Zero-trust access has become more popular across industries, but perhaps nowhere does the concept resonate more strongly than in financial services, where protecting sensitive data and enforcing “least privilege” access to information assets are critical to security and compliance.
In recent months, zero-trust access has arguably become the security term of the day: a buzzword indicating that companies should enforce more aggressive control over their assets, limit access more strictly (especially to their most sensitive information) and use managed services in the hope of reducing network security costs and the high overhead of technology support.
In principle, zero trust is “based on secure peer-to-peer (P2P) communication, conditional access and continuous authorization, as well as robust data protection for data at rest, in use and in transit, systematically applied to each session, regardless of the type or location of the applications being accessed, [which includes] legacy hosted applications, software as a service (SaaS), thick clients and web applications,” according to a recent release from management consulting firm Deloitte.
Indeed, earlier this week, the global consultancy launched its own managed zero-trust access service, to offer “a cloud-native approach to secure communications between users, on any device, and enterprise applications, wherever they reside,” according to Deloitte. “With innovative data protection leveraging secure microcontainer technology at the device level, Zero Trust Access helps protect infrastructure while enabling organizations to protect sensitive corporate data,” said Deloitte’s press release, “and enforce least privilege through dynamic access control to enterprise assets.”
According to Andrew Rafla, Leader of Deloitte Risk & Financial Advisory’s Zero Trust Offering and Principal at Deloitte & Touche LLP, the concept of zero trust has recently been “trendy across all industries and sectors, including financial services.”
“Some business drivers specific to financial services include the heightened focus and need for cyber resilience, increasingly complex and hyper-connected IT ecosystems, accelerating cloud adoption and digital transformation initiatives, mergers and acquisitions,” Rafla said, “and increased regulatory oversight for data privacy and geo-data sovereignty.”
Zero trust removes many of the potential regulatory and network security headaches simply by “removing the implicit trust within an information technology (IT) ecosystem and replacing it with a risk-based approach to accessing organizational resources across identities, workloads, data, networks and devices,” according to Deloitte. “This trend is gaining momentum, as legacy approaches to security architecture are no longer suitable for securing the ubiquitous nature of the modern enterprise.”
According to Rafla, legacy approaches to securing an organization’s IT ecosystem relied on layering a set of security controls at the physical and logical boundaries of the organization. “It might have been fit for purpose when all of an organization’s IT systems, data, and workforce were housed within the walls of their data centers and offices,” he said.
However, many financial institutions no longer house all of their assets and applications in company-owned data centers. Instead, they run hybrid environments, hosting applications in the public cloud, with increased adoption of software-as-a-service and platform-as-a-service (PaaS) solutions and an increasingly mobile and hybrid workforce.
“Ultimately, the concept of zero trust provides an agile and dynamic security foundation that is resilient to organizational change and flexible enough to meet the challenges imposed by modern business, workforce, security and technology trends,” Rafla added.
With so many third-party relationships to manage, zero trust offers “a modern approach to enabling and securing connectivity for managed service providers and other third parties,” especially for financial institutions, according to Rafla. “The basic principle is to ‘never trust, always verify’ every login request and only grant access to corporate resources once the source is authenticated, authorized and granted access to its intended destination.”
“Adopting modernized zero-trust capabilities enables [financial institutions] to enforce the concept of least privilege and ensure that third parties have access to the company assets they need to access, and nothing more,” he added. “These modernized controls should also include dynamic, continuous authorization so that every login attempt is queried and checked at the start of each connection attempt as well as throughout each connected session.”