Zero Trust for Financial Services: The Missing Piece

Financial services organizations struggle to make sense of Zero Trust security on the journey to cloud services. To start, they are often stuck between a rock and a hard place: caught between the ever-changing digital demands of customers and compliance with state and federal regulations. And when you add in organizational digital transformation initiatives, like moving to the cloud, accountability to prevent security incidents while conducting traditional identity management responsibilities can easily overwhelm security teams. 

CIOs and other leaders of financial services organizations find themselves with a jumbled mess of initiatives at their doorstep: needing to save money, increase security, and make end users happier. Many are feeling pressured to take on cloud initiatives, looking to reduce infrastructure costs and mitigate operational risk with enterprise-grade uptime and reliability. This reasoning is sound—SaaS solutions are often going to deliver value while allowing for flexibility in terms of offering the most services to employees, partners, and customers while lowering your organization’s overall risk posture.

Staying grounded in Zero Trust principles, however, and specifically leading your organization’s Zero Trust journey with identity, will not only increase your organization's security posture, it will also make digital transformation easier. 

Zero Trust, a modern security paradigm, is built around the principle of “never trust, always verify.” Or as Evan Gilman & Doug Barth say in their O’Reilly book Zero Trust Networks: “In the [Zero Trust] model, nothing is taken for granted, and every single access request – whether it be made by a client in a coffee shop or a server in the datacenter – is rigorously checked and proven to be authorized.” 

The idea that every single access request needs to be explicitly evaluated is particularly relevant to financial services organizations given heavy regulations around data protection and costly consequences to organizations that fail to protect their customers’ personal identifiable information and financial resources. Zero Trust literature is often centered around the concept of “the perimeter,” the simple idea that a perimeter-centric network approach to security won’t adequately protect your organization from internal, lateral attacks. 

Put differently, historical network access control relies on a castle-and-moat model, where your organization’s resources are the castle, and your network is the moat preventing bad actors from accessing the castle grounds. In this model, once users get past the moat, they have free rein inside castle grounds, which opens up the possibility for all kinds of internal and lateral attacks along with the security, reputational, and cost harms that accompany them.

Old security paradigms like Network Access Control rely on this castle-and-moat model, which cannot adequately secure organizational resources or provide the level of policy rigor necessary to evaluate access requests without knowing who is making the request. 

Just because Network Access Control isn’t the whole picture, however, doesn't mean that working towards a Zero Trust Architecture for your organization is impossible. As Gilman and Barth say, authorization is the missing piece of many financial services organizations' Zero Trust solutions. Authenticating users when requesting access to a network or specific application is an important and necessary part of security, but your organization needs to authorize each access request to truly align with Zero Trust best practices. 

You can’t trust who you don’t know. When Network Access Control can no longer be a guiding security paradigm and you need authentication and authorization services to get the level of security needed for your organization, identity is what you’re left with. 

Digital identity is the only way to verify users, authenticate every access request, and authorize post-authentication requests to ensure only the right people are accessing the right resources. Identification and authentication are just the first steps of the user journey: authorization dictates every access request after that. 

Zero Trust principles demand that you continuously authorize users appropriately when employees, partners, and customers try to access sensitive resources. Authorization allows for the evaluation of risk signals in real time after the point of authentication and across the full user session. 

Continuous authorization means that when real-time context changes, you are able to change the authorization, requiring a challenge or removing access when necessary, even if it may have previously been granted. This enables better decisioning around access requests, regardless of when they arise in a user’s journey. 

Without authorization capabilities, however segmented or modern your firewall is, it won’t give your team the tools to apply friction where appropriate in user journeys and deny access altogether when necessary. Leading Zero Trust initiatives with identity lets you rigorously check that users are both authenticated appropriately and authorized to access requested resources and perform requested actions.

1. Identity Accelerates Digital Transformation

In the last few years, financial services organizations have had to update policies for workers, partners, and customers to meet all parties’ needs, including remote work, increased regulatory scrutiny, and evolving customer experience demands. Your organization has likely had to transform procedures and digital assets to meet some of these challenges.

When you lead Zero Trust initiatives with identity, you have the foundation to make other business initiatives a priority. For example, TIAA, a leading provider of financial services in academic, research, and medical fields, uses IAM capabilities to push the boundaries of what’s possible in security to deliver better customer experiences. Identity gives TIAA the ability to secure user journeys by evaluating user risk signals during access requests to streamline and personalize customer experiences.

2. Identity Enables Authorization

Protecting access to data is crucial for employees, partners, and customers. Authorization is the only way to get the level of granular control needed to fulfill access requests in a way that protects your organization from internal, lateral attacks.

Authorization efforts that lead with identity unlock Attribute-based Access Control (ABAC), which is a flexible approach to authorization decisions, using additional information (attributes) to inform policy decisions. Attributes can include properties like risk and context-based signals, user attributes, resource attributes, and environmental attributes (like access time, date, and location) to ultimately better inform access request decisioning. Using attributes to inform authorization decisioning augments course, network-based access controls and ultimately gives your security team more management control.

Identity also gives you the ability to dynamically evaluate a user’s access request. Dynamic authorization is the real-time enforcement of the fine-grained business logic around what users can see and do, in what context, and for what purpose. Dynamic authorization enables financial services organizations’ fraud teams to aggregate risk signals from across the organization to craft policies and determine user journeys for different individual trust levels. 

The ability to check the level of risk associated with a user and their session context in real time allows organizations to get ahead of emerging threat trends to constantly adapt user experiences to the appropriate trust level. Externalizing and centralizing access policies along with enforcement also facilitates scalability in a rapidly changing world of privacy requirements and business drivers. Learn more about specific ways financial services architects embrace dynamic authorization to support their financial services organization. 

3. Identity Makes Integration and Alignment Easier

Zero Trust isn’t a one-vendor solution; and it’s not a single product either. Financial services organizations need the ability to integrate identity solutions into their existing technology stack so they don’t have to rip and replace existing architecture, stalling other digital transformation initiatives. A standards-based identity solution gives you the integration needed to enhance and extend your existing technology stack, while also allowing you to build an identity hub, an identity foundation that ensures that your existing applications, wherever they are deployed, can communicate and accomplish what’s needed for your teams and end customers.

With an identity hub, all your personnel, including your security, fraud, and incident response teams, can play from the same playbook. This creates organizational alignment, making problems easier to tackle and enabling you to respond to issues quickly and efficiently. Having an identity hub means that your teams are no longer separately tied to IT release schedules or working off of an incomplete view of employees, partners, and customers. Instead, they have access to a singular view of user attributes, allowing them to effectively secure resources, proactively spot threats, and quickly respond to incidents.

Your financial services organization’s Zero Trust initiatives and digital transformation initiatives can happen simultaneously. Zero Trust as a paradigm is fundamentally about embedding security into your tech stack, instead of just layering it on top, to properly establish trust and unlock secure experiences for your employees, partners, and customers. Identity enables a robust Zero Trust framework that gives you and your team the ability to apply the appropriate amount of friction for all user journeys when it makes sense, all while complying with tricky federal regulations, to meet the digital transformation goals of your team.

To learn more about how identity can benefit your organization, check out our IAM Solutions for Financial Services solutions brief.