By Arshad Noor, CTO, StrongKey
Technology is evolving so rapidly that it leaves IT security professionals gasping for breath.
Keeping a financial services organization’s data safe can seem like mission impossible, but focusing on the application layer will eliminate the vast majority of data breach risks.
Within this layer, the information received, stored and processed must have the following three properties to ensure security:
- Authenticity,
- Confidentiality, where appropriate, and
- Trustworthiness.
This article provides best practices for banks and other financial institutions to make sure that their data meet these three criteria, also referred to as ACT.
What is Authentic Data?
When a power company bills a customer for power consumption, the meter reading must pertain to the specific customer, originate from an authorized meter and be accurate. This makes the information authentic. When data is accepted as being “authentic,” it establishes an initial level of trust in the data. However, an initial level of trust does not necessarily make data trustworthy later, unless the proper controls are in place.
Not all devices that produce data have security components built into them to guarantee data authenticity—the cost is still too high for general-purpose computing. As a result, the world has learned to use proxies to attest to the authenticity of information. The meter-reader is trained to identify customers’ premises, read meters and record data into information systems, all of which are proxies for the data’s authenticity.
The technology used to authenticate humans to information systems is the vulnerability in such a proxy-based system. If an information system can be tricked into accepting a masquerader as the “authentic source” (which most current systems can) then assumptions that data are authentic fall apart.
In addition to authenticity, confidentiality is another critical data attribute necessary to preserve stable business ecosystems. Data breaches that destroy confidentiality weaken the foundations of such ecosystems. Some of the largest and best-known financial services organizations in the world have been affected by data breaches, including Equifax, JPMorgan Chase, Bangladesh Central Bank (through the Federal Reserve Bank of New York) and Veridian Credit Union.
The reason for most data breaches is the incorrect assumption that it is easier to stop “barbarians at the gate” rather than actually protect sensitive data in the application. Financial institutions over-invest in network-based security tools, such as firewalls, anti-virus, malware detection or intrusion prevention, rather than invest in the control mechanism that provides the highest level of data protection: application-level encryption.
Financial services organizations that use anything other than application-level encryption have a higher probability of getting breached. Data security today requires multiple strategies to deter attackers. Short of eliminating sensitive data from a system, encrypting and decrypting data within authorized applications (combined with a hardware-backed, cryptographic key management system) provides strong data protection control. When combined with FIDO-based strong authentication, risk management becomes formidable.
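The following is an added example, not code from the article or from StrongKey, of what "encrypting and decrypting data within authorized applications" looks like in practice: a single sensitive column is encrypted with AES-256-GCM before it reaches the database, so the database, its backups and any privileged DBA see only ciphertext. The key handling is an assumption for the demo: the 32-byte key is generated in memory here, whereas the article's model has it generated and held by a hardware-backed key manager. The record ID is bound as associated data so a ciphertext cannot simply be copied from one customer's row into another's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// FieldCipher encrypts individual sensitive columns inside the application,
// so the database, its backups and any privileged DBA only ever see ciphertext.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher wraps a 32-byte data-encryption key with AES-256-GCM.
// Assumption: in production this key is generated and held by a
// hardware-backed key manager; the caller never writes it to disk or config.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("data-encryption key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Encrypt returns base64(nonce || ciphertext || tag) for one field value.
// The owning record's ID is bound as associated data, so a ciphertext copied
// from one customer's row into another's will not decrypt.
func (c *FieldCipher) Encrypt(recordID string, plaintext []byte) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// Decrypt reverses Encrypt; it fails on a wrong key, a modified ciphertext or
// a record ID that does not match the one the value was encrypted under.
func (c *FieldCipher) Decrypt(recordID, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	n := c.aead.NonceSize()
	if len(raw) < n+c.aead.Overhead() {
		return nil, errors.New("stored value too short to be a valid ciphertext")
	}
	return c.aead.Open(nil, raw[:n], raw[n:], []byte(recordID))
}

func main() {
	// Constructed demo key; a real deployment fetches it from the key manager.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}

	// A simulated customer row: only the account number is sensitive.
	row := map[string]string{"customer_id": "cust-1001", "name": "A. Example"}
	row["account_number"], err = fc.Encrypt(row["customer_id"], []byte("4111111111111111"))
	if err != nil {
		panic(err)
	}
	fmt.Println("what the database stores:", row["account_number"])

	// The authorized application decrypts under the correct record ID...
	pt, _ := fc.Decrypt("cust-1001", row["account_number"])
	fmt.Println("application sees:", string(pt))

	// ...while the same ciphertext pasted into a different row is rejected.
	if _, err := fc.Decrypt("cust-2002", row["account_number"]); err != nil {
		fmt.Println("moved ciphertext rejected:", err)
	}
}
```

The point of doing this in the application rather than relying on disk or database encryption is that a compromised database account, a stolen backup or a DBA query all return the same base64 blob; only a process holding the key can recover the plaintext, which is why the key itself must live outside the database host.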
Making Data Trustworthy
Being able to trust the data is the third key to security. However, because of how standard database management systems are designed, it is always possible for a privileged user to modify data-at-rest directly without the knowledge of the application or users who created the record.
This risk is not easily mitigated, even when controls are in place so that the database system tracks changes and stores audit logs offline that privileged users cannot access. This is because even database management systems use usernames and passwords to authenticate users and applications. The probability of an attacker using a legitimate user’s compromised password to modify information in the database is very high—creating a breakdown in data trustworthiness.
Most applications today function on the premise that information stored within their databases is accurate. Even application programmers and system administrators are constrained in protecting the integrity of data for a variety of reasons: lack of knowledge, lack of resources, lack of business imperative, etc. It is possible to implement FIDO-based strong authentication and application-level encryption but still remain vulnerable to integrity attacks on data unless additional security capabilities are designed into the system.
Developing a data security strategy to preserve trustworthiness includes implementing digital signatures for both user transactions and stored database records. Transaction digital signatures using FIDO-based protocols are one of the strongest risk mitigation protection mechanisms to ensure only authorized users are capable of modifying stored data.
Similarly, transactions stored in databases must be secured using digital signatures generated by the applications themselves; the cryptographic key performing application-level signatures must be inaccessible to any human user—privileged or otherwise. Upon reading a database record, the application must verify the signature of the retrieved record before attempting to use it. Only when the signature is verified successfully can the application be sure it is using the same data it stored previously.
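As an added illustration of the store-then-verify pattern just described (example code, not the article's or StrongKey's own), the block below has the application sign each transaction record with an Ed25519 key before writing it and verify the signature after reading it back. The key is generated in memory here as an assumption for the demo; in the article's model it sits in a hardware-backed key manager and is never exportable to any human. The simulated "privileged user" edit at the end changes the stored amount directly, bypassing the application, and the read path refuses the record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is the business record the application writes to the database.
// Field order is fixed by the struct, so json.Marshal yields a canonical byte
// string that both the signer and the verifier reproduce exactly.
type Transaction struct {
	ID          string `json:"id"`
	Account     string `json:"account"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
}

// StoredRow is what actually lands in the table: the record plus the
// application's signature over its canonical form.
type StoredRow struct {
	Tx  Transaction `json:"tx"`
	Sig []byte      `json:"sig"`
}

// ErrTampered is returned when a row read back does not verify.
var ErrTampered = errors.New("record signature does not verify; refusing to use record")

// RecordSigner holds the application's signing key. Assumption: in production
// the private key lives in a hardware-backed key manager and is never
// exportable to a human, privileged or otherwise.
type RecordSigner struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewRecordSigner() (*RecordSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RecordSigner{priv: priv, pub: pub}, nil
}

// Store signs the canonical record before it is written.
func (s *RecordSigner) Store(tx Transaction) (StoredRow, error) {
	msg, err := json.Marshal(tx)
	if err != nil {
		return StoredRow{}, err
	}
	return StoredRow{Tx: tx, Sig: ed25519.Sign(s.priv, msg)}, nil
}

// Load re-canonicalizes the row as read from the database and verifies the
// signature before handing the record to business logic.
func (s *RecordSigner) Load(row StoredRow) (Transaction, error) {
	msg, err := json.Marshal(row.Tx)
	if err != nil {
		return Transaction{}, err
	}
	if !ed25519.Verify(s.pub, msg, row.Sig) {
		return Transaction{}, ErrTampered
	}
	return row.Tx, nil
}

func main() {
	signer, err := NewRecordSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample transaction.
	row, err := signer.Store(Transaction{ID: "tx-42", Account: "acct-7", AmountCents: 12500, Currency: "USD"})
	if err != nil {
		panic(err)
	}
	if tx, err := signer.Load(row); err == nil {
		fmt.Printf("verified: %+v\n", tx)
	}

	// Simulate a privileged user editing the stored amount directly with SQL,
	// bypassing the application: the signature no longer matches.
	row.Tx.AmountCents = 1250000
	if _, err := signer.Load(row); errors.Is(err, ErrTampered) {
		fmt.Println("tampering detected:", err)
	}
}
```

Two practical points follow from the code. The signed bytes must be canonical: sign the struct's fixed-order JSON, never a string the database driver happens to return, or legitimate rows will fail to verify. And a per-row signature detects modification of a row's contents but not deletion of the row or its replacement with an older, validly signed copy; the offline audit log the article mentions, or a sequence number included in the signed fields, is what closes that gap.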
Financial institutions are responsible both to their customers, who entrust them with their personal information, and to a variety of data security and privacy regulations. Defending data through strong authentication, encryption and digital signatures provides extraordinarily high levels of security because it assumes an attacker may already be within the network and/or host and, if designed correctly into the application, can still protect data from being compromised.
When designed with appropriate cryptographic key management, authenticity, confidentiality and trustworthiness (ACT) protections create formidable barriers. While they are not infallible, they are the strongest risk mitigation technologies available today. In the past, implementation was a challenge due to the cost and complexity of integrating such technologies into business applications. But with today’s new market offerings, this is no longer true.
Today’s information systems work under an enormous security burden. Attackers from the far corners of the earth are capable of compromising systems as easily as an attacker next door. The above guidelines create powerful mechanisms to protect financial information, users and investments. Following them will ensure the authenticity, confidentiality and trustworthiness of your data.
About the author:
Arshad Noor is the CTO of StrongKey, a Silicon Valley-based company focused on securing data through key management, strong authentication, encryption and digital signatures. He has 32 years of experience in the Information Technology sector, of which more than 17 were devoted to architecting and building key-management infrastructures for dozens of mission-critical environments around the world, including Central Banks. He has been published in periodicals and journals, as well as authored XML-based protocols for two Technical Committees at OASIS. He is a member of the FIDO Alliance, and also a frequent speaker at forums such as RSA, ISACA, OWASP and the ISSE. He can be reached at email@example.com.