FINANCE INDUSTRY MUST ADOPT ZERO TRUST APPROACH TO TACKLE SECURITY CHALLENGE FROM THE INTERNET OF THINGS

By Wieland Alge, VP & GM of EMEA at Barracuda Networks

Despite all the hype around the Internet of Things (IoT), it’s not as new as you might think. Webcams, printers and other machines have been connected and communicating over IP for almost a decade. Connected devices were once the preserve of IT professionals, who took ownership of and responsibility for them; now it’s a free-for-all where anyone and anything is online.

With the explosion of devices, cyber security takes on a whole new dimension for financial institutions: digital vulnerabilities expand exponentially, and the consequences for the finance and banking industry could be huge.

Firms are already investing heavily in cyber security. A recent BIS paper indicates that the UK financial sector is already spending over £700 million annually. The issue is also being managed at board level, with 86 per cent of banking and capital market CEOs identifying technological advances as the trend that will have the greatest impact on their businesses.

Ten years ago, the IoT (such as it was) was a big mess from a security point of view. Worms were spreading at immense speed as servers talked to each other without the involvement of administrators or users. The industry’s response was to incorporate basic security features into the architecture and since then there have been very few successful automated mass threats similar to those outbreaks in the early 2000s.

A decade on, and despite hundreds of millions of smartphones being permanently connected to the Internet, there have been no major pandemic threats. However, targeted attacks are on the increase and are incredibly easy to deploy. According to a recent report published by the British Bankers’ Association and PwC, seven in 10 banking chief executives see cyber security as a key risk to growth. Furthermore, global market watchdog the International Organisation of Securities Commissions (Iosco) has warned that the next major financial shock – or ‘black swan event’ – could come from a cyber-attack.

At present, there are many discussions about moving infrastructure to the cloud and it is conceivable that eventually many businesses will have almost no infrastructure on-premise. However, there will be other devices communicating via the Internet, such as smartphones, printers and light bulbs that will remain in situ and the threat surface will continue to increase.

Ironically, the infrastructure that IT has spent time and effort securing will be placed in an environment run by somebody else, while the business hosts more and more devices that it doesn’t manage or own. There is a danger that businesses could lose control of the devices and end up with an Internet of Foreign Things, where they are responsible for the infrastructure but do not own basic elements of it. There will be more and more IP addresses in the infrastructure that businesses will have to control, even as the number of nodes they own is drastically reduced. The security layer and tools will be transferred from devices to the network. IT will be charged with establishing a secure infrastructure where it doesn’t manage the devices or their communication.

As an analogy, think of how, in the past, printer companies communicated with printers via a dial-in modem, and the security around that was non-existent. Anyone who hacked into the printer/scanner/copier could access everything stored on the device’s hard disk, including contracts and documents. Imagine having thousands of scenarios like that. That’s what the future could be like, with most of the devices on the IoT having the same level of reliability and trust as those printers.

It is an ironic fact that the paradigm we developed in the second half of the 2000s, namely the self-defending networks with NAC/NAP frameworks, has now been turned upside down. Instead of creating a closed system by increasing device controls, we seem to be facing a world of utter anarchy in a system that we formerly called the internal corporate network.

In 2010, technology analyst firm Forrester Research came up with the concept of the zero trust network. Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust from the equation.

A zero trust network takes this basic insight into consideration and looks at the problem of security in the context of the bigger picture. All aspects of network infrastructure are moving at a speed that is quicker than the speed at which the traditional security approach is able to react. Your attack surface changes every day and your exposure to threats of all kinds changes with it. Additionally, the threats themselves are also changing at high speed.

In a zero trust network, none of the people or parts involved are granted complete trust. This is achieved with segmentation and containment. Many different types of firewall can be used to make sure that threats are detected and have limited effects. The firewalls of the future will be very varied. They will be required to follow the data, applications and users wherever they go, so they will develop to become virtual, mobile or cloud-based. Firewalls will continue to be there to protect and guide users, their data and those that need to communicate with them.

What can be done? Security is not a puzzle or a problem to be solved; it’s a mess. Messes can only be managed and mitigated. Without a zero trust environment, there is no secure foundation.