Since the Covid-19 outbreak, financial firms have not only grappled with technology and connectivity issues associated with enabling traders, investment bankers, and others to work from home, but have also needed to address security concerns around how employees access sensitive systems and data outside highly secure offices and trading floors.
These concerns range from whether a connection between a server in a datacenter and a device registered to an employee is secure and encrypted, to verifying the identity of the employee using that device, and whether they are exposing their secure access to the risk of data breaches.
One lasting impact of Covid may be to drive adoption of more stringent security protocols, such as Zero-Trust Architecture (ZTA), which works exactly the way it sounds: everything on a network assumes it cannot trust anything else on the network as default, and requires authentication and verification of each person, device or application attempting to access it.
“At its core, ZTA is essentially saying that there is no longer implied trust between systems just because they exist on the same network,” says Phil Vachon, a security architect at Bloomberg.
“A dozen years ago, if I was using a corporate desktop, I might be able to access all sorts of sensitive applications just by virtue of being connected to the same network. So moving to ZTA is a big upset to that model, because it adds layers of authentication to ensure people can only access the systems they need to do their job,” he says. “It’s extremely useful and powerful, but also can be disruptive to how employees are used to working. It will be a huge shift in the way firms operate.”
Interest in ZTA has risen in the past couple of years, but are firms acting fast enough? Dr. Chase Cunningham, principal analyst covering security and risk at Forrester Research, says that rather than delaying spend on IT security projects, Covid may even have accelerated them.
“Our original projection was that banks would be done with ZTA by 2025. But with Covid, we think that anyone not done with ZTA by 2022 will be behind the curve, and will be left open to breaches, and the regulatory fines that such breaches incur,” Cunningham says.
Firms have implemented security measures for years to govern who can access what systems, and the principles of ZTA have been around for a decade or longer, depending on who you ask. Charles Porter, CTO of distributed ledger-based digital rights startup TradeX, describes how, previously in his career while working on a major investment bank’s architecture and engineering team, he was not able to access production systems without first scheduling a specific time to access a system, then being assigned a temporary support login to access only that system at the allotted time.
Zero-Trust takes this a step further, requiring these kinds of authentication for even those who need to routinely access systems.
“With ZTA, each account only gets the minimum access they need, and for any new device, they need to get authorized. And some ZTA models track behavior and understand if any access is out of line with someone’s profile—for example, if they are trying to access something they don’t need, or if the number of access attempts by someone or a device goes up dramatically,” says Scott Rose, a computer scientist at the National Institute of Standards and Technology.
The bulk of any ZTA program should take place behind the scenes. But for those responsible for underlying technology architectures and market data infrastructures, the impact is more visible and disruptive.
A market data technology executive at a major US bank says their firm’s ZTA program forces staff to obtain multiple levels of permission each time they need to access servers running data systems—even if their job is maintaining those systems on a daily basis—which can result in routine tasks taking up to 20 times longer than previously.
However, this is “significantly more pleasant” than in the past, now that the foundational technology elements of ZTA are widely adopted and mature, says Grigoriy Milis, CTO of RFA, a provider of IT services to buy-side firms.
“Right now, ZTA is having a renaissance, driven by two significant factors. First, the way companies use systems and data has significantly changed. The big factor is that there’s no perimeter anymore, and many companies run significant portions of their architecture over the internet in the cloud. Second, the technology that runs ZTA has evolved. Factors such as multifactor authentication are already standard. Companies should already have device management in place. Then you have the evolution of least privilege to support more granular permissioning of users. And, of course, segmentation has become much more mature, and we can build dynamic policies by observing users’ behavior,” Milis says. “For example, if I’m based in New York and, after logging out in New York, I’m seen logging in from Hong Kong, that would be identified as risky.”
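Putting the checks Rose and Milis describe above into a single decision routine, as an added illustration (this is not code from any firm or vendor quoted in the article; the accounts, devices, systems, thresholds and the 15-hour New York to Hong Kong travel floor are all constructed):

```python
"""Toy zero-trust access evaluator.

Every request is checked against least-privilege grants, device
registration and two behavioural signals named in the article:
impossible travel and a spike in access attempts. Added illustration;
every account, device, system and threshold below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy: each account is granted only the systems it needs,
# and only explicitly authorised devices may be used for that account.
GRANTS: Dict[str, Set[str]] = {"alice": {"trade-db", "mkt-feed"}, "bob": {"mkt-feed"}}
REGISTERED_DEVICES: Dict[str, Set[str]] = {"alice": {"laptop-a1"}, "bob": {"laptop-b7"}}

# Constructed thresholds. Times are minutes since an arbitrary epoch.
MAX_ATTEMPTS_PER_HOUR = 20
MIN_TRAVEL_MINUTES = {("Hong Kong", "New York"): 15 * 60}  # sorted city pair


@dataclass
class Request:
    user: str
    device: str
    system: str
    city: str
    at: int  # minutes


@dataclass
class Profile:
    """Per-account behavioural baseline built up from accepted requests."""
    last_city: Optional[str] = None
    last_seen: Optional[int] = None
    attempts: List[int] = field(default_factory=list)


def evaluate(req: Request, profiles: Dict[str, Profile]) -> Tuple[bool, List[str]]:
    """Decide one request; returns (allowed, list of failed checks)."""
    reasons: List[str] = []
    if req.system not in GRANTS.get(req.user, set()):
        reasons.append("not-granted")
    if req.device not in REGISTERED_DEVICES.get(req.user, set()):
        reasons.append("unregistered-device")

    p = profiles.setdefault(req.user, Profile())
    # Impossible travel: last accepted login was in another city and the
    # gap is shorter than the constructed minimum travel time between them.
    if p.last_city is not None and p.last_city != req.city:
        pair = tuple(sorted((p.last_city, req.city)))
        if req.at - p.last_seen < MIN_TRAVEL_MINUTES.get(pair, 0):
            reasons.append("impossible-travel")

    # Attempt spike: every request (allowed or not) counts towards the
    # trailing one-hour window, so a denied burst is still visible.
    p.attempts = [t for t in p.attempts if req.at - t < 60]
    p.attempts.append(req.at)
    if len(p.attempts) > MAX_ATTEMPTS_PER_HOUR:
        reasons.append("attempt-spike")

    # Only an accepted request moves the location baseline, so a rejected
    # attempt from elsewhere cannot poison the profile of the real user.
    if not reasons:
        p.last_city, p.last_seen = req.city, req.at
    return (not reasons, reasons)
```

Each failed check is reported separately, so a log consumer can distinguish a policy gap (not-granted) from a behavioural anomaly (impossible-travel).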
‘Growing Pains’
NIST’s Rose acknowledges that ZTA involves a “learning curve,” but says this is not as steep as people first think, because those charged with implementing it—whether a chief risk officer, CIO, someone else within a firm’s technology organization, or a COO—would be well-versed with IT security challenges.
To further flatten this learning curve, Forrester created the Forrester Certification Program to familiarize market participants with the main principles of ZTA, create standards, and unite the industry around a harmonized approach. The on-demand program comprises about 20 modules of videos, written materials, and assessments. The whole program can be completed part time over two weeks, or full-time in two working days.
“All the challenges of ZTA are understandable growing pains facing IT organizations today,” Vachon says. “Workforces are increasingly mobile; people are using their own devices, and BYOD (bring your own device) is a big motivator. But this is how people expect to work now—or have to, for example, under Covid-19…. It’s a natural evolution for the industry to think this way about security.”
Certainly the ongoing pandemic has forced the industry to reevaluate security procedures for people and computers accessing core corporate systems from their kitchen table rather than the boardroom table, but many measures so far have focused on securing those new end-points, rather than tackling large-scale, enterprise-wide security protocols.
For example, Porter says TradeX’s platform can be an enabler in firms’ drive towards implementing ZTA, leveraging their existing permissioning systems and monitoring the flow of data internally to ensure that only those who need access to a system actually have access to that system.
“For any FTP site where you log in with a password, you’re always going to get people trying to access that. With us, you have to be a registered user with a login and password, and be on a registered end-point with a piece of software that securely communicates back to the server… and you can’t generate a key to access any data unless you have that software,” Porter says.
Though ZTA restricts internal access to sensitive data or applications, it aims to hinder external attacks—ransomware or data exfiltration attacks, among others—that conceal their origins using the labyrinthine layers of complexity that comprise modern enterprise architectures, and use their point of entry to impersonate a device or user with existing authorization to access important data systems, says NIST’s Rose.
Sometimes the easiest point of entry for an attacker is an on-network device whose function is so mundane that it is simply overlooked, such as printers and copiers.
“Printers are terrifying. They have a lot of privileges, such as the ability to scan-to-email or scan-to-folder, and therefore represent a large risk because they can access a lot of assets,” Vachon says. “So you’ll have to put in place a lot of extra security controls around printers; you have to say that a corporate laptop can’t print directly to any printer—instead, it has to go through another system first. So a device in one trusted zone can’t interact with a device in a less trusted zone.”
The risk associated with Covid is that an attacker could compromise a home worker’s technology and use their remote access to infiltrate corporate networks. Hence, the work-from-home Covid economy presents the perfect justification for enacting a ZTA strategy: ensuring that each remote user and device is who or what it claims to be. But depending on firms’ existing systems, the very rules set up in the past to minimize the risk of attack may make it harder to implement changes to prevent future attacks, for example, whether they allow major changes to be made remotely, as under current circumstances. Indeed, the more lightweight a firm’s technology is, the easier it may be to move.
“ZTA is heavily dependent on a service-based architecture. When you break down applications into their components, the services and microservices need to understand each other and who is accessing them. It’s like, instead of locking your house, you lock down everything inside it,” says Guy Warren, CEO of real-time systems monitoring technology vendor ITRS, which has built monitoring capabilities for microservices, such as Red Hat OpenShift and Kubernetes. “Because the microservice doesn’t know who the user is, they are likely to take the ZTA approach.”
But not all firms are yet that advanced. Forrester Research found that progress spans the full spectrum, from early stages to advanced deployments.
“We’re in the early stages, and are certainly hampered by legacy infrastructure,” says an enterprise security executive at a North American bank. “We are finding that the more we abstract from the physical technology layer, the more things we can do around ZTA. It’s easier to make changes when you are dealing with the software layer.”
Therefore, any ZTA strategy needs to be developed alongside adoption of a modern architecture. And while a firm’s security function may not be able to singlehandedly drive IT modernization, it needs a seat at the table of those tasked with setting the agenda, the executive adds.
Blockchain Holds Potential to Support ZTA Projects
Zero-Trust Architecture offers firms the ability to lock down access to sensitive data and systems, by assuming that no inherent trust exists between systems or users just because they are on the same network. But because ZTA refers to policies and practices, rather than the specific technologies that firms should use to achieve it, firms must decide for themselves which tools will deliver their desired results.
Rather than using traditional technologies to create a ZTA, Mark Kovarski, co-founder and CTO of Alegious Innovative Partners, a startup incubator and accelerator, believes blockchain technology could hold the key to providing the depth of authentication required by ZTA. Firms could use blockchains to validate and authenticate users and end points trying to access systems and data. And blockchain’s promise of an immutable and distributed ledger makes it basically tamper-proof, ensuring that any technology managing security processes also itself remains secure.
“Blockchain has very specific use cases,” Kovarski says. “You can track the life of a file using blockchain. And you can tamper with any other database, whereas with blockchain, you can never delete it—and it’s distributed,” so valuable information is never vulnerable to issues affecting one geographical location.
Though the Global Blockchain Business Council does not list any specific examples relating to IT security in financial markets in its directory of industry use cases, some of those listed describe management of distributed resources and protection of individuals’ data, such as healthcare records. And earlier this year, the Global Legal Entity Identifier Foundation (GLEIF) partnered with credentials management technology vendor Evernym to create a blockchain-based way to create digital wallets that verify the identity of a company and its employees, and can be used to validate digital transactions or to manage client onboarding and submit regulatory filings.
“I think that, from a security perspective, blockchain becomes a very powerful technology. As workforces are more mobile, remote, and freelance, firms need to onboard new employees quickly, while ensuring that they can validate who they are for security purposes,” Kovarski says. “Maybe now is blockchain’s moment.”
Casting a Wide Net
But ZTA needs to extend beyond that table and the primary offices where firms’ users, devices and corporate networks reside, to encompass off-site locations that constitute important kernels of infrastructure and house huge swathes of sensitive data about a firm, its activities, and its customers.
“The crown jewel of any financial services business is probably its datacenter. It houses customer data, trade data, and systems that give a firm its critical advantages. So, to me, the whole concept of ZTA naturally must extend to datacenters,” Vachon says. Under legacy infrastructure rules, on-site applications could access off-site servers. But since any on-net datacenter is vulnerable to attempted cyberattacks, firms must apply the same controls to their datacenter as they would to assets housed within their own four walls. “You can’t stop attackers in their tracks if you don’t have resources and assets ring-fenced by controls with depth of authorization,” he adds.
‘Fertile Ground for Shadow IT’
However, a natural response to change is that people will try to minimize the impact on their day-to-day work.
“It’s inevitable that people will get creative and find workarounds, so you have to be innovative,” says Bloomberg’s Vachon. “You need to facilitate the business operating while you are making these changes. And you have to understand your business inside and out, and talk to the business users, and involve them in these technology decisions—all with the understanding that if what you’re doing is creating too much inconvenience for end users, you’re creating fertile ground for ‘shadow IT.’”
For example, if a firm restricts employee access to an internal chat program, they may simply set up their own Slack group outside the auspices of corporate networks or a firm’s ability to monitor it.
“It’s about having a good plan for how you get people used to the concept of ZTA, and how you not only will disrupt but also enhance how users do their work… [and] actually simplify the way people use systems,” Vachon says. “I’ve never seen a ZTA project go flawlessly. You have to weigh productivity against the risk of downtime during implementation, and maybe focus on low-risk areas to deploy to first, before looking at non-critical systems, and doing it in phases that allow people to get used to—and benefit from—any changes. For the end user, if it’s done right, it should be a seamless experience.”
ZTA also can’t be done in a “big bang” approach. While it must have a single purpose, the complexity of firms’ infrastructures, and legacy technology challenges, mean that a phased approach is inevitable.
“If it’s too much to tackle across the enterprise as a whole, we look at the criticality of each business line, and ask what systems would benefit most from increased security or better operations,” says the bank enterprise security executive. “Even if we do risk stratification, we look at it across the organization. If something is high risk in the capital markets, it is probably also high risk in retail, too. So we work with all teams and hopefully build a cohesive model or patterns that can be used across the bank.”
Good Housekeeping
ZTA offers secondary benefits beyond its core security aspects. The bank data executive admits that the challenges of working under ZTA have forced staff to be more conscious and critical each time they request access to a system, and to get fixes and changes right the first time around, so they don’t waste time repeating the authorization process to correct errors.
“It did make us realize that we were being somewhat liberal with our accesses before,” and as a result has tightened up internal processes, the data executive says.
And even for “break-glass” emergency access to a system, where someone may need root control to restart a system after a malfunction (a higher-risk process, because root access gives complete control over who has access and over the ports used to send and receive data), an engineer or administrator must still log the cause and the time taken to gain access. IT may then question how they plan to reduce that number. That, plus the fact that logging each instance makes accessing systems far more onerous, should encourage firms to also work more efficiently under ZTA, says ITRS’ Warren.
“To reduce the number of instances, you need good housekeeping routines. So you need to move anything you do routinely into your weekly ‘housekeeping,’ so that you only have to dive in to fix something unexpected,” Warren says.
He and Forrester’s Cunningham agree that harnessing ZTA to make banks’ most critical data and systems bulletproof will automatically deter external threats because they represent more effort and less chance of success to would-be hackers, while NIST’s Rose says firms should view ZTA as “an opportunity” to refine and improve their existing workflows. “It forces you to reevaluate and improve your business processes,” he says.
And therein lies the key: though ZTA is a technology architecture issue, success depends on not treating it purely as an IT problem, but on involving the business side of an organization, and on assessing and articulating the benefits and risks in terms of business objectives.
“I tell people that security is about enabling the business. Firms want to do this if not doing it would hold back their ability to do business. It’s business enablement through security strategy,” says Cunningham. “If there is a silver lining to the Covid crisis, it’s that it proves that ZTA is the correct approach to security, and that there is no perimeter anymore—we’re all outside of it.”