Morey Haber, Chief Technology Officer & Chief Information Security Officer at BeyondTrust, shares his thoughts on rethinking fintech security through the lens of Zero Trust.
I recently participated in a panel discussion hosted by The Fintech Times on the subject of why financial organisations require a zero-trust approach. I felt this was a thoughtful and productive session, and encourage you to check out the recording here. In this blog, I want to build on some thoughts I shared via my recent article (Why Zero Trust for Fintech, & Why Now?), and also expand on a concept that arose during the webinar, a Common Office Environment (COE) for zero trust.
Momentum in Fintech toward Zero Trust
As is now widely recognized, the global pandemic has sparked an era of aggressive digital transformation and vastly increased the proportion of remote working. As a consequence, the threat surface greatly expanded and new attack vectors have emerged. These developments essentially created momentum for embracing a zero trust model, a concept that had been much talked about for the past 5-10 years but is only now being pervasively adopted.
Zero trust environments are set up to deny or distrust (rather than trust) by default. Authentication is granted dynamically, based on many contextual triggers and data sources, on a per-session basis, and behaviour is continuously analysed. In this setting, trust is no longer binary, but requires input from multiple trust sources that coalesce in an ecosystem to grant or deny access. And any access granted is only finite, not open-ended. Segmentation and micro-segmentation are also applied to further restrict lateral movement and restrict data bleed from one environment into another.
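To make the per-session model above concrete, here is an added illustration (not code from the original post or from BeyondTrust) of a minimal policy decision point: it denies by default, combines several constructed trust signals into one decision, issues only a time-boxed grant, and re-evaluates a live session when signals change. The signal names, the resource label and the 15-minute window are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed trust signals, each standing in for a separate source
# (identity provider, endpoint agent/MDM, network analytics, UEBA).
@dataclass(frozen=True)
class Signals:
    identity_verified: bool    # IdP reports a fresh, MFA-backed authentication
    device_compliant: bool     # endpoint posture meets policy
    network_risk: str          # "low" | "medium" | "high" (e.g. public WiFi -> "medium")
    behaviour_anomalous: bool  # behavioural analytics flagged this session

@dataclass
class Grant:
    resource: str
    expires_at: datetime       # access is finite, never open-ended

    def valid(self, now: datetime) -> bool:
        return now < self.expires_at

def evaluate(signals: Signals, resource: str, now: datetime,
             ttl: timedelta = timedelta(minutes=15)) -> Optional[Grant]:
    """Deny by default; return a finite Grant only when all trust sources concur."""
    if not signals.identity_verified or not signals.device_compliant:
        return None
    if signals.behaviour_anomalous or signals.network_risk == "high":
        return None
    # Weaker network context still gets access, but with a shorter window so the
    # session is forced back through re-evaluation sooner (assumed policy: ttl / 3).
    if signals.network_risk == "medium":
        ttl = ttl / 3
    return Grant(resource=resource, expires_at=now + ttl)

def reevaluate(grant: Grant, signals: Signals, now: datetime) -> Optional[Grant]:
    """Continuous analysis: a live grant survives only while it is unexpired and
    the current signals would still produce a grant for the same resource."""
    if not grant.valid(now):
        return None
    if evaluate(signals, grant.resource, now) is None:
        return None        # e.g. device fell out of compliance mid-session
    return grant
```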
While financial services have traditionally been more risk-averse about moving to the cloud, the pull of digital transformation and the necessity of zero trust to enable work-from-anywhere will accelerate adoption. A zero-trust environment will help fintech:
- Improve remote access security and securely enable work-from-anywhere and BYOD-heavy environments.
- Reduce risk from ransomware, malware, and other threat vectors.
- Document access regardless of source to ensure the activity was appropriate.
- Ensure more robust and seamless authentication in B2B scenarios. For instance, one organisation can grant privileges to users from a partner organisation without instantiating those users in its own directory services.
Consideration of a Zero Trust COE for Fintech
One topic that emerged during the panel session was the idea of a Zero Trust Common Office Environment. A COE refers to the common features, technology, consumables, and security present in an office environment, and can vary based on company and vertical. This can include everything from desks, staplers, printers, cameras, paper, pens, computers, and software. When we consider that an office is not the only location to conduct work, we realise very quickly that our COE for security has changed.
While the primary enterprise security controls once were firewalls, intrusion prevention, network segmentation, and wired network security, these are insufficient to manage technology in a modern COE. Organisations must adapt their COE security controls to home networks, and even public WiFi. Furthermore, security for a modern COE should adhere to the foundational principles of zero trust to remove the perimeter and network security controls from being the primary method used to secure resources.
What is emerging is a modern security COE that embraces the cloud for device and identity management. This also eliminates:
- The need to utilise a VPN for every remote employee/session.
- The need to redesign security management solutions to make them available via a DMZ and potentially exposed to the Internet.
- High-risk Internet-exposed services like remote access, log management, and other policy services.
One of the most powerful foundational technologies to lean into during this journey is Privileged Access Management (PAM). PAM perfectly supports zero trust and enables a digital transformation across multiple, diverse use cases—from protecting human/machine privileged credentials to enforcing least privilege across all endpoints, applications, and systems, to securing all privileged sessions—whether on-premises or remote, employee, or vendor.
With all the above said, zero trust cannot be readily adapted to every area of a fintech IT environment. For instance, some legacy technologies require secure networking technologies to operate and may not fit with zero trust. PCI zones also don’t adapt well to zero trust since they rely heavily on the network for security and fixed security zones. Moreover, financial services/fintech organisations embracing cryptocurrencies may need to plan for a significant investment if they seek to overlay zero trust controls since there truly is no perimeter for these transactions.
Simply put, you need to understand that some cloud solutions, products, and tools will adapt more easily to zero trust than others. For example, a cloud-based solution that does not use local agents on endpoints will be more difficult to monitor for appropriate behaviour, to secure its communications, and to authorize at a granular level, as compared to something implemented with agents that can extend functionality to cover the tenets of zero trust. Agents can inherently go deeper into a resource than external APIs can, but agents require more maintenance and overhead to implement. This is a tradeoff when deciding on your zero trust design and implementation.
In addition, not all cloud solutions are built with security in mind. Weaknesses in communications, log storage and forwarding, and similar areas can all hinder the ability to meet zero trust principles.
A COE is a valuable model to establish a baseline for the operations in an office environment and employees working remotely. In the last two years, the COE has changed significantly due to the impact of COVID-19 and initiatives like digital transformation. Establishing the cloud as a baseline for any new technology to be deployed is a sound decision that can accommodate fintech workers operating anywhere and provide an on-ramp for enabling zero trust. All financial organisations should consider adopting zero trust. However, you should consider how your COE must change to make zero trust a reality for your environment.