FINANCE INDUSTRY MUST ADOPT ZERO TRUST APPROACH TO TACKLE SECURITY CHALLENGE FROM THE INTERNET OF THINGS

By Wieland Alge, VP & GM of EMEA at Barracuda Networks

Despite all the hype around the Internet of Things (IoT), it’s not as new as you might think. Webcams, printers and other machines have been connected and communicating over IP for almost a decade. Connectivity was once the preserve of IT professionals, who took ownership of and responsibility for devices connected to the Internet; now it’s a free-for-all where anyone and anything is online.

With the explosion of devices, cyber security takes on a whole new dimension for financial institutions: digital vulnerabilities expand exponentially, and the consequences for the finance and banking industry could be huge.

Firms are already investing heavily in cyber security. A recent BIS paper indicates that the UK financial sector is already spending over £700 million annually. The issue is also being managed at board level, with 86 per cent of banking and capital market CEOs identifying technological advances as the trend that will have the greatest impact on their businesses.

Ten years ago, the IoT (such as it was) was a big mess from a security point of view. Worms were spreading at immense speed as servers talked to each other without the involvement of administrators or users. The industry’s response was to incorporate basic security features into the architecture and since then there have been very few successful automated mass threats similar to those outbreaks in the early 2000s.

A decade on, and despite hundreds of millions of smartphones being permanently connected to the Internet, there have been no major pandemic threats. However, targeted attacks are on the increase and are incredibly easy to deploy. According to a recent report published by the British Bankers’ Association and PwC, seven in 10 banking chief executives see cyber security as a key risk to growth. Furthermore, global market watchdog the International Organisation of Securities Commissions (Iosco) has warned that the next major financial shock – or ‘black swan event’ – could come from a cyber-attack.

At present, there are many discussions about moving infrastructure to the cloud and it is conceivable that eventually many businesses will have almost no infrastructure on-premise. However, there will be other devices communicating via the Internet, such as smartphones, printers and light bulbs that will remain in situ and the threat surface will continue to increase.

Ironically, the infrastructure that IT has spent time and effort securing will be placed in an environment run by somebody else, while the business hosts more and more devices that it doesn’t manage or own. There is a danger that businesses could lose control of the devices and end up with an Internet of Foreign Things, where they are responsible for the infrastructure but do not own basic elements of it. There will be more and more IP addresses in the infrastructure that the business will have to control, even as the number of nodes it owns is drastically reduced. The security layer and tools will be transferred from devices to the network. IT will be charged with establishing a secure infrastructure where it doesn’t manage the devices or their communication.

As an analogy, think of how, in the past, printer companies communicated with printers via a dial-in modem, and the security around that was non-existent. Anyone who hacked into the printer/scanner/copier could access everything stored on the device’s hard disk, including contracts and documents. Imagine having thousands of scenarios like that. That’s what the future could be like: most of the devices on the IoT will have the same level of reliability and trust as those printers.

It is an ironic fact that the paradigm we developed in the second half of the 2000s, namely the self-defending networks with NAC/NAP frameworks, has now been turned upside down. Instead of creating a closed system by increasing device controls, we seem to be facing a world of utter anarchy in a system that we formerly called the internal corporate network.

In 2010, technology analyst firm Forrester Research came up with the concept of the zero trust network. Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust from the equation.

A zero trust network takes this basic insight into consideration and looks at the problem of security in the context of the bigger picture. All aspects of network infrastructure are moving at a speed that is quicker than the speed at which the traditional security approach is able to react. Your attack surface changes every day and your exposure to threats of all kinds changes with it. Additionally, the threats themselves are also changing at high speed.

In a zero trust network, none of the people or parts involved are granted complete trust. This is achieved with segmentation and containment. Many different types of firewall can be used to make sure that threats are detected and have limited effects. The firewalls of the future will be very varied. These firewalls will be required to follow the data, applications and users wherever they go so they will develop to become virtual, mobile or cloud-based. Firewalls will continue to be there to protect and guide users, their data and those that need to communicate with them.

What can be done? Security is not a puzzle or a problem to be solved; it’s a mess. Messes can only be managed and mitigated. Without a zero trust environment, there is no secure foundation.