How a zero-trust architecture can help accelerate digital transformation for financial institutions without sacrificing regulatory compliance

Simplification, consolidation, and modernization of security infrastructure build a solid business case for accelerating transformation.

By Nate Smolenski, Head of Cyber Intelligence Strategy, Netskope

In the highly regulated financial services sector, every significant change in technology can have an impact that cascades from compliance with internal controls to affect regulatory requirements. Every niche within the financial services industry has various, and often overlapping, control requirements that are dictated by an assortment of regulatory bodies and industry-specific councils. Operating within a landscape that is perpetually in flux; while simply trying to determine the causality applicable to a new business endeavor, technology transformation, organizational changes, or approach to monetize a given dataset, can be challenging.

Regulations may be designed with the good intention of protecting customers’ funds and personal information, but they can also make it much more challenging for financial institutions to introduce new capabilities for customers, create new revenue streams, or otherwise modernize their technology infrastructure. 

The move to the cloud, from a controls perspective, is by definition a shift away from a traditional responsibility/internal controls model, of managing the entire stack of data, applications, hardware infrastructure, and often all the related controls for the physical facilities housing everything. The transition to a shared responsibility model where you are relying on third and nth party suppliers for key controls and varying elements of security can be challenging for any organization, but for a heavily regulated business like a financial institution, the implications can cause more than some hesitation. 

Nevertheless, organizations in the financial services sector have actively been moving more and more critical applications, workloads and storage to the cloud. Where initially there was a “lift and shift” strategy to take advantage of infrastructure-as-a-service scalability and cost savings opportunities; challenges with simply moving legacy enterprise-developed applications to the cloud became clear. The costs associated with refactoring legacy applications to realize cloud efficiencies and the massive increase in the availability of core business applications as SaaS platforms have enabled a multi-faceted approach to cloud adoption for the enterprise; refactor and re-architect what I cannot buy as SaaS and quickly move to SaaS for widely available core business needs. The potential organizations see to transform, simplify, modernize, and increase efficiency throughout operations makes the cloud transition worth the varying efforts to clear security, risk, and regulatory hurdles. 

This does not mean that the aforementioned hurdles are low, but that organizations in the financial sector are finding approaches to effectively gain visibility into a multitude of risks and are focused on protecting their applications and data in the cloud. Key among these approaches is the adoption of principles related to a zero-trust architecture.

Adaptive Trust, Contextual Visibility, & Improved Risk Management

Leveraging zero trust principles as part of an architectural design framework can help balance the benefits of shifting to the cloud without sacrificing regulatory compliance. In fact, federal government agencies are already facing a mandate to move to a zero-trust architecture by the end of fiscal year 2024. The Biden administration’s memorandum M-22-09 describes the transition to zero trust security as providing “a defensible architecture” for an environment in which agencies “can no longer depend on conventional perimeter-based defenses to protect critical systems and data.” 

With the federal government moving towards a zero-trust architectural mandate, financial services firms can reasonably expect their myriad regulators may also soon follow suit.

While the shift to a zero-trust architecture may be increasingly mandated for certain industries, the good news is that there are very real benefits to making this transition beyond simply meeting a mandate or a new set of regulatory requirements. A financial institution undertaking digital transformation—building an increasingly diverse cloud-based technology infrastructure—is in an excellent position to leverage this kind of change initiative to “reset” and rethink its approach to security.

Zero trust represents a paradigm shift in design and architectural thinking. The legacy security design mindset implicitly trusts any device, user, or application that is validated by control mechanisms guarding the perimeter. Traditionally, organizations invested heavily in architectures that featured perimeter protections, allowing for freer movement within that perimeter, meaning that the activities of external bad actors or insiders who intentionally or unintentionally violated policies often went unchecked with nearly free rein to cause all kinds of disruptions. 

By contrast, a zero-trust architectural design is built on the idea that no individual, device, application, or activity being actioned is ever fully trusted. Instead of just verifying identity and permissions at a traditional network perimeter, a zero trust architecture continuously performs validations, based upon many different contextual data elements to ensure that only the correct resources (i.e. applications, data, etc) are being accessed and only approved activities are being transacted based upon certain conditions that may change very dynamically based upon how a user may be working at any given time. Essentially, the goal is to remove implicit trust and allow for “trust” to be a continuum that is constantly challenged and adjusted based on varying conditions. The goal is to leverage the visibility and the context that can be derived from it to effectively limit the blast radius of a bad actor who may get past an initial perimeter control to reduce the scope of potential impact. 

Strict limitations on lateral movement throughout the internal network lead to much stronger security company-wide. Establishing more visibility that leads to controlling and monitoring access to applications and data, it also goes a long way to help ensure that any organization is meeting core cybersecurity regulatory requirements.

Gaining Efficiency in Today’s Tight Labor Market

At the same time, a cloud-fueled transformation can enable an organization to improve operational efficiency and user experience. In fact, the simplification, consolidation, and modernization opportunities available from adopting cloud infrastructure, offer a powerful justification for making the transition.

Consider a firm that has 100 locations and is currently hosting five core business systems across the locations. These systems must be available to onsite users, to remote users, and to those who are typically in the office but are traveling or otherwise offsite. The corporate IT, networking, and security teams are responsible for product updates, patching, maintenance, and other support needs across those core systems to ensure availability, integrity, confidentiality, and a consistent user experience for 100’s or 1000’s of users. Understandably, the labor costs and time consumption for IT, networking, and security teams mount rapidly.

Now, consider the benefits to that firm of offloading the management and maintenance of the underlying hardware and software platforms to a cloud provider. In-house staff can focus on application configuration issues, user support, and more strategic planning and decision-making. 

This approach can offer big efficiency benefits in any economy. Especially in today’s tight labor market, when skilled networking and security professionals are both expensive and hard to find, cloud applications can be a lifeline to more effective operations and security. They can free up staff to use their expertise in ways that add more value than performing the same change management activities, patching exercises, and maintenance over and over.

Efficiency and Security for M&A and Audits

Mergers and acquisitions present another efficient use case for zero trust. As we enter a period of economic volatility and uncertainty, businesses that find themselves on solid footing may leverage their position to grow their organization through M&A.

What zero trust principles offer in this scenario is the ability for the parties to a merger or acquisition to core applications and data that are necessary to support a new operating entity. Newly aligned business partners can grant colleagues access to any services or systems they need while keeping them out of areas they do not need. The dynamic architectures that zero trust principles make possible can save both companies substantial time and money by accelerating corporate transactions, while at the same time ensuring crucial data and applications stay secure.

Simplicity is the Ally of Effective Security

Zero trust architectures are not a one-off project, nor are they a single solution. It is a journey on the road to digital transformation. When any organization has launched a zero-trust architectural approach to securing resources companywide, it does not then check a box and consider its security or transformation to be complete. 

Like every other security philosophy, zero-trust architectures require continuous refinement through an ongoing feedback loop. As both our businesses and the bevy of bad actors continue to evolve and change, so too must our security strategies and approaches to solving problems. 

Simplification, consolidation, and modernization can bring major improvements in efficiency and security while creating massive opportunities for savings.

And because complexity is the enemy of security, zero-trust architectures improve efficiency while improving protection for users, data, and applications. What more could an organization’s technology and security teams want?