Integrating identity and access management and privileged access management for enhanced identity security in financial institutions: A zero-trust approach
Abstract
This paper explores the critical role of identity and access management (IAM) and privileged access management (PAM) in securing the digital identities of employees within financial institutions. It emphasises identity-centric security as the first line of defence in protecting sensitive data and IT assets, especially in legacy IT environments where technological constraints and regulatory demands pose unique challenges. The paper outlines how integrating IAM and PAM supports compliance with industry regulations and enforces zero-trust principles, ensuring continuous verification and control of privileged accounts. Key concepts such as the confidentiality, integrity and availability (CIA) triad, least privilege and need-to-know principles are examined in relation to data classification and risk management. The paper further introduces a practical framework for transforming legacy IT systems through comprehensive organisational and technical measures. Readers will gain insight into the core PAM controls essential for safeguarding privileged access, including account discovery, session isolation, behavioural monitoring, audit trails and risk-based remediation. By following these strategies, financial institutions can enhance transparency, reduce attack surfaces and maintain full control over privileged activities. This paper equips IT and security professionals with a clear understanding of how to implement robust identity-centric security frameworks tailored to complex legacy environments, supporting operational continuity and regulatory compliance in an evolving threat landscape.
This article is also included in The Business & Management Collection which can be accessed at https://hstalks.com/business/.
The full article is available to subscribers to the journal.
Authors' Biographies
Felix Behringer is a seasoned IT security professional currently serving as Senior Manager at Cybrex GmbH, where he is recognised as an expert in privileged access management (PAM) and identity security. With eight years’ dedicated experience in the identity industry, he has successfully spearheaded complex projects, including a four-year internal project directing the implementation of a state-of-the-art PAM solution for a premier direct bank in Germany. His four years of consulting experience further complement his strategic insights into security and best practices frameworks tailored to the stringent demands of the financial sector. His academic background in international business management with a focus on strategy and finance, combined with certifications including Certified Information Systems Security Professional and Certified Information Security Manager, underpins his holistic approach to security across the entire identity life cycle. Additionally, his expertise is further validated by his effective project management skills (PRINCE2, Scrum Master and Product Owner) and his contributions as a speaker at leading industry conferences such as the European Identity Cloud Conference.
Patrick Baumann is a Senior Manager at EY with expertise in information security, focusing on identity and access management (IAM) and privileged access management (PAM). He supports organisations across various industries in developing IT security strategies, governance frameworks and processes to meet regulatory and compliance requirements. His experience includes designing and implementing IAM and PAM solutions, establishing effective processes and controls, and aligning security practices with regulations such as the Digital Operational Resilience Act, Minimum Requirements for Risk Management, and Versicherungsaufsichtliche Anforderungen an die IT, among others. He works on defining access controls, managing emergency access procedures and integrating monitoring tools to ensure continuous risk assessment and compliance. Patrick holds a BSc in business information systems and certifications including Scrum Master and IT Infrastructure Library Foundation. He is proficient in using IAM and PAM platforms such as CyberArk, SailPoint, IBM and One Identity. He has been recognised with EY’s EMEIA Risk Excellence Award in the category ‘Lead by Example’.