SAMA Identity Based Network Security

The Shared Password Crisis Undermining Banking Security

Shared network credentials, a practice that remains prevalent in banking sectors globally, create a fundamental accountability gap: when multiple staff members use the same login to access network infrastructure, forensic investigations cannot attribute actions to individuals. The Saudi Arabian Monetary Authority’s (SAMA) cybersecurity framework mandates identity attribution and continuous authentication for Saudi banks. The architectural shift from shared credentials to strong, identity-based access control, using 802.1x RADIUS authentication on HFCL switches integrated with Active Directory, therefore addresses both a global security weakness and a specific regulatory requirement.

Executive Summary

  • Shared credentials undermine security and accountability: When multiple people share infrastructure credentials, it increases the risk of security breaches. In addition, it becomes difficult to attribute actions to individuals, which is inconsistent with modern regulatory expectations around identity and auditability in financial services.
  • 802.1x enables per-user/device access control: By tying network access to individual user or device identity via cryptographic authentication, every connection becomes attributable and auditable.
  • HFCL switches as enforcement points: IO Plus Series switches with native 802.1x support act as distributed policy enforcement, validating identity before granting Layer 2 connectivity and applying role-based access policies.
  • Active Directory integration centralizes identity: Banks leverage existing AD infrastructure—the same credentials used for email and applications now control network access, eliminating credential sprawl.
  • AAA servers enable dynamic policies: RADIUS-based central authentication and authorization servers evaluate identity and push role-specific access policies to switches via downloadable ACLs—tellers get banking app access, guests get internet-only.
  • Immutable audit trails: Every authentication attempt—success or failure—is logged with username, timestamp, device identity, and switch port, creating SAMA-compliant evidence.

The Shared Password Epidemic: Security Theater at Scale

Across the global financial sector, one pattern recurs: shared credentials for critical systems and infrastructure. Multiple staff (tellers, operations teams, contractors) use common usernames and passwords to access network devices or privileged tools, especially in environments with legacy processes or rapid staff churn. The practice looks convenient, but it creates deep structural weaknesses.

Zero Accountability

Insider threats—whether malicious staff, compromised contractors, or social engineering victims—operate invisibly when everyone shares credentials.

Audit Trail Fiction

Logs show “Branch_Admin” performed an action, but which human? Forensic investigations collapse. Regulatory fines follow.

Privilege Creep

Once shared credentials grant full network access, there’s no mechanism for least privilege—junior tellers have identical access to senior managers.

Password Entropy Collapse

Shared credentials must be memorized by many people, so complexity suffers. They’re written on sticky notes, stored in email, shared via WhatsApp. “Branch_Admin123!” becomes “Branch_Admin1” after the first password reset complaint.

No Termination Control

When an employee leaves, banks must either keep the shared password (ex-employee retains access indefinitely) or change it (disrupting all remaining staff). Neither option is acceptable.

SAMA’s Explicit Requirement: Identity Attribution

The Saudi Arabian Monetary Authority has made the requirement unambiguous: financial institutions must implement strong authentication with individual identity attribution for all network access. This aligns with international frameworks (NIST 800-63, ISO 27001, PCI DSS) that prohibit shared credentials for any system accessing cardholder data or sensitive financial information.

SAMA’s cybersecurity framework demands:

  • Unique identities: Every user and device must authenticate with credentials tied to an individual or specific asset.
  • Multi-factor authentication (MFA): Critical systems require layered authentication.
  • Continuous authorization: Access decisions re-evaluated based on device posture and behavior.
  • Immutable audit logs: Every access event logged with sufficient detail for forensic reconstruction.

Shared passwords and opaque access practices run against these principles.

The 802.1x + HFCL Architecture: Strong Identity at the Switch

Network Access Control using 802.1x authentication inverts the security model. Instead of granting network access to anyone who can plug in a cable and type a shared password, 802.1x verifies cryptographic identity before forwarding a single packet.

How the Architecture Works

1. Device Connection (No Trust)

When a teller’s workstation connects to an HFCL switch port, the switch immediately blocks all traffic except 802.1x (EAPOL) authentication frames.

2. Identity Challenge (Cryptographic Proof)

The device must prove identity by providing:

  • User credentials validated against Active Directory
  • Machine certificate issued by the bank’s PKI
  • Or both for high-security scenarios

3. RADIUS Evaluation (Policy Decision)

The RADIUS server evaluates:

  • User validity
  • Password correctness
  • Device certificate status
  • Security posture

It then returns Access-Accept, Access-Reject, or Access-Challenge (a further round of the EAP exchange).

4. Dynamic Policy Enforcement (Downloadable ACLs)

Upon authentication, RADIUS pushes role-specific policies:

  • Teller → Staff VLAN, banking systems only
  • Manager → Reporting dashboards access
  • ATM → Isolated transaction VLAN
  • Guest → Internet-only VLAN

Policies are enforced at the switch port.

5. Continuous Monitoring (Change of Authorization)

Access can be modified dynamically based on:

  • Security posture changes
  • Behavioral anomalies
  • Time-based policies
  • Threat intelligence
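The five steps above, collapsed into the final policy decision the RADIUS server makes once the EAP exchange has completed. This is an added illustration, not HFCL or SAMA code: the AD group names, VLAN IDs and ACL lines are constructed, and the `dACL` key stands in for whatever vendor-specific attribute the switch uses to receive a downloadable ACL.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> policy the RADIUS server pushes to the switch port (constructed values).
# Order matters: the first group a user belongs to wins, so list the most
# restrictive/special-purpose roles first and keep each user in one role group.
ROLE_POLICY = {
    "BANK-ATMs":     {"vlan": "300", "dacl": ["permit tcp any host 10.10.9.10 eq 443", "deny ip any any"]},
    "BANK-Managers": {"vlan": "120", "dacl": ["permit tcp any 10.10.6.0/24 eq 443", "deny ip any any"]},
    "BANK-Tellers":  {"vlan": "110", "dacl": ["permit tcp any host 10.10.5.20 eq 443", "deny ip any any"]},
}
GUEST_POLICY = {"vlan": "900", "dacl": ["deny ip any 10.0.0.0/8", "permit ip any any"]}
HIGH_SECURITY = {"BANK-Managers"}  # roles that need user credential AND machine certificate

@dataclass
class AccessRequest:
    username: str             # EAP identity ("" for a MAB-only device)
    password_ok: bool         # outcome of the Active Directory credential check
    cert_valid: bool          # machine certificate chain and revocation check passed
    ad_groups: list           # group memberships returned by Active Directory
    calling_station_id: str   # client MAC address as the switch reports it
    nas_port_id: str          # switch port the supplicant is plugged into

def decide(req, now=None):
    """Return (result, attributes, audit_record) for one completed EAP exchange.

    Access-Challenge round trips (the EAP conversation itself) happen before this
    point; this function is the final Accept/Reject decision and the audit record."""
    now = now or datetime.now(timezone.utc)
    role = next((g for g in ROLE_POLICY if g in req.ad_groups), None)
    if not (req.password_ok or req.cert_valid):
        result, attrs = "Access-Reject", {}
    elif role in HIGH_SECURITY and not (req.password_ok and req.cert_valid):
        result, attrs = "Access-Reject", {}           # high-security role needs both proofs
    else:
        policy = ROLE_POLICY.get(role, GUEST_POLICY)  # no role group -> internet-only guest VLAN
        attrs = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                 "Tunnel-Private-Group-ID": policy["vlan"], "dACL": list(policy["dacl"])}
        result = "Access-Accept"
    audit = {  # one record per attempt, success or failure: the evidence the framework asks for
        "timestamp": now.isoformat(), "username": req.username or "<mab>",
        "mac": req.calling_station_id, "port": req.nas_port_id,
        "role": role or "guest", "result": result,
    }
    return result, attrs, audit

if __name__ == "__main__":
    teller = AccessRequest("t.ahmed", True, True, ["BANK-Tellers"], "00:11:22:33:44:55", "Gi1/0/7")
    print(decide(teller))
```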

The HFCL Advantage: Native 802.1x Integration

At HFCL, IO Plus Series switches are architected specifically for mission-critical BFSI deployments.

Key Differentiators

  • Native 802.1x support without licensing complexity
  • Multi-authentication modes (802.1x, MAB, captive portal)
  • Downloadable ACL enforcement at hardware level
  • Comprehensive logging for compliance
  • Out-of-band management resilience

Active Directory Integration: Centralizing Identity

Single Source of Truth

Active Directory already manages:

  • User accounts
  • Group memberships
  • Password policies
  • Device accounts

Network access inherits this framework.

MFA Extension to Network Layer

RADIUS integration with MFA providers extends multi-factor authentication to the network access layer.

The Business Case: Identity as Operational Efficiency

Streamlined Access Management

Network access tied to AD reduces credential sprawl and helpdesk load.

Improved Incident Response Capability

Identity-based logs enable faster investigations and targeted isolation.
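What identity-attributed logs buy an investigator, as an added example that is not part of the original page. The log lines are constructed, and their format is assumed rather than any particular RADIUS server's syntax; the two checks are the ones the page's argument implies: find the port an identity is on right now so it can be isolated, and flag an identity that keeps being accepted from different machines within minutes, which is the footprint a shared account leaves once every login is attributed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the per-attempt audit records described on this page.
SAMPLE_LOG = """\
2025-03-04T09:01:12Z Access-Accept user=t.ahmed mac=00:11:22:33:44:55 port=BR12-SW1:Gi1/0/7
2025-03-04T09:02:40Z Access-Accept user=branch_admin mac=00:11:22:33:44:61 port=BR12-SW1:Gi1/0/3
2025-03-04T09:03:05Z Access-Reject user=s.nasser mac=00:11:22:33:44:70 port=BR12-SW1:Gi1/0/9
2025-03-04T09:04:17Z Access-Accept user=branch_admin mac=00:11:22:33:44:62 port=BR12-SW2:Gi1/0/5
2025-03-04T09:06:50Z Access-Accept user=branch_admin mac=00:11:22:33:44:63 port=BR12-SW2:Gi1/0/6
2025-03-04T11:30:00Z Access-Accept user=t.ahmed mac=00:11:22:33:44:55 port=BR12-SW1:Gi1/0/8
"""
LINE = re.compile(r"^(\S+) (Access-\w+) user=(\S+) mac=(\S+) port=(\S+)$")

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip unparseable lines rather than silently mis-attributing them
        ts, result, user, mac, port = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "result": result,
                       "user": user, "mac": mac, "port": port})
    return events

def current_port(events, user):
    """Port of the identity's most recent accepted session (the port to shut for targeted isolation)."""
    accepted = [e for e in events if e["user"] == user and e["result"] == "Access-Accept"]
    return max(accepted, key=lambda e: e["ts"])["port"] if accepted else None

def shared_credential_suspects(events, window=timedelta(minutes=10), min_devices=2):
    """Identities accepted from at least min_devices distinct MACs inside one sliding window.

    One person cannot plug in from several workstations within minutes; a username
    that does is being shared, which is exactly what per-user attribution makes visible."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "Access-Accept":
            by_user[e["user"]].append(e)
    suspects = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            macs = {e["mac"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(macs) >= min_devices:
                suspects[user] = sorted(macs)
                break
    return suspects
```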

Centralized Policy Management and Workforce Considerations

  • Centralized policy definition
  • Zero-touch provisioning
  • Skills development alignment

Overcoming Implementation Concerns

Won’t 802.1x Break Legacy Devices?

Use MAC Authentication Bypass (MAB) for legacy devices that cannot run an 802.1x supplicant.

What If RADIUS Server Fails?

  • Redundant RADIUS deployment
  • Automatic failover
  • Critical authentication mode

How Long Does Rollout Take?

Phased rollout over 12–18 months depending on branch scale.

A Technical Roadmap

Phase 1 – Foundation

Deploy RADIUS, integrate AD, configure policies.

Phase 2 – Pilot

Deploy to representative branches and validate authentication success rates.

Phase 3 – Scale

Roll out across network and integrate logs with SIEM.

Phase 4 – Advanced Controls

Enable posture assessment and Change of Authorization (CoA), and eliminate the remaining shared passwords.

The Verdict: Identity is Infrastructure

Shared passwords are not just a security weakness—they are a regulatory liability. Strong identity architecture transforms network access into a compliance asset.

The perimeter no longer secures banking. Identity does.

About HFCL

HFCL is a global technology enterprise specializing in high-performance networking solutions for mission-critical industries. Our IO Plus Series switches deliver native 802.1x authentication, downloadable ACL enforcement, and comprehensive audit logging purpose-built for SAMA compliance and BFSI security requirements.