Last updated: 07 November 2017
Financial Institutions! Protect Your Data and Stay Off the Front Page!
The financial industry is in the headlines again for a series of data breaches exposing millions of customer records and confidential industry information. In the first half of 2017, 1.9 billion records have already been lost globally; that is more than was lost in all of 2016. The financial services sector alone has seen 125 breaches in just the first 6 months of 2017. Check out Gemalto’s Breach Level Index for more stats on breaches.
As financial institutions across the globe become the focus of criminal hacks, we must take a step back to determine how to protect data, the new oil, in these modern times. More sophisticated technology makes it nearly impossible to build walls around IT networks or protect increasingly extended and porous perimeters.
What is ironic is that the technology that could help organizations protect their “oil” is that it has been around for hundreds of years: encryption. Organizations will get hacked, but fortunately, a layer of encryption backed by proper key management can keep sensitive data safe even when the network is compromised.
Though these organizations appear to be particularly vulnerable to web application attacks, they actually face a variety of serious risks. In 2016, according to Verizon’s Data Breach Investigations
Report (10th Edition), financial services organizations alone faced 376 web app attacks. On the whole, the sector faced 998 attacks with the methods running the gamut of possibilities.
So how can organizations implement a defense in-depth strategy that addresses the most commonly faced challenges by those within the financial sector?
Web Application Attacks
Web applications are the most vulnerable point for many financial services organizations. Financial firms must strike a fine balance between customers demand for easily conducting business online and potentially cumbersome network security.
Building encryption directly into the web application prevents hackers from accessing clear text data even when they’re on the application server. To best secure data, organizations should encrypt it immediately in the web application as it is created. Since application-level encryption secures data early in its lifecycle, it stays safe both at rest and in transit wherever it travels whether to a database, a folder on a network share drive, or even to the cloud. Alternatively, administrators could choose to incorporate tokenization at the application level so that only surrogate values are transmitted between systems instead of sensitive data.
When large IT organizations gradually adopt silos of encryption from different vendors in a large, complex enterprise, encryption becomes unmanageable. Each additional endpoint secured by encryption generates at least one key that needs to be rotated, monitored and controlled on an on-going basis. Too many keys creates problems for security administrators; the sheer volume of keys can entice overwhelmed administrators into taking shortcuts. Inefficient management can lead to violations of both best practice and regulatory mandates.
Consolidating encryption key management behind a central point improves security by improving oversight and reducing the likelihood that an administrator will cut corners when it comes to on-going administration. In addition, key management appliances prevent encryption keys from ever leaving its confines to reduce the risk that an attacker will get a hold of both data and the key needed to decrypt it. In the event that an application or a server are hacked, the separate key storage ensures that the hacker can’t access the master secret that unlocks the encrypted data. Additionally, centralized management lets administrators layer access policies that strengthen encryption security and restricts otherwise potentially unfettered access to connected systems.
Privileged Insider Risk
There is an inherent risk in trusting someone with administrative privileges. Disgruntled employees can abuse their position to steal or alter sensitive data. Or, hackers that successfully penetrate a network can masquerade as an administrator and use their privileges to get to valuable data. For financial services firms with highly valuable data, the vulnerabilities associated with administrative privileges is a particular concern.
Using policies to control encryption key access allows organizations to finely restrict data access according to roles, responsibilities, and/or context. The combination of encryption and these access controls address the risk posed by administrators and their privileges. Such controls, for example, could allow an application administrator to work on their application server without ever seeing the application data it creates in clear-text. A security administrator, alternatively, can control security but have no access to the application. Suddenly, the organization’s data is secured from external attacks as well as the vulnerabilities that exist from privileged users within the organization.
Demonstrating Control of Sensitive Data
The threat landscape for financial firms must also take into account their regulatory compliance obligations. The broad array of regional and industry regulations covering the financial services industry include data protection auditing and reporting requirements that affect how organizations marshal their resources. The core of these auditing requirements is the notion that organizations demonstrate full data control—that is, unauthorized users haven’t been able to gain access to sensitive information. The challenge for organizations is not only to secure their data but to do so in a way that lets them prove they are the only ones who have it and can use it.
Encryption puts the encryption key holder in direct control of the secured data. Encryption allows organizations to decide who or what accesses data, when they access it, and how. The byproduct of this decision is clear and transparent data oversight which lets administrators assure the data’s integrity. When organizations control key access and monitor its usage, they in turn know about all of the changes to the data. More importantly from a compliance perspective, they have a verifiable record for regulators. Centralized key management systems comprehensively log encryption key usage to produce reports that give organizations a detailed data-centric view of their security.
Secure Data Collaboration
Organizations can use encryption to ensure that data remains isolated in multi-tenant environments. Administrators have the ability to use different encryption keys for each application/database/file server and user to limit which systems and data are accessible. Such a fine level of control gives security teams the flexibility to set up a framework of policy based access controls based on user privileges, job responsibilities, and data location in a highly collaborative environment without seriously impacting ongoing operations or reducing information availability.
Finally, encryption satisfies the diligence requirements put forth by the new era of data protection regulations. Many of these new standards articulate encryption as an approved method, precisely because it keeps data unreadable as it transfer from partner to partner until it is time for the data to be used. For these reasons, offering or requiring encryption as part of a contract will make the relationship compliant with new regulatory standards.
So how do financial institutions begin to assess their needs in order to prevent data from being stolen or accessed in the event of a breach?
Start by identifying where your most sensitive data assets reside in your on-premises data center and then move to your extended data center (cloud and virtual environments). Search your storage and file servers, applications, databases and virtual machines. Don’t overlook the traffic flowing across your network and between data centers. Once this data leaves the confines of your organization, you no longer have control over it.
Next, encrypt it. The promise of data encryption is probably familiar territory for you. However, the technological capability to encrypt data at scale, and in a centralized way that does not disrupt the flow of business, is a reality with today’s enterprise-ready solutions.
And don’t forget the keys. By managing and storing your keys centrally, yet separate from the data, you can maintain ownership and control and streamline your encryption infrastructure for auditing and control.
Finally, implement access control and two-factor authentication to control access for folks accessing the wrong data within your network.
If you are ready to evaluate the safety of your most important asset, your data, and stay off the front page, download our Web Application Security Toolkit.