a broad analysis of requirements in terms of internet banking fraud rules, and configured more than 50 OOTB rules in OAAM’s rule engine. They also developed an advanced scoring mechanism for real-time analysis of each transaction’s fraud probability, aimed at achieving a detection rate of nearly 99% of all fraud attempts.

An information channel was defined between OAAM and SRM, whereby the two systems can enrich each others decision-making data. For interactions originating in the internet banking channel, OAAM can calculate risk levels and notify SRM about high risk transactions. Conversely, SRM can send fraud data for risky transactions it encounters to OAAM for use in its behavioral analysis. This integration between the two systems makes the fraud analysis richer and more reliable.

On top of this, the bank’s fraud analysts are using existing reporting capabilities and Oracle BI Publisher for deep down reporting and trend analysis to identify zero-day fraud patterns. Case management also enabled the organization to take care of risky activities and provide flexible service to end-users in real time.

The Results

The bank deployed OAAM in just three months, providing the bank’s fraud analysts with comprehensive visibility and monitoring capabilities for internet banking transactions. With the deployment in production, the bank was able to achieve a previously unmatched level of security for internet banking and fully ensure Şekerbank’s compliance with international and domestic regulations. They were also able to realize a decrease in operational costs for surveying internet banking transactions of ~70%, as now only 2% of all transactions require manual control following a system alert.

It’s always good when you come across a success story like this one, and when especially when the project teams get the recognition they so richly deserve (but seldom get). Kudos to them on the success of the project and the award.

Tags: Adaptive Risk Manager, EIC10, EIC2010, European Identity Conference, Fraud Prevention, OAAM, Oracle Adaptive Access Manager, Oracle Identity Management, Risk Management

Kurt Johnson at Courion blogged about a ruling in a case (LVRC Holdings v. Brekka) regarding wrongful use of enterprise accounts by an employee after being terminated. Read his post for a more detailed description of the case and the ruling, but it basically boils down to this: It is the employer’s responsibility to terminate access, and therefore the (terminated) employee did no wrong by using it since their access was not taken away.

I’ll stay out of the moral/ethical implications here, but what this means to a business is that making sure you take away access from your employees/contractors when they shouldn’t have it any more has suddenly become a much higher priority. Because if that person uses their accounts to do anything when you no longer want them to, it is not their fault, it’s yours. Ensuring prompt revocation of access was always good business practice, but now it becomes a business imperative because your legal protections (employee contract be damned) are greatly weakened.

When compliance became a bigger driver for IAM than IT efficiency, the approach to rolling out identity management projects did evolve to reflect this kind of thinking. But this case is as good a reason as any to reiterate what we have been preaching for years now – that your IAM deployment must have both proactive and detective controls in place to ensure compliance. The proactive control in this instance is Deprovisioning, while the detective control is Attestation.

A common best practice staged approach (thought not the only one) to IAM projects that incorporates this idea is:

• Start by building up your Who-Has-What database (either in your provisioning product or in your identity governance product)
• Put in place a periodic attestation process to force review and sign-off of user access by those in the know (managers, application owners)
• Create a deprovisioning project. Start off with manual processes that are triggered off your HR and Contractor management systems. Evolve to an automated process over time, which should include linking your attestation process to your deprovisioning process for handling rogue accounts
• Start rolling out request-based provisioning for application access. Start with manual processes and evolve to automated processes in a phased manner
• Start working on a role management project as a way to implement role-based provisioning. Again, follow a phased approach.

The stakes in the IAM game just got a little bit harder. Make sure your project has these goals in its sights.

Tags: Attestation, Audit & Compliance, Compliance, Deprovisioning, Risk Management, Rogue Accounts

I’ll be taking part in two of their panel discussions, one on the topic of Separation of Duties (SoD), and the other on the topic of Attestation (or re-certification). Both are on Wednesday, December 9th:

• How to Efficiently Implement SoD Controls: Which Level Works?
  • 11am EST| 8am PST | 5pm CET
• How to Start: Recertification or Active Access Controls First?
  • 12pm EST | 9am PST | 6pm CET

Both panels will be focused on determining the right approach to rolling out these solutions, and where they should fit into your overall IdM program. This sometimes become a vendor driven conversation, so the opportunity for fireworks is always there.

Check out the conference if you have time. It’s virtual, so you can do it from the comfort of your home/office (which is always good in the winter). And it’s free (you can’t beat that)! Should be an interesting discussion.

Tags: Access Governance, Attestation, Conference, Identity Governance, Risk Management, Separation of Duties, SoD

The session had a nice flow to it, starting with a vendor presentation (Oracle, of course), followed by an analyst presentation (Bob Blakley and Lori Rowland from the Burton Group) and concluding with a customer presentation (our old friend Ramin Safai from Barclays Capital). Getting to discuss identity management from all points of view was quite a valuable exercise, and I gleaned lots of useful nuggets.

Security Inside Out

Amit Jasuja (who heads up the Identity Management team at Oracle) kicked off the day by talking about “Security Inside Out“, Oracle’s new message on putting together a complete security practice by bringing together Database Security, Identity Management and Information Rights Management. Weaving all of these elements together allows an enterprise to get a complete handle on the nature of their security risk across all tiers – database, middleware and application – and in all contexts – data at rest or in motion, internal users vs. external users, and so on. This led to a lot of discussion on moving towards risk-based identity management, which can be more adaptive to an enterprise’s needs and allow identity management to be a business enabler, not a hindrance.

One of the concepts I particularly liked was using identity management to enable “Break The Glass” scenarios that allow for contextual security decisions. In such a scenario, a user who ordinarily does not have access is allowed to get access but with added controls (like heightened audit, approval and attestation) to address the unique, emergency-like situation that presents itself. Being able to adapt to sensitive contextual situations without sacrificing on security and compliance is a powerful message that resonates in the enterprise world. Another topic that proved fertile for conversation was for risk-based IdM to leverage One-Time Passwords delivered via SMS or over land-line phones in order to implement higher levels of identity assurance (LOA). As two-factor authentication goes, enterprises increasingly view this as an attractive way to increase levels of assurance without having to invest in tokens and biometrics.

Complete Security

The Burton Group team talked about the state of identity management in the market today, especially emerging trends and hot-button topics. Lori validated my observation that cloud computing is going to have a huge impact on the future of identity management, and gave a nice shout out to my OpenWorld session on the topic. One of the interesting takeaways from their talk was this point that Bob made about achieving complete security: An enterprise needs to have preventive controls that allow business to be conducted as usual but flush the bad guys into the open, where detective controls can identify them and their activities, which would then allow responsive controls (aka the cops) to take action.

Down In The Trenches

Ramin then gave a customers perspective on implementing identity management – from “down in the trenches”, as he called it. There were a lot of good lessons in his talk – about scoping the project correctly and dividing it into small, achievable mini projects that demonstrate ROI, about the processes and architecture they put in place to ensure success of the project, and some of the achievements they had with their IdM implementation, especially when Barclays acquired Lehman Brothers. One of the major points made in the room during discussion was that security within the enterprise needs to be driven top down by an “Executive Governance Board” in order to achieve  consistency and completeness. It cannot be done piecemeal at the IT level.

I love taking part in sessions like these, as it is great to be able to hear so many different perspectives. And thanks to Greg Belanger from the Apollo Group for giving me a shout out during the analyst discussion on Oracle’s differentiators in the identity management area. The point he was making about Oracle demonstrating vision in IdM is an important one that we are very serious about here, and I am glad to be a small part of that.

Tags: Identity Assurance, Identity Controls, OOW09, Oracle OpenWorld, Risk Management