Financial Institutions

Managing assets and staying ahead of the competition while meeting regulatory obligations is a burden every company in the financial services industry carries.

CHALLENGE

Financial services firms, banking institutions, and credit unions (“financial institutions”) face a mix of compliance obligations, IT operational challenges (risk), and cyber threats. To secure these organizations effectively, you must understand how those pressures and other business drivers shape their overall risk footprint.


To get a handle on the pressures, you must examine how the existing or emerging technology portfolios can address the issues outlined above and, ultimately, how technology impacts your overall organization. You need to decide if your organization is there to serve the technology – or if the technology is there to serve your organization.


Specific concerns include:

  • Segmenting payment systems such as SWIFT and ACH transfers.
  • Ensuring that the infrastructure can evolve to support new types of compute and public cloud providers.
  • Protecting cardholder data.
  • Preventing unauthorized lateral movement within the data center.
  • Meeting security standards.
  • Keeping pace with broader internal and external regulatory regimes on cybersecurity and privacy.

To solve these problems, there are a variety of inputs that need to be considered:

  • Cost and limitations of existing technologies such as networking (including SDN). Financial institutions increasingly realize that using networking and SDN for fine-grained micro-segmentation inside the data center is expensive. Consider the time and expense of upgrading an entire network infrastructure. An upgraded network may still not be fit for purpose given emerging forms of compute (e.g., containers) and future adoption of public cloud.
  • Mitigating different types of attacks. Much has been written about sophisticated multi-stage attacks that focus on exfiltrating data, deploying ransomware, and disrupting critical services. Newer sophisticated attacks focus on altering or destroying data and are much more difficult to detect until after the fact. One lens through which to view these attacks is the MITRE ATT&CK framework.
  • Keeping up with security standards and regulatory regimes. Regulatory standards like PCI-DSS, SWIFT, and GDPR continue to evolve, and new regulations like PSD2 require constant awareness of, and mitigation for, changes in your attack surface.
  • Digital transformation and cloud-first initiatives. Financial institutions are continuously under pressure to develop new products and services, acquire new businesses and technologies, and open up APIs to third parties. These developments potentially create new attack vectors. You need to determine whether the existing infrastructure can effectively segment critical applications and prevent malicious actors from moving inside these new compute environments.

Solution

Attackers employ multiple techniques to reach their goal. For example, they often compromise a low-value asset to gain a beachhead within a bank. According to NIST, it is best practice to assume that your systems have already been compromised, and the best course of action is to stop the lateral movement of a malicious actor. This mindset underscores the need for always-on visibility to map out connectivity within your data centers, and to use that traffic map to show bad actors’ potential attack pathways. You can then use segmentation to control and restrict lateral movement – effectively cutting down the surface area through which a bad actor can traverse the environment.


The Illumio Adaptive Security Platform® (ASP) offers financial services organizations the following benefits:


BUILD FOUNDATION OF ZERO TRUST SECURITY FOR COMPLIANCE

Financial institutions have compliance requirements (e.g., SWIFT/ACH, PCI DSS, and PSD2) and also have an urgent need to prevent bad actors from moving laterally inside the network. Zero Trust security is their strategy to get there, and micro-segmentation is a critical foundation. In Zero Trust security, organizations determine how transactions flow across the entire business ecosystem and how users and other systems access applications, services, and data. They then create micro-perimeters around dependent applications, services, and other resources, apply granular policies and controls, and continuously monitor for any suspicious behavior or anomaly: the tell-tale signs of an intrusion.


Illumio enables Zero Trust compliance with:

  • Application dependency mapping (Illumination), which provides workload and user visibility.
  • Continuous monitoring, which turns every host in your data center and public cloud into a point of visibility and a sensor that detects unauthorized connection attempts and policy deviations.
  • Policy Generator, which creates the relevant micro-segmentation policies based on context about the environment, workload, and processes.
  • Adaptive user segmentation, which controls user connectivity to managed workloads in Zero Trust environments.
  • Vulnerability maps, which overlay third-party vulnerability scan data and use this information to determine patching strategy and to apply micro-segmentation as a compensating control.
  • RBAC, which enables fine-grained segregation of duties across application owners, security, compliance/audit, and infrastructure teams.
  • Explorer, which monitors, detects, and investigates anomalous connections and failed connection attempts.
  • Explorer, which collects evidence data for security incident response, compliance testing, and auditing.
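The approach described in the Solution section (map observed connectivity, then flag connections that fall outside an approved segmentation policy) and the continuous-monitoring and Explorer bullets above can be illustrated with a small script. The following is an added example, not Illumio code and not a use of the Illumio API; the workload labels, the flow log, and the policy are all constructed for the example, and the label scheme (application, environment, role) is an assumption made here.

```python
"""Build a labelled application dependency map from host-level flow records and
flag connections that no approved policy edge permits.
Added example for this page; not Illumio code and not the Illumio API.
Workload labels, flow lines, and the policy below are constructed."""
from collections import defaultdict

# Constructed inventory: IP -> (application, environment, role).
WORKLOADS = {
    "10.1.0.10": ("web", "prod", "frontend"),
    "10.1.0.20": ("web", "prod", "frontend"),
    "10.1.1.10": ("payments", "prod", "app"),
    "10.1.2.10": ("payments", "prod", "db"),      # holds cardholder data
    "10.1.3.10": ("reporting", "prod", "app"),
    "10.9.0.5": ("jumpbox", "dev", "util"),
}

# Constructed flow log captured at the hosts: "src dst dport proto" per line.
FLOW_LOG = """\
10.1.0.10 10.1.1.10 8443 tcp
10.1.0.20 10.1.1.10 8443 tcp
10.1.1.10 10.1.2.10 5432 tcp
10.1.3.10 10.1.2.10 5432 tcp
10.9.0.5 10.1.2.10 22 tcp
"""

# Approved edges between labelled groups: (src (app, role), dst (app, role), port, proto).
POLICY = {
    (("web", "frontend"), ("payments", "app"), 8443, "tcp"),
    (("payments", "app"), ("payments", "db"), 5432, "tcp"),
}


def parse_flows(text):
    """Return a list of (src, dst, dport, proto) tuples from the flow log."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        flows.append((src, dst, int(dport), proto.lower()))
    return flows


def label(ip):
    """Return the (app, role) label of a workload; unknown hosts get a sentinel label."""
    app, _env, role = WORKLOADS.get(ip, ("unknown", "unknown", "unknown"))
    return (app, role)


def build_dependency_map(flows):
    """Aggregate individual flows into a map keyed by labelled (src, dst) group pairs,
    each holding the set of (port, proto) services observed between the groups."""
    dep = defaultdict(set)
    for src, dst, dport, proto in flows:
        dep[(label(src), label(dst))].add((dport, proto))
    return dict(dep)


def find_deviations(flows, policy):
    """Return flows that no policy edge permits. In a monitoring phase these are
    alerted on; once the policy is enforced they would be blocked."""
    return [
        (src, dst, dport, proto)
        for src, dst, dport, proto in flows
        if (label(src), label(dst), dport, proto) not in policy
    ]


def deviations_into_group(flows, policy, app, role):
    """Narrow deviations to those reaching one protected group, e.g. the cardholder-data database."""
    return [f for f in find_deviations(flows, policy) if label(f[1]) == (app, role)]


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for edge, services in build_dependency_map(flows).items():
        print(edge, sorted(services))
    for flow in find_deviations(flows, POLICY):
        print("deviation:", flow)
```

Run as a script, it prints the four labelled edges in the map and the two flows that the policy does not cover: the reporting application reading the payments database directly, and a development jumpbox opening SSH to it. Both are exactly the kind of connection a financial institution would want surfaced before moving from monitoring into enforcement.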


REAL-TIME VISIBILITY VIA ILLUMINATION APPLICATION DEPENDENCY MAPS

Understanding the applications, workloads, and their dependencies is a critical first step to understanding a financial institution’s attack surface and developing the relevant security segmentation policies.

Illumination application dependency mapping offers the following benefits:

  • Build the strategic map a Zero Trust program starts from.
  • Gain real-time visibility into applications, their behavior, and their interdependencies, and enable application baselining to detect anomalous behavior.
  • Enable security policy modeling with visual feedback prior to enforcement, which ensures you don’t break applications.
  • Enable targeted monitoring of policies – a vital step before moving into enforcement – to ensure previously unseen connections are alerted on rather than dropped.
  • Validate that authorized third-party users and systems connect only to internal systems that are in scope for the supplier relationship.

Learn more about Illumination and application dependency maps.

ENABLE MICRO-SEGMENTATION ACROSS HETEROGENEOUS ENVIRONMENTS



Segmentation projects are critical to protecting applications in complex and dynamic environments. Modern data centers consist of applications that run on bare-metal and virtualized operating systems and in containers, in public and private cloud instances. Many of the most critical applications run on older operating systems. To ensure resiliency for critical applications, operations teams stripe workloads across data centers so that a data center failure does not impact application availability or assets under management.


Financial institutions have a strong incentive to choose the right micro-segmentation strategy: choosing wrongly can leave the institution acting as an integrator, forced to make disparate solutions work together and to carry the resulting management complexity. Illumio ASP enables financial institutions to design and enable a micro-segmentation strategy that fits their current data center architectures and future-proofs their segmentation.


Illumio ASP offers the following benefits:

  • Centralized policy management that programs micro-segmentation rules across bare-metal servers, virtual machines, public and private clouds, containerized hosts, load balancers, and switches.
  • Policy Generator, which automatically suggests policies based on the application dependency maps.
  • Tunable granularity, from coarse-grained segmentation to nano-segmentation, based on contextual information about the workload environment.
  • Protection of high-value assets from unauthorized connections from unmanaged workloads such as endpoint devices, by programming the ACLs in switches.
  • Segmentation policies that automatically follow the workload when it is moved or its environment changes.



USE NATIVE ENFORCEMENT POINTS YOU ALREADY HAVE



Financial institutions use networking, data center firewalls, and software-defined networking (SDN) to prevent malicious actors from traversing the network and to demonstrate compliance with environmental separation requirements. However, this approach is expensive because:

  • Managing VLANs and Layer 3/Layer 4 data center firewall rules at scale and in highly dynamic environments presents significant management and cost overheads.
  • VLANs and switches have limited context about the workload, applications, and processes running on the workloads to determine if the connections and flows are legitimate and should be allowed.
  • SDNs also have limited visibility when data centers are a mix of bare-metal, VMs, and public and private clouds, and are moving into containers.
  • Organizations cannot install SDNs or data center firewalls in a public cloud, so migrating applications to these environments will require an entire infrastructure overhaul.

With Illumio ASP, you can use existing infrastructure investments to enable micro-segmentation for security, instead of having to re-architect your environment and introduce more networking infrastructure and data center firewalls. By programming the Layer 3/Layer 4 firewalls native to each host operating system, the organization eliminates that cost and management overhead.


Illumio ASP optimizes policies and programs rules for the following enforcement points:

  • Layer 3/Layer 4 firewalls in the host OS: Windows Filtering Platform (WFP) for Windows, iptables for Linux, and IPFILTER for AIX/Solaris.
  • ACLs on the following:
    • Load balancers (F5) and switches (Arista)
    • Containerized hosts
    • Cloud security groups (AWS Security Groups and Azure Security Groups)
  • SecureConnect, which programs IPsec connectivity between Linux or Windows workloads to enable secure, encrypted communications without requiring any changes or upgrades to the existing network infrastructure, across private data centers or public clouds (AWS, Azure, Google Cloud, Rackspace).
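The idea of using the host’s own firewall as the enforcement point, together with the earlier point that policies should first run in a monitoring mode where unseen connections are alerted on rather than dropped, can be shown by rendering one inbound allow-list into the native rule syntax of two host firewalls. The following is an added example written for this page; it is not Illumio code and does not reflect how Illumio programs WFP, iptables, or IPFILTER. The policy entries, addresses, rule names, and the log prefix are constructed, and the two-mode (monitor/enforce) layout is an assumption of the example.

```python
"""Render one inbound allow-list policy into iptables (Linux) and
netsh advfirewall (Windows) commands, in monitor or enforce mode.
Added example for this page; not Illumio code and not how Illumio
programs host firewalls. Policy, addresses and names are constructed."""

# Constructed inbound policy for a payments database host:
# (rule name, remote source CIDR, protocol, local port).
DB_INBOUND_POLICY = [
    ("payments-app-to-db", "10.1.1.0/24", "tcp", 5432),
    ("monitoring-to-db", "10.1.4.10/32", "tcp", 9100),
]

MODES = ("monitor", "enforce")


def _check_mode(mode):
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")


def iptables_rules(policy, mode="enforce"):
    """Return iptables commands for the INPUT chain: allow loopback and
    established traffic, allow each policy entry, log any other new
    connection, and in enforce mode make DROP the chain's default policy."""
    _check_mode(mode)
    rules = [
        "iptables -P INPUT ACCEPT",   # keep access open while the chain is rebuilt
        "iptables -F INPUT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for name, src, proto, port in policy:
        rules.append(
            f"iptables -A INPUT -s {src} -p {proto} --dport {port} "
            f"-m conntrack --ctstate NEW -m comment --comment {name} -j ACCEPT"
        )
    # Anything not on the allow-list is logged; the prefix is a constructed marker.
    rules.append(
        'iptables -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "SEG-UNSEEN: "'
    )
    if mode == "enforce":
        rules.append("iptables -P INPUT DROP")   # unseen connections are now dropped
    return rules


def netsh_rules(policy, mode="enforce"):
    """Return netsh advfirewall commands expressing the same policy on Windows:
    one allow rule per entry, then a default inbound block (enforce) or a
    default allow with logging of allowed connections (monitor)."""
    _check_mode(mode)
    rules = [
        f'netsh advfirewall firewall add rule name="{name}" dir=in action=allow '
        f"protocol={proto.upper()} localport={port} remoteip={src}"
        for name, src, proto, port in policy
    ]
    if mode == "enforce":
        rules.append("netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound")
        rules.append("netsh advfirewall set allprofiles logging droppedconnections enable")
    else:
        rules.append("netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound")
        rules.append("netsh advfirewall set allprofiles logging allowedconnections enable")
    return rules


RENDERERS = {"linux": iptables_rules, "windows": netsh_rules}


def render_for_host(os_name, policy, mode="enforce"):
    """Pick the native enforcement point for a host by OS and render the policy for it."""
    try:
        return RENDERERS[os_name](policy, mode)
    except KeyError:
        raise ValueError(f"no renderer for OS {os_name!r}") from None


if __name__ == "__main__":
    for os_name in RENDERERS:
        for mode in MODES:
            print(f"# {os_name} / {mode}")
            print("\n".join(render_for_host(os_name, DB_INBOUND_POLICY, mode)))
```

The same two-entry policy yields different command sets per host, which is the point of a central policy with native enforcement: the operator maintains the allow-list once and the host-specific syntax is derived from it. Running in monitor mode first means the log entries, not dropped packets, reveal any dependency the map missed.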
