
Navigating the Complexities of IdAM in Financial Services: A Guide to Choosing the Right Platform

James Peet
Practice Director - IDAM

Identity and Access Management (IdAM) plays a critical role in ensuring security, compliance, and operational efficiency in any organization. For those operating in the financial services sector, this is especially true. Many financial services institutions are classed as Critical National Infrastructure (CNI), managing and processing vast amounts of sensitive data, including personal and financial information, making them prime targets for cyberattacks from unscrupulous characters. The consequences of such attacks can be monumental, including lost operating revenue, fines, legal penalties, and reputational damage.

IBM’s Cost of a Data Breach Report 2024 revealed that financial services continue to bear the highest costs of data breaches, averaging £5.4 million per incident. The rising cost and growing frequency of these breaches (primarily caused by stolen or compromised credentials, often due to phishing) emphasize the need for more robust and sophisticated security solutions.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework describes five key phases which organizations should continually review and adapt in order to reduce their exposure to breach risk: Identify, Protect, Detect, Respond, and Recover. IdAM plays a key role across all five, so well-thought-out IdAM practices and security guardrails are critical, not only for protecting data, but also for meeting ever-increasing and more complex regulatory compliance obligations (GDPR, PSD2/3, HIPAA, SOX, PCI DSS, etc.).

One such example currently on the minds of technology and security leaders in financial services is the Digital Operational Resilience Act (DORA), which is being mandated in January 2025 and requires financial services organizations to (in some cases) significantly enhance their ability to withstand threats by improving operational resilience and security. Strong IdAM principles play a big part in this by providing strict access control to systems for internal users, customers and third parties; ensuring well-audited and comprehensive identity governance; facilitating efficient reporting mandates; and supporting high availability and service continuity.

Zero Trust (which assumes by default that no user or system should be trusted) is at the heart of this. The Zero Trust model supports IdAM by continuously validating identities and access, enforcing the principle of least privilege, and ensuring detailed monitoring, all of which are crucial for complying with DORA.

Security and regulatory obligation are the most obvious factors to focus on when analyzing IdAM strategy and choosing IdAM products in financial services, but many other challenges and features can be of equal importance to successful integration and adoption as the organization's needs evolve. Customer experience and operational efficiency are as important, if not more so, in an increasingly budget-conscious and competitive market.

So, what are the key features you should look for in an identity platform?

  • Automation and Operational Efficiency: This is a key factor that is sometimes overlooked. How easy is the IdAM solution to live with? Do the components complement each other holistically, and is there deep integration between those components which provides rich synergy? Or is it a disjointed set of barely compatible tools that overlap functionally and require customization to bridge gaps?
  • Integration: Seamless integration that enables you to exchange data and secure legacy systems without the need for complex customization work is a big advantage. Being able to easily hook into third-party security tools (e.g. fraud or biometric services), cloud applications, and data stores in a loosely coupled, out-of-the-box manner allows you to enhance and innovate user experience and security assurance.
  • Flexible Data Model: The scale, hierarchy and complexity of an institution’s working structure can mean that generic or non-adaptable IdAM products are inadequate for their needs. The ability to customize the central directory to organize identities to align with the business as well as federate with external Identity Providers (IdPs) needs to be considered.
  • Orchestration: Are you able to create powerful and flexible automated journeys and continually evolve these without massive investment?
  • Scalability: Your chosen platform should be able to dynamically scale as the organization grows, managing increasing numbers of users, endpoints and applications without compromising performance. Check the licensing model too.
  • Strong Auditing and Reporting Capabilities: IdAM platforms should be able to track all interactions and behavior, whilst providing built-in reporting tools or the ability to export data on demand to generate detailed reports for regulatory compliance such as DORA, SOX, PCI DSS, and GDPR.
  • Identity Governance and Privileged Access Management: Insider threats (both direct and indirect) should be a key concern. The ability to identify which users can access certain systems or data, and the ability to ensure that those permissions are automatically revoked when no longer required, are highly important. The ability to enforce Separation of Duties (SoD) is also key to reducing risk, by preventing any one individual from gaining excessive control over sensitive operations.
  • Delegated Administration: Allows specific access control responsibilities to be distributed across different teams, reducing the burden on centralized operation teams and ensuring the right people control particular privileges. This may be applied to empower internal teams or to support B2B scenarios.
  • Adaptive Access Control: Whilst Multi-Factor Authentication (MFA) is already an established feature across financial services, IdAM vendors are increasingly integrating AI technology to support risk-based authentication methods that assess factors including device, location, and behavior to determine whether to grant or restrict access. Some vendors are also integrating the Shared Signals Framework (SSF), a new standard being developed by the OpenID Foundation, which uses a collaborative crowdsourcing-type model to allow companies to seamlessly exchange security data. This enables continuous threat detection improvement.
  • Data Sovereignty: In a market moving quickly to Software-as-a-Service (SaaS), ensuring compliance with where identity data is stored or processed can be a challenge. Some IdAM SaaS vendors offer the ability to deploy your tenant to a specific country/region, whilst others allow you to connect to your own managed data store. A more traditional solution is to deploy and manage the entire IdAM software yourself, though this comes with its own complications. Checking the deployment options early in your validation can quickly allow you to eliminate product options.
  • Supporting Multiple Business Units: Large institutions will often have multiple lines of business with distinct access needs and identity populations. Each line may have specific user journeys, branding, and compliance requirements. Whilst a converged and centralized IdAM solution is ideal, not all vendors can support this complexity without using multiple independent instances/tenants – which can make licensing costly and subsequently increase operational overhead.
  • Service Level Agreement (SLA): Systems that are nominated as Critical National Infrastructure can require levels of availability not possible with certain products or services. Given that the nature of IdAM is to provide the lock and keys to mission-critical applications for both humans and devices, you should ensure that any potential vendor can satisfy the levels of availability required.
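As an added illustration (not code from this article, nor from any vendor it mentions), the following Python sketch shows how three of the items above, Identity Governance (Separation of Duties), Adaptive Access Control and Auditing, combine in a single policy decision point: the caller's role set is checked for toxic combinations first, then a risk score built from device, location and behavior signals maps to allow, step-up or deny, and every decision is written as a structured audit record. The role names, signal weights and thresholds are constructed for the example and are not taken from any product.

```python
"""Toy policy decision point combining Separation of Duties (SoD), risk-based
access and audit logging.  Added example; roles, signal weights and thresholds
are constructed, not taken from any product."""
from dataclasses import dataclass
import json

# Constructed role pairs that one identity must never hold simultaneously
# (e.g. the person who initiates a payment must not also approve it).
SOD_CONFLICTS = {
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"vendor_master_editor", "payment_approver"}),
}

# Constructed weights for adaptive access signals (device, location, behaviour).
RISK_WEIGHTS = {
    "unknown_device": 40,
    "new_country": 30,
    "impossible_travel": 60,
    "off_hours": 10,
    "velocity_anomaly": 25,
}
STEP_UP_THRESHOLD = 30  # at or above: require a fresh MFA challenge
DENY_THRESHOLD = 70     # at or above: refuse regardless of MFA

AUDIT_LOG = []          # JSON lines, one per decision, for reporting/export


@dataclass
class Decision:
    outcome: str   # "allow", "step_up" or "deny"
    reason: str
    risk: int
    sod: list      # conflicting role pairs found, if any


def sod_violations(roles):
    """Return every SoD conflict pair fully contained in `roles`, sorted."""
    held = set(roles)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)


def risk_score(signals):
    """Sum the weights of observed signals; unrecognised names score zero."""
    return sum(RISK_WEIGHTS.get(s, 0) for s in signals)


def decide(user, roles, signals, mfa_satisfied=False):
    """Evaluate one access request.  SoD is checked first because a toxic role
    combination is a governance failure that no amount of MFA should override."""
    violations = sod_violations(roles)
    score = risk_score(signals)
    if violations:
        decision = Decision("deny", "separation_of_duties", score, violations)
    elif score >= DENY_THRESHOLD:
        decision = Decision("deny", "risk_too_high", score, [])
    elif score >= STEP_UP_THRESHOLD and not mfa_satisfied:
        decision = Decision("step_up", "risk_requires_mfa", score, [])
    else:
        decision = Decision("allow", "within_policy", score, [])
    # Every decision, denials included, is recorded so auditors can reconstruct
    # who was granted what, on which evidence, and why.
    AUDIT_LOG.append(json.dumps({
        "user": user,
        "roles": sorted(roles),
        "signals": sorted(signals),
        "risk": score,
        "outcome": decision.outcome,
        "reason": decision.reason,
        "sod": decision.sod,
    }, sort_keys=True))
    return decision


if __name__ == "__main__":
    # Constructed requests that walk through each branch of the policy.
    print(decide("alice", {"payment_initiator"}, set()))
    print(decide("bob", {"payment_initiator", "payment_approver"}, set()))
    print(decide("carol", {"payment_approver"}, {"unknown_device"}))
    print(decide("carol", {"payment_approver"}, {"unknown_device"}, mfa_satisfied=True))
    print(decide("dave", {"payment_approver"}, {"unknown_device", "impossible_travel"}))
    for line in AUDIT_LOG:
        print(line)
```

The ordering of the checks is the design point: a governance violation is denied before risk is even consulted, a high-risk session is refused even when MFA has already been satisfied, and only the middle band is pushed to step-up authentication. A real platform would source the signals from device posture, geo-velocity and behavioral analytics services, which is exactly the third-party integration the Integration item above asks for.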

The above list is by no means complete, and organizations need to ensure they spend adequate time and resource gathering comprehensive intelligence and analyzing requirements from stakeholders across the enterprise to fully understand the wide and varying needs for IdAM, both today and in the future.

An off-the-shelf, one-size-fits-all solution is rarely able to provide full coverage, especially in an ever-evolving regulatory world, where sophisticated threat landscapes clash with complex organizational structures and often legacy infrastructure, all the while facing ever-higher customer experience expectations.

IdAM impacts a wide range of stakeholders, often with conflicting views and desires. Clear product management and leadership are needed to ensure that security and experience requirements are balanced and prioritized effectively, aligning to the organization’s strategic goals.

In a world where most industries are making a definite strategic leap to reap the benefits of the cloud, many of the larger, more established players in the financial services sector have, for varying reasons, been reluctant to make that jump completely. Even when faced with pressure to evolve and adapt from the emergence of nimbler digital-first banks and fintechs, many financial institutions are keeping one foot in traditional data centers and private cloud, wary of not having full control over SaaS deployments, along with reservations around security and associated risk, as well as the complexity of integrating with non-standard legacy applications.

In the face of these doubts, primary IdAM vendors are keen to push the benefits of cloud adoption and constantly strive to overcome these adoption barriers by enhancing their product lines. Features such as a range of deployment models (self-managed, hybrid, cloud), single-tenancy options, a growing choice of deployment regions and the ability to "Bring Your Own Keys" (BYOK) help ease security fears, whilst migration acceleration tooling and powerful integration plugins for heritage software help to ease the transition.

The operational, technological, and commercial benefits of moving to the cloud are becoming more and more compelling, but the future has an ever-evolving narrative. Public cloud hosting may not be optimal for every workload. In fact, a recent article from IDC highlighted the growing trend of cloud repatriation, with more organizations starting to move workloads back to on-premises data centers and local private cloud providers, citing cost efficiencies and reduced latency for time-critical processes.

What this highlights is that IdAM strategy needs to accommodate ever-changing needs, and the increasingly difficult challenge of operating consistently and comprehensively across an evolving and hybrid technology landscape.

So, which are the key vendors that should be considered leaders in the IdAM market and best suited to enable organizations to navigate these challenges?

Technology choices should be based on the ability to enable positive business outcomes and holistic fit, rather than simply ticking capability requirements on paper.

A robust and comprehensive IdAM fabric will need to encompass multiple identity-related disciplines and functions that complement and support each other's effectiveness. The disciplines of Lifecycle Management, Identity Governance and Administration (IGA), Privileged Access Management (PAM), API Security (including FAPI and CIBA), Threat Detection and Behavior Analytics (and more) all overlap. When the tools that underpin them integrate easily and can work in unison, platform convergence can be achieved. This results in reduced cost, management efficiencies, and a persistent lens across complex IT estates to identify and thwart threat actors.

Whilst some vendors have good coverage across the entire IdAM spectrum, others are limited and will require a mix-and-match of tooling to cover all bases. This can result in a fragmented and sub-optimal IdAM landscape.

A good place to start your research is by looking at the most recent analyst papers by the likes of Gartner, Forrester, and Kuppinger Cole. While the list of vendors featured varies slightly, the findings are generally consistent. Taking a broad look at the reviews of each vendor and product will give you the reassurance to start your own, more detailed assessment.
