Zero-trust access has become more popular across all sectors — but perhaps nowhere does the concept resound more strongly than in financial services, where protecting sensitive data and enforcing “least privilege” access to information assets is critical to security and compliance.
In recent months, zero-trust access has arguably become the security term du jour — a buzz phrase, denoting that enterprises should enforce more dynamic control over their assets, more strictly limit access (particularly to their most sensitive information) and utilize managed services to hopefully reduce network security costs and high overhead for technology support.
In principle, zero trust is “built upon secure peer-to-peer (P2P) communication, conditional access and continuous authorization, as well as robust data protection for data at-rest, in-use, and in-transit are consistently applied to each session, regardless of the type or location of the applications being accessed, [which includes] legacy hosted applications, software-as-a-service (SaaS), thick-client and web-based applications,” according to a recent release from management consultancy Deloitte.
Indeed, earlier this week, the global consultancy launched its own zero-trust access managed service, to offer “a cloud-native approach to securing communications between users, on any device, and enterprise applications, wherever they may reside,” according to Deloitte. “With innovative data protection leveraging device-level secure microcontainer technology, zero trust access helps protect infrastructure while also enabling organizations to protect sensitive enterprise data,” said the Deloitte release, “and enforce least privilege through dynamic access control to enterprise assets.”
According to Andrew Rafla, Deloitte Risk & Financial Advisory’s zero trust offering leader and a principal with Deloitte & Touche LLP, the concept of zero trust has lately been “trending across all industries and sectors, including financial services.”
“Some business drivers specific to financial services include the increased focus on and need for cyber resilience, increasingly complex and hyper-connected IT ecosystems, acceleration of cloud adoption and digital transformation initiatives, mergers & acquisitions,” Rafla said, “and increasing regulatory oversight for data privacy and geo-specific data sovereignty.”
Zero trust removes a lot of the potential regulatory and network security headaches simply by “removing implicit trust within an information technology (IT) ecosystem and replacing it with a risk-based approach to accessing organizational resources across identities, workloads, data, networks and devices," according to Deloitte. “This trend is gaining momentum, given legacy approaches to security architecture are no longer suitable to secure the ubiquitous nature of the modern enterprise.”
Legacy approaches to secure an organization’s IT ecosystem relied on layering a set of security controls at the organization’s physical and logical boundaries, according to Rafla. “This may have been fit for purpose when all of an organization’s IT systems, data, and workforce were housed within the walls of their data centers and office spaces,” he said.
However, many financial institutions no longer host all of their assets and applications in corporate-owned data centers. Instead, they have a hybrid environment, hosting applications in the public cloud, with increased adoption of software-as-a-service and platform-as-a-service (PaaS) solutions and an increasingly mobile and hybrid workforce.
“Ultimately, the zero-trust concept offers an agile and dynamic security foundation that is resilient to organizational change and flexible enough to deal with the challenges imposed by modern business, workforce, and technology trends,” Rafla added.
With so many third-party relationships to manage, zero trust offers “a modern approach to enabling and securing connectivity from managed service providers and other third parties,” especially for financial institutions, according to Rafla. “The core principle is to ‘never trust, always verify’ each connection request and to only grant access to enterprise resources only after the source is authenticated, authorized, and entitled to access its intended destination.”
“Embracing modernized zero-trust-enabled capabilities allows [financial institutions] to enforce the concept of least privilege and ensure that third parties have access to the enterprise assets they need to get to, and nothing more," he added. “These modernized controls should also embrace dynamic and continuous authorization such that each connect attempt is interrogated and verified at the beginning of each connect attempt as well as throughout each connected session.”