To overcome compliance challenges, financial institutions must look beyond ZTNA

Originally published on Security Magazine

Corporate compliance functions at today’s leading financial institutions are dealing with a massive sea change. The embrace of new technologies and the roll out of a seemingly endless stream of new digital services are making it difficult for compliance teams to adjust their policies and procedures accordingly. The burden of this change is compounded by growing regulatory complexity around these new digital services, as well as mounting data privacy concerns, heightened cybersecurity risks and ever-higher customer expectations.

Today, cybersecurity finds itself at the center of overall compliance enforcement and adherence. This is universally true for today’s most relevant and wide-reaching regulations being applied to the financial sector like the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), or the New York Department of Financial Services (NYDFS). From a cybersecurity standpoint, these regulations and agencies are concerned with protecting and restricting access to personal identifiable information (PII), corporate financials and other sensitive data maintained by financial institutions. Cybersecurity represents a means to an end as far as these regulations are concerned — it is ultimately how banks, financial services companies, insurance carriers, etc. protect their data and remain compliant.

Of course, the meat of what cybersecurity actually does here, and the specific technologies that are leveraged to meet these compliance requirements, are much more complex than that.

Controlling access & the emergence of Zero Trust

When it comes to controlling access to data, financial institutions have long relied on Network Access Control (NAC) — a tried and true technology that manages the configuration and enforcement of authentication, access control, risk mitigation, and compliance enforcement policies across the corporate network. This mature toolset has stood the test of time, but in recent years has faced growing scrutiny for its lack of flexibility in the wake of remote and hybrid work policies, the proliferation of new device types (think personal devices and IoT), the rapid adoption of enterprise cloud applications — all of which have extended the network outward and simultaneously increased every company’s threat surface.

With the COVID-19 pandemic, it seemed that the reliance on the physical corporate network was coming into question. This trend, along with those aforementioned, would help accelerate the popularization of a new, more stringent approach to security: zero trust. Zero trust promised financial institutions relief from their security compliance concerns. The concept’s “never trust, always verify” mantra represented a sort of security holy grail — where no unauthorized individual could gain access to data on a network or application in use across an organization.

Zero Trust Network Access (ZTNA) emerged as a potential solution to help address the flexibility issues of NAC across the new, perimeter-less network and sure up newly emerging compliance loose ends. In time, however, ZTNA would prove to be not much more than an overpopularized stopgap that sent many down hair-pulling implementation rabbit holes and eroded trust in the very concept of zero trust.

What ZTNA promised vs what it delivered

What many organizations — financial institutions included — failed to ask themselves was: will the status quo today remain the status quo a year from now? 

There had been an overnight shift to remote work at the beginning of the pandemic, and many companies were woefully unprepared from an IT security perspective. The panic over how to control access for remote employees to corporate resources was warranted, and ZTNA hit the scene at precisely the right time. The technology promised to be a compliance silver bullet AND help lift companies into the modern age of security and employ a zero trust strategy.

The answer to the above question, however, was ultimately: no, it would not be. The remote work policies were shortest lived for financial institutions, as their bottom-line-driven bosses feared productivity dips and revenue losses that could bring long-term turmoil to the markets. Their investments in ZTNA already made, they had no choice but to trudge ahead. What banks and financial services companies would come to realize is that ZTNA was not a replacement for NAC, and that it still had some growing up to do to deliver true, widescale zero trust access control and security.

ZTNA implementation has proven to be overly complex. The need to redesign your network architecture should’ve been a non-starter, but much of that reality was hidden behind promises of flexibility and seamless user experiences. There also is no coverage for physical networks with ZTNA. A bank’s wired and wireless networks surely weren’t (and aren’t) going away entirely, which means it wasn’t a question of ZTNA or NAC, but do you want to invest in something ON TOP of NAC? If large-scale remote work was here to stay forever, then yes, perhaps that’s a wise investment. But that wasn’t what happened.

A unified approach to Zero Trust

Amendments to portions of GLBA, SOX and other federal and state regulations are like death and taxes. They’re going to happen — and rarely do these regulations get smaller in size. Financial institutions will continue to be asked to meet more and more compliance requirements to safeguard the critical information they process and maintain.

Zero trust is the real deal. If applied correctly, it can be the difference between a cybercriminal breaching your defenses, stealing your data, holding it ransom or giving it out to the world, ultimately ending with your company paying a huge regulatory fine — or none of that happening.

A calculated approach to implementing zero trust means thinking beyond just NAC or ZTNA. Instead, banks and other financial institutions should consider lightweight, flexible cloud-native tools that can unify access control across their entire IT environment — encompassing both their networks and applications, as well as all the devices that are used to connect to them — no matter the location of those devices.

Doing so can help these institutions future-proof themselves for any forthcoming changes to these regulations and ensure they’re always maintaining the utmost compliance despite shifts made across their workforce or updates to their IT policies.