Connect with us

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website. .

Business

ECB compliance is driving security policy automation
ECB compliance is driving security policy automation

Published : , on

By Nick Lowe, VP EMEA at Tufin

The pace of digital transformation and explosion in new apps within the banking sector has brought  huge challenges.  For security teams tasked with managing security policies from the network down to the application level, lack of visibility can cause significant security and compliance issues. The fundamental issue of what can talk to what, across the network, is one that many would struggle to comprehensively answer.

Yet this is the issue which banks must get on top of in order to comply with ECB regulations as published in its assessment guide for the security of internet payments. These requirements cover a range of security measures including: evidence access to applications and workloads are limited to those who need to do so for their job; certification of proper implementation and a full, tamper-proof audit trail covering the entire time period under review.

Collating and presenting this information manually to auditors presents several significant challenges for banks and many of those that attempt to do so by hand are likely to fail due to the complexity and resource demands of the task, compounded by the requirement for an audit trail.

However, these challenges can all be met through automation. With a comprehensive, automated security policy discovery, provisioning and verification system that integrates into permission and access workflows, banks will be able to present accurate, timely information regarding the business justification of security policies, and how all assets are complying and have remained compliant throughout the given timeframe.

The race for tech

Nick Lowe

Nick Lowe

The C-level executives of traditional banks are now clambering to innovate using technology. They see banking moving from a point of sale, personal contact, brick and mortar model to one that is highly agile and always available to customers by deploying fintech solutions. These older institutions want to be able to better compete with those digital challenger banks that don’t have huge amounts of money and resources locked up in running branches or even large offices. The result is that these smaller banks can provide all the same services to customers at a fraction of the cost of their older, more established rivals.

Yet the more complex traditional banks’ network topologies become as they move towards more technology-based models, the greater the risk that their systems will be exposed to and compromised by threat actors. This is the very reason that the ECB has decided to conduct these audits.

The penalties for not complying with such audits is not yet clear. However, where an audit finds applications that are not running safely, the auditors could give the organisation time to fix the issue or demand that the application is decommissioned until the issue is resolved. This latter option could have severe consequences on the business if the application provides a key function. No bank will want to have to risk losing functionality due to an audit failure.

Compliance without automation is a struggle

While the requirement for the IT security of banks to be audited only started this year, the ECB has been consulting on the process since before 2014. While they may have had time to plan, many have underestimated the complexity of the task.

These banks thought that if they had a defined list of policies controlling network connectivity to their apps and who was authorized to access them, this would then satisfy the ECB. But what has happened is that the banks have discovered that controlling access has become complex. To be compliant banks must undertake multiple different actions, including maintaining documentation of every access request, its justification, its business owner and whether it was approved.

Each access request must also be connected to its firewall or device rule. These rules must also have a defined business owner, and all must be confirmed to be compliant against the firm’s standards.

There must also be a high level of control over access rights by both human users and application. Apps that have been changed or decommissioned should have access removed in a timely fashion, while user rights should be governed by a least privilege approach – users should only have access to resources required by their job role.

Finally, there must be separation of duties (the person requesting a change should not be the one who approves or provisions it), and a tamper-proof audit trail must be implemented to capture all changes made over a defined time period.

This is compounded by the fact that hundreds or even thousands of policies that define access are nested and are being changed constantly by other users within the organisation.

In effect, banks have created a giant hair ball of hundreds of interconnected policies and applications, where if one element is changed it could have a knock-on effect elsewhere in the system. For audit purposes, this needs to be untangled and presented in a way that can be readily understood to demonstrate compliance.

Initially, some banks thought this could be managed through spreadsheets, while others believed it would be possible to manage the process with data management tools, such as Splunk. However, these need to be continually maintained and only provide a snapshot for audit purposes. Not only that, but this work can take a significant number of employee hours each year to complete. As such, the hoped for streamlining through introducing tech is dramatically curtailed.

How automation can help

Most banks now recognise that automation is the key to completing these audits successfully. Automated solutions will instantaneously review a change request against relevant standards to see if they are compliant. This will instantly create a ticket that will indicate if the change is low risk, enabling the security team to act upon it. In the case where the action is benign, these can be approved straight away. There will be exceptions that will require additional analysis before they can be approved. Finally, in the instances where there is a major conflict or high-risk access request the security team will be able to prevent this action from happening and ask the user to reconsider and find another option.

Automation allows the security team at any time to show the auditors the current state of their policy management. What could take several weeks or months to achieve manually, can now be done in a matter of minutes. This will create a list of access requests that are compliant, approved or are an exception.

If the prime objective of banks for moving over to a more technology-based model is to become more agile and streamlined, it makes sense that their auditing processes help meet this objective.  The benefits will extend beyond audit to productivity, associated cost savings, and improved security posture. Greater use of network security policy orchestration and automation technologies allows banks to complete ECB audits at the push of a button.

Uma Rajagopal has been managing the posting of content for multiple platforms since 2021, including Global Banking & Finance Review, Asset Digest, Biz Dispatch, Blockchain Tribune, Business Express, Brands Journal, Companies Digest, Economy Standard, Entrepreneur Tribune, Finance Digest, Fintech Herald, Global Islamic Finance Magazine, International Releases, Online World News, Luxury Adviser, Palmbay Herald, Startup Observer, Technology Dispatch, Trading Herald, and Wealth Tribune. Her role ensures that content is published accurately and efficiently across these diverse publications.

Global Banking & Finance Review

 

Why waste money on news and opinions when you can access them for free?

Take advantage of our newsletter subscription and stay informed on the go!


By submitting this form, you are consenting to receive marketing emails from: . You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Post