Cybersecurity products for the financial services sector protect an industry that is among the most targeted for cyber-attacks because of the information it collects and processes: non-public information (NPI) about consumers, such as names, addresses, financial and payment information, credit history, and Social Security numbers.
Consequently, governments worldwide have enacted local and state-level cybersecurity statutes and regulations to ensure financial institutions maintain adequate security measures to prevent data breaches, significantly increasing their regulatory burden. While these regulations may have been relatively straightforward to meet years ago, financial institutions face significant challenges balancing data security and user experience in the face of the global pandemic and the shift in business operations.
The global pandemic has decentralized the workforce; many employees now work remotely, and IT leaders continually try to solve the technological and security challenges that come with distributed access to sensitive data. At the same time, cybersecurity vendors continue to bring products to market, claiming to solve the distributed access problem and touting improved user experience, productivity, security, and compliance. To avoid falling for vendor hype, financial institutions' IT leaders should understand their organization's compliance obligations concerning the protection of regulated information before making technology purchasing decisions that could introduce poorly designed products and, consequently, liabilities.
This article outlines three key areas that IT leaders working in the financial services sector should evaluate in Secure Access Service Edge (SASE) technology, focusing mainly on protecting the confidentiality of non-public information about consumers.
The Most Prominent Cybersecurity Risks Facing Financial Institutions
Financial institutions face unique risks due to the value of the information they handle, and any failure to protect such information could result in significant harm for impacted individuals. Among these risks are:
- Non-public consumer information exfiltration, including theft by insiders and outsiders (e.g., hacking groups) and inadvertent disclosure through human or technological errors
- Non-public consumer information modification or destruction
- Violation of data localization laws
Non-public Consumer Information Protection
A critical capability to detect and prevent data breaches is sensitive data visibility, inspection, and control, often delivered through Cloud Access Security Brokers (CASBs), Secure Web Gateways (SWG), and endpoint data loss controls. IT leaders should assess SASE vendors’ ingress and egress traffic inspection capabilities to ensure real-time detection and prevention of unauthorized sensitive data transfers, including the vendor’s ability to provide:
- Broad inline and API-based data channel coverage across cloud, Internet, and endpoint using a centralized policy engine. IT leaders should avoid SASE products that require a different policy engine for each data channel. Products built this way create a significant administrative burden for the IT personnel tasked with developing and maintaining data loss policies. Furthermore, a decentralized policy engine is more likely to increase architectural complexity, present a steep learning curve, and introduce visibility gaps.
- Sensitive data discovery on endpoints, cloud, and on-premises servers to provide a holistic view of its usage.
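The centralized policy engine described above, as an added example that is not part of the original article: one set of NPI detectors (SSN format plus Luhn-validated payment card numbers) and one decision function applied identically to events from the cloud-API, web, and endpoint channels. The channel names, destinations, and sample payloads are constructed for illustration.

```python
"""Centralized DLP policy engine applied to events from several data channels."""
import re
from dataclasses import dataclass

# NPI detectors (constructed for this example). The SSN pattern rejects
# area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digit runs with optional space/dash separators; Luhn filters the rest.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: drops digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_npi(text: str) -> dict:
    """Count detected NPI items by type in one payload."""
    pans = [m.group() for m in PAN_RE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group()))]
    return {"ssn": len(SSN_RE.findall(text)), "pan": len(pans)}


@dataclass
class Event:
    channel: str       # "cloud_api", "web" or "endpoint" (constructed labels)
    destination: str   # e.g. "corp-sharepoint", "pastebin.com", "usb"
    payload: str


# Destinations approved to receive regulated information (constructed).
SANCTIONED = {"corp-sharepoint", "core-banking.internal"}


def evaluate(event: Event) -> str:
    """One policy for every channel: NPI may only flow to sanctioned destinations."""
    hits = find_npi(event.payload)
    if sum(hits.values()) == 0:
        return "allow"
    if event.destination in SANCTIONED:
        return "allow-and-log"   # legitimate transfer, retained for audit
    return "block"
```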
Another critical consideration is whether SASE vendors offer these capabilities natively rather than through partnerships and integrations with third-party products, since the latter requires transferring customer data to a third party and increases downstream liabilities.
IT leaders should also ensure that SASE vendors provide end-to-end network session encryption using the latest SSL/TLS version to preserve regulated information confidentiality. Furthermore, IT leaders should evaluate the vendors’ practices in the following areas to identify potential areas of concern threatening data confidentiality and integrity:
- Key and certificate management, including key generation, rotation, use, and destruction.
- Usage of vendor-managed hardware security modules (HSMs) and HSM-as-a-Service.
- Secrets management, including SSH and API key generation, rotation, use, and destruction.
- Privileged access management by employees and third parties.
Lastly, IT leaders should favor SASE vendors that support "bring your own key" (BYOK) encryption of customer data stored on the vendor's cloud (e.g., logs), giving customers complete control over data encryption.
Access Controls for High-Risk Use Cases
High-risk access generally refers to system or information access by contractors, third parties, privileged users (e.g., developers and IT administrators), and unmanaged devices. Controlling access to regulated information based on the principle of least privilege is crucial to ensuring ongoing compliance with privacy and cybersecurity laws and regulations. Zero Trust Network Access (ZTNA) is gradually replacing traditional access control methods, and while many SASE vendors claim to offer ZTNA, IT leaders should carefully assess such claims to ensure ZTNA principles are actually followed. IT leaders should lean towards SASE products that provide:
- Consistent, risk-based policy enforcement for all users, devices, and applications regardless of the point of access. ZTNA should continually evaluate user sessions for anomalies, and potential unauthorized or inappropriate access based on identity, threat, risk attributes, and contextual behaviors to enable dynamic access control.
- Strong user authentication with integration to third-party identity providers.
- Device authentication, posture validation, and integration with endpoint security tools, such as EPP, EDR, and MDM, to ensure that only authorized devices can connect to company resources.
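The continuous, risk-based evaluation the list above calls for, as an added example that is not from the article or any vendor: every request in a session is re-scored from the identity provider's assurance level, device posture reported by MDM/EDR, and contextual signals, so a posture change mid-session changes the decision. The attribute names, weights and thresholds are assumptions chosen for illustration.

```python
"""Risk-based ZTNA decision, re-evaluated on every request in a session."""
from dataclasses import dataclass


@dataclass
class Identity:
    user: str
    idp_assurance: str    # from the third-party IdP assertion: "mfa" or "password"
    privileged: bool      # developers / IT administrators are high-risk users


@dataclass
class DevicePosture:
    managed: bool         # enrolled in MDM
    edr_healthy: bool     # EPP/EDR agent present and reporting
    disk_encrypted: bool


@dataclass
class Context:
    country: str
    usual_countries: frozenset   # where this user normally works
    threat_score: int            # 0-100 from a threat feed (constructed)


# Weights are assumptions for this example, not a vendor's scoring model.
def risk_score(idn: Identity, posture: DevicePosture, ctx: Context) -> int:
    score = 0
    if idn.idp_assurance != "mfa":
        score += 40
    if not posture.managed:
        score += 30
    if not posture.edr_healthy:
        score += 25
    if not posture.disk_encrypted:
        score += 15
    if ctx.country not in ctx.usual_countries:   # contextual anomaly
        score += 20
    return score + ctx.threat_score // 2


def decide(idn: Identity, posture: DevicePosture, ctx: Context,
           app_sensitivity: str) -> str:
    """Regulated applications tolerate less risk; privileged users get a tighter bar."""
    limit = {"regulated": 20, "internal": 50, "public": 80}[app_sensitivity]
    if idn.privileged:
        limit -= 10
    score = risk_score(idn, posture, ctx)
    if score <= limit:
        return "allow"
    if score <= limit + 30:
        return "step-up-auth"   # e.g. re-authenticate with MFA before continuing
    return "deny"
```

Because `decide` is called per request rather than once at login, the same user whose EDR agent stops reporting moves from `allow` to `step-up-auth` without waiting for the session to end.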
Compliance with Data Localization Laws
Data localization refers to specific laws requiring the storage and processing of regulated information within a particular territory or country. Like data localization, data residency refers to organizational policies mandating the storage of specific information types within specific countries. Data localization and residency mandates are particularly challenging for financial institutions with cross-border data flow requirements, such as off-country payment processing or access to regulated information from countries where the data was not created. Consequently, IT leaders should favor SASE cybersecurity vendors that allow customers to:
- Choose the data storage (geographical) location, whether on the vendor or customer cloud. In the context of this article, data storage refers to storing session information, audit logs, threats, incidents, and security logs. IT leaders should lean towards SASE cybersecurity vendors that can integrate their products with customer-managed cloud object storage accounts, giving the customer complete control over the storage location and security of the data.
- Select the points of presence (POPs) through which traffic is routed and inspected, to prevent cross-border transfers of regulated data. SASE cybersecurity vendors should offer multiple in-country POPs to optimize performance, resiliency, and disaster recovery. Furthermore, SASE vendors should offer hardware or virtual enforcement points installed on the customer premises for situations where the customer cannot route traffic through a cloud POP. Lastly, SASE vendors should provide in-country connectivity to the major cloud service providers, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform, to deliver fast and local access to customers' cloud resources.
While SASE technology has the potential to enhance security significantly and provide a superior user experience compared to traditional access methods, IT leaders working in the financial services sector should implement SASE on a security architecture focused primarily on protecting regulated information, thereby avoiding hefty fines, reputational damage, and personal liability for directors and officers.