Many banks today still rely on a “castle-and-moat” approach—also known as “perimeter security”—to protect data from malicious attacks. Like medieval castles protected by stone walls, moats, and gates, banks that use perimeter security invest heavily in fortifying their network perimeters with firewalls, proxy servers, honeypots, and other intrusion prevention tools. Perimeter security guards the entry and exit points to the network by verifying the data packets and identity of users that enter and leave the organization’s network, and then assumes that activity inside the hardened perimeter is relatively safe.
Savvy financial institutions are now moving beyond this paradigm and employing a modern approach to cybersecurity—the Zero Trust model. The central tenet of a Zero Trust model is to trust no one—internal or external—by default and require strict verification of every person or device before granting access.
The castle’s perimeters continue to be important, but instead of just pouring more and more investment into stronger walls and wider moats, a Zero Trust model takes a more nuanced approach of managing access to the identities, data, and devices within the proverbial castle. So, whether an insider acts maliciously or carelessly, or veiled attackers make it through the castle walls, automatic access to data is not a given.
Limitations of a castle-and-moat approach
When it comes to safeguarding today’s enterprise digital estate, the castle-and-moat approach has critical limitations because the advent of cyberthreats has changed what it means to ward and protect. Large organizations, including banks, deal with dispersed networks of data and applications accessed by employees, customers, and partners onsite or online. This makes protecting the castle’s perimeters more difficult. And even if the moat is effective in keeping enemies out, it doesn’t do much for users with compromised identities or other insider threats that lurk within the castle walls.
The practices below are all sources of exposure and are common in banks that rely on a castle-and-moat approach to security:
- A single annual review of staff access rights to applications.
- Ambiguous and inconsistent access rights policies dependent on manager discretion and insufficient governance when staff moves occur.
- Overuse of administrative privileged accounts by IT.
- Customer data stored in multiple file shares and little idea who has access to it.
- Overreliance on passwords to authenticate users.
- Lack of data classification and reporting to understand what data is where.
- Frequent use of USB flash drives to transfer files that include highly sensitive data.
How a Zero Trust model empowers bankers and customers
The benefits of a Zero Trust approach have been well documented, and a growing number of real-world examples show that this approach could have prevented sophisticated cyberattacks. However, many banks today still adhere to practices that diverge from Zero Trust principles.
Adopting a Zero Trust model can help banks strengthen their security posture, so they can confidently support initiatives that give employees and customers more flexibility. For example, bank executives would like to untether their customer-facing employees—such as relationship managers and financial advisors—from their desks and meet clients outside bank premises. Today, many financial institutions support this geographic agility with analog tools like paper printouts or static views of their counsel. However, both bank employees and customers have come to expect a more dynamic experience using real-time data.
Banks that rely on a castle-and-moat approach to security are hesitant to disperse data outside the physical network. As such, their bankers and financial advisors can only tap the dynamic models of proven and disciplined investment strategies if their client meetings take place on bank premises.
Historically, it’s been cumbersome for bankers or financial advisors on the go to share real-time model updates or actively collaborate with other bankers or traders, at least not without VPNs. Yet, this agility is an important driver of sound investment decisions and customer satisfaction. A Zero Trust model enables a relationship manager or an analyst to harness insights from market data providers, synthesize with their own models, and dynamically work through different client scenarios whenever and wherever.
The good news is this is a new era of intelligent security—powered by the cloud and Zero Trust architecture—that can streamline and modernize security and compliance for banks.
Microsoft 365 helps transform bank security
With Microsoft 365, banks can make immediate steps towards a Zero Trust security by deploying three key strategies:
- Identity and authentication—First and foremost, banks need to ensure that users are who they say they are and give access according to their roles. With Azure Active Directory (Azure AD), banks can use single sign-on (SSO) to enable authenticated users to connect to apps from anywhere, enabling mobile employees to access resources securely without compromising their productivity.
Banks can also deploy strong authentication methods such as two-factor or passwordless Multi-Factor Authentication (MFA), which can reduce the risk of a breach by 99.9 percent. Microsoft Authenticator supports push notifications, one-time passcodes, and biometrics for any Azure AD connected app.
For Windows devices, bank employees can use Windows Hello, a secure and convenient facial recognition feature to sign in to devices. Finally, banks can use Azure AD Conditional Access to protect resources from suspicious requests by applying the appropriate access policies. Microsoft Intune and Azure AD work together to help make sure only managed and compliant devices can access Office 365 services including email and on-premises apps. Through Intune, you can also evaluate the compliance status of devices. The conditional access policy is enforced depending on the compliance status of the device at the time that the user tries to access data.
Conditional access illustration.
- Threat protection—With Microsoft 365, banks can also bolster their ability to protect, detect, and respond to attacks with Microsoft Threat Protection’s integrated and automated security. It leverages one of the world’s largest threat signals available from the Microsoft Intelligent Security Graph and advanced automation powered by artificial intelligence (AI) to enhance incident identification and response, enabling security teams to resolve threats accurately, efficiently, and promptly. The Microsoft 365 security center provides a centralized hub and specialized workspace to manage and take full advantage of Microsoft 365 intelligent security solutions for identity and access management, threat protection, information protection, and security management.
The Microsoft 365 security center.
- Information protection—While identity and devices are the primary vectors of vulnerability for cyberattacks, data is what cybercriminals ultimately want. With Microsoft Information Protection, banks can improve their protection of sensitive information—wherever it lives or travels. Microsoft 365 enables customers to 1) identify and classify their sensitive data; 2) apply flexible protection policies; and 3) monitor and remediate sensitive data at risk.
Example of a classification and protection scenario.
Simplify security management with Zero Trust
Microsoft 365 helps simplify the management of security in a modern Zero Trust architecture, leveraging the visibility, scale, and intelligence necessary to combat cybercrime.
10 tips for enabling Zero Trust security
Widespread adoption of public cloud services and the growth of a mobile workforce have rendered perimeter-based security models obsolete.Read more
As you consider how to safeguard your modern “castle,” a Zero Trust environment is optimal for modern cybersecurity threats. A Zero Trust environment requires up-to-the-minute oversight of who is accessing what, where, and when—and whether they should even have access.
Microsoft 365 security and compliance capabilities help organizations verify before they trust a user or device. Microsoft 365 also offers a complete teamwork and productivity solution. Altogether, Microsoft 365 provides a comprehensive solution to help bank executives focus on customers and innovation.