Addressing Challenges of Zero Trust Implementation within Banking Infrastructures
In this article
The banking sector has been embracing the digital transformation movement for quite some time, but the unexpected events of 2020, that required employees to uproot and work from anywhere, forced organizations to execute on an effective digital strategy, and fast. Soon after was the SolarWinds hack that had security leaders scrambling to find ways to adequately close security gaps, update architecture, and keep data protected.
It's 2021, and for now, the corporate network is still extended into living rooms; workloads are being consumed by laptops on the kitchen counter. Never before has segmentation been more difficult to implement.
In 2020, 70 percent of financial services organizations instilled strict work from home (WFH) policies, all while having to adhere to ever-stringent regulation requirements for data security and privacy. The organizations that are now thriving made the smart choice to close security gaps in the remote work landscape by applying the principles and architecture of a Zero Trust model. Let's explore what this means.
What is meant by "Zero Trust"?
Zero Trust is based on a simple principle: "never trust, always verify." Sounds great, right? It is. But it's also much easier to say than to implement and comes with its own set of challenges if not executed properly.
Unlike other security models, a Zero Trust model takes a 360-degree view of a corporate network to include people, devices, networks and workloads — all drilling down to an abstract of a "requestor" and a "resource." This full-view angle is now essential because of the various endpoints and complex cloud infrastructures within the banking sector. As such, a 2020 report on endpoint devices and BYOD found that 63 percent of organizations are concerned about data leaks originating with the personal device.
Proving its efficacy during these challenging times, the Zero Trust model is rapidly going mainstream. NIST released a paper last year offering guidelines for a Zero Trust Architecture (ZTA). One of the four suggested architectures of a ZTA is the use of micro-segmentation (zones). Each operational segment would have similar security policies (think services and functions), appropriate security measures, and access controls applied. The ability to create secure zones fits well with the expanded network of remote work devices. Security policies within a ZTA can be used to control and secure traffic between and within each zone.
This is a more fluid approach to security that can keep up with an ever-changing landscape that is persistently threatened by security gaps. But, as mentioned before, it comes with its own challenges.
Five challenges of Zero Trust deployment
Implementing a a Zero Trust model into your organization can be demanding and requires a certain standard of deep data analyses, people and devices. The objective is to establish an integrated process involving research and deployment that aligns perfectly with its respective environment. Here are the top five challenges to consider before adopting a Zero Trust model.
Challenge 1: The retrofit effect
An estimated $3 trillion flows through legacy banking systems daily. With this staggering figure, it's clear that legacy technology is holding banks back by hindering digital transformation efforts.
Typically, older legacy systems are not compatible with a Zero Trust model. A Zero Trust approach requires the ability to control access at a granular level and allow for on-the-fly, dynamic verification. Many older technology applications cannot offer this level of control, verification or authentication.
Challenge 2: Integration and third parties
The various technologies and operations that come in to play, particularly when it comes to supply chain and extended endpoint devices pose an added challenge to Zero Trust integration.
The Zero Trust process begins with granular scanning and discovery, looking at how to identify users and allocate corresponding user privileges, in addition to determining which applications are in use, what devices are used, flow of system traffic, and behavior patterns. On top of this, endpoints may require configuration upgrades or new agent installations, complicating the Zero Trust approach even further. Further, this level of scrutiny in assessing accounts, roles, and permissions may require additional management overhead.
Challenge 3: Remote work
Remote work has been on the rise, but the 2020 pandemic forced thousands of bank employees to work from home with unsecure internet connections, causing logistical hurdles of epic proportion; adding Zero Trust at this time, with its micro-segmentation requirements and the decision-making that goes with it adds another layer of complexity.
Challenge 4: Technology
While targeted financial technology (fintech) applications are currently at the center of infrastructure transformation, where exactly does Zero Trust fit in? Which approach can better support the environment? If we look at this critically, fintech's particular solutions are integrated (or patched in) to a "Frankenstein body" of a network. Therefore, these solutions are at the mercy of the existing infrastructure.
Zero Trust, however, can be effectively used to address the existing network by applying Zero Trust architecture and solutions, and then containing/controlling the fintech solution being applied. To this effect, Zero Trust supports the working environment that supports the fintech application, reducing potential threats and closing security gaps in network and application infrastructures.
The challenge arises with the unification issues across hybrid networks and cloud infrastructures that hinder micro-segmentation and verification, particularly if a certain app or platform cannot run on a specific cloud provider infrastructure. Certain workloads will have an affinity to one of the three leading cloud service providers (AWS, Microsoft Azure, Google Cloud) or operate best while on-premise ONLY, and testing/validation is the best method for all critical applications and systems.
Challenge 5: The data
A fundamental principle of Zero Trust is mapping the data lifecycle and analyzing how users are accessing and interacting with sensitive information. This information underpins micro-segmentation design; that is, knowing what to segment, what protection measures are required and when, and what access controls are needed, including who receives privileged access rights. A further challenge for banking institutions is having to take the data-centric needs of Zero Trust and applying them to any legacy data silos.
WWT's end-to-end approach to Zero Trust
Zero Trust has what it takes to fulfill security goals within the banking infrastructure, but it requires the type of end-to-end approach that only WWT can deliver. Top global financial organizations are relying on WWT's experienced consultants and best-in-class solutions to overcome challenges faced while adopting a Zero Trust approach.
WWT's strategy for supporting a Zero Trust adoption involves an extremely client-specific methodology, where we start by understanding the fundamentals — technologically and operationally — that make the organization run, then devise a comprehensive plan according to specific requirements and goals, near- and long-term, and then execute on every facet of deployment and integration until the solution is operational and valuable. Key factors include location of sensitive data, how applications/workloads communicate and function, identity and access management (IAM) infrastructure and operational priorities.
WWT's full-lifecycle Zero Trust implementation approach consists of a process that includes technical workshops to define policies and develop a strategic roadmap, environment assessments, operational planning, and vision-to-value services that deliver measurable business goals for years to come.