Ian Collard, Managing Director of Identity Methods, examines the role of Zero Trust and explains how banks and financial institutions can better protect their systems.

The 20^th anniversary commemoration of 9/11 to remember those lost on that tragic day served as a stark reminder of the role that terrorism continues to play in our own country and around the world. But, it also served to highlight that while the potential for physical terrorist attack has certainly not gone away, the nature and scope of hostile attack has evolved and taken on an ever more sinister guise. This year’s Microsoft Exchange cyber attack[1] resulted in the European Banking Authority’s email servers becoming severely compromised, while a dramatic escalation in cyber attacks on financial institutions prompted Australian banking officials to describe such activity as ‘the biggest risk in banking’[2].

Such attacks draw attention to the vulnerabilities of major financial targets now in the sights of criminal gangs, terrorist units and nation-state threat actors. In May 2021, US President Joe Biden made an announcement that would change the way we think about cybersecurity: the US had to improve its digital defences. Biden’s ‘Executive Order on Improving the Nation’s Cybersecurity’ represents a big step forward in the way we think about and respond to cyber threats. A key part of Biden’s instruction revolves around a concept called ‘Zero Trust’, which is set to soon become the standard in security and is cybersecurity’s biggest change in years.

Long-term access and its pitfalls

Cyber-criminals focus on weak points in the security infrastructure of financial institutions to gain access to highly targeted and lucrative data. We therefore need to understand what can be done to remedy this situation. The first step is recognising that the basic plumbing of cybersecurity depends on the way computers trust each other, as well as the way they trust human users. After satisfying checks, like a password, a location or some other factor, such as a code sent to a phone, people, programmes and systems get ‘trust’, a license to roam in permitted parts of an organisation’s digital space.

At this point, the system’s users can upload and download data, and change, move and create digital information. When security blunders happen, the amount of trust we give individuals, tasks and computer systems can mean the difference between a costly breach and a minor incident.  Unfortunately, an overly generous amount of trust is quite common among the cyber defences of many organisations. With increasingly sophisticated ransomware technology, this implicit digital trust only helps today’s hackers. They are able to dwell undetected for longer before making their move, allowing them to learn more about the systems they’ve unlawfully accessed. This situation makes less tech-savvy employees more likely to be the source of a breach without realising, until it’s too late.

Of course, organisations can provide training to make their staff more aware of the risks. But reducing digital trust to a minimum is the most important way to lower the risk of an attack. This means that we need to widely adopt a Zero Trust approach to cybersecurity. A Zero Trust approach means that your cyber defences never allow long-term access to information and continuously check that any access is in keeping with a strict set of policies; whether automated or user-generated. Advice on what these policies should look like has been set out by the US Government’s National Institute for Science and Technology (NIST) using guidelines that are reviewed every few years[3]. These have been largely adopted by the UK Government[4], among others.

Never trust, always verify

The end goal of a Zero Trust approach is a state of never trusting and always verifying digital activity. This way, we ensure constant vigilance and reduce access to information for employees and computer processes down to a need-to-know structure. By setting Zero Trust policies, we grant access to resources and networks only when it’s really needed and remove access as soon as it’s not. This way, permissions don’t linger, denying attackers the chance to spread widely around your network.

Getting these Zero Trust policies right is a bespoke process. Every financial and banking organisation works differently, but there are rules of thumb. If your organisation assumes high levels of trust in its approach to cybersecurity, stolen usernames and passwords can give away excessive levels of access to intruders. This quickly becomes difficult to trace, amplifying the damage they can do. With Zero Trust, an organisation needs to be clear on what kind of access its users need, mapping out their identities against the permissions they require. While this process represents an investment of both time and business resources, the protection gained is immense. It prevents a small human error from snowballing into a massive, costly mistake from which it can be much harder to recover.

The challenge of secure flexible working

While transitioning to Zero Trust is important, COVID-19 has made it imperative. Traditional cybersecurity has always relied on implied trust. As an example, consider the offices of a modern investment bank. Users physically working inside the building are trusted, gaining large amounts of access to resources. Anyone outside the office building is not trusted, thus gaining no access. Note that this is entirely based on their location; when they’re in the office, trust is automatically granted. With the mass shift to more flexible working patterns, this approach is no longer practical.

Security must now centre on what the individual user is doing, not on implied factors like their location. After all, humans are the critical security factor. Most breaches happen because of human error, for example, downloading viruses from spam emails or giving passwords away to fake websites operated by criminals. Done well, with policies that follow official guidelines, Zero Trust saves people from themselves.

In an age of flexible working and hyperscale computing, we have the opportunity to adopt a more intelligent approach to security with Zero Trust. Banking and financial institutions of all varieties can reduce the possibility of cyber attack. In the process, hybrid working between home and the office becomes more secure, more reliable and more business-friendly, while being supported by government-backed standards. In a time of huge change and upheaval, Zero Trust represents a unique chance for progress in our digitally connected world.

Find out more about Zero Trust: https://identitymethods.co.uk/zero-trust-a-complete-guide/

Author Bio:

Ian Collard – Founder and Managing Director, Identity Methods

Ian is a successful managing consultant and business development professional with 35 years of involvement in the cyber technology and digital security sector. Since 2011, Ian has utilised his skill and understanding to grow Identity Methods into a specialised, high-value consultancy and service delivery organisation. He now leads an established solutions and professional services provider catering to a variety of clients – from multinational, blue-chip organisations seeking to ensure continuity and competitive strength, to ambitious start-ups looking to improve their security and organisational posture. Ian leads Identity Methods’ product and service selection and its strategic partnerships.

About Identity Methods:

Identity Methods helps organisations of all sizes adopt a Zero Trust framework for IT security. Through a consultancy-first approach and tailored solutions & services, it eliminates implicit trust from an organisation’s digital network. This facilitates greater control of the identity and data lifecycle, fortifies the enterprise, and reduces expenditure. Founded in 2011 in the UK, Identity Methods is an independent company working with carefully selected strategic partners to maximise the value and security from IAM, governance and monitoring solutions. With service expertise in banking & finance, higher-ed, media & IT and transport & logistics, Identity Methods’ best-in-breed approach greatly enhances security and organisational posture. To get to Zero Trust with Identity Methods visit:

www.identitymethods.co.uk

 

[1] https://www.afr.com/companies/financial-services/cyber-is-the-biggest-risk-in-banking-today-20210330-p57f5n

[2] https://www.afr.com/companies/financial-services/cyber-is-the-biggest-risk-in-banking-today-20210330-p57f5n

[3] https://www.nist.gov/publications/zero-trust-architecture

[4] https://github.com/ukncsc/zero-trust-architecture