
ABAC, part and parcel of an effective anti-fraud program

So how should financial institutions act? Well, in its 2015 report “Current Fraud Trends in the financial sector”, PwC identified the key components of an effective anti-fraud program. Not surprisingly, the focus is on three areas intrinsically linked to the battle against internal fraud, namely: People, Processes and Technology.

So where does Axiomatics come into this? As a company that facilitates secure data access, we are not involved with the people financial institutions employ (although we can help with access control-related training). But we do help with the process and technology components that contribute to secure access control. And this is how:

Policies and procedures: Attribute Based Access Control (ABAC) is also commonly referred to as Policy-Based Access Control, due to its ability to strictly enforce business policies. This can be a real help if you are responsible for developing business policies on any level, but particularly those that concern access to sensitive or business critical data. ABAC will give you peace of mind that policies can be enforced no matter how complex they are, or what they are related to, be it product, service, location, or user access permissions.

Effective data: Captured data is only valuable if you can use it effectively, which means being able to share and process it. Equally important is the ability to ensure the data isn’t compromised. ABAC supports this by ensuring data is only accessible to users who require it and that it can only be viewed or edited under the right conditions. On top of this, Axiomatics’ authorization services filter out or mask data that a user or application should not have access to. Your policies are enforced and only those who have the approval to do so can touch data. In this way, data will only be compromised if a user abuses his or her position.

Technology framework: The technology solutions you choose have to sync with your business, and support constant availability of data – as long as only the right user is accessing the right data. ABAC is an industry-standard access control model that has been approved by the National Institute of Standards and Technology (NIST). It can span multiple technology frameworks and can be used across different IT environments, no matter how complex or disparate they are. And thanks to the ease of scalability it can be deployed on a single application or database and rolled out progressively across an organization.

Periodic review: Reviewing who can access what information is an important part of any anti-fraud program. The Axiomatics Review Manager allows you to ask under which conditions a person, team, department, etc. can view sensitive data, and to compare the answer with the business policy. By the same token, you can check the conditions under which, and by whom, a particular piece of data can be accessed. Additionally, all questions posed are saved in the system and can be asked again periodically or when policy changes are made.

In Conclusion…

ABAC is the ideal authorization model for securing sensitive data, and thus an essential tool for reducing exposure to insider fraud. But its benefits don’t end there. It also reduces security overheads and development costs, as policy changes only have to be made at one central point before being rolled out across the enterprise, rather than in every related application or database. Finally, it enables firms to be compliant in all markets served, as fine-grained access controls can be enforced per jurisdiction.

About the author

Babak Sadighi is founder and head of strategy at Axiomatics. He has extensive experience in the fields of access control and authorization management and has also led multiple collaborative R&D projects. He is also an advisor and mentor to several tech start-ups.