- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
The Federal Financial Institutions Examination Council (FFIEC) places significant emphasis on user security controls and the mitigation of potential risks posed by privileged users. To comply with FFIEC guidelines and safeguard critical systems, strong access management measures are crucial.
Legacy privileged access management (PAM) tools support a limited set of privileged users and can’t support cloud, modern databases or ephemeral resources. Dynamic Access Management (DAM) is privileged access for today, supporting just in time (JIT) for all resources on-premises or in the cloud, and enable Zero Standing Privilege (ZSP) strategies.
This document highlights how StrongDM Dynamic Access Management can address FFIEC controls and help organizations mitigate internal access risks effectively.
The Need for User Security Controls and Access Management for FFIEC
FFIEC's II.C.7 emphasizes the importance of granting access based on job responsibilities, minimizing risk exposure, and preventing unauthorized activities by privileged users. Here are some key risks and challenges highlighted by FFIEC:
- Unauthorized Actions: Privileged users, including employees, contractors, and third-party service providers, may exploit their access rights for unauthorized activities, such as data alteration, deletion, or misuse.
- Increased Internal Risk: The degree of internal access granted to some users elevates the risk of information and system damage, misdirection, disruption, or misuse for personal gain, fraud, or espionage.
- Compliance and Auditing: FFIEC expects institutions to establish appropriate user access controls and regularly review access privileges to ensure compliance. Auditing and reporting capabilities are essential for demonstrating adherence to FFIEC guidelines.
StrongDM Dynamic Access Management: Meeting FFIEC Controls
StrongDM provides a robust Dynamic Access Management solution – a next-gen PAM– that addresses the specific requirements outlined by FFIEC. By implementing StrongDM, organizations can achieve the following:
1. Centralized Access Control
StrongDM provides a centralized platform for managing and controlling access to databases, servers, and cloud infrastructure across multiple environments. This approach also eliminates any knowledge of credentials by the user, thereby reducing user based credential theft to critical assets and improving overall security. It allows administrators to set granular permissions, enforce security policies, and maintain a unified access control system.
2. Multi-Platform Support
StrongDM supports a wide range of platforms, including databases (e.g., MySQL, PostgreSQL, MongoDB), servers (e.g., Linux, Windows), and cloud providers (e.g., AWS, GCP, Azure). This broad platform compatibility ensures that organizations can effectively manage and secure their diverse infrastructure stack.
StrongDM also provides bespoke access solutions for "non-traditional" IT systems, such as Operational or Industrial Control Systems. StrongDM's unique "Vault Agnostic" capabilities allows customers to leverage existing tools and emerging Cloud tools. This allows for easy and non-disruptive implementations and future-proofs StrongDM's access platform as technology evolves.
3. Real-Time Activity Monitoring
With StrongDM, administrators have real-time visibility into user activities, offering native language queries (e.g., SQL, K8S, and Cloud), logins, and session details which allows for far faster analysis and provides customers with vastly improved MTTR and MTTI incidents. Other legacy solutions just offer screen recordings which are difficult to search through. With advanced monitoring capabilities, you can enhance security by allowing organizations to detect and respond to suspicious or unauthorized activities promptly.
4. Secure Proxy Technology
StrongDM utilizes secure proxy technology to establish encrypted connections between users and target resources. By acting as an intermediary, it provides an additional layer of security, isolating critical assets from direct external access and protecting sensitive data. StrongDM's relay component provides customers with the unique ability to further secure access without cumbersome, and hard to manage and maintain, firewall rules.
5. Auditing and Compliance
The platform offers comprehensive audit logs and reporting capabilities, enabling organizations to meet compliance requirements and demonstrate adherence to security standards. These features assist in compliance audits, internal assessments, and security incident investigations. These specific types of auditing capabilities are called out in NIST 800-207, recent CISA Zero Trust guidelines, etc. Specifically, 800-207 recommends ongoing monitoring of privileged access to detect and respond to any unauthorized or suspicious activities. It emphasizes the importance of logging and auditing of privileged access, as well as real time monitoring and analysis of privileged user behavior.
6. Seamless Integration
StrongDM seamlessly integrates with popular identity providers, such as LDAP, Active Directory, and SSO solutions. This integration streamlines user management and authentication processes, reducing administrative overhead and improving overall user experience. StrongDM also integrates with leading EDR providers (e.g. Crowdstrike) which uniquely allows StrongDM to meet Executive Order M-22-09, specifically assessing the devices security posture prior to providing access to internal resources.
7. Role-Based Access Control
Administrators can define and enforce role-based access control (RBAC) policies within StrongDM. RBAC simplifies permission management by allowing administrators to assign users to predefined roles with specific privileges, ensuring the principle of least privilege is upheld.
8. Flexible Deployment Options
StrongDM provides flexibility in deployment, offering both SaaS and self-hosted deployment options. This allows organizations to choose the deployment model that aligns with their security requirements, operational preferences, and infrastructure architecture.
9. Modern, Low Impact, “Easy-to-Deploy” Architecture
StrongDM's unique Gateway and Relay technology is lightweight and easily supports environments where compute resources are scarce.
10. Extensive APIs and SDKs
StrongDM offers a comprehensive set of APIs and SDKs, enabling organizations to programmatically manage access controls, integrate with their existing tools and workflows, and automate processes. This flexibility empowers organizations to customize and extend StrongDM's functionality to fit their unique needs.
Mitigate FFIEC Penalties and Reputation Damage
Non-compliance with FFIEC controls can result in severe penalties for example:
- In 2018, the OCC fined a large bank $500 million for risk and compliance deficiencies, to include deficiencies in access management controls. The OCC identified failures related to the bank's access controls that allowed employees to create unauthorized accounts, leading to widespread consumer harm.
- In 2019, the OCC fined a large bank $25 million due to inadequate controls related to access rights and user privileges. The OCC found that the bank had failed to establish effective controls and oversight for access to its mainframes and systems, which increased the risk of unauthorized access and potential data breaches.
- In 2019, the OCC fined a large bank $80 million for a data breach that exposed the personal information of millions of customers. The incident highlighted the importance of robust access controls and privileged access management to prevent unauthorized access to sensitive customer data.
By adopting StrongDM Dynamic Access Management, financial institutions can:
- Reduce Security and Compliance Risks: StrongDM mitigates internal access risks, prevents unauthorized activities, and aligns with FFIEC controls, reducing the likelihood of penalties and reputational damage.
- Enhance Data Protection: StrongDM's robust access controls and auditing capabilities minimize the risk of data breaches and unauthorized access to sensitive customer information, safeguarding an institution's reputation and customer trust.
- Ensure Efficient Compliance: StrongDM streamlines user access management processes, making it easier to demonstrate compliance, respond to audits, and meet FFIEC reporting requirements effectively.
StrongDM Dynamic Access Management offers a comprehensive solution to meet FFIEC controls and mitigate risks associated with privileged user access. By implementing StrongDM, financial institutions can ensure secure access, adhere to the principle of least privilege, streamline user access management, and protect critical systems and data from unauthorized activities. With StrongDM, organizations can confidently navigate FFIEC controls, avoid penalties, and maintain a robust security posture.
See StrongDM in action, book a demo.
About the Author
Shane Stephens, Director of Solutions Architecture, is a seasoned cybersecurity professional with over 20 years of expertise. Prior to his role as Director of Solutions Architecture at StrongDM, Shane assisted numerous government and commercial customers on their Network Access Control journey, offering invaluable guidance and tailored solutions at ForeScout Technologies. He also led incident response and vulnerability management operations at the Defense Information Security Agency Command Center and made contributions to data analytics at the National Security Agency. His engineering work at The Johns Hopkins Applied Physics Laboratory focused on developing secure platforms for the modern battlefield. Shane is dedicated to safeguarding the digital future.