NHI Forum
Read full article here: https://www.andromedasecurity.com/blogs/cloud-iam-ny-dfs-2025/?utm_source=nhimg
The New York Department of Financial Services (NY DFS) has updated its Cybersecurity Regulation (23 NYCRR 500), introducing new identity and access management (IAM) requirements effective May 1, 2025. These changes directly impact financial institutions and other covered entities operating in cloud-first environments, emphasizing stronger controls over human and non-human identities.
The regulation addresses the critical security gaps in cloud access, where over 90% of identities are over-permissioned, posing significant breach risks. It mandates that organizations:
- Limit access rights strictly to job function needs.
- Conduct regular access reviews to remove excessive or outdated permissions.
- Automate provisioning and deprovisioning to promptly remove access when staff depart.
- Disable high-risk remote access protocols.
- Enforce MFA and strong authentication across privileged accounts.
Compliance is not optional: non-adherence risks regulatory penalties, reputational damage, and operational exposure.
Recommended Compliance Roadmap
- Gain Visibility – Map all human and Non-Human Identities (NHIs) across cloud, on-prem, and hybrid environments, including third-party access.
- Reduce Permissions – Eliminate unused and excessive privileges using least privilege principles and continuous monitoring.
- Implement Just-in-Time (JIT) Access – Enable temporary, auto-expiring privileged access to reduce standing privileges.
- Enforce Governance – Automate access reviews, assign ownership, and ensure accountability.
- Strengthen Authentication – Mandate MFA, and move toward passwordless authentication where possible.
Business Impact
By enforcing tighter cloud identity security, NY DFS 2025 moves financial institutions closer to Zero Trust and significantly reduces the blast radius of potential breaches.
How Andromeda Security Helps
Andromeda delivers real-time visibility, AI-driven risk analytics, and automated remediation for cloud identities. Capabilities include dynamic permission rightsizing, contextual JIT, automated anomaly detection, and streamlined access reviews, ensuring compliance while improving operational efficiency.