Financial firms have long been a prime target for cyber attackers looking to compromise and exploit sensitive data. From bank account and credit card numbers to customer login credentials, a wealth of highly coveted data assets are potentially exposed, visible, and exploitable by any number of malicious actors or groups across the globe. With factors such as accelerated cloud adoption, the shift to remote work, and the ubiquity of mobile devices, enterprise IT’s risk landscape has never been more complex and rife with threats to data security.
Considering this new normal, enterprises are overhauling their traditional IT security approaches in response to their expanded attack surfaces and the growing sophistication of cyber threats.
This article explores one of the leading frameworks powering such efforts—the Zero Trust security model—and explains why forward-thinking organizations, like Akoya, are adopting the framework to protect their infrastructures against digital threats today and in the future.
The Problem with Traditional IT Security
According to a recent report by Duke University/CFO Magazine Global Business Outlook, over 80% of U.S. companies have been successfully hacked in attempts to steal, alter, or expose data. Additionally, most data breaches are caused by insider threat events, whether unintentional or planned with malicious intent. These statistics illustrate the complex and daunting security challenge that firms face today: how can organizations protect their data if they’ve already been breached by threats that most likely come from within?
The answer is Zero Trust, a security framework that allows organizations to protect themselves from both internal and external threats by removing explicit trust in the network or in users themselves. Traditional security approaches focus on controlling access to resources (e.g., data, applications, networks), with the assumption that entities are inherently trusted if they’ve gained access to the network and/or environment.
However, this approach is fundamentally flawed and no longer effective when applied to today’s cloud environments and remote workforce. Gone are the days when security was relegated to the networks and IT/data assets sitting behind a corporate firewall. In today’s IT environments, every device, user, and application should be treated as potentially hostile, with no entities granted access without the proper credentials or authorization.
Zero Trust addresses these issues with traditional IT security by bringing security controls closer to the protected assets themselves, with the assumption that a data breach will eventually occur, if it has not already. For example, by making extensive use of data encryption and tokenizing sensitive data (e.g., account numbers), organizations are better positioned to protect against threat actors, both internal and external.
Principles of Least Privilege & Need to Know
The Principles of Least Privilege and Need to Know are central pillars of the Zero Trust security model. They prescribe the following measures to reduce risk in today’s complex IT environments:
- An entity (e.g., user, device, application) should be given only those privileges needed for it to complete its task—if a certain access type is not required, it should not be granted
- An entity should only be given access to the data required for its job function
For example, access to resources per traditional security models is typically gated at the firewall, with further restrictions applied after the entity has been authenticated and allowed into a secure perimeter. Zero Trust enhances and bolsters cyber resilience by requiring authentication for every action performed either within or outside the organization’s network. Furthermore, extensive use of encryption ensures that, even if compromised, data is unusable and worthless to cyber attackers.
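The sketch below is an added example, not Akoya's code: it shows a deny-by-default check that authenticates every action, grants only the listed privileges, and returns only need-to-know fields with the account number tokenized. The entity names, policy, keys, and record are constructed assumptions, and the keyed hash is a stand-in for a real tokenization service.

```python
import hashlib
import hmac

# Constructed sample policy: each entity holds only the actions and fields its task needs.
POLICY = {
    "statement-service": {"actions": {"read_balance"}, "fields": {"account_token", "balance"}},
    "support-agent": {"actions": {"read_profile"}, "fields": {"account_token", "name"}},
}
# Constructed demo secrets; a real deployment would use a secrets manager or mTLS identities.
CREDENTIALS = {"statement-service": b"demo-key-1", "support-agent": b"demo-key-2"}
TOKEN_KEY = b"demo-tokenization-key"
# Constructed sample record.
RECORD = {"account_number": "1234567890", "name": "A. Customer", "balance": 1520.75}


def tokenize(account_number: str) -> str:
    """Return a keyed, non-reversible stand-in for the account number."""
    digest = hmac.new(TOKEN_KEY, account_number.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def sign(entity: str, action: str, key: bytes) -> str:
    """Per-action credential. A production scheme would also bind a nonce and timestamp."""
    return hmac.new(key, f"{entity}|{action}".encode(), hashlib.sha256).hexdigest()


def authorize(entity: str, action: str, signature: str, record: dict) -> dict:
    """Authenticate and authorize one action, then return only need-to-know fields."""
    key = CREDENTIALS.get(entity)
    expected = sign(entity, action, key) if key else ""
    # Every action is authenticated, regardless of where the caller sits on the network.
    if not key or not hmac.compare_digest(expected.encode(), signature.encode()):
        raise PermissionError("authentication failed")
    grant = POLICY.get(entity)
    # Least privilege: anything not explicitly granted is denied.
    if grant is None or action not in grant["actions"]:
        raise PermissionError("action not granted")
    # Need to know: swap the raw account number for a token, then filter fields.
    view = {k: v for k, v in record.items() if k != "account_number"}
    view["account_token"] = tokenize(record["account_number"])
    return {k: v for k, v in view.items() if k in grant["fields"]}


if __name__ == "__main__":
    sig = sign("statement-service", "read_balance", CREDENTIALS["statement-service"])
    print(authorize("statement-service", "read_balance", sig, RECORD))
```
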
How Akoya Has Implemented Zero Trust
The core of Akoya’s security efforts has always been about protecting customers’ data, and Zero Trust is instrumental in accomplishing this crucial objective. To promote a safer, more secure method for sharing financial data, Akoya has integrated Zero Trust across our organization—on a myriad of fronts. From the policies governing our internal development practices and processes supporting our Data Access Network (DAN), to encrypting all data traversing our DAN, not accessing or storing customer data, and tokenizing account numbers to protect customer data, we’ve placed the “assume breach” philosophy front-and-center.
For more information about Zero Trust, please refer to the NIST Zero Trust Architecture Framework, or read more about Akoya’s approach to security.