This brings us up to date and is illustrated in the diagram below.


In essence, most banks have bits of security processing from every generation of technology development. This means we are running a complicated mess, with a desire to move more of the access control to Centralised Web Security technology as the applications become more web-based. There is a recognition, however, that the non-web-based, mainly staff-driven ways of working will continue for a long time (many years, probably decades) before they are replaced with web-based screens.

Even within the Centralised Web Security world there is a desire to improve things. This is because there is a design tension between putting detailed security controls in a central place (e.g. Centralised Web Security or RACF) and putting them in specific applications. Central control runs the risk of increasing the admin overhead for all users. Application-specific control gives a different set of admin and flexibility issues (e.g. it is easier to introduce a new authentication technology such as smart cards or biometrics once centrally rather than in lots of different places).

There is also no economic justification for the enormous software development costs associated with ripping out the security processing from applications and centralising it in RACF or Centralised Web Security.
