Monthly Archives: September 2017

Meet us @ Gartner Security & Risk Management Summit 2017

The EZMCOM team will be present at the Gartner Security & Risk Management Summit 2017. Whether you are implementing PSD2, GDPR or MiFID II, our team can help you find the right solutions to meet your requirements. We will be represented by:

  Deepak Panigrahy, Head of UK & Europe, EZMCOM, and Anupam Ratha, CTO, EZMCOM

You can schedule a 1-1 meeting by dropping an email to sales@ezmcom.com

Our product suites include:

  • Biometric Authentication (Face, Voice)
  • Behavioural Biometrics Authentication
  • ID Proofing for remote eKYC and AML
  • 2FA/MFA: Support all integrations with 360-degree coverage of form factors
  • Risk based Adaptive Authentication
  • 3D Secure 2.0 Authentication
  • Financial Fraud Risk Management
  • PKI Tokens

We were covered by Gartner last month in its Hype Cycle for Risk Management, 2017 and Hype Cycle for Identity and Access Management, 2017 reports.

Venue of the Event: InterContinental London – The O2, Waterview Drive, London, United Kingdom – SE10 0TW

Date:  18-19 September, 2017

Local Contact Number: +44 (0) 74832 14871

3-Steps for Compliance with “SWIFT customer security controls framework 1.0”

A deadline of January 2018 looms over Banking & Financial Institutions for compliance with the security guidelines issued by SWIFT. This guidance from EZMCOM provides a concise summary of controls that can be implemented for compliance.

Typically we can classify the operators of the SWIFT software as either an “IT / OS admin” or a “User”. The “IT / OS admin” typically logs in to the SWIFT server to administer, manage, update and upgrade the SWIFT software and perform general maintenance. The “User” performs the financial transactions and functional work on the web-based SWIFT Alliance software.

The following security guidelines must be implemented for both these types of users (“operators”).

Compliance for the “Password”

Banks are most likely already compliant with this requirement. If not, here is the guideline from SWIFT:

  • The Password should be at least 8 characters long
  • It should be a combination of digits, special characters, uppercase and lowercase letters
  • The Password should be used only for accessing the SWIFT account (and not be a common Password also used to log in to the Bank’s domain)
  • The Password should not be trivial (e.g. dictionary words)

EZMCOM recommends the use of the standard password policies of an Active Directory (AD) server to enforce this compliance. The AD can be integrated for OS login as well as serving as the user repository in the SWIFT software.
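For teams that want to test candidate passwords against the four SWIFT rules above before (or alongside) the directory policy, here is an added example in Python; it is not code from EZMCOM or SWIFT. The dictionary and the “other account” hash are constructed sample data, and the reuse check compares against a hash only so the example holds no plaintext; in a real deployment the directory policy, not application code, enforces history and uniqueness.

```python
import hashlib
import hmac
import string

MIN_LENGTH = 8

# Constructed sample wordlist; a real check would load a full dictionary
# and the well-known breached-password lists.
DICTIONARY = {"password", "welcome", "letmein", "summer", "swift", "qwerty"}


def check_password(candidate: str, other_password_hashes=(), dictionary=DICTIONARY):
    """Return the list of SWIFT CSCF password rules the candidate violates.

    Codes, in the order they are checked:
      too_short        - fewer than 8 characters
      missing_classes  - not all of digit / upper / lower / special present
      dictionary_word  - trivial: a dictionary word, optionally padded with
                         digits or punctuation ("Summer2017!" -> "summer")
      reused           - same as a password used for another account
    """
    violations = []

    if len(candidate) < MIN_LENGTH:
        violations.append("too_short")

    classes = {
        "digit": any(c.isdigit() for c in candidate),
        "upper": any(c.isupper() for c in candidate),
        "lower": any(c.islower() for c in candidate),
        "special": any(c in string.punctuation for c in candidate),
    }
    if not all(classes.values()):
        violations.append("missing_classes")

    # Strip leading/trailing digits and punctuation so "Summer2017!" is still
    # recognised as the dictionary word "summer".
    core = candidate.lower().strip(string.digits + string.punctuation)
    if candidate.lower() in dictionary or core in dictionary:
        violations.append("dictionary_word")

    # Uniqueness: the SWIFT password must not be the one used for the bank
    # domain. SHA-256 here is only to avoid handling plaintext in the example.
    digest = hashlib.sha256(candidate.encode("utf-8")).hexdigest()
    if any(hmac.compare_digest(digest, h) for h in other_password_hashes):
        violations.append("reused")

    return violations


if __name__ == "__main__":
    domain_hash = hashlib.sha256(b"Sw1ft!Pay").hexdigest()  # constructed
    for pw in ("Sw1ft!Pay", "password", "Summer2017!", "Ab1!"):
        print(pw, "->", check_password(pw, [domain_hash]) or "ok")
```

The strip-and-lookup step matters in practice: most “compliant” weak passwords are a dictionary word with a year and a symbol appended, which satisfies the character-class rule while remaining trivial.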

The Isolated / Dedicated workstation compliance

Typically bank users have internet access on their workstations. SWIFT requires a dedicated workstation that is not connected to the internet and preferably not to any other external content either (e.g. mail, FTP, SFTP, etc.). Provisioning such a workstation for every operator would be an inefficient and expensive approach.

Alternatively, SWIFT recommends that the bank user connect to a JUMP server and that the operators connect onward from this jump server to the SWIFT software. The jump server must be isolated from any other network, must not be connected to the internet or run any mail, FTP, SFTP or similar software, and must be firewalled appropriately.

EZMCOM recommends:

  • Establish a jump (intermediate) server infrastructure, viz. Microsoft Windows Server(s) providing Remote Desktop access for your SWIFT users. If you have a VDI infrastructure (e.g. Citrix XenApp/XenDesktop with Receiver), you can use that as well.
  • Firewall and restrict access to the SWIFT servers and the URL of the SWIFT Alliance web application so that they are reachable only from the JUMP server(s).
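To make the two segmentation requirements above checkable rather than aspirational, here is an added example in Python (not code from EZMCOM, SWIFT or any firewall vendor) that evaluates a first-match rule table the way a stateless packet filter would and reports where it deviates from the jump-server model: SWIFT Alliance reachable only from the jump hosts, and no mail/FTP/SFTP/web egress from the jump hosts to the internet. All addresses, networks and rules are constructed sample data; the “internet probe” address is from the TEST-NET-3 documentation range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network, CIDR notation
    dst: str      # destination network, CIDR notation
    dport: int    # TCP destination port; 0 means any port


def decide(rules, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.dport in (0, dport)):
            return r.action
    return "deny"


# Services the page says a jump server must not have towards the outside.
EXTERNAL_SERVICES = {25: "mail", 21: "ftp", 22: "sftp", 80: "http", 443: "https"}


def audit(rules, jump_hosts, swift_hosts, other_sources, internet_probe="203.0.113.10"):
    """Return a list of findings; an empty list means the table matches the model."""
    findings = []
    for j in jump_hosts:
        for s in swift_hosts:
            if decide(rules, j, s, 443) != "allow":
                findings.append(f"jump {j} cannot reach SWIFT Alliance {s}:443")
        for port, name in EXTERNAL_SERVICES.items():
            if decide(rules, j, internet_probe, port) == "allow":
                findings.append(f"jump {j} has {name} egress to the internet (port {port})")
    for src in other_sources:
        for s in swift_hosts:
            if decide(rules, src, s, 443) == "allow":
                findings.append(f"non-jump host {src} can reach SWIFT Alliance {s}:443")
    return findings


# Constructed topology: jump hosts in 10.10.1.0/24, SWIFT servers in 10.20.0.0/24,
# ordinary user workstations in 10.50.0.0/16 and 192.168.4.0/24.
JUMP = ["10.10.1.5"]
SWIFT = ["10.20.0.10"]
OTHER = ["10.50.3.7", "192.168.4.20"]

COMPLIANT_RULES = [
    Rule("allow", "10.10.1.0/24", "10.20.0.0/24", 443),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", 0),
]

LEAKY_RULES = [
    Rule("allow", "10.10.1.0/24", "10.20.0.0/24", 443),
    Rule("allow", "10.50.0.0/16", "10.20.0.0/24", 443),  # user LAN bypasses the jump server
    Rule("allow", "10.10.1.0/24", "0.0.0.0/0", 80),      # jump server can browse the internet
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", 0),
]

if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT_RULES), ("leaky", LEAKY_RULES)):
        print(name, "->", audit(rules, JUMP, SWIFT, OTHER) or "no findings")
```

Running the same audit against an export of the production rule table (converted into `Rule` entries) after every firewall change is a cheap way to keep the evidence for this control current rather than relying on the original design diagram.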

Two-Step Verification (2SV) compliance

2SV, in other words 2-Factor Authentication, is typically the use of an additional credential that can be used only once and is valid for a limited time. It ensures that a compromise of the Username and Password credential, for whatever reason, does not by itself provide unauthorized access to the SWIFT software.

The compliance requires the operators to perform a 2SV in at least one of the access procedures to the SWIFT software.

EZMCOM recommends:

  • Implement 2SV during the remote (desktop) access to the JUMP server. It is very unlikely that Banks will allocate an additional dedicated and isolated workstation to each SWIFT software operator, and the JUMP server access can provide a uniform and consistent 2SV experience for all operators (IT/ OS admins as well as Users).
  • Alternatively, 2SV/ 2FA can be enforced during RDP for the “IT/ OS admin” operators of SWIFT, while for the “User” it can be enforced during the web-based browser login to the SWIFT Alliance software application. With this, the User operator of SWIFT will not be required to perform 2SV/ 2FA during every remote desktop session. Such remote connections typically auto-disconnect after a period of inactivity or show the lock screen, at which point repeated 2SV/ 2FA can become inconvenient.
  • You may consider implementing a behavioral authentication solution that monitors the keystroke dynamics of the users during the remote desktop session; an Artificial Intelligence/ Machine Learning based solution can then grant access to the remote desktop without a 2SV/ 2FA if there is no anomaly in the way the remote desktop connection is being established. This greatly increases convenience for SWIFT operators while maintaining compliance.

EZMCOM cautions against:

  • Use of free (3rd party/ opensource) OTP/ 2FA/ 2SV authenticators that are natively integrable with SWIFT software’s internal capability of supporting Time based OTP (TOTP) authenticators.
  • Do not assume that by using the built-in 2FA/ 2SV capabilities of the SWIFT Alliance software you achieve compliance with all of the security guidelines stipulated in the “SWIFT customer security controls framework 1.0” issued by SWIFT. You will still need to implement additional 2FA/ 2SV for the “IT/ OS Admin” operators, even if you choose to use a free/ opensource OTP authenticator that is compliant with SWIFT.

A sample illustration of a SWIFT “IT / OS Admin” operator’s experience with 2SV during the remote desktop connection to a JUMP server, before accessing the SWIFT software server for administration. The “User” operator can have the same experience prior to launching the browser to log in to the SWIFT web application.

Disclaimer

EZMCOM is not endorsing any vendor, product or service mentioned in its guidance document, and does not advise Banks and Financial institutions to refer to this document alone for compliance. This publication from EZMCOM consists of opinions drawn from EZMCOM’s own experience in working with Banks and Financial institutions on attaining compliance and should not be construed as statements of fact. EZMCOM disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About EZMCOM

EZMCOM is an Identity Fraud & Risk Management solution provider with innovative and easy-to-use technology that can be deployed to protect users, data, and applications from credential theft, account takeover and breaches. EZMCOM is working with companies worldwide to change the way we authenticate and authorize – across mobile devices, servers, workstations within enterprise and cloud services.

If you have questions, or would like a demo of EZMCOM’s authentication solutions that help you establish compliance with the SWIFT security guidelines, please talk to an EZMCOM representative today!

1 (510) 396-3894 | 60 (0) 12 570-1114 | 44 (0) 7483-214871

For more information, please visit www.ezmcomcom or follow @ezmcom on Twitter, LinkedIn

EZMCOM recognised in Gartner Hype Cycles for Risk Management 2017 & IAM 2017

EZMCOM, Inc. (“EZMCOM”), an emerging leader in Fraud & Risk Management and Identity Access Management solutions, has been recognised in two of Gartner’s 2017 Hype Cycle reports: “Hype Cycle for Risk Management, 2017” and “Hype Cycle for Identity and Access Management, 2017”. EZMCOM was also mentioned earlier in the year in the Gartner publication “Technology Insight for Public-Key Authentication Tokens”.

According to Gartner’s Hype Cycle for Risk Management, 2017, “Risk management is rapidly maturing as a discipline to harness the benefits of digital business innovation in a safe and secure way.” EZMCOM’s integrated approach to risk management, comprising Identity Proofing, Biometric Authentication, Behavior & Risk-based Authentication and a Predictive Analytics based fraud detection platform, provides a notional level of trust in the claimed identity of any user (employee, partner or customer) accessing an organization’s systems and data. These capabilities add value to security and risk management initiatives such as monitoring, reporting, analytics, identity governance, enforcement of segregation of duties and fraud prevention.

Gartner Hype Cycle for Risk Management 2017
In addition, according to Ant Allan, research vice president at Gartner,

“No user authentication technology is infallible. Session-hijacking attacks can succeed regardless of the authentication method used. Invest in complementary safeguards within a multilayered approach.”
Since EZMCOM has an integrated multi-layered platform for fraud and risk management, users do not have to stitch together fragmented solutions to build multi-layered defense-in-depth protection.

Gartner’s Hype Cycle for Identity and Access Management Technologies, 2017, mentions that “Phone-as-a-token authentication methods continued to have a strong adoption trend due to increased mobile device presence as well as their advantages over legacy hardware tokens. Mobile push methods have become broadly available and adopted. IAM as a service (IDaaS) adoption is beginning to accelerate due to a mixture of organizations truly finding faster time to value, and due to Microsoft’s seeding of the market with Azure Active Directory, which is included in enterprise deals for other products.”

Gartner Hype Cycle for Identity & Access Management 2017

According to Ant Allan, research vice president at Gartner,

“Although device-embedded fingerprint modes are commonly integrated in mobile banking apps, face and voice are emerging as the modes of choice, with some adoption of scleral vein and camera-based fingerprint modes. These will likely gain traction in other mobile use cases in the near future. Behavioral modes are typically consumed as familiarity signals by fraud detection and other analytics-focused tools.”
EZMCOM provides a comprehensive suite of emerging technologies such as Biometric Authentication (Face, Voice, Behavioural), Phone-as-a-Token and X.509v3 Public Key Token Identity and Access Management technologies that integrate with various industry-leading IDaaS and IDAM platforms.

Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

If you have questions, or would like a demo of EZMCOM’s authentication solutions, talk to an EZMCOM representative today!

sales@ezmcom.com | 1 (510) 396-3894 | 60 (0) 12 570-1114 | 44 (0) 7483-214871