By Nick Lowe, VP EMEA at Tufin
The pace of digital transformation and explosion in new apps within the banking sector has brought huge challenges. For security teams tasked with managing security policies from the network down to the application level, lack of visibility can cause significant security and compliance issues. The fundamental issue of what can talk to what, across the network, is one that many would struggle to comprehensively answer.
Yet this is the issue which banks must get on top of in order to comply with ECB regulations as published in its assessment guide for the security of internet payments. These requirements cover a range of security measures, including: evidence that access to applications and workloads is limited to those who need it for their job; certification of proper implementation; and a full, tamper-proof audit trail covering the entire time period under review.
Collating and presenting this information manually to auditors presents several significant challenges for banks and many of those that attempt to do so by hand are likely to fail due to the complexity and resource demands of the task, compounded by the requirement for an audit trail.
However, these challenges can all be met through automation. With a comprehensive, automated security policy discovery, provisioning and verification system that integrates into permission and access workflows, banks will be able to present accurate, timely information regarding the business justification of security policies, and how all assets are complying and have remained compliant throughout the given timeframe.
The race for tech
The C-level executives of traditional banks are now clamouring to innovate using technology. They see banking moving from a point-of-sale, personal-contact, brick-and-mortar model to one that is highly agile and always available to customers by deploying fintech solutions. These older institutions want to be able to compete better with the digital challenger banks that don’t have huge amounts of money and resources locked up in running branches or even large offices. The result is that these smaller banks can provide all the same services to customers at a fraction of the cost of their older, more established rivals.
Yet the more complex traditional banks’ network topologies become as they move towards more technology-based models, the greater the risk that their systems will be exposed to and compromised by threat actors. This is the very reason that the ECB has decided to conduct these audits.
The penalties for not complying with such audits are not yet clear. However, where an audit finds applications that are not running safely, the auditors could give the organisation time to fix the issue or demand that the application be decommissioned until the issue is resolved. This latter option could have severe consequences for the business if the application provides a key function. No bank will want to risk losing functionality due to an audit failure.
Compliance without automation is a struggle
While the requirement for the IT security of banks to be audited only started this year, the ECB has been consulting on the process since before 2014. While they may have had time to plan, many have underestimated the complexity of the task.
These banks thought that if they had a defined list of policies controlling network connectivity to their apps and who was authorised to access them, this would satisfy the ECB. What has happened instead is that the banks have discovered that controlling access has become complex. To be compliant, banks must undertake multiple different actions, including maintaining documentation of every access request, its justification, its business owner and whether it was approved.
Each access request must also be connected to its firewall or device rule. These rules must also have a defined business owner, and all must be confirmed to be compliant against the firm’s standards.
There must also be a high level of control over access rights for both human users and applications. Apps that have been changed or decommissioned should have their access removed in a timely fashion, while user rights should be governed by a least-privilege approach – users should only have access to the resources required by their job role.
Finally, there must be separation of duties (the person requesting a change should not be the one who approves or provisions it), and a tamper-proof audit trail must be implemented to capture all changes made over a defined time period.
This is compounded by the fact that hundreds or even thousands of policies that define access are nested and are being changed constantly by other users within the organisation.
In effect, banks have created a giant hair ball of hundreds of interconnected policies and applications, where if one element is changed it could have a knock-on effect elsewhere in the system. For audit purposes, this needs to be untangled and presented in a way that can be readily understood to demonstrate compliance.
Initially, some banks thought this could be managed through spreadsheets, while others believed it would be possible to manage the process with data management tools, such as Splunk. However, these need to be continually maintained and only provide a snapshot for audit purposes. Not only that, but this work can take a significant number of employee hours each year to complete. As such, the hoped-for streamlining from introducing tech is dramatically curtailed.
How automation can help
Most banks now recognise that automation is the key to completing these audits successfully. Automated solutions will instantaneously review a change request against the relevant standards to see if it is compliant. This instantly creates a ticket that indicates whether the change is low risk, enabling the security team to act upon it. Where the action is benign, it can be approved straight away. There will be exceptions that require additional analysis before they can be approved. Finally, where there is a major conflict or a high-risk access request, the security team will be able to prevent the action from happening and ask the user to reconsider and find another option.
Automation allows the security team to show the auditors the current state of their policy management at any time. What could take several weeks or months to achieve manually can now be done in a matter of minutes. This will produce a list of access requests that are compliant, approved or an exception.
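The controls listed above (every access request recorded with its justification, business owner and linked firewall rule; separation of duties between requester and approver; a tamper-proof audit trail) and the automated triage just described (low risk, exception, or blocked) can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from Tufin or from the ECB guide. The "firm standard" (prohibited zone pairs, high-risk ports, sensitive zones), the zone and rule names, and the sample requests are all constructed assumptions; a real deployment would pull the standard and the rule base from the organisation's own policy sources.

```python
"""Added example: minimal access-request workflow with separation of duties,
standards-based risk triage and a hash-chained (tamper-evident) audit log.
All zones, ports, rule IDs and requests below are constructed for illustration."""

import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed "firm standard" (assumption, not any real bank's policy).
PROHIBITED_PAIRS = {("internet", "core-banking")}   # never allowed, whatever the port
HIGH_RISK_PORTS = {22, 3389, 445}                   # admin/file-sharing ports need review
SENSITIVE_ZONES = {"core-banking", "cardholder-data"}


@dataclass
class FirewallRule:
    rule_id: str            # the device rule the request maps to
    src_zone: str
    dst_zone: str
    port: int
    business_owner: str     # every rule must have a named owner


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    justification: str
    business_owner: str
    rule: FirewallRule
    risk: str = "unclassified"
    status: str = "pending"
    approver: Optional[str] = None


class AuditLog:
    """Append-only log; each entry commits to the SHA-256 of the previous entry,
    so editing or deleting any earlier record breaks verify()."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, **details) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "event": event, "details": details, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def classify(rule: FirewallRule) -> str:
    """Triage a rule against the standard: 'blocked', 'exception' or 'low'."""
    if (rule.src_zone, rule.dst_zone) in PROHIBITED_PAIRS:
        return "blocked"
    if rule.port in HIGH_RISK_PORTS or rule.dst_zone in SENSITIVE_ZONES:
        return "exception"
    return "low"


class Workflow:
    def __init__(self) -> None:
        self.log = AuditLog()
        self.requests: Dict[str, AccessRequest] = {}

    def submit(self, req: AccessRequest) -> str:
        if not req.justification.strip():
            raise ValueError("business justification is required")
        req.risk = classify(req.rule)
        if req.risk == "blocked":          # high-risk conflict: stop it before provisioning
            req.status = "rejected"
        self.requests[req.request_id] = req
        self.log.append("submitted", request_id=req.request_id, requester=req.requester,
                        rule_id=req.rule.rule_id, owner=req.business_owner,
                        risk=req.risk, status=req.status)
        return req.risk

    def approve(self, request_id: str, approver: str) -> str:
        req = self.requests[request_id]
        if approver == req.requester:      # separation of duties
            self.log.append("sod_violation", request_id=request_id, actor=approver)
            raise PermissionError("requester may not approve their own request")
        if req.status != "pending":
            raise ValueError(f"request {request_id} is {req.status}, not pending")
        req.status = "approved" if req.risk == "low" else "approved-exception"
        req.approver = approver
        self.log.append("approved", request_id=request_id, approver=approver, status=req.status)
        return req.status

    def report(self) -> List[dict]:
        """The view an auditor asks for: each request, its rule, owner and outcome."""
        return [{"request": r.request_id, "rule": r.rule.rule_id, "owner": r.business_owner,
                 "risk": r.risk, "status": r.status, "approver": r.approver}
                for r in self.requests.values()]
```

The `report()` output is the compliant / approved / exception list the text refers to, and `AuditLog.verify()` is the check an auditor would run to confirm the trail has not been altered since the entries were written. Persisting the log somewhere the workflow itself cannot rewrite (a separate append-only store) is what turns "tamper-evident" into "tamper-proof" in practice.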
If the prime objective of banks for moving over to a more technology-based model is to become more agile and streamlined, it makes sense that their auditing processes help meet this objective. The benefits will extend beyond audit to productivity, associated cost savings, and improved security posture. Greater use of network security policy orchestration and automation technologies allows banks to complete ECB audits at the push of a button.