The Importance of Zero Trust for Financial Services

With the 2023 RSA conference just around the corner, I am reminded that many of my first learnings about emerging security concepts came from the time at this event. In fact, it was at RSAC that I first began to explore how to secure data within cloud computing and the concept of ‘zero trust’.

Sitting with John Kindervag more than a decade ago, he shared his idea about building security inherently into an organization’s architecture. At that time, I was highly intrigued by what he had to share, as it was very similar to the approach we took to manage payment data within the PCI Data Security Standard (PCI DSS). Take one type of data or asset, such as a credit card number, and build your controls to prevent unauthorized access throughout its lifecycle.

John and I reminisced about that conversation at last year’s RSAC when we conducted a joint interview discussing the importance of zero trust to prevent ransomware attacks.

Zero trust is an important concept for all industries, but possibly more so for Financial Services, as there is an inherent expectation by consumers that their data will remain protected by those they have entrusted. As well as the expectation by governments that citizens' financial data will be safe, regardless of which third party is managing the information.

At the same time, financial data can be highly attractive to cyber criminals. According to Verizon Business DBIR, in 2021, there were 690 confirmed data disclosures within Financial Services, and 93% of data breaches were conducted for financial gain.

This is one of the reasons why I believe security leaders in financial services are moving quickly to adopt zero trust. When we conducted a survey with Financial Service professionals to identify areas of interest for CSA to explore, zero trust and regulation were not surprisingly the two topics of most interest.

And for me, those two subjects are intertwined. Regulators are increasingly relying on mechanisms to authenticate access to all types of data further and shift from validating compliance to a standard to continuous adherence to security frameworks. To achieve that transition, zero trust must be at the core of the strategy.

However, that is a “says easy, does hard” concept for many. Yet, one of the greatest attributes of a good ZT strategy is to take simple steps in complex environments to improve risk management a little at a time measurably.

That is, begin with identifying one critical type of data, system, or process that must never have access granted unless the user or device has been properly authenticated to a reasonable level of validation.

This starts with adequate data classification, an exercise that often is not given enough attention in most organizations. So many data breaches can be attributed not to mastermind plots to take over the world or cripple a Fortune 100 business but by botnets and other automated tools stumbling upon data being stored or transmitted in places unknown to security teams and far too accessible to non-privileged users.

This is why, I believe, so many smaller businesses, FinTechs, credit unions, and other organizations are more susceptible to compromise because they may not understand that the automated attacks do not discern if they’re stealing a few thousand records or millions until the compromise is already underway. Yet these organizations likely would benefit even more from taking steps to adopt zero trust.

Returning to the upcoming RSA Conference, if you are attending, I hope to see many of you there Monday at our CSA Summit, where the principles of zero trust will most certainly be discussed.

Also, if you have any questions or interest in all the good work our community is doing with cloud security in Financial Services or plans for other industry sectors to leverage zero trust methodology, I hope we have the opportunity to meet and speak about the next generation of security. Perhaps I’ll be sharing a similar story about your ideas in another decade.