By Nick Lowe, VP EMEA at Tufin
A growing problem
It is no secret that the financial services industry is one of the most targeted by cybercriminals across the globe, and the repercussions of a breach are devastating. From declining customer loyalty and plummeting stock values, to company and professional reputation – the consequences of an effective attack are both wide-ranging and destabilising. Equifax recently signed a settlement related to the 2017 data breach that resulted in the theft of information of over 146 million people. The company will reportedly pay at least $575 million, and potentially up to $700 million in damages. Staying secure is imperative for institutions to be successful.
While banks have been physically robbed for more than two centuries, technological advancements in the last 20 years have made it possible for thieves to steal funds from the comfort of their own living rooms. Hackers and fraudsters are keen to make a financial killing and are constantly trying to find new ways to breach financial services’ security systems. In April 2018 alone, seven UK banks were threatened by a single coordinated attack and institutions often face specific, targeted assaults by coordinated group efforts called Advanced Persistent Threats (APTs).
Keeping a financial service secure when the internal systems are unlikely to change is easier to ensure effective preparation, but also unlikely. The business will require making essential access changes which can create a new, potentially vulnerable, access path. When it comes to making changes to improve internal processes and enable business agility, it is important those managing such initiatives are careful not to provide unnecessary access that opens a path of attack for hackers to compromise the organisation. You can almost guarantee that if you are the one responsible for negligence of a breach, it will be your job on the line.
So, how can financial organizations’ IT security teams empower the business by delivering critical connectivity without damaging consequences? Below are the problems financial services face when managing security policies and how automation provides the answer.
Centralising security policy
Many financial services have complex security policies that are not documented or referenceable, and therefore cannot be integrated throughout a process. When essential application connectivity needs to be supported, security configurations often need to be changed across each vendor device or platform and may conflict with organizational policies.
For example, consider that DevOps and IT security teams have differing priorities regarding how work should be carried out. While IT security professionals are characterised as meticulous and risk-averse, ensuring their organisation’s network access change process is compliant and secure, the typical application developer operates outside this security review process and simply ensures connectivity between application resources. As such, there are two common scenarios that organizations may encounter. The first is that IT security is often seen as an obstacle – they are managing a large volume of requests and treat each request as equal unless escalated by the business or due to a security incident. While security is ensured, it often comes at the expense of timeliness. The second possible scenario is that DevOps will bypass security, so connectivity is ensured quickly, but without any sort of security check or ability to review. Both scenarios incur unacceptable sacrifices to the business. So how do financial organizations achieve both security and agility?
Automation removes this headache from the equation and instead lets both teams become more efficient in meeting their respective goals. Automating risk assessments of change requests saves the security team from reviewing every request, and automated design and implementation eliminates misconfigurations and mistakes. And once policy is centralised, change management is consistent and auditable across your organization. In cases where automated risk assessment is integrated into the application CI/CD pipeline, companies can develop and secure in parallel speed.
Four steps to protection
In order to keep data and finances secure, businesses need to follow these steps to eliminate or limit the extent of breaches. This is done through:
- Define the security policy baseline of the organization
- Segment the network to align to the security policy
- Develop an automated change management process with built-in risk assessment
- Manage the designation and recertification of access exceptions
Attacks typically fall between, or at, two extremes. APTs are often silent intruders that will dwell in your network for a prolonged period of time to carefully navigate the network without alerting security of their presence. This is often done by using existing access to navigate across different network segments to gain access to the desired assets, or through the compromise of credentials. The least patient of attacks are fully automated – trick an employee or third party with access to the network to install malware and automate the detection of other vulnerable hosts and exploit them through available access. In either scenario, through proper planning and effective network segmentation, businesses can maintain a network that limits access and prevents hackers from easily completing their objective. Additionally, this requires the compromise of multiple network segments before an attack is successful, providing more time for incident detection.
To realize the above security benefits, organisations need to define a centralised security policy in order to identify violations, and to ensure changes made across the heterogeneous and hybrid network don’t introduce new risk. A centralised and integrated security policy is foundational to the network environment that effectively leverages automation and orchestration – to save time and resources, improve compliance, and increase security.
Protection necessitates automation
While many organisations are often caught in limbo between staying secure or prioritising connectivity, automation helps to maximize both to ensure their networks, processes, employees, and customer data are secure while keeping pace with internal and external business initiatives. Centralizing security policy management across physical, SDDCs and hybrid cloud platforms gives CISOs control by tracking all security and network changes. They define and enforce their security policy across their different vendors and platforms, through a single pane of glass to do what IT security is meant to do – secure the business without slowing it down.