In January of this year, credit union trends were focused on uncertainty in the economic environment, demographic changes in the customer base, and disruptors in the financial services space. Specifically, credit unions were concerned with digital transformation. How could they:
- Create the Amazon Effect?
- Attract and retain younger customers?
- Realize operational efficiencies?
Two months later, credit unions were dusting off business continuity plans. Their concerns had shifted to meeting customer needs, keeping employees and customers safe, and managing an environment where business was conducted remotely.
In the middle of a global pandemic, one industry thrives — crime. Indeed, cybercrime flourishes in chaos. According to American Banker, phishing attacks are up 350%. As far back as April, the FBI was issuing warnings regarding remote work threats. Additionally, the Credit Union Times warned that many credit unions were ill-prepared for the infrastructure demands that a remote workforce requires. Thus, with these heightened threats, now is the time for credit unions to look at a zero-trust network.
What Is a Zero-Trust Network?
Zero-trust networks function on the premise that you can trust no one and nothing. Zero trust looks at every attempt to access the system, which means scrutinizing requests from machines, applications, or IP addresses. If the source of the request cannot be verified, access is denied, including requests coming from behind the firewall.
Why Is Zero Trust Needed Now?
With lobbies closed and in-person meetings by appointment only, consumers are turning to digital solutions for financial services. As demand increases, so does the opportunity for unauthorized access. Add to consumer demand the need to support a remote workforce, and you have the perfect storm for cyberattacks.
Branch operations extend the perimeter. Data-center configurations lack a boundary. With a move to cloud computing, the perimeter becomes impossible to contain. A perimeter-defense approach to security is no longer enough.
A remote workforce complicates cybersecurity, especially if employees use their personal devices for remote access. Suddenly, shadow IT is no longer an annoyance. It’s a threat that is hard to contain. What software is running on personal devices? How secure is an employee’s home network? Is it even possible for IT to secure the network?
As an employer, you can’t control an employee’s personal devices. Unless you provide every remote employee with a secured device, you need the strength of a zero-trust security model to ensure the safety of your digital assets. Moving to a zero-trust network requires planning, but if your organization uses Microsoft 365, you already have what you need.
Microsoft’s Zero-Trust Model
Microsoft has taken its years of experience and applied the lessons learned to create a zero-trust model for any enterprise. Its solution covers identity management, endpoint protection, and application control. Additionally, its tools centralize information to make it easier to assess network security. Let’s look at the tools that make up Microsoft’s zero-trust model.
Azure Active Directory (AAD)
The first step in a zero-trust model is to establish a single source of truth for identity and access management (IAM). Every access request must go through this source not only for verification but also for determining access rights. With Azure’s Identity Protection, access control is determined dynamically. The software evaluates the device, the user, location, and risk before granting access. The evaluation is performed not only for users but for all resources requesting access, including branches, data centers, or the cloud.
The conditional access model uses a set of rules designed to regulate which user can access what resources from where. It operates on the concept of least privilege, which restricts access to a minimal number of resources. Under a perimeter model, a user makes a one-time request for a given resource. Since the user is behind the firewall, the request is granted, but the access is never removed, creating possible vulnerabilities for unauthorized access to sensitive digital assets.
Organizations don’t have to give up the convenience of single sign-on with Microsoft 365. They can even establish levels of authentication, requiring some users to use multi-factor authentication (MFA) to gain access. Azure AD forms the basis for a zero-trust network, but it’s not the only component in a zero-trust system.
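The contrast between the perimeter model and per-request evaluation described above can be shown in a short sketch. This is an added example, not Microsoft's code and not how Azure AD implements conditional access; the rule set, the `AccessRequest` fields, the user and resource names, and the dates are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    device_compliant: bool  # hypothetical signal: enrolled and patched
    location: str           # "branch" or "home"
    risk: str               # "low", "medium" or "high"
    mfa_passed: bool
    behind_firewall: bool

# Constructed entitlements: (user, resource) -> expiry, None = no expiry.
ENTITLEMENTS = {
    ("teller01", "core-banking"): None,
    ("auditor07", "loan-files"): datetime(2020, 9, 30),  # audit period end
}

def perimeter_decision(req):  # perimeter model: network position decides
    return "allow" if req.behind_firewall else "deny"

def zero_trust_decision(req, now):  # every request is evaluated
    key = (req.user, req.resource)
    if key not in ENTITLEMENTS:
        return "deny"                      # least privilege: no entitlement
    expiry = ENTITLEMENTS[key]
    if expiry is not None and now > expiry:
        return "deny"                      # grant has lapsed
    if not req.device_compliant or req.risk == "high":
        return "deny"                      # untrusted device or risky sign-in
    if req.risk == "medium" or req.location != "branch":
        return "allow" if req.mfa_passed else "require_mfa"
    return "allow"

NOW = datetime(2020, 10, 15)  # constructed evaluation time
SAMPLES = [  # constructed requests
    AccessRequest("teller01", "core-banking", True, "branch", "low", False, True),
    AccessRequest("teller01", "core-banking", False, "branch", "low", True, True),
    AccessRequest("teller01", "core-banking", True, "home", "low", False, False),
    AccessRequest("auditor07", "loan-files", True, "branch", "low", True, True),
    AccessRequest("teller01", "loan-files", True, "branch", "low", True, True),
]

def compare(samples=SAMPLES, now=NOW):
    return [(perimeter_decision(r), zero_trust_decision(r, now)) for r in samples]

if __name__ == "__main__":
    for req, (old, new) in zip(SAMPLES, compare()):
        print(f"{req.user:10} {req.resource:13} perimeter={old:5} zero-trust={new}")
```

The last two sample requests are the ones the perimeter model gets wrong in the way the text describes: an auditor whose access outlived the audit, and an employee reaching a resource outside their role, both allowed only because they sit behind the firewall.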
Windows Defender Advanced Threat Protection
As an extension of Windows Defender, Microsoft 365 Advanced Threat Protection (ATP) provides additional security features. These features address enterprise security concerns, such as the following:
- Software Vulnerabilities. ATP performs a real-time software inventory on endpoints. This information can mitigate security vulnerabilities caused by missing software patches on installed applications.
- Network Segmentation. Systems no longer assume that installed applications are trusted. To reduce the damage caused by an attack, ATP uses hardware isolation and application control to shrink the attack surface.
- Advanced Protection. Machine learning is incorporated into scanning software to detect possible threats. Then, the Security Graph helps visualize potential threats for immediate action.
- Endpoint Detection and Response. By correlating endpoint detection with a response, ATP makes it easier for security personnel to investigate and respond to threats.
These added security features increase the volume of information that security professionals have to analyze. ATP helps organize this information through the following:
- Automated Investigation. ATP automatically examines alerts and removes the status alerts so personnel can focus on security notifications.
- Secure Scoring. Security scores prioritize security vulnerabilities. Prescriptive guidelines, which are included, can help organizations improve security scores.
- Threat Experts. These “threat experts” use artificial intelligence to detect and rank possible attacks.
Microsoft’s ATP contains a collection of APIs that allow integration into an organization’s workflow. Incorporating ATP with other Microsoft 365 components such as Azure Security Center, Cloud Security, and Information Protection creates an end-to-end security solution for any financial institution.
As employees continue to work from home, vulnerabilities as a result of Shadow IT applications multiply. With growing demands on IT resources, Microsoft’s cloud security tool can help monitor and highlight usage. Here are a few ways Microsoft’s Cloud App Security (CAS) tool can help:
- Consolidate system logs from multiple firewalls.
- Parse information for analysis in a matter of hours.
- Display status on over 16,000 cloud applications.
- Present usage by bandwidth and type.
Perhaps the best feature is the visualization of the information, so staff can quickly see what is happening where. It provides the flexibility to view the information in multiple ways — by security score, by risk level, by usage, and more.
Drill-down capabilities are built into a map display to allow for quick assessments of potential threats. Then, configure alerts based on events to keep staff informed. As network perimeters fade, security professionals need access to information in real-time to prevent attacks.
Azure Information Protection
Microsoft’s Azure Information Protection (AIP) protects on-premises documents, emails, or other sensitive digital information. An organization labels its digital data, assigning rules and conditions to each label. The rules can control access, notify users of sensitive content, or restrict offline access. Rules can then be assigned automatically or manually.
For financial institutions, time-sensitive restrictions are especially valuable. Restrict an auditor’s access to the period of the audit. Bringing on a new branch or location always presents potential vulnerabilities. Setting controls on sensitive information can limit exposure should an incident occur. With the possibility of industry contraction, AIP provides control of information during a possible merger or acquisition.
AIP is one tool in Microsoft’s Information Protection (MIP) package. MIP is a unified package that incorporates features of Cloud App Security, Windows Information Protection, and Azure Information Protection for centralized access.
Azure Security Center uses best practices to create an integrated software solution with a mobile-friendly interface. Thus, security staff can easily access Microsoft’s security information from their mobile devices. Personnel no longer have to use devices with full-screen displays, enabling staff to be more effective no matter where they are.
Intune manages mobile devices, computers, and applications. Because it provides overall management of mobile devices, end users need to have their equipment enrolled and registered. Once a device is under the Intune umbrella, security staff can see the asset and meet zero-trust requirements through tools such as AIP and CAS. Intune is now included in Microsoft’s Endpoint Manager.
Zero Trust for Credit Unions
Implementing a zero-trust network is becoming a necessity as “behind the firewall” loses its meaning. With the increased demands on credit unions’ digital solutions, organizations have to deploy solutions that mitigate the risk of a security breach. Indeed, with Microsoft’s zero-trust network solution, financial institutions can access a comprehensive solution that doesn’t take years to implement.
Agile Advisor provides strategic security and compliance guidance to regulated industries, including finance, defense, and healthcare. To find out how we can help your organization meet compliance requirements and remediate risk, schedule a free consultation today.