Zero Trust Security & its implications on Banking Industry - Brillio
Aditya Pande January 5, 2023

Zero Trust has been a hot topic among CISOs in recent weeks because of several major cyberattacks. The largest cryptocurrency exchange in the world revealed that a blockchain breach resulted in the theft of assets valued at $570 million. The fragility of current systems was also shown by large system breaches at big tech businesses like Uber and Rockstar Games.

These surprising events uncover an eye-opening revelation: humans are often the weakest link in the system. They have highlighted the systemic problems in real-world implementations of single sign-on and multifactor authentication, which makes zero trust security a panacea for this plaguing issue.

The concept of Zero Trust is not new, but the technology has only recently begun to catch up, making this hitherto hypothetical model a reality and inspiring great enthusiasm. Many companies are now introducing new products to the market that make bold claims and promise to change the game. In this blog, we’ll cut through the hoopla to explain what Zero Trust is, the business motivations behind it, and the advantages it may have for the banking industry.

Conundrum of Castle & Moat

Despite the proliferation of cyber technology and the ambitious efforts of the Blue and Red teams at big organisations, many leading companies continue to grapple with cyber threats.

The castle-and-moat paradigm has severe limitations when it comes to safeguarding today’s corporate digital estate, because emerging cyberthreats have redefined what it means to guard and defend. Banks are one significant business that uses distributed networks of data and applications that are available both locally and online to partners, clients, and employees. It is increasingly difficult to defend the castle’s walls. The moat, while successful at keeping out external opponents, is likewise ineffective at defending against internal dangers like compromised identities or other users. Thus, the lack of a holistic security approach never ceases to be a point of concern in the financial institution’s tale of woes.

What is Zero Trust Security? And why should banks care?

Zero trust is a framework built on the belief that implicit trust is always a vulnerability. As the name suggests, security should be designed around the principle, in its crudest form, of “Never trust, always verify.” A crucial component of zero trust is least-privileged access, which establishes trust based on context (e.g., user identification and location, the endpoint’s security posture, the app or service being requested) with policy checks at each stage.

A software vulnerability can be patched once it’s disclosed — but knowing a company’s employees can be fooled by a particular kind of request leaves security executives with few options for fixing the problem.

The majority of banks today have functional cyber threat response systems thanks to their significant investments in cybersecurity. But because organisational IT infrastructures are evolving quickly and cybercriminals are always adapting to the new conditions, it’s critical that security teams stay on top of the swiftly shifting threat and IT landscapes.

Let’s have a look at the Zero Trust Principles

  • Verify Explicitly: Anomalies, user identification, location, device health, service or workload, data classification, and authorization should all be considered when authenticating and authorizing.
  • Least Privileged Access: To safeguard both data and productivity, restrict user access using just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection.
  • Assume Breach: Restrict entry and reduce the blast radius. To get visibility, drive threat detection, and strengthen defences, confirm end-to-end encryption and leverage analytics.
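
To make the three principles concrete, here is an added example (not from the original post or from any Brillio product) of a minimal policy decision function in Python. The signal names, country list, risk thresholds and sample grant are all constructed for illustration: every request is checked against every signal, access exists only as a time-boxed grant for one action on one resource, and the default outcome is deny with the failed checks returned for logging.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Constructed policy values for illustration; not taken from any bank or product.
ALLOWED_COUNTRIES = {"IN", "US"}
MAX_RISK = {"public": 0.8, "internal": 0.5, "restricted": 0.2}  # per data classification

@dataclass(frozen=True)
class Grant:
    """Just-in-time, just-enough access: one user, one resource, one action, with expiry."""
    user: str
    resource: str
    action: str
    expires: datetime

@dataclass(frozen=True)
class Request:
    user: str
    phishing_resistant_mfa: bool
    device_compliant: bool
    country: str
    resource: str
    action: str
    data_class: str
    risk_score: float  # 0.0 normal .. 1.0 anomalous, supplied by analytics

def decide(req, grants, now):
    """Evaluate every signal on every request; return (decision, failed_checks)."""
    failed = []
    if not req.phishing_resistant_mfa:
        failed.append("mfa")
    if not req.device_compliant:
        failed.append("device")
    if req.country not in ALLOWED_COUNTRIES:
        failed.append("location")
    # Unknown classifications get a ceiling of 0.0, so any nonzero risk is denied.
    if req.risk_score > MAX_RISK.get(req.data_class, 0.0):
        failed.append("risk")
    if not any(g.user == req.user and g.resource == req.resource
               and g.action == req.action and g.expires > now for g in grants):
        failed.append("no_active_grant")
    return ("deny" if failed else "allow"), failed

# Constructed sample: a 30-minute read grant on a payments ledger.
NOW = datetime(2023, 1, 5, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("teller01", "payments-ledger", "read", NOW + timedelta(minutes=30))]
OK = Request("teller01", True, True, "IN", "payments-ledger", "read", "restricted", 0.1)

if __name__ == "__main__":
    print(decide(OK, GRANTS, NOW))
    print(decide(OK, GRANTS, NOW + timedelta(hours=1)))
    print(decide(replace(OK, action="write", risk_score=0.6), GRANTS, NOW))
```

The same valid credentials are refused once the grant lapses or the request drifts outside the granted action, which is the behaviour a perimeter-only model does not provide.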

The way forward

The transition to Zero Trust calls for intensive planning and change efforts. In fact, it may take decades for banks to fully implement Zero Trust across their entire organisation, and it may also be too expensive. This means that banks must give priority to the areas where significant security upgrades are required. Run a trial programme, for instance, or try to install numerous high-impact Zero Trust measures for the new cloud environment or for crucial on-premises payment systems.

Banks and financial institutions could leverage these five pillars of the CISA Zero Trust Maturity Model for a better implementation of Zero Trust security:

  1. IDENTITY
     • Use of corporate resources controlled by a single person system for administration and access.
     • MFA implemented at the application layer that is resistant to phishing.
  2. DEVICE
     • Complete and accurate device inventory.
     • Device health and compliance are ensured prior to enabling authorization.
     • Installation of endpoint detection and response (EDR) tools and established information sharing capabilities.
  3. NETWORK/ENVIRONMENT
     • Strategically segmented networks with monitoring to identify behavioural anomalies.
     • Encryption of all Domain Name System requests, HTTP traffic and emails in transit.
  4. APPLICATION WORKLOAD
     • Applications treated as internet connected.
     • Applications routinely subjected to rigorous testing.
     • Repeatable, immutable workload deployment.
  5. DATA
     • Data identified, inventoried, classified, labelled, and protected.
     • Enterprise-wide logging and information sharing.

Each bank that embraces Zero Trust will ultimately need to choose the strategy that best fits its circumstances. But many of them aim to look at the business through a threat-led lens. This includes identifying critical assets and sensitive data, exploring how these assets and data are currently stored and accessed, pinpointing potential weaknesses, implementing resolution plans, and balancing risk profiles with the necessary controls that will be put in place.

In other words, if banks wish to neutralise dangers in the future, they must remain cautious. They will also need to accept this new reality for what it is, rather than clinging to antiquated defence methods. The security department can keep up with the rapidly evolving threat and IT landscapes by adopting and standardising effective Zero Trust policies.

About the Author

 

Aditya Pande

Working as a Consultant for the Product & Platform Engineering practice at Brillio. MBA graduate majored in Marketing and IT. Experienced in designing deal solutions, providing design-thinking-led consulting, developing GTM strategies across various verticals.
