Zero trust: Never trust, always verify



Series: Four essential tech trends for the banking industry

How can banks introduce futureproof technologies to keep up with their competitors? The series ‘Technology trends for banks’ explores four technology trends that are essential for banks to thrive in a digital society. With shifting enterprise environments and the introduction of data-driven technologies, banks need to fundamentally reassess their cybersecurity standards. A Zero Trust approach allows banks to effectively futureproof the security of their digital assets.

Safeguarding trust

A bank’s most valuable asset is customers’ trust. However, this trust is at risk when it comes to cybersecurity. According to Sandra Mavimbela, Manager Cyber Strategy at Deloitte Cyber Risk Services, cyberattacks in the banking industry are becoming more frequent and more sophisticated. “Cyber criminals are always looking for new weaknesses to exploit,” she explains. “Because of their size and the fact that they handle valuable transactions, banks are interesting targets.”

Essential ICT and data management modernisations in the banking industry can result in new cybersecurity risks. Reviving core systems, cloud migration, the introduction of automated decision-making models, and remote office technology are examples of developing and shifting enterprise environments that generate vulnerabilities. The growth of smart devices, 5G, edge computing, analytics and artificial intelligence results in more data and connections, and also leads to an increasing attack surface.

“Banks have heavily invested in cybersecurity and most banks currently have decent cyber threat response systems,” says Lourens Bordewijk, Director Risk Advisory at Deloitte Cyber Risk Services. “But as enterprise IT environments are developing rapidly and cyber criminals are always adjusting to the new circumstances, it’s important that security departments keep up with the fast-changing threat and IT landscapes.”

Cyberattacks in the banking industry

The IT infrastructure of banks can be divided into customer-facing frontend systems and internal backend systems. “Hackers try to attack both,” says Mavimbela. Common attacks on frontend systems involve fraud on online channels, such as phishing scams in which people are tricked into clicking on a link with malicious software. “No matter how sophisticated your security systems are, humans are often the weakest link in the system,” Mavimbela explains.

Attacks on the backend systems of banks are less frequent but can have a high impact. A notorious example is the Bangladesh Bank cyber heist, in which hackers issued fraudulent transactions via the SWIFT network to illegally transfer close to 1 billion US dollars. Another example is the SolarWinds Supply Chain Cyberattack, in which hackers exploited a software update and got access to 18,000 SolarWinds customers, including many in the financial services industry.

“Supply chain attacks are not new, but on the rise again and particularly worrisome because these attack vectors have been overlooked in the past and were not always covered during system design,” says Bordewijk. “With adequate precautions such as threat modelling during system design, segmentation and monitoring of untrusted third-party software, the impact of these cyberattacks can be easily prevented, detected and contained.”

Zero Trust: technology companies provide best practices

In a lot of organisations, cybersecurity investments are prompted by incidents. Zero Trust, on the other hand, entails fundamentally reassessing the approach to cybersecurity of the organisation and the skills, processes and technology that support it. “Zero Trust is not one solution, but a set of controls and design principles that guides decision-making in your security architecture and that you instil in your organisation,” explains Mavimbela.

The concept of Zero Trust is to always treat your infrastructure as if it’s breached. It assumes that no user, workload, device or network can be inherently trusted. Every access request should be validated on all available data points, including user identity, device, location and other variables. This can result in both tightening existing cybersecurity measures and procedures, and implementing additional ones. Further simplifying, integrating and automating the security technology stack are also part of Zero Trust, and help to improve the efficiency of security teams and streamline security processes and operations.

Technology companies such as Google, Microsoft and Netflix have already integrated a Zero Trust approach to cybersecurity throughout their organisation. For banks this is harder to achieve, since they often do not have a unified IT landscape and have to deal with legacy systems from different mergers and acquisitions. However, technology companies do provide best practices that banks can implement, such as least-privileged access, micro-segmentation, and automated detection of unusual behaviour based on trust scores. “Banks already do this to some extent, but there are more high-impact Zero Trust controls that banks can implement,” Mavimbela explains. “The more you can standardise and automate, the more your security teams can focus on the more complex issues.”
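The per-request validation and trust-score idea described above, sketched as a small policy decision function. This is an added example, not code from the article or from any company it names; the roles, signal weights, thresholds and country baselines are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: (role, resource, action) triples that are permitted.
# Least privilege: anything not listed here is denied.
ENTITLEMENTS = {
    ("payments-operator", "payments-api", "submit"),
    ("payments-auditor", "payments-api", "read"),
}
# Constructed baseline of countries each user normally connects from.
USUAL_COUNTRIES = {"alice": {"NL"}, "bob": {"NL", "DE"}}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    mfa_passed: bool
    device_managed: bool
    device_patched: bool
    country: str

def trust_score(req):
    """Combine identity, device and location signals into a 0-100 score."""
    score = 40 if req.mfa_passed else 10        # identity assurance
    score += 20 if req.device_managed else 0    # device is enrolled
    score += 20 if req.device_patched else 0    # device health
    score += 20 if req.country in USUAL_COUNTRIES.get(req.user, set()) else 0
    return score

def decide(req, allow_at=90, step_up_at=60):
    """Return 'allow', 'step_up' (re-authenticate) or 'deny' for one request."""
    # Least privilege first: no entitlement means deny, whatever the score.
    if (req.role, req.resource, req.action) not in ENTITLEMENTS:
        return "deny"
    # Only trusted/secured devices may reach the resource at all.
    if not req.device_managed:
        return "deny"
    score = trust_score(req)
    if score >= allow_at:
        return "allow"
    return "step_up" if score >= step_up_at else "deny"

if __name__ == "__main__":
    usual = AccessRequest("alice", "payments-operator", "payments-api",
                          "submit", True, True, True, "NL")
    print(trust_score(usual), decide(usual))
```

Every call to `decide` re-evaluates the request from scratch, so a session that was allowed from a healthy device is challenged or denied as soon as one of its signals changes.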


The way forward: implementing Zero Trust step-by-step

The move towards Zero Trust requires significant change effort and planning. “Zero Trust is not a one-click solution,” warns Bordewijk. “In fact, it might take decades before banks have fully integrated Zero Trust throughout the organisation and it might be too expensive.” This means that banks need to prioritise where impactful security improvements are most needed. “Start with a pilot,” recommends Bordewijk. “For example, try to implement several high-impact Zero Trust controls for the new cloud environment or for critical payment systems on-prem.”

Start by identifying the attack surface, modelling relevant security threats and agreeing on the scope of the project, says Bordewijk. Optionally, perform a red team exercise to measure the current risk exposure. Then consider several high-impact, best-practice Zero Trust controls: validating and strengthening endpoint security and measuring endpoint health and risk score; implementing strong, adaptive authentication (e.g. for identities, devices, services and applications); micro-segmenting assets at risk; tailored monitoring; least-privileged access to, and encryption of, critical data sets; and allowing access only from trusted/secured devices. Afterwards, security tests or red team exercises are performed to measure the realised risk reduction.

It can be tempting to put off implementing high-impact security controls until it is too late. “That’s why it is important to continuously measure the attack surface and effectiveness of critical security measures and demonstrate their value to the board of the organisation,” says Bordewijk. This helps to develop a business case for your security programme and contributes to an effective security architecture that can be reused in other parts of the organisation.

Ultimately, each bank that adopts Zero Trust will need to determine what approach best suits their unique environment. This includes balancing risk profiles with impactful controls to be implemented. Adoption and standardisation of impactful Zero Trust controls can help the security department to keep up with the increasingly changing threat and IT landscapes, says Bordewijk. “High-impact Zero Trust controls should become part of every modern enterprise (cloud) environment.”

