
Safeguarding the financial frontier: modern security architecture for technological leaders in financial services

In a fast-paced financial world where time to market is a constant pressure, security can be perceived as a blocker, and businesses take shortcuts as a result. But with an ever-changing and sophisticated cyber-threat landscape and a growing list of cyber regulations, it is important to consider security early across all capabilities. Introducing security processes only during the ‘run’ phase results in expensive operational overheads, because a security issue costs far more to fix once a system is live than it does at design time. In this article, we draw on our financial services industry experience to outline the benefits of using enterprise security architecture and capabilities to achieve Secure by Design.

07 Aug 2024
Mark Hendry, Partner, Head of Cyber Security

Enterprise security architecture

Effective enterprise security architecture starts at the top. The first step is understanding the business strategy, its requirements and the enterprise's risk concerns; these drive the cyber strategy and its requirements. For example, the Covid-19 pandemic drove businesses to adopt remote working, so cyber teams had to adopt matching strategies such as Zero Trust: they were no longer securing a ‘trusted digital perimeter network’ but users and devices connecting from anywhere. Another key outcome of this step is defining and building the key metrics used to track and report the effectiveness of the cyber strategy.

The second step involves identifying security services that will enable the cyber strategy. This is generally realised by:

  • Adopting a cyber controls framework (such as NIST Cybersecurity Framework), which will help identify the various required cyber capabilities. As part of this, a common controls framework – that maps compliance requirements across the various regulations, laws, and certifications the organisation is subject to – can be established to help cyber and other teams to understand and manage risk and compliance obligations
  • Writing technical strategies for the identified capabilities, each with an execution roadmap, for example a network security strategy or an identity and access management strategy

The third step is identifying the security mechanisms that will implement the identified cyber capabilities. At a high level, this is generally achieved through vendor comparisons against the functionality or features set out in the technical strategies. Once a particular security mechanism is identified as the right fit, a detailed design is developed to underpin implementation and handover to operational teams. All of this must be supported by effective governance, an operating model, and cross-team collaboration across the management and implementation layers.

Adoption and execution of the above steps establishes the justification (i.e. ‘why do I need it?’) and the completeness or traceability (i.e. ‘what business requirement do I need it for?’) of security capabilities and mechanisms.

Security capabilities and mechanisms to consider

  1. Identity and access management is the capability to secure human and machine identities (such as a person, a system, or a device) as well as managing their access to company resources. Good practices for this capability include:
    1. Requiring strong authentication for identities accessing resources. This usually means two or more factors in the authentication process, for example a username and password combined with a one-time password from an authenticator application. Where the risk warrants it, prefer phishing-resistant factors such as FIDO2 security keys or passkeys, since one-time codes can be relayed through a phishing site
    2. Always following the principle of least privilege when provisioning access, i.e. identities are given only the minimum access required to perform their function. Example mechanisms include role-based access, just-in-time access and contextual (risk-based) access. Perform periodic access reviews and certifications to protect against ‘access drift’, the gradual accumulation of entitlements as people change roles
    3. Incorporating the principle of separation of duties, so that no single identity can both initiate and approve a sensitive action, reducing reliance on any one individual and the risk of insider attacks
    4. Separating administrative accounts from everyday user accounts and applying higher rigour to their maintenance
    5. Automating joiner, mover and leaver (JML) processes to streamline and accelerate access provisioning, and to remove access promptly when roles change or people leave, reducing the risk of accidental and malicious data exposure or loss
  2. Infrastructure security is deploying appropriate security measures across both on-premises and cloud environments. This generally includes the following:
    1. Securing the network, which involves:
      1. implementing mechanisms to protect against denial of service (DoS) attacks
      2. implementing encryption for in-transit network traffic
      3. implementing firewalls, secure web gateways, and email gateways for protocol and port filtering, URL filtering, and email spam filtering respectively
      4. segmenting the network to limit lateral movement and privilege escalation by an attacker who has gained a foothold in one segment
    2. Securing the cloud: this includes using native and third-party solutions to secure cloud workloads across the various deployment and service models such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service), FaaS (Functions as a Service) and SaaS (Software as a Service). A good start to securing cloud infrastructure is to adopt a framework (for example, the AWS Well-Architected Framework) that identifies the different domains that need securing. Another good practice is to adopt cloud security posture management (CSPM) tools that identify and remediate misconfigurations in the cloud environment
    3. Securing the server infrastructure: this generally covers file servers, DNS (Domain Name System) servers, mailbox servers, data analytics platforms and storage systems. Protection mechanisms include server hardening, antivirus software, endpoint data loss prevention and data-at-rest encryption. Active defence techniques such as deception (honeypots and decoy credentials) also help trap and detect attackers
  3. Threat detection and response is the development and deployment of processes and technologies that capture logs from sources across the organisation, aggregate and correlate them, and enrich them with threat intelligence to identify and respond to security events and incidents. This capability area has seen rapid innovation in the past few years with cloud-based technologies and extended detection and response (XDR). Generative AI is also being applied here, for incident response summaries, incident playbook automation and rapid generation of IOCs (indicators of compromise), among other uses
  4. Endpoint management involves the secure configuration, hardening, management and protection of end-user devices. Mechanisms include endpoint detection and response (EDR), mobile device management, attack surface reduction rules, antivirus software and remote browser isolation
  5. Attack surface management is knowing where your assets are and deploying mechanisms to protect them. Vulnerability scanning, external web application scanning, penetration testing and red teaming are all ways to discover your assets and their vulnerabilities, which can then be tracked in a central asset inventory and prioritised for patching
  6. Data security includes protection mechanisms across various stages of the data lifecycle. This includes:
    1. Data discovery to know your data and data repositories and apply the relevant protections and policies
    2. Data classification to assign labels and understand which policy applies to a particular type of data. For example, data classified as ‘confidential’ must be encrypted, cannot be shared outside the organisation, and cannot be printed within the organisation
    3. Data retention to define how long data will be retained for, based on the data classification
    4. Data destruction to ensure data is disposed of in a safe and secure manner
    5. Data loss prevention to protect against accidental and malicious data exfiltration across web, mobile, desktop, and cloud platforms
    6. Cryptography, to ensure data is encrypted where its classification requires it and that keys and certificates are managed appropriately throughout their lifecycle (generation, storage, rotation and revocation)
  7. Security awareness and training raises awareness of security across the entire organisation and provides the knowledge and tools to prevent and detect attacks. Ways to achieve this include security newsletters, establishing security champions within lines of service and business units, phishing simulations, annual awareness training, and role-based training for executives, system administrators and software engineers
  8. Application security is the capability to build secure applications across all platforms (web, mobile etc). Building robust secure development processes and providing the right mechanisms to software engineers and DevOps teams helps build this capability. This involves periodic security architecture and code reviews, threat modelling, secure coding standards that address the OWASP Top 10 and other application-layer attacks, secrets management and code scanning tools, and runtime protections with matching detection use cases (such as API rate limiting and alerting when limits are hit).
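The access review, separation-of-duties and joiner/mover/leaver checks described under item 1 can be automated rather than done by hand over spreadsheets. The following is an added example, not code from the article or from Evelyn Partners; the role baseline, the conflict pairs, the identity snapshot and the 90-day dormancy threshold are all constructed for illustration, and a real run would read the snapshot from the identity provider and the HR system.

```python
"""Access-review checks for the identity and access management practices in item 1
(least privilege, separation of duties, admin/leaver hygiene). Added illustration with
constructed data; not code from the article or from Evelyn Partners."""
from datetime import date

# Constructed role baseline: the entitlements each job role is expected to hold.
ROLE_BASELINE = {
    "payments_clerk": {"payments:create"},
    "payments_approver": {"payments:approve"},
    "platform_admin": {"iam:admin", "prod:ssh"},
}

# Constructed separation-of-duties rule: one identity must not hold both sides of a pair.
SOD_CONFLICTS = [({"payments:create", "payments:approve"}, "can both create and approve payments")]

# Constructed snapshot of identities, as an IAM system or HR feed might export them.
IDENTITIES = [
    {"id": "alice", "role": "payments_clerk", "hr_status": "active", "mfa": True,
     "entitlements": {"payments:create"}, "last_login": date(2024, 7, 30)},
    {"id": "bob", "role": "payments_clerk", "hr_status": "active", "mfa": True,
     "entitlements": {"payments:create", "payments:approve"}, "last_login": date(2024, 8, 1)},
    {"id": "carol", "role": "platform_admin", "hr_status": "leaver", "mfa": True,
     "entitlements": {"iam:admin", "prod:ssh"}, "last_login": date(2024, 6, 2)},
    {"id": "dave", "role": "payments_approver", "hr_status": "active", "mfa": False,
     "entitlements": {"payments:approve", "prod:ssh"}, "last_login": date(2024, 3, 1)},
]


def review_access(identities, baseline, sod_conflicts, today, dormant_days=90):
    """Return (identity, finding) pairs for a periodic access certification.

    leaver  - HR says the person has left but the account still holds entitlements (JML gap)
    drift   - entitlements beyond the role baseline (least-privilege violation)
    sod     - a toxic combination of entitlements
    no_mfa  - identity without strong authentication
    dormant - no login within dormant_days; candidate for removal
    """
    findings = []
    for ident in identities:
        ents = ident["entitlements"]
        if ident["hr_status"] == "leaver" and ents:
            findings.append((ident["id"], "leaver: still holds " + ", ".join(sorted(ents))))
        extra = ents - baseline.get(ident["role"], set())
        if extra:
            findings.append((ident["id"], "drift: " + ", ".join(sorted(extra)) + " outside role baseline"))
        for pair, description in sod_conflicts:
            if pair <= ents:  # subset test: identity holds every entitlement in the conflicting pair
                findings.append((ident["id"], "sod: " + description))
        if not ident["mfa"]:
            findings.append((ident["id"], "no_mfa"))
        if (today - ident["last_login"]).days > dormant_days:
            findings.append((ident["id"], "dormant: last login " + ident["last_login"].isoformat()))
    return findings


def demo_review():
    """Run the review over the constructed snapshot as of 7 August 2024."""
    return review_access(IDENTITIES, ROLE_BASELINE, SOD_CONFLICTS, date(2024, 8, 7))


if __name__ == "__main__":
    for who, finding in demo_review():
        print(f"{who:6} {finding}")
```

On the constructed snapshot the review flags bob for both drift and a separation-of-duties conflict, carol as a leaver whose admin access was never revoked, and dave for a stray production entitlement, missing MFA and dormancy; alice, whose access matches her role, produces no finding. The point of the check is that each finding maps back to a specific practice in the list, so the output can feed a certification workflow rather than a manual review.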
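Item 3 describes log collection, correlation and threat-intelligence enrichment in the abstract. The following added example (not code from the article) shows the smallest version of that pipeline over constructed SSH authentication lines: parse, correlate a burst of failures followed by a success from the same source, and enrich each alert with a constructed indicator feed. The log format, the threshold of three failures in five minutes and the indicator list are assumptions made for the illustration.

```python
"""Log correlation and threat-intelligence enrichment, as described under threat detection
and response (item 3). Added example with constructed log lines; not code from the article.
The log format, the thresholds and the indicator feed are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style SSH authentication events (not real logs).
SAMPLE_LOG = """\
2024-08-07T09:00:01Z bastion sshd[1201]: Failed password for admin from 203.0.113.9 port 50210 ssh2
2024-08-07T09:00:03Z bastion sshd[1201]: Failed password for admin from 203.0.113.9 port 50211 ssh2
2024-08-07T09:00:05Z bastion sshd[1201]: Failed password for root from 203.0.113.9 port 50212 ssh2
2024-08-07T09:00:07Z bastion sshd[1201]: Failed password for admin from 203.0.113.9 port 50213 ssh2
2024-08-07T09:00:09Z bastion sshd[1201]: Accepted password for admin from 203.0.113.9 port 50214 ssh2
2024-08-07T09:01:00Z bastion sshd[1202]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
2024-08-07T09:02:00Z bastion sshd[1203]: Failed password for bob from 198.51.100.7 port 40002 ssh2
2024-08-07T09:02:30Z bastion sshd[1204]: Accepted publickey for bob from 198.51.100.7 port 40003 ssh2
2024-08-07T09:03:00Z bastion sshd[1205]: Accepted publickey for carol from 192.0.2.44 port 40004 ssh2
"""

# Constructed threat-intelligence feed: indicators of compromise keyed by source IP.
THREAT_INTEL = {
    "203.0.113.9": "credential-stuffing infrastructure (feed X, confidence high)",
    "192.0.2.44": "anonymising proxy exit (feed Y, confidence medium)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text):
    """Normalise raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def correlate(events, intel, threshold=3, window_seconds=300):
    """Raise an alert when a source accumulates >= threshold failures inside window_seconds and
    then succeeds (brute force that worked), or when a success comes from a known indicator.
    Every alert is enriched with whatever the intel feed knows about the source."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failed attempts
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["outcome"] == "Failed":
            failures[src].append(ev["ts"])
            continue
        recent = [t for t in failures[src] if (ev["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src": src, "user": ev["user"],
                           "failures": len(recent), "intel": intel.get(src)})
        elif src in intel:
            alerts.append({"rule": "login_from_ioc", "src": src, "user": ev["user"],
                           "failures": len(recent), "intel": intel[src]})
    return alerts


def demo_alerts():
    return correlate(parse(SAMPLE_LOG), THREAT_INTEL)


if __name__ == "__main__":
    for a in demo_alerts():
        print(f"{a['rule']:26} user={a['user']} src={a['src']} intel={a['intel']}")
```

Run against the constructed input this yields two alerts: the admin login from 203.0.113.9 after four failures, enriched with the feed's note on that address, and carol's otherwise clean login from an address the feed lists. bob's single typo followed by a key-based login falls below the threshold and stays quiet, which is the trade-off any correlation rule has to make between noise and coverage.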
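Item 8 lists secrets management and code scanning tools among the application security mechanisms. The following added example (not code from the article, and not any particular vendor's rule set) shows what a secret scanner actually does over a constructed source file: match well-known credential formats, and fall back to a Shannon-entropy heuristic for quoted literals assigned to sensitively named variables. The patterns, the name list and the entropy threshold of 3.0 bits per character are assumptions; the AWS key shown is the documented example value, and the other literals are made up.

```python
"""Hard-coded credential detection, the kind of check the code-scanning tools in item 8
perform before code reaches a repository. Added illustration over constructed source;
not code from the article. The patterns, the sensitive-name list and the entropy
threshold are assumptions, not a specific vendor's rules."""
import math
import re
from collections import Counter

# Constructed source file (not from any real project). Line 2 shows the correct pattern:
# the secret is read from the environment rather than written into the code.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
token = "ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xyZ"
api_key = "d41d8cd98f00b204e9800998ecf8427e"
GREETING = "hello world, hello world"
"""

# Credential formats with a fixed, recognisable structure.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic case: a quoted literal of 16+ characters assigned to a sensitively named variable.
ASSIGNMENT_RE = re.compile(r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*[\"'](?P<value>[^\"']{16,})[\"']")
SENSITIVE_NAME_RE = re.compile(r"key|secret|token|passw|credential|api", re.IGNORECASE)


def shannon_entropy(s):
    """Bits of entropy per character; random-looking strings score higher than prose."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text, entropy_threshold=3.0):
    """Return findings (line number, kind, entropy) for likely secrets in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [kind for kind, pat in KNOWN_PATTERNS.items() if pat.search(line)]
        for kind in hits:
            findings.append({"line": lineno, "kind": kind, "entropy": None})
        if hits:
            continue  # a known format is a stronger signal than the generic heuristic
        m = ASSIGNMENT_RE.search(line)
        if m and SENSITIVE_NAME_RE.search(m["name"]):
            h = shannon_entropy(m["value"])
            if h >= entropy_threshold:
                findings.append({"line": lineno, "kind": "high_entropy_literal", "entropy": round(h, 2)})
    return findings


def demo_scan():
    return scan(SAMPLE_SOURCE)


if __name__ == "__main__":
    for f in demo_scan():
        extra = f" (entropy {f['entropy']})" if f["entropy"] is not None else ""
        print(f"line {f['line']}: {f['kind']}{extra}")
```

The scanner reports lines 3, 4 and 5 and stays silent on line 2 (the secret comes from the environment, which is what a secrets manager or vault integration should deliver) and on line 6 (a sensitive-sounding literal is only flagged when its name suggests a credential and its entropy is high). Wired into a pre-commit hook or the CI pipeline, a check like this stops the credential before it lands in version control, where rotating it becomes the only remedy.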

How Evelyn Partners can help

Having a well-rounded approach and process for architecting and implementing cyber security services is critical for financial services and fintech businesses if they are to limit the monetary, reputational and regulatory impact of cyber threats.

At Evelyn Partners, we have an experienced cyber team dedicated to helping businesses secure their digital services and footprint. Contact us to learn how we can assist you.

A special thanks to Siva Mallampati, Associate Director in the Cyber security team, for his valuable contribution to this article.
