How are financial services firms addressing the requirements of digital transformation, security, and compliance? Adrian Taylor, Regional VP of Sales for A10 Networks, explores in this article.
The financial services sector is experiencing significant commercial disruption coupled with rapid innovation as established institutions strive to become more agile. As a result, financial services organisations are undergoing rapid digital transformation to meet changing customer needs and preferences, and to compete with a new generation of digital-native competitors. Hybrid cloud environments play a key role in this strategy, allowing greater speed, flexibility, and visibility over application delivery than on-premises data centres while also reducing costs.
But the move to hybrid cloud introduces new challenges as well. As financial services organisations plot their strategy for transformation, they must make critical technical decisions about the clouds and form factors best suited to host their hybrid environment. They also need to consider how they will secure web applications against evolving threats such as ransomware, data theft, and DDoS attacks through measures such as DDoS protection and a Zero Trust model. At the same time, they must maintain regulatory compliance, governance, and auditability across complex, fast-evolving infrastructures.
To understand more about these challenges, we recently conducted a survey with Gatepoint Research involving senior decision-makers to gain insight into the current state of financial services technology and the future direction for organisations in this sector. Here are some of the key findings:
Today’s Financial Services Technology Landscape
Although financial services businesses are making a steady move to the cloud for application delivery, on-premises data centres continue to play an important role.
While adoption of public cloud infrastructure is strong, with almost half of those surveyed hosting applications primarily in the cloud, most respondents (58 percent) continue to rely primarily on their private on-premises data centre for application delivery. 35 percent of organisations described their environment as a hybrid cloud, though with an emphasis on their own private data centre. This shows that even as transformation continues, the traditional data centre remains prominent in the technology strategy of financial services organisations.
That said, the balance between on-premises and cloud infrastructure may well shift soon. When respondents were asked about their plans for the coming year, 57 percent of decision-makers reported that they intend to move more applications to the cloud.
Ransomware and PII Lead Security Concerns
Today, financial services organisations face a broad spectrum of security threats, many of them targeting sensitive customer data. The survey highlighted that organisations’ biggest security concerns or consequences were ransomware (57 percent); personally identifiable information (PII) data theft (55 percent); and phishing or fake sites (49 percent).
While threats to customers and their data are seen as the highest risk, dangers to the company’s brand image and reputation were not far behind. 38 percent of leaders cited concerns about hacking and cyber defacement, tied with brand damage and loss of confidence. Nearly as many (37 percent) were concerned about DDoS attacks, which can undermine a firm’s perception among customers through impaired service quality and customer experience. Meanwhile, insider attacks remain an issue, named by 28 percent of respondents, if not quite at the same level as most external threats.
To address the changing security landscape, many organisations have started initiatives around the Zero Trust model, in which traditional concepts of secured zones, perimeters, and network segments are updated with a new understanding that a threat can come from anywhere or anyone inside or outside the organisation. As of June 2020, 41 percent of respondents had already established a timeline for their Zero Trust model initiative with 15 percent having projects currently underway. Still, nearly two-thirds have no current plans or initiatives around the Zero Trust model.
Moving to Improve Flexibility, Agility, Scalability and Security
Technologies and strategies planned for the coming year reflect a key focus on the competitive requirements of fast-paced digital markets. The top-two initiatives included moving from hardware appliances to more flexible software form factors and deploying hybrid cloud automation, management, and analytics to increase operational efficiency.
With DDoS attacks a prime concern, 29 percent of respondents planned to deploy or replace an existing web application firewall (WAF) or DDoS protection solution. Surprisingly, even several years after the introduction of modern Perfect Forward Secrecy (PFS) and Elliptic Curve Cryptography (ECC) encryption standards for enhanced security, 29 percent of organisations are only now working to upgrade their Transport Layer Security (TLS) capabilities to support these technologies.
Even as cloud adoption continues to be strong, five percent of decision makers intend to repatriate applications from private cloud environments to their private data centre. While not a high number, this is not entirely insignificant. Given the diversity of form factors, architectures, and deployment methods to choose from, it is important to make sure that the approach fits the organisation’s needs before proceeding.
Addressing the Requirements of Hybrid Cloud and Rising Demand
Moving forward, decision-makers view capabilities related to risk as especially important for their financial platforms. When it comes to the most important capabilities for financial platforms running in hybrid cloud environments, regulatory compliance, comprehensive application security and redundancy/disaster recovery are top must-haves.
In addition to the importance placed on redundancy/disaster recovery, many respondents (43 percent) named centralised management and analytics as important capabilities. Along with elastic scale for variable/seasonal demands (25 percent), this shows a recognition of the requirements to provide effective service through redundancy, scalability, and a sound infrastructure.
Compared with risk-related and operational priorities, cost saw considerably less emphasis in the survey. While 28 percent of respondents placed importance on automation for operational efficiency and reduced costs, just 18 percent prioritised flexible licensing and pricing.
Desired Benefits from New Technology Investments
As they plan new technology investments, decision-makers are motivated foremost by risk reduction—far outpacing business factors such as revenue, customer experience, and competitive advantage.
By a large majority, security was the most likely benefit to spur funding for new technology. Operational considerations followed, including operational improvements (65 percent) and cost savings (63 percent). Regulatory compliance, emphasised earlier in the survey as a priority for a hybrid cloud requirement, was not necessarily top-of-mind in the technology funding stage—but still of high importance (57 percent). Revenue generation was named as a highly important benefit by only 35 percent, followed by customer satisfaction at 32 percent. Even in an industry undergoing rapid digital transformation, just 32 percent of decision-makers cited business advantage from new technology as a prime factor—and only 17 percent were moved by the ability to accelerate development speed.
The results of the survey offer a snapshot of an industry in transition, as decision-makers seek to keep control over security and compliance and maintain operational consistency while they look to tap into the agility and scalability of the cloud. It is clear that, while security is important for digital transformation initiatives, application delivery and managing multi-cloud environments are of equal importance. Above all, financial services organisations must maintain their good reputation and ensure customer trust. Firms must demonstrate that they are protecting customer assets, providing an ultra-reliable service, working with trustworthy partners and reducing risk to the business.