Mark Guntrip, Senior Director, Cybersecurity Strategy at Menlo Security
Most regulations tell organisations what they need to protect, whether it’s a certain classification of data, a remote system, or a user, but they rarely indicate how those requirements should be met.
So, a law might say that companies handling personally identifiable information (PII) must use strong passwords, but the regulations often fail to define what makes a password strong: a certain number of characters, a mix of letters, numbers, and symbols? Perhaps passwords are strong only if they are paired with multi-factor authentication (MFA)? Typically, it’s up to the security team to make that determination. Whether they follow the National Institute of Standards and Technology (NIST) or the MITRE ATT&CK framework, security professionals can access very robust and specific guidelines for how to identify and stop malicious activity.
But being compliant with all the appropriate regulations doesn’t necessarily mean that an organisation is protected from malicious actors. A company’s security posture is dependent on how the security team has chosen to meet the requirements. However, as compliance regulations evolve, financial services organisations can find the goals of maintaining compliance and enforcing security are being pushed closer together.
Rather than the traditional separation of compliance and security, companies are finding that they can achieve better results and economies of scale by combining both teams under leadership from the CIO. This allows them to go from securing their workforce to ensuring that their products, services, supply chain and partner ecosystem are protected from malicious activity.
What makes things difficult is the fact that larger financial services organisations have many departments with lots of users who all require different security access. A cashier in a bank branch may have no business connecting to the Internet, while a mortgage adviser might need to check third-party sources for up-to-date information. These roles might also be subject to different regulations, making it even more complex. Traditionally, these different requirements would call for separate hardware and networking — an architecture that leads to greater complexity.
A Zero Trust approach
Remaining compliant while protecting against evolving threats is a balancing act for organisations in the industry. Many take a Zero Trust approach to security, which turns the traditional ‘detect-and-respond’ approach to cybersecurity on its head. In simple terms, instead of trusting everything except known threats, Zero Trust assumes that all content and users are untrustworthy until verified. One way to reach a true state of Zero Trust is to leverage isolation technology.
Isolation enables a context-aware approach by ensuring trust between connecting entities. Along with other security controls, such as a web proxy, data loss prevention, or anti-malware tools, isolation ensures security and compliance by verifying that everyone is who they say they are, and that they are accessing only the information, applications and systems they need to do their job.
Three ways that isolation can help organisations accelerate the security/compliance convergence:
- Ensure complete visibility and control over managed and unmanaged assets.
Isolation provides companies with the visibility and control they need to ensure security and maintain compliance of both managed and unmanaged assets. Running all web traffic through an isolated layer in the cloud ensures that no malicious activity can force that initial breach on a connected device and then spread through the network. As web- and email-based threats become more sophisticated and use advanced evasion techniques, organisations need to stop relying on a flawed detect-and-respond approach to security and focus on prevention.
- Rely on cloud-native technologies.
Cloud-native isolation solutions allow organisations to ensure this visibility and control at scale without impacting the user experience. They can simply expand security controls wherever they do business — whether in a remote branch, a customer site, or a conference centre. This ability makes it possible to ensure security controls travel across borders and regulatory jurisdictions — effectively connecting compliance requirements with security posture.
- Extend security to vendors, tools, and the entire supply chain.
Successfully connecting security and compliance allows organisations to go beyond just maintaining a secure business. Having the framework in place to ensure compliance and security together makes it possible to extend security strategies to the products and services they are providing, all the way through the supply chain and partner ecosystem. Isolation ensures that a vulnerable partner cannot compromise the network, and that a ransomware gang cannot use a Software-as-a-Service (SaaS) platform to gain access and take the network down. A Zero Trust approach powered by isolation ensures trust between connecting entities — no matter who they are or who controls the asset.
For financial services, the convergence of regulatory requirements and security goals can help combine previously disparate teams and streamline efforts. A Zero Trust approach can help them gain visibility and control over managed and unmanaged devices, follow security controls and compliance across borders, and extend security across the entire ecosystem.