Financial Institutions Must Protect the Data Like They Protect the Money
If you are like most people, including me, you do not walk into a bank and talk to a teller when you make a deposit or withdrawal. You probably do not write and sign paper checks. You have an app on your phone to access your bank account, and you use one of the thousands of automated teller machines (ATMs) around the world to move money in and out of your accounts.
The financial world is very different with the advent of the internet and near real-time information. Gone is the time when Frank Abagnale Jr. (as played by Leonardo DiCaprio) could forge checks and cash them at banks around the country. Today’s verification systems flag the bad check immediately through online record matching. All of this information flying between branches and banks over the network depends on security technologies to protect the money as well as the personal information tied to every bank account and transaction.
Financial institutions have a responsibility to protect sensitive information on their systems and through their networks. The business must protect the data at rest, the data in transit, and the systems holding and transmitting the data.
Data at rest
Encryption algorithms and hashes are used to obscure the data within the applications and databases. There are many methods to protect the databases varying from field level encryption to solutions that encrypt the entire database. The method used often depends on the application requirements and how often individual records within the database are being updated.
All financial and personal information within these databases is vulnerable. Encryption protects the data even if the database itself is stolen by a malicious person: without the proper key or credentials, the thief cannot decipher its contents.
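As an added example, not code from the original post or from any database vendor, the field-level approach this section describes, written in Go with the standard library's AES-256-GCM: the sensitive column is stored as ciphertext while the row identifier stays in the clear for lookups, and the row identifier and column name are bound into the authenticated data so a ciphertext lifted from one customer's row cannot be decrypted in another's. The customer identifiers, column names and account number are constructed for the demonstration; the key would normally come from an HSM or KMS rather than being generated in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Key is a 256-bit AES key. In production it lives in an HSM or KMS and is
// never stored beside the database; NewKey draws one from the OS for the demo.
type Key []byte

func NewKey() (Key, error) {
	k := make(Key, 32)
	_, err := rand.Read(k)
	return k, err
}

// aad binds a ciphertext to the row and column it was written for, so a
// value copied into another customer's row or another column fails the
// GCM tag check instead of decrypting.
func aad(recordID, column string) []byte {
	return []byte(recordID + "\x00" + column)
}

func newGCM(k Key) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField stores one cell as base64(nonce || ciphertext || tag).
func EncryptField(k Key, recordID, column, plaintext string) (string, error) {
	gcm, err := newGCM(k)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit nonce per cell
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), aad(recordID, column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField; a wrong key, row, column or a
// modified byte produces an error rather than garbage plaintext.
func DecryptField(k Key, recordID, column, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(k)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(ct) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:n], ct[n:], aad(recordID, column))
	if err != nil {
		return "", fmt.Errorf("%s.%s: %w", recordID, column, err)
	}
	return string(pt), nil
}

// Row is one record as it sits in the table: the identifier and a name
// stay in the clear for lookups, the account column holds ciphertext.
type Row struct {
	ID, Name, Account string
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real customer data.
	enc, _ := EncryptField(key, "cust-1001", "account_number", "1234567890")
	row := Row{ID: "cust-1001", Name: "A. Customer", Account: enc}
	fmt.Printf("stored row: %+v\n", row)
	pt, err := DecryptField(key, row.ID, "account_number", row.Account)
	fmt.Println("decrypted in place:", pt, err)
	_, err = DecryptField(key, "cust-2002", "account_number", row.Account)
	fmt.Println("same ciphertext moved to another row:", err)
}
```

Because each cell carries its own nonce and tag, records can be updated one at a time without re-encrypting the table, which is the property that makes field-level encryption a fit for frequently changing rows; the trade-off is that the encrypted column can no longer be indexed or searched directly.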
Data in transit
For the past 20 years, SSL/TLS has been the encryption standard for communications over the network. The algorithms used to encrypt the data have advanced as computing technology has improved. Today, the internet relies on the RSA algorithm with 2048-bit (2K) keys to secure data on the network. Elliptic curve cryptography (ECC) is emerging as a new standard, with 256-bit keys, to address the advances in computing power.
The encryption standards and keys are important because the data is most vulnerable when it is in transit. The original data is often unencrypted so it is important for the network transport protocol to provide security and encryption. This is like taking a valuable item out of the secure vault and transporting it within a protected armored car to the destination, hopefully another vault. SSL/TLS is the armored car for the internet.
Systems accessing data
The data is not the only concern for financial institutions. They also need to be concerned with the applications and tools that have access to the data. If the vault is compromised, it does not matter how strong or secure the armored car is. This is most likely what happened in the recent Equifax case: the company used an application with a vulnerability that the hackers exploited to access the data.
Businesses often assume that the applications accessing the data are secure. There are two problems with this assumption. First, as the Equifax case showed, the application may not be secure: software has vulnerabilities that can be exploited to access sensitive information, so applications need to be validated through a process that ensures they are secure.
The second problem is that people access the data through the applications. People are the weakest link in the security chain. They can accidentally share their credentials, download malware, or expose sensitive data. Policies and security technologies need to be implemented to minimize the potential negative impact of an inadvertent or intentional mistake that a person makes.
Inspecting and securing the data
The application delivery controller (ADC) provides three key functions to secure the data within the financial institution. As a reverse proxy or load balancer, the ADC is a key network component to make the application data available and secure.
The ADC is the SSL/TLS termination point for the network communications. It needs to offer high-performance encryption and decryption while supporting today’s RSA encryption standard and tomorrow’s ECC algorithms. Over 50% of the internet is encrypted today, and the share of financial services traffic is assumed to be higher because of its sensitivity.
Inbound SSL inspection solutions are necessary to protect the applications from threats. As the encryption termination point, the ADC can steer the decrypted content to different security solutions to inspect the traffic before it reaches the application. Financial institutions may use web application firewalls (WAF), next generation firewalls, intrusion prevention systems (IPS), and/or data loss prevention (DLP) technologies to protect their applications and servers.
Finally, the ADC provides outbound SSL inspection capabilities to protect the people from the internet threats. Outbound SSL inspection solutions decrypt and steer traffic between the users and the internet to security solutions. The security solutions look for malware, phishing sites, and other internet threats to protect the users and their internal systems.
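As an added example, not code from the original post or from any ADC vendor, the following Go program plays the ADC role described in this section and in the data-in-transit section above: it presents a self-signed ECDSA P-256 certificate (the 256-bit ECC key the transit section mentions), refuses anything below TLS 1.2, runs an inbound inspection rule on the decrypted request, and forwards clean requests in plaintext to the backend application, so the application never handles TLS itself. The hostname adc.example.test, the path allow-list and the two sample requests are constructed for the demonstration; the allow-list regexp is a stand-in for the WAF, IPS or DLP engine a real deployment would steer traffic to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"regexp"
	"time"
)

// selfSignedCert makes a throwaway ECDSA P-256 certificate for 127.0.0.1
// (constructed for this example; a real ADC presents a CA-issued one).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "adc.example.test"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// allowedPath stands in for the WAF/IPS the ADC steers decrypted requests to:
// a positive model that admits only plain account paths, so dot segments and
// encoded or special characters are refused before they reach the application.
var allowedPath = regexp.MustCompile(`^/[A-Za-z0-9_/-]*$`)

// newADC starts a TLS-terminating reverse proxy in front of backend.
func newADC(backend *url.URL, cert tls.Certificate) *httptest.Server {
	proxy := httputil.NewSingleHostReverseProxy(backend) // plaintext hop to the app
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedPath.MatchString(r.URL.Path) { // inspection sees decrypted data
			http.Error(w, "blocked by inspection", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	})
	srv := httptest.NewUnstartedServer(h)
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // refuse SSL and early TLS versions
	}
	srv.StartTLS()
	return srv
}

// Result records what a client saw through the ADC.
type Result struct {
	AllowedStatus, BlockedStatus int
	TLSVersion                   uint16
	Cipher, KeyAlgorithm         string
}

// RunDemo wires backend, ADC and client together and reports the outcome.
func RunDemo() (Result, error) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "backend handled %s", r.URL.Path)
	}))
	defer backend.Close()
	backendURL, _ := url.Parse(backend.URL)
	cert, err := selfSignedCert()
	if err != nil {
		return Result{}, err
	}
	adc := newADC(backendURL, cert)
	defer adc.Close()
	client := adc.Client() // trusts only the ADC's certificate
	ok, err1 := client.Get(adc.URL + "/accounts/balance")
	bad, err2 := client.Get(adc.URL + "/accounts/../internal") // dot segment
	if err1 != nil || err2 != nil {
		return Result{}, fmt.Errorf("requests failed: %v / %v", err1, err2)
	}
	ok.Body.Close()
	bad.Body.Close()
	return Result{ok.StatusCode, bad.StatusCode, ok.TLS.Version,
		tls.CipherSuiteName(ok.TLS.CipherSuite), adc.Certificate().PublicKeyAlgorithm.String()}, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The handler is the steering point: whatever replaces the allow-list check sees the request after decryption and before the application, which is exactly the position the section assigns to the ADC. Outbound inspection is the same proxy run in the other direction, with the ADC presenting certificates from an internal CA to the users' browsers so that it can decrypt their traffic to the internet; that direction is not shown here.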
Financial data is sensitive, and if it is exposed it has the potential to affect every single person. All businesses involved in the financial services industry must do their due diligence and ensure that appropriate architectures and solutions are put in place to protect the information that they manage. It is almost impossible to do too much to protect this information. If they do not take a fresh look at their security policies and practices, the Equifax breach may be the tip of the iceberg.