Most industries today must adopt zero-trust security, and banking most of all. Why? This section explains the reasons.
What Is Zero Trust Security?
Zero trust security is a concept based on the zero-trust model. The zero-trust model assumes that the network is completely untrusted and that every device on it is compromised.
The following are some of the foundations of the zero trust model:
The core assumption of the model is that there are no trusted devices in the network. This means that administrators must assume that every device in their network is compromised and treat it accordingly.
Controlling access by authenticating every one of the following:
- user,
- resource, and
- device in the enterprise.
Zero trust security also assumes that users, resources, and devices have limited or no access to other devices.
Now, why does banking need to adopt zero trust security?
Reasons Why Banking Needs To Adopt Zero Trust Security
First, when we talk about banking, we talk about money. Banks are targeted and attacked by cybercriminals, and banking is one of the most targeted industries in the world.
According to the latest statistics, more than 9 out of every 10 organizations have experienced a data breach. Most of these data breaches were not caused by malware.
They were caused by phishing attacks through a web application, or by social engineering attacks (attacks that trick users into giving away their credentials).
This shows that the traditional approach that has been used by banks to protect their systems is no longer enough. They must implement the zero-trust security model to prevent such attacks from happening again.
So, how can banks adopt zero-trust security? Here are the main steps.
Identify Trust Zones
In the zero-trust architecture, there are three trust zones:
Untrusted Zone
This zone contains all external devices that can reach the bank's network (i.e., the Internet). Most of these devices are already compromised, so they cannot be trusted at all.
Therefore, they must be granted only limited access to the bank's resources and services, or blocked completely if they do not need to access any of those services or resources.
Trusted Zone
This zone contains all devices that are directly owned and managed by the bank or its subsidiary organization (i.e., on-premises servers and network devices).
In this zone, administrators can grant complete access to all resources and services, because they already know that none of these devices have been compromised yet.
Unknown Zone
This zone contains all devices that have been owned by the bank in the past but have been sold or leased to another party (i.e., off-site server). These devices might be compromised. So it would not be wise to grant them full access to any of the bank’s resources or services.
However, it would also not be wise to block them completely, because they might still need some level of access to some services or resources (for example, a customer portal).
Create Controlled Interfaces
Administrators should create controlled interfaces between each pair of trust zones and define which protocols are allowed on those interfaces (for example, IPsec VPNs).
Controlled interfaces allow administrators to enforce security controls on traffic traversing these interfaces without breaking the applications or services that run on top of them.
For example, when a user connects to a web application (i.e., HTTP) over the Internet through an IPsec VPN, administrators can enforce security controls such as content filtering, a WAF, and Identity and Access Management (IAM).
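To make the foundations listed earlier (authenticate every user, resource and device on every request) and the trust zones and controlled interfaces described above concrete, here is an added Python example. It is not code from the original article or from any bank or product; the device inventory, resource names, control names and user entitlements are constructed assumptions. It maps a device to one of the three zones, enforces per-zone least privilege, checks that the controlled interface applied the controls required for traffic from that zone, and only then checks the user's own entitlement.

```python
from dataclasses import dataclass

# Constructed asset inventory. Devices the bank currently manages fall in the
# trusted zone; devices it formerly owned but sold or leased fall in the
# unknown zone; anything not listed is treated as the Internet (untrusted).
MANAGED_DEVICES = {"branch-srv-01", "teller-ws-07"}
FORMER_DEVICES = {"leased-srv-22"}


def classify_zone(device_id: str) -> str:
    """Place a device into one of the three trust zones using the inventory."""
    if device_id in MANAGED_DEVICES:
        return "trusted"
    if device_id in FORMER_DEVICES:
        return "unknown"
    return "untrusted"


# Resources each zone may reach at all (zone-level least privilege). Assumed:
# the untrusted zone gets only the customer portal, the unknown zone a little
# more, the trusted zone the full set.
ZONE_RESOURCES = {
    "untrusted": {"customer_portal"},
    "unknown": {"customer_portal", "statement_api"},
    "trusted": {"customer_portal", "statement_api", "core_ledger"},
}
KNOWN_RESOURCES = set().union(*ZONE_RESOURCES.values())

# Controls the controlled interface must have applied to traffic entering from
# each zone before it reaches an application. Assumed values for the example.
INTERFACE_CONTROLS = {
    "untrusted": {"ipsec_vpn", "waf", "content_filter", "iam"},
    "unknown": {"ipsec_vpn", "iam"},
    "trusted": {"iam"},
}


@dataclass
class Request:
    user: str
    user_authenticated: bool      # user identity verified (e.g. MFA succeeded)
    device_id: str
    device_authenticated: bool    # device identity verified (e.g. client cert)
    resource: str
    user_entitlements: frozenset  # resources this user is entitled to use
    controls_applied: frozenset   # controls the interface actually enforced


@dataclass
class Decision:
    allowed: bool
    zone: str
    reason: str


def decide(req: Request) -> Decision:
    """Evaluate one access request under the zero-trust rules of the page."""
    zone = classify_zone(req.device_id)
    # 1. Authenticate user and device on every request; being in the trusted
    #    zone does not exempt a device from proving its identity.
    if not req.user_authenticated:
        return Decision(False, zone, "user not authenticated")
    if not req.device_authenticated:
        return Decision(False, zone, "device not authenticated")
    if req.resource not in KNOWN_RESOURCES:
        return Decision(False, zone, "unknown resource")
    # 2. Zone-level least privilege: can this zone reach this resource at all?
    if req.resource not in ZONE_RESOURCES[zone]:
        return Decision(False, zone, f"{zone} zone may not reach {req.resource}")
    # 3. Controlled interface: every required control must have been applied.
    missing = INTERFACE_CONTROLS[zone] - req.controls_applied
    if missing:
        return Decision(False, zone,
                        "missing interface controls: " + ", ".join(sorted(missing)))
    # 4. Per-user entitlement, checked last so a zone or interface failure is
    #    reported before any user-specific detail.
    if req.resource not in req.user_entitlements:
        return Decision(False, zone, f"{req.user} not entitled to {req.resource}")
    return Decision(True, zone, "all checks passed")


if __name__ == "__main__":
    # Constructed sample: a customer on the Internet reaching the portal
    # through the VPN with all interface controls applied.
    sample = Request("alice", True, "home-laptop", True, "customer_portal",
                     frozenset({"customer_portal"}),
                     frozenset({"ipsec_vpn", "waf", "content_filter", "iam"}))
    print(decide(sample))
```

The ordering of the checks is the design point: identity of user and device comes first, then the zone's allow-list, then the interface's controls, then the individual entitlement, so a request from the trusted zone with an unauthenticated device is refused before its zone privileges are even consulted.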