Over the past 18 months, “unprecedented” surely ranks as one of the world’s most suddenly overused adjectives. With that said, the past 18 months have certainly been characterized by momentous shifts in how and where employees work and a massive acceleration in the pace of cloud technologies and digital transformation initiatives.
In this article, Morey Haber, the Chief Technology Officer and Chief Information Security Officer at BeyondTrust, explains why zero trust has become a necessity for fintech and how privileged access management helps deliver it.
During this juncture, cybercrime exploded, ransomware attacks increased 150% as average payouts nearly tripled, and once-in-a-decade breaches (SolarWinds, Colonial Pipeline, Verkada, JBS Foods) seemed to occur monthly. Of course, these events and occurrences are not unrelated.
The hasty, large-scale move to remote working—often made possible by over-stretching VPN, RDP and other technologies beyond their proper use cases—and the use of new digital technologies vastly expanded the attack surface. Zero trust is the concept now being broadly embraced to secure this increasingly de-perimeterized, digital world. In fact, according to a recent IDSA study, 93% of IT security professionals say zero trust is strategic to securing their organization.
Long ago, network security experts recognized that, no matter how good a firewall might be, network security can’t hinge on a single gateway. Additional layers of segmentation and authentication are necessary to separate different areas of trust and sensitivity, as well as to provide some further containment ability in case of a breach. This mindset helped lay the early foundation for zero trust principles.
While the term zero trust was coined in 1994, it was not “popularized” until 2010, when Forrester analyst John Kindervag created a model for the concept. However, as shown in the historical search volume data in the figure below, Google searches for “zero trust” were negligible as recently as six years ago, with a gradual increase followed by a big surge during the pandemic months. Obviously, a lot has changed.
With remote work, digital transformation, the proliferation of ransomware, and massive supply chain breaches (e.g. SolarWinds Orion), zero trust has finally catapulted from the realm of aspiration to one of necessity. It is also increasingly being spelled out in compliance initiatives. In May of this year, President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity explicitly called out that “the Federal Government must adopt security best practices; advance toward Zero Trust Architecture”.
Fintech and Supply Chain Security
Let’s focus on supply chain security for a moment. Section 4 of the Biden EO also laid out guidelines and goals for enhancing the security of software supply chains. While many of the guidelines pushed by the Federal government will be adopted in other security-conscious industries as best practices and incorporated into other compliance initiatives, fintech companies should particularly heed the relevance of supply chain security. After all, not only do financial services and fintech organizations count on the integrity of third-party software (e.g. SolarWinds Orion, Microsoft Exchange) to help run their businesses, but, at least in the case of fintech, they also provide technology (software, applications, mobile apps) that their customers rely on.
A key thing to understand about supply chain security is that a zero trust posture not only helps reduce the risk from attacks on your vendors and their software, but also helps ensure that the software and other technology products you provide to your own customers are not compromised, which may rank amongst the most damaging types of breach for any brand. No one wants to buy “tainted” software that risks opening backdoors for attackers across their environment.
The Fundamentals of Zero Trust
So, we’ve touched on the issues of why zero trust is needed, but how does zero trust work? While there are multiple frameworks (NIST, Forrester, etc.), at its core, zero trust aims to eliminate default and persistent trust, enforce continuous authentication, apply least privilege everywhere, and implement segmentation and micro-segmentation. A mature zero trust architecture (ZTA) will entail having visibility and control over who is doing what, and why, across the network.
In any zero trust environment, all access requests should be treated as potentially malicious. Two cornerstone tenets of zero trust are “always assume breach” and “always verify, never trust”. By embracing these tenets as security mantras, organizations can not only proactively prevent threat actors from breaching a network, but, just as importantly, prevent or impede lateral movement and privilege escalation, and rapidly identify and address potential threats.
A zero trust security posture reduces the threat surface, helping to protect against everything from simple malware to advanced persistent threats. It can not only help prevent attacks outright, but also stop the spread of, or otherwise mitigate, an attack in progress. And in a world where the expectation is increasingly that anyone can and will get breached, containment and rapid response are a critical capability set.
Privileged Access Management – Foundational to Zero Trust
Because of the many compliance regulations and standards they are expected to adhere to, including PCI-DSS, most fintech and financial services organizations will already have some basic privileged access management (PAM) controls in place. However, many organizations are unaware of the breadth and expansiveness of enterprise PAM platforms. PAM is one of the most critical pieces of zero trust, and maturing your privileged access security is recognized as arguably the most powerful way to reduce your attack surface and threat windows.
In the appendix to the 2021 edition of Verizon’s annual Data Breach Investigations Report (DBIR), the U.S. Secret Service commented: “Security postures and principles, such as proper network segmentation, the prevention of lateral movement, least privilege, and ‘never trust, always verify’ have proven to be strong indicators of an organization’s ability to prevent or recover from unauthorized presence in its network environment.” PAM is the identity-centric technology best poised to address these zero trust security controls and more.
Here are eight key ways privileged access management platforms help fintech achieve zero trust:
- Inventories all privileged assets to eliminate blind spots, spotlight shadow IT, and control access points
- Applies least privilege controls for every identity and account—human, application, machine, employee, vendor, etc.
- Enforces adaptive and just-in-time access controls based on context
- Implements segmentation and micro-segmentation to isolate various assets, resources, and users to restrict the potential for lateral movement
- Manages and enforces credential security best practices for all privileged passwords, secrets, and keys for accounts—whether for humans, non-humans, employees, or vendors
- Secures remote access with granular least privilege and adaptive capabilities well beyond those of VPNs, RDP, and other commonly used technologies
- Proxies access to control planes (cloud, virtual, DevOps) and sensitive or critical applications
- Monitors, manages, and audits every privileged session that touches the enterprise
PAM can even thwart those tricky fileless (living-off-the-land) attacks that are often at the heart of advanced persistent threats (APTs), ransomware, and other modern threats.
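As an added illustration of the decision logic these controls imply (example code written for this article, not BeyondTrust's or any product's implementation), the sketch below evaluates an access request default-deny: network location grants nothing, the MFA session must be fresh, the device must be compliant, the source and target segments must be allowed to talk, and any action beyond the least-privilege baseline needs a scoped, unexpired just-in-time grant. Segment names, field names and the sample scenarios are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
MAX_AUTH_AGE = timedelta(minutes=15)  # continuous verification: an MFA from this morning is not enough
# Constructed micro-segmentation policy: source segment -> target segments it may reach.
SEGMENT_POLICY = {"workstations": {"app-tier"}, "app-tier": {"db-tier"}, "bastion": {"db-tier"}}

@dataclass
class Request:              # one access request; every field is untrusted input until checked
    user: str
    mfa_verified_at: datetime  # None if the session never completed MFA
    device_compliant: bool
    source_segment: str
    target: str
    target_segment: str
    action: str             # "read" is the least-privilege baseline; anything else is privileged
@dataclass
class JitGrant:             # just-in-time privilege, scoped to one user/target/action and time-boxed
    user: str
    target: str
    action: str
    expires_at: datetime
def decide(req, grants, now):
    """Default deny: every check must pass; the first failure becomes the audit reason."""
    if req.mfa_verified_at is None or now - req.mfa_verified_at > MAX_AUTH_AGE:
        return False, "mfa-stale-or-missing"
    if not req.device_compliant:
        return False, "device-noncompliant"
    if req.target_segment not in SEGMENT_POLICY.get(req.source_segment, set()):
        return False, "segment-policy"  # network location never grants trust; it can only deny
    if req.action == "read":
        return True, "least-privilege-read"
    for g in grants:  # privileged action: needs a matching, unexpired JIT grant
        if (g.user, g.target, g.action) == (req.user, req.target, req.action) and g.expires_at > now:
            return True, "jit-grant"
    return False, "no-active-jit-grant"
NOW = datetime(2021, 7, 1, 12, 0, tzinfo=timezone.utc)

def demo():
    """Constructed scenarios; returns {scenario: (allowed, reason)} as an audit trail would record."""
    base = dict(user="alice", mfa_verified_at=NOW - timedelta(minutes=2), device_compliant=True,
                source_segment="bastion", target="db-prod-01", target_segment="db-tier")
    grants = [JitGrant("alice", "db-prod-01", "admin", NOW + timedelta(minutes=30)),
              JitGrant("alice", "db-prod-02", "admin", NOW - timedelta(minutes=1))]  # already expired
    return {
        "admin-with-jit": decide(Request(**base, action="admin"), grants, NOW),
        "admin-expired-jit": decide(Request(**{**base, "target": "db-prod-02"}, action="admin"), grants, NOW),
        "lateral-from-workstation": decide(Request(**{**base, "source_segment": "workstations"}, action="read"), grants, NOW),
        "stale-mfa": decide(Request(**{**base, "mfa_verified_at": NOW - timedelta(hours=2)}, action="read"), grants, NOW),
        "baseline-read": decide(Request(**base, action="read"), grants, NOW),
    }
```

The reason string is what a PAM platform would log for every decision, allowed or denied, so that the session audit trail explains why each request was treated as it was.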
For a deeper dive into how fintech organizations can implement zero trust and PAM to securely enable their hybrid workforce and infrastructure, I welcome you to join me and several other cybersecurity panellists on July 22 for the webinar: Securing Financial Organizations with Zero Trust, hosted by The Fintech Times.