Last updated: 01 June 2016
When discussing IT security, people often reach for analogies from the physical world. It is particularly common to take on a medieval flair, employing concepts like castle walls, armor, shields, and so on. While these descriptions are never perfect, it is only natural to look for physical realities that illustrate or amplify the key points when discussing the very real, but far less tangible, concepts at play in our digital world.
Given that frame of reference, it’s interesting to look at the number of parallels between the security approaches required in the physical bank, and those that need to be employed in the realm of digital banking.
The Evolution of Layered Security
Layered security is not a new approach. In fact, it is exactly what banks have been doing for decades.
As long as there have been banks, there have been bank robbers. Each new theft—or ideally every attempted theft—gave the bank’s security staff insights for establishing new or enhanced defenses. At the same time, when an initial attack is thwarted, would-be criminals keep trying and learning as well.
Consequently, over time, banks built up layered defenses, so when one defense was bypassed, another would remain in effect to safeguard assets. If criminals could devise a way to bypass an alarm triggered at windows, it was time to install motion detectors inside the building.
In the digital world, the same type of progression has been occurring. Cyber attackers have continued to evolve their approaches. This is especially true of the well-financed, well-organized criminal organizations and nation-states that are perpetrating cyber attacks against banks today.
Criminals went after sensitive transmissions, employing tactics like man-in-the-middle attacks, so banks had to establish encrypted channels that also authenticate the bank's server (TLS with certificate validation), since encryption alone does not stop an attacker who can impersonate the endpoint. When attackers went after user credentials to gain access to sensitive accounts, banks needed to introduce multi-factor authentication. Once it was clear that corporate databases were being breached, banks encrypted the sensitive records held in those databases so that a stolen copy of the data was not immediately usable.
The Physical Layers and Their Digital Equivalents
It’s interesting to consider the security layers within the physical bank, and their equivalents in the digital world:
- Where a guard may be hired to deter theft at the bank branch, the digital equivalents are the controls put in place to establish the authenticity and integrity of user devices like smartphones, tablets, and laptops.
- In the branch, a customer will need to sign a new account application. In online banking transactions, digital signing is employed.
- In a branch, customers may need to provide a driver’s license or some other form of ID to establish their identity. In the digital world, mobile banking customers may be required to go through a multi-factor authentication process before making a withdrawal.
- In the physical bank, valuables are held in the vault. In the digital bank, encryption serves as the mechanism that safeguards the sensitive assets being held.
- Over the years, banks have established increasingly rigorous policies for audits and other processes to validate that the necessary safeguards have been implemented. In the digital sphere, security professionals rely on sound fraud management: monitoring transactions, analyzing trends, and identifying and blocking fraudulent activity before it completes.
- Just as keys to vaults and other rooms have to be safeguarded at all times, so too must the cryptographic keys that the digital bank manages.
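The digital-signing layer above is easiest to understand when the verification side is spelled out, because the signature is only useful if the bank also checks the message cannot be altered in transit or resubmitted later. The following is an added illustration, not code from the original article or from any bank: it assumes a hypothetical transfer message with a per-customer nonce, Ed25519 from the Go standard library, and a `Bank` type that stores only public keys and the highest nonce it has accepted. The `Scenario` function submits a genuine transfer, a copy whose amount was altered by a man-in-the-middle, and a verbatim replay of the genuine transfer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transfer is a hypothetical transaction a customer submits. The nonce is a
// per-customer counter so that a captured, validly signed transfer cannot
// simply be resubmitted.
type Transfer struct {
	From        string `json:"from"`
	To          string `json:"to"`
	AmountCents int64  `json:"amount_cents"`
	Nonce       uint64 `json:"nonce"`
}

// SignedTransfer carries the transfer plus the customer's Ed25519 signature
// over its canonical (JSON) encoding.
type SignedTransfer struct {
	Transfer
	Sig []byte
}

var (
	ErrUnknownCustomer = errors.New("unknown customer")
	ErrBadSignature    = errors.New("signature does not verify")
	ErrReplay          = errors.New("nonce already used")
)

// encode is the single canonical encoding that both sides sign and verify.
// encoding/json emits struct fields in declaration order, so the bytes are
// deterministic for a given Transfer.
func encode(t Transfer) []byte {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err)
	}
	return b
}

// Sign is the customer side: the private key never leaves the device.
func Sign(priv ed25519.PrivateKey, t Transfer) SignedTransfer {
	return SignedTransfer{Transfer: t, Sig: ed25519.Sign(priv, encode(t))}
}

// Bank is the server side: it holds only public keys and the highest nonce
// accepted for each customer.
type Bank struct {
	keys   map[string]ed25519.PublicKey
	nonces map[string]uint64
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, nonces: map[string]uint64{}}
}

func (b *Bank) Enroll(customer string, pub ed25519.PublicKey) { b.keys[customer] = pub }

// Accept verifies the signature before touching any state, then rejects
// nonces that do not move forward, so a replayed transfer is refused even
// though its signature is genuine.
func (b *Bank) Accept(st SignedTransfer) error {
	pub, ok := b.keys[st.From]
	if !ok {
		return ErrUnknownCustomer
	}
	if !ed25519.Verify(pub, encode(st.Transfer), st.Sig) {
		return ErrBadSignature
	}
	if st.Nonce <= b.nonces[st.From] {
		return ErrReplay
	}
	b.nonces[st.From] = st.Nonce
	return nil
}

// Scenario runs three submissions against a fresh bank and returns the
// outcome of each: a genuine transfer, the same transfer with the amount
// altered in transit, and a replay of the genuine transfer.
func Scenario() (genuine, tampered, replayed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Enroll("alice", pub) // constructed sample customer

	st := Sign(priv, Transfer{From: "alice", To: "bob", AmountCents: 12500, Nonce: 1})
	genuine = bank.Accept(st)

	evil := st
	evil.AmountCents = 1250000 // man-in-the-middle edits the amount but keeps the signature
	tampered = bank.Accept(evil)

	replayed = bank.Accept(st) // captured message resubmitted verbatim
	return
}

func main() {
	g, t, r := Scenario()
	fmt.Println("genuine:", g, "| tampered:", t, "| replayed:", r)
}
```

The order of checks in `Accept` matters: the signature is verified before the nonce is recorded, so an attacker who cannot sign cannot advance a customer's counter and lock out their real transfers. The private key is the digital counterpart of the vault key in the next bullet, which is why it stays on the customer's device (ideally in hardware-backed storage) and the bank keeps only the public half.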
Which are the best security measures for banks?
The point is that no one tool or tactic provides absolute, foolproof security. That was true in the physical bank and it is just as true in the digital bank. While the concept of layered security is not new, new threats continue to arise, and so security requirements continue to evolve. If you are interested in learning more about establishing strong, multi-layer security in your digital banking environments, be sure to visit Layers of Security: The New Imperative for Banks.