Why financial services firms need zero trust security more than ever
The cyberthreat landscape has evolved dramatically over the past couple of years, especially during the course of the pandemic. The massive rise of remote work has been one of the main drivers in this development, with millions of employees routinely accessing sensitive data over inadequately secured devices and networks from home.
As reliance on cloud services and remote access increases, security leaders need to deploy innovative new ways to maintain visibility and control over their environments. This requires a broad suite of security solutions that can encompass the entire attack surface – which is now far larger than it ever has been before. That starts with treating everyone and everything as a potential threat, hence the central role of zero trust security.
Attacks against financial services are on the rise
Cybercriminals select their targets based on maximum profit. This is why the financial services sector has always been disproportionately targeted. It is also why the sector invests an average of 7.6% of its IT budget in information security – second only to the software publishing and internet services industry.
Unfortunately, high levels of investment in security do not seem to be doing the trick. In fact, financial services firms have been particularly hard hit over the past two years by ransomware and other attacks. Social engineering attacks against the finance sector were also up 34.9% in 2021 compared to the previous year.
While it is true that cybercriminals are largely opportunists, that does not mean they only go for easy targets. Even though the finance sector may be more secure than most, financial data is still one of the most prized targets of all. And, thanks to the sudden, unprecedented rise of remote work, many firms have become easier targets than they were before the pandemic.
The threats will only continue to increase as financial services firms implement new solutions to facilitate hybrid workplaces, which are now well established as the future of work. Growing reliance on cloud applications, such as communication and collaboration platforms, means that the traditional notion of the network perimeter is no longer relevant. Employees have become accustomed to logging into work apps from their own devices at home. There is no going back from that now either, even as people return to the office.
Balancing usability with information security
The benefits of adopting a hybrid work model for the long term are without doubt – employees are happier and more productive when they have flexible working arrangements and they can use their own devices for work. There is also no denying the risks that such an environment introduces, which is why a top priority for security leaders must be to strike a balance between usability and security.
Many business leaders find themselves sacrificing one or the other. However, sacrifice too much usability, and employee morale and productivity will suffer. Worse still, they may try to circumvent security controls just to get their work done faster. On the other hand, prioritizing usability over security or regulatory compliance can quickly result in disaster, as JPMorgan learned when it was fined $200 million for letting employees use WhatsApp for client communications.
What is zero trust security?
Zero trust security is an approach built around the notion that every attempt to access data is potentially malicious. This includes attempts to access systems and data by employees, third parties, or other devices and applications. However, the precise definition of zero trust varies between vendors of zero trust solutions. Some vendors consider it in terms of not trusting data sources or users. Others, including us here at Worldr, consider true zero trust security to mean not automatically trusting any network traffic at all.
Zero trust security might sound daunting, but it can actually help reduce complexity, especially when managing multiple tech solutions and vendors. The idea behind the zero trust model is that you never assume an access attempt is trustworthy for any reason. Instead, you always verify the user or device’s identity, as opposed to assuming that anyone or anything logged into your network is trustworthy. This should apply not only on the network access level, but also on the software application level.
Establishing a software-defined perimeter
The biggest shortcoming of the traditional approach to security is that it follows the castle-and-moat model. In such environments, there is only one major layer of defense that encompasses the entire corporate network (i.e. the moat and wall). However, it is much easier for attackers to get past that line of defense in the age of remote work, simply because employees access the network from myriad different devices and locations. As such, there is no longer a clearly defined physical perimeter of the sort we used to have with air-gapped on-premises networks.
Since the finance sector is largely concerned with knowledge-work, it relies heavily on cloud communication and collaboration platforms, such as Microsoft Teams. While essential in any modern workplace, the use of such tools presents additional risks. These risks are especially pronounced during mergers and acquisitions, which are at an all-time high in the finance world, as firms struggle to overcome complexities associated with the integration of new processes, systems, and databases.
By establishing a software-defined perimeter, firms can enable secure, zero trust access to their systems. This helps mitigate risk when integrating new systems and managing business communications, especially during M&As.
Securing hybrid work communications
Financial services firms are operating increasingly complex IT environments, many of which depend heavily on remote workers and globally distributed branches and operations. Also, as one of the most highly regulated of all industry sectors, financial services must adhere to many compliance regimes, such as FCA, GLBA, PCI-DSS, and GDPR. Adhering to such regulations requires maintaining full control and visibility over your data, and that starts with securing all your communications to mitigate third-party risk.
Zero trust security helps protect your firm from numerous threats, such as phishing messages and eavesdropping attacks on popular communications platforms. For example, you might be holding a virtual conference on Microsoft Teams, but you should not automatically assume that everyone signing in from an invitation link is legitimate: the invitation link could have been leaked, or an employee-owned device used to join the meeting could have been stolen. In such cases, zero trust security ensures that everyone attending the meeting is who they say they are.
Bolstering resilience with segmentation
The core value of zero trust security is that it allows businesses to defend themselves against identity-based attacks, which play a central role in the vast majority of data breaches. Being a layered approach to security, it consists of three primary building blocks – validation, control, and protection. As a result, it also protects against the lateral movement of attackers if they are able to get inside a network.
Network segmentation plays a key part in this process. The idea is that by dividing the network into logical segments, each one with its own software-defined perimeter, you can limit the blast radius of an attack. This way, every device and app functions in its own security environment, granting access only to verified users, devices, and third parties. For example, collaboration and communications systems should not have automatic access to features like file-sharing without the user first verifying their identity.
Segmenting your network environment can be challenging, since you do not want to end up with every business function operating in a bubble. After all, organizational silos are among the main reasons for inefficiencies in the finance sector. To stop this from happening, security leaders should take an integrated approach to zero trust security, thus making it easy for legitimate users and devices to access the apps and data they need to perform their roles optimally.
Enforcing role-based access controls
Zero trust is all about decoupling security from the increasing complexity of IT infrastructure by instead addressing the roles of specific users or devices. It goes beyond perimeter defense measures, such as firewalls and network protocols, to considering individual applications and data assets. Chances are, each of those applications and data assets has a specific function, whereas regular perimeter defenses cover entire networks. This is why financial services firms need to implement role-based access controls that conform to the principle of least privilege. In other words, an employee or device should only ever have access to the systems and data required to fulfill their role – and no more.
To implement zero trust security, financial services firms should build on existing identity and access management (IAM) policies by applying them on a per-application or per-asset level. For example, there is no legitimate reason for someone in the marketing department to have access to clients’ bank statements, while a customer support representative may need access to them under certain circumstances. By implementing these role-based access controls on a granular level, any attacker will be unable to move from one compromised asset or network to another, thereby keeping the threat contained and the fallout to a minimum. Of course, this approach reduces the risk of insider threat as well.
While the principle of least privilege is not quite the same thing as zero trust security, they are tightly connected. Zero trust concerns who is requesting access, the context of the request, and the risk posed by the request. The principle of least privilege ensures that it is impossible for anyone to escalate user privileges to access any systems that they do not have a legitimate reason to access.
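As an added illustration (not code from this article or from Worldr's product), the following Python sketch models the per-asset, least-privilege checks described above together with the segmentation point that file-sharing in a collaboration app should not be granted without a verified identity: every request is denied by default, nothing is granted until user and device are verified, the marketing role cannot read client bank statements, and support can read them only when the request is tied to an open case. The role names, asset names and the "open case" condition are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed, hypothetical policy model for per-asset, context-aware
# access decisions. Not a real product's policy format.

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    asset: str
    action: str
    device_verified: bool          # device passed its posture/identity check
    mfa_verified: bool             # user re-authenticated for this session
    open_case: Optional[str] = None  # support case the request is tied to

# Per-asset policy: which roles may perform which actions, plus any extra
# context condition that must hold before the grant applies.
POLICY: Dict[str, Dict[str, Dict[str, dict]]] = {
    "client_bank_statements": {
        "support": {"read": {"requires_case": True}},
        "compliance": {"read": {}},
    },
    "teams_file_sharing": {
        # "*" = any role may use the feature, but only after verification
        "*": {"upload": {}, "download": {}},
    },
}

def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Default deny: nothing is trusted implicitly."""
    if not (req.device_verified and req.mfa_verified):
        return False, "identity or device not verified"
    asset_policy = POLICY.get(req.asset)
    if asset_policy is None:
        return False, "no policy for asset %r" % req.asset
    role_policy = asset_policy.get(req.role) or asset_policy.get("*")
    if role_policy is None:
        return False, "role %r has no grant on %r" % (req.role, req.asset)
    conditions = role_policy.get(req.action)
    if conditions is None:
        return False, "action %r not granted to %r" % (req.action, req.role)
    if conditions.get("requires_case") and not req.open_case:
        return False, "access must be tied to an open support case"
    return True, "allowed"
```

Every denial returns a reason string so the decision can be logged and reviewed, which is where the control and transparency the next section mentions come from.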
Modern solutions for modern problems
Zero trust security might seem like an unattainable goal, but thanks to modern solutions, it is really just a matter of centralizing and automating policy enforcement. For financial services firms, this adds a vital extra layer of security to distributed workforces while also upholding the compliance demands of control and transparency.